- Policy scope
- This policy applies to;
- All City Therapy Staff
- City Therapy Directors
- Therapists and Senior Trainees connected with City Therapy
- Service Users
- This policy covers all personal information including employee information, Therapist/Senior Trainee information and Service User information generated by City Therapy Dame Street.
- It applies to all personal data collected and stored in/by City Therapy Dame Street. This policy applies to both soft and hard copy data held on City Therapy systems, on network share drives, on cloud files and emails.
- Where data is being transferred to any third party it is the responsibility of the organisation to ensure consent agreements are in place covering security and retention of data.
- This data protection policy aims to ensure that City Therapy adheres to data protection law and applies good practice. It protects the rights of the Directors and Staff and is transparent about how it stores and processes individual’s data and mitigates from the risk of data breeches.
- The 8 Data Protection Principles and How to Apply to City Therapy Policy
- a) Obtain and process information fairly
- The collection of data by City Therapy includes a clear statement advising the service user and Therapists/Senior Trainees of the identity of the controller, the purpose of collecting the data to whom it may be disclosed and any other relevant information necessary to ensure that all processing meets the requirement of fair processing.
- Where City Therapy collects sensitive data the data subject must give consent to the processing. Appropriate security measures will be put in place to ensure confidentiality.
- b) City Therapy Policy – Therapist Information
- The data controllers in City Therapy are Anne Devlin, Shaunna Impey and holiday cover staff (which will be covered by a Non Disclosure Agreement).
- The data collected on each therapist includes CV’s, Garda Vetting, Emails, Phone numbers, copies of references and Insurance Certificates.
- The purpose of holding CV’s is done as part of the assessment for suitability. The CV’s are kept so that City Therapy directors can refer to these if any issues arise and/or references need to be checked.
- Emails and phone numbers of each therapists’ are kept as these are the two main points of contact when referring clients to therapists.
- The data collected on Therapists is only disclosed to a third party i.e. EAP (or a perspective client) once the therapist has agreed to this. All documents to third parties containing therapist information are encrypted.
- All phone inquiries are asked for their consent before any information is passed on
- Therapist CV’s are kept in a password protected file
- c) City Therapy – Client Information
- Information obtained from clients is done so to ensure the ‘best fit’ when referring on to a therapist
- In relation to inquiries, identifying information (in the form of emails) is kept on the client. In relation to the inquiry, emails are deleted once the client has been placed with a therapist. In relation to the inquiry, any mails that are kept a) while we are waiting for consent from the client to pass the mail on b) until we know client has been placed. In the case where a person has made an enquiry and we are waiting for consent (or a reply) we will only keep these mails after one month we will contact the client again to see if they wish to proceed or to be removed from the City Therapy inbox.
- Consent is sought from all callers/mailers before any information is passed on (for referral purposes)
- All information kept on clients is done so on email and access to the email is password protected. Only Shaunna and Anne (holiday cover) have the password to the main email account. In the instance where holiday cover is required an NDA is signed by the individual covering the holiday. The password for the email account is then changed after the holiday.
- d) Keep it only for one or more specified, explicit and lawful purposes.
- City Therapy will keep data for purposes that are specific, lawful and clearly stated. Primary purposes include:
- The assessment and management of applications by Therapists/Senior Trainees to City Therapy (CV’s)
- The creation of files for each Therapists for Transfer to EAP’s (Therapist consent obtained)
- The creation of files for each Therapist/Senior Trainee containing current Garda Vetting Certificates and Insurance Certificates, CV’s, Children’s First Certs and References
- For the purpose of finding the best Therapeutic fit for a Service User
- Compliance with regulatory, legal and tax laws and regulations
- e) Basis for Processing Personal Data is as follows:
- Consent: the individual has given clear consent for you to process their personal data emails). We note that a person must give their consent and that ‘silence’ or ‘not saying no’ does not mean consent
- Legitimate interests: the processing is necessary for our legitimate interests or the legitimate interests of a third party unless outweighed by the data subject’s interests. It is likely to be most appropriate where you use people’s data in ways they would reasonably expect, and which have a minimal privacy impact, or where there is a compelling justification for the processing.
- f) Lawful Basis for Special Categories of Personal Data is as follows:
- The data subject has given consent to the processing of their personal data for one or more specified purposes.
- Processing is necessary for the purposes of preventive or occupational medicine (Under the Category of Health)
- g) Use and disclose it only in ways compatible with these purposes
- City Therapy will ensure that any use and disclosure will only happen for the purposes or compatible with the purposes for which the data is collected or otherwise in compliance with Data Protection legislation.
- Persons to whom data may be disclosed include the following:
- Persons acting on the person’s behalf e.g solicitors
- The Service User whom the information concerns
- One of the Therapist’s linked to City Therapy
- An individual’s General Practitioner in the case where a Service User might disclose the intention to Self Harm, Harm another or Sexual Abuse of a minor. A contract of agreement is recommended standard practice for all therapists linked to City Therapy to include the limitations of confidentiality.
- The Garda Siochana, or any other person who is authorised by law to access service’s records. Such requests must be in writing and quoting the basis on which access is sought.
- h) Keep it safe and secure
- City Therapy will ensure that appropriate security measures are taken against unauthorised access to or alteration, disclosure or destruction of the data and against their accidental loss or destruction. This will include appropriate procedures in relation to back up data. Particular focus will be placed on the security of personal data held on portable devices/cloud files, with appropriate security measures such as password protection/Encryption. To increase the safety and security of personal data City Therapy are buying their own server/email which will be password protected/encrypted
- On a going forward basis developments of the City Therapy IT systems will aim to ensure that access to personal data being logged can be audited. The aim is to include access on a read only basis. Such logs will be routinely checked on a random basis to ensure that access is appropriate. Our aim at City Therapy is to ensure that robust procedures for limiting access to personal data are in place, that staff are aware of these limits and that any breaches can be identified.
- City Therapy has a confidentiality policy in place to the collection, processing, keeping and use of sensitive data. Access to sensitive data will be restricted to authorised staff. Some examples of good practice are shown below:
- Using password protected screensavers to hide any information on workstations whilst taking breaks.
- City Therapy email ‘logged out’ each evening
- Manual data kept in filing cabinet under lock and key with only two key holders (this is not currently in use)
- Protecting manual files and to disallow any unauthorised access, destruction, modification or photocopying.
- Operate a “Clean desk policy” to ensure no personal data is lying around for others to see
- i) Keep it accurate, complete and up to date.
- City Therapy will keep data complete and up-to-date as it is given by the Therapists/Senior Trainees.
- Therapists can ask for their data to be corrected where it is found to be incorrect
- This will be achieved through the correction of incorrect data in line with the Data Protection Acts including where this is identified by the data subject to be the case in a verifiable way.
- j) Ensure that it is adequate relevant and not excessive.
- City Therapy will only collect information that is necessary for the purposes needed. The method of seeking information from Service Users/Therapists/Senior Trainees will be checked on an ongoing basis to ensure that only relevant information is sought and provided.
- City Therapy will only collect data that directly relates to the purposes for which it is being collected. City Therapy will not ask for more information than needed.
- k) Retain it for no longer that is necessary for the purpose or purposes.
- City Therapy has a data retention policy. Client information (held on site) will be held for a period of six years after the ending of the therapeutic relationship. Currently there is no need to hold client information on site.
- All City Therapists will retain their own client information offsite and for a period outlined by their Insurers/Awarding Body.
- Where an individual inquiry about City Therapy services but does not subsequently engage with the services or is referred on details will be kept on file for a period of two months to facilitate a subsequent engagement.
- l) Give a copy of his/her personal data to that individual on request
- City Therapy has a procedure in place to ensure that subject access requests are dealt with in accordance with the Data Protection Acts.
- Service Users/Therapists/Senior Trainees have the right:
- To enquire if any information is held about them
- To request a copy of the information held
- To have any inaccurate data corrected
- To have their names removed from any mailing lists etc. (Insurance Certificates/Garda Vetting/CV’s will not be removed while a Therapist/Senior Trainee is still working with City Therapy)
- m) Enquiry Timescales
- 21 days to respond to an enquiry as to whether information is held on computer or not (NO FEE)
- 40 days (from receipt of formal written request) to provide customer with a copy of their information. Discretionary – donation to a charity
- Any inaccurate data corrected – (NO FEE).
- Data Retention
- The purpose of a Data Retention policy is to ensure that City Therapy have clear and enforceable instructions around how long to retain data. Having a data retention policy will enable the City Therapy to be in compliance with the Data Protection Acts Rule 7 which states that in relation to Personal Data that the data shall not be kept for longer than is necessary for that purpose or those purposes.
- The objective of this policy is to ensure that;
- Guidance exists so that retention limits can be set for data which complies with the Data Protection Acts and all other relevant legislation
- Once retention limits are reached, the data is either automatically destroyed or reviewed for destruction
- Retained data is held securely
- All data marked for destruction is comprehensively and securely destroyed (Shredded)
- All relevant staff are asked to create their own Data Retention policy
- 4. Considerations necessary prior to implementation of this schedule
- If under investigation or if litigation is likely, retain files as they may be used as evidence.
- On-going legislative requirements.
Figure 1. Retention Limits
The below schedule is taken from the IACP Data Protection Policy and will be used as a guideline for City Therapy.
|Type of Record||Retention Period|
|Voice Recordings (for training||6 months from date call was recorded|
|and/ or verification purposes)|
|Employee Paper Data Retention||7 years after employee has left the organisation|
|Member’s Data||7 years from the date the individual’s membership has lapsed|
|Unsuccessful Application Data||7 years from date the application is deemed unsuccessful|
|Deceased Members Data||1 Year from the date City Therapy are notified of the death|
|Payment Information||No card details are stored in City Therapy as all transactions are cash.
Going forward, payment details will be inputted to a secure online payment facility at the point of purchase
|Complaints||7 years from the date the complaint is finalised|
|Minutes of Meetings (with||Indefinitely|
|Garda Vetting||Applications are kept for a one year period from the date they|
- Data Storage
- All storage of data will be kept in line with the Data Protection guidelines.
- Notes belonging to clients will be kept by each individual therapist on their respective clients.
- It is recommended that these notes are coded with no identifying information (eg. Age, DOB, Phone, Email, Address).
- It is recommended that therapists keep client intake forms (with identifying information) separate to their client notes. City Therapy recommends that Therapists keep their notes locked away in a room that is also locked.
- City Therapy does not keep any personal information on Service Users in a hard copy format on Site.
- City Therapy will protect data according to the sensitivity of that information and will protect that information in line with that sensitivity.
- City Therapy is aware that data retention guidelines apply to all data stored manually and electronically, the transfer of data internally and externally, and the protection from outside intrusion via internet and physical theft.
- Destruction Policy
- The destruction of records in relation to City Therapy will take place as part of a managed process and documented. City Therapy does not take responsibility for documents held by Therapists working at City Therapy and leaves the destruction of client documents up to the individual Therapists.
- A clearly defined procedure for reviewing and selecting records for disposal and must ensure:
- All records held are retained in accordance with the Data protection guidelines.
- Records are disposed of in line with the level of detail contained in them.
- Data remaining is organised and labelled to maintain the integrity of the filing system.
- Training and Awareness
- All employees of City Therapy will be made aware of the impact of the Data Retention policy on their day-to-day interaction with service user information.
- All Therapists linked to City Therapy will be made aware that the GDPR polices apply to them as individual practitioners and that they are asked to act in line with these
- Data security breach
- Occurs when there is unauthorised access to, collection, use, disclosure ordisposal of personal information.
- This type of breach can occur for several reasons including:
- Loss or theft of data or equipment on which data is stored;
- Inappropriate access controls allowing unauthorised use;
- Equipment failure;
- Human Error;
- Unforeseen circumstances such as a flood or fire;
- A hacking attack;
- Access where information is obtained by deceiving the organisation that holds it.
- A record isdefined under the Freedom of Information Acts 1997 and 2003 as “any memorandum, book, plan, map, drawing, diagram, pictorial or graphic work or other document, any photograph, film or recording (whether of sound or images or both), any form in which data (within the meaning of the Data Protection Act, 1988 and 2003) are held, any other form (including machine-readable form) or device in which information is held or stored manually, mechanically or electronically and anything that is a part or a copy, in any form of any of the foregoing or is a combination of two or more of the foregoing” (Freedom of Information Act, 1997, 2003
- a) Data Security Breach Guidelines
- As a data controller, City Therapy processes personal data and appropriate measures require to be taken against the unauthorised or unlawful processing and accidental loss, destruction of or damage to personal data. It is, therefore, essential that in the event of a data security breach, appropriate action is taken by City Therapy to minimise any associated risks as soon as possible.
- The purpose of these guidelines is to set out the processes that represent best practice in the event of a data security breach involving personal data or sensitive personal data. These guidelines are a supplement to City Therapy’s Data Protection Policy which affirms its commitment to protect the privacy rights of individuals in accordance with Data Protection legislation.
- b) Responding to a Potential Data Security Breach
- In line with best practice, these guidelines outline five stages to managing a response to a breach:
Stage 1: Identification and Classification
- If a data security breach has occurred, this must be reported immediately to the staff member responsible for data protection (currently Anne Devlin – Director) and to the second Director Shaunna Impey.
Stage 2: Containment and Recovery
- The aim of the City Therapy staff member is to limit the scope and impact of the data security breach. If a breach has occurred, appropriate action will be taken by the relevant City Therapy staff to minimise any associated risks which may include:
- Establishing who within City Therapy needs to be made aware of the breach and ensuring relevant staff/Directors are informed what is required to assist in the containment exercise;
- Establishing whether there are any actions which may recover losses and limit the damage the breach can cause;
- Where appropriate, informing the Gardaí.
Stage 3: Risk Assessment
- In assessing the risk arising from a data security breach, the relevant City Therapy staff are required to consider the potential adverse consequences for individuals, i.e. how likely are adverse consequences to materialise and, if so, how serious or substantial are they likely to be. The information provided by the individual reporting the breach can assist with this stage.
Stage 4: Notification of Breaches
- In accordance with the Office of the Data Protection Commissioner’s (ODPC) “Personal Data Security Code of Practice“, all incidents in which personal data has been put at risk must be reported to the ODPC within 2 days of City Therapy becoming aware of the incident, however, incidents do not have to be reported to the ODPC when:
- the full extent and consequences of the incident has been reported without delay directly to the affected data subject(s) and
- it affects no more than 100 data subjects and
- it does not include sensitive personal data or personal data of a financial nature.
Stage 5: Evaluation and Response
- Subsequent to a data security breach, a review of the incident by the staff member responsible for data protection and Management will occur to ensure that the steps taken during the incident were appropriate and to identify areas that may need to be improved.
Potential Data Security Breach Report (Taken from IACP)
Please complete the following questions in order to ascertain if a data security breach has occurred and return the completed form the staff member responsible for data protection.
|What type of data is involved?|
|Does it fall under the definitions of personal data and/or sensitive personal data outlined above?|
|If so, the following information must be provided|
|Details of the breach|
|Date and time incident occurred (if known)|
|Date and time incident detected|
|Name of person reporting inciden|
|Details on how the data was held, e.g. laptop, memory stick, personal digital assistant etc.|
|Details of safeguards (e.g. encryption), if any, that would mitigate the risk if data has been lost or stolen|
|Are there any reasons to suspect that the passwords used to protect the data may have been compromised? (e.g. password stored with mobile device or weak password used)|
|Details of the number of individuals whose information is at risk, i.e. how many individuals’ personal data are affected by the breach?|
|Who are the individuals whose data has been breached – are they staff, students, suppliers,third parties etc?
|What could the data tell a third party about the individual?|
|Any other information|
Appendix 2: Personal Data Request Form
18 Dame Street
I wish to make an access request under the Data Protection Acts 1988 and 2003 for a copy of any information you keep about me, on computer or in manual form. I am making this request under section 4 of the Data Protection Acts.
Full Name: _______________________________________________________
Name (please print): _______________________________________________________
Date when (if ever) you last made a request of this nature to City Therapy: ________________
- Request in writing should be made and signed by the applicant in person.
- Within the terms of the Data Protection Act 1988/2003, City Therapy will respond to your request for personal data within 40 days.
- Please donate something to charity
- In order for us to protect the security of personal data, it is necessary for you to provide proof of your identity. Please contact the City Therapy to receive a list of acceptable documents.
Requests should be submitted to: Anne Devlin, 18 Dame Street, Dublin
Appendix 3: Glossary of Terms
As with any legislation, certain terms have particular meaning. The following are some useful definitions:
Data means information in a form which can be processed. It includes both automated data and manual data.
Automated data means, broadly speaking, any information on computer, or information recorded with the intention of putting it on computer.
Manual data means information that is kept as part of a relevant filing system, or with the intention that it should form part of a relevant filing system.
Relevant filing system means any set of information that, while not computerised, is structured by reference to individuals, or by reference to criteria relating to individuals, so that specific information is accessible.
Personal data means data relating to a living individual who is or can be identified either from the data or from the data in conjunction with other information that is in, or is likely to come into, the possession of the data controller. This can be a very wide definition depending on the circumstances.
Processing means performing any operation or set of operations on data, including: – obtaining, recording or keeping data, – collecting, organising, storing, altering or adapting the data, – retrieving, consulting or using the data, – disclosing the information or data by transmitting, disseminating or otherwise making it available, – aligning, combining, blocking, erasing or destroying the data.
Data Subject is an individual who is the subject of personal data. Data Controllers are those who, either alone or with others, control the contents and use of personal data.
Data Controllers is a body that, either alone or with others, controls the contents and use of personal data. It can be either legal entities such as companies, Government Departments or voluntary organisations, or they can be individuals such as G.P.’s, pharmacists or sole traders.
Data processor is a person who processes personal data on behalf of a data controller, but does not include an employee of a data controller who processes such data in the course of his/her employment. Again individuals such as G.P.’s, pharmacists or sole traders are considered to be legal entities.
Sensitive personal data relates to specific categories of data which are defined as data relating to a person’s racial origin; political opinions or religious or other beliefs; physical or mental health; sexual life; criminal convictions or the alleged commission of an offence; trade union membership. You have additional rights in relation to the processing of any such data.
Data Protection Commissioner 2018. General Data Protection Regulation [Online] Available at https://www.dataprotection.ie/docs/GDPR/1623.htm (Accessed on 18 January 2018)