Privacy Policy

Version: 1.1 (Updated August 2025)
Applies to: Strive
ICO Reg: ZC042401

1. Introduction

Strive is committed to protecting the privacy and confidentiality of all personal information entrusted to us. This Privacy Policy explains how we collect, use, store, and share personal data in line with the Data Protection Act 2018, UK GDPR, and professional ethical obligations under the BACP Ethical Framework.

2. Scope

This policy applies to all personal data processed by Strive, including data relating to clients, placement counsellors, volunteers, employees, contractors, and third parties. It covers data processed through our website, booking systems, email, and counselling records.

3. Data We Collect

We may collect and process the following categories of data:
– Contact details (name, address, email, phone).
– Personal details provided by clients during assessment and counselling.
– Health information relevant to counselling provision.
– Emergency contact and GP details for safeguarding purposes.
– Counsellor/volunteer application and supervision records.
– Financial information related to payments (processed securely via PayPal).

4. Legal Basis for Processing

Strive processes data on the following bases:
– Consent: Where clients or counsellors provide explicit consent (e.g., for assessment, counselling, or data sharing).
– Contract: Where processing is necessary for the provision of counselling services.
– Legal obligation: To comply with legal and regulatory requirements (e.g., safeguarding).
– Legitimate interests: For purposes such as service evaluation, supervision, and organisational management.

4a. Stages of Data Collection and Legal Basis

Referral and Self-Referral
– Data collected: Name, email, phone, brief overview of presenting issue(s).
– Legal basis: Consent (the individual chooses to provide this information to access services).
Clinical Assessment
– Data collected: Full personal details, health and wellbeing information, risk/safeguarding details, GP/emergency contact.
– Legal basis: Consent (for counselling purposes), plus Legitimate Interests and Legal Obligation where safeguarding is required.
Counsellor Assignment
– Data collected: Allocation records, internal notes regarding suitability.
– Legal basis: Legitimate Interests (ensuring clients are matched appropriately with counsellors).
Counselling Sessions
– Data collected: Location of client at each session, client notes, session records.
– Legal basis: Contract (necessary to provide counselling services), Legitimate Interests (safe practice, supervision), and Legal Obligation (where safeguarding requires disclosure).
Review
– Data collected: Monitoring and evaluation data, outcome measures (e.g., CORE forms).
– Legal basis: Legitimate Interests (service improvement, accountability) and Consent (for using anonymised data in reporting).
End of Counselling
– Data collected: Closing summary, retention of counselling notes.
– Legal basis: Legitimate Interests (maintaining records), Legal Obligation (retention for 7 years under professional guidance).
Complaints
– Data collected: Complaint details, investigation records, correspondence.
– Legal basis: Legitimate Interests (resolving disputes, organisational accountability) and Legal Obligation (professional and regulatory compliance).

5. Confidentiality

All counselling records are treated as confidential and will not be disclosed without consent, except where:
– There is a risk of serious harm to the client or others.
– There is a legal obligation to disclose (e.g., safeguarding, terrorism, money laundering).
– Disclosure is required by a court order.

Other limits of confidentiality exist, and should be contracted for with clients. The Proprietor/CEO reserves full access to all records across Strive for quality, assurance, safeguarding and compliance purposes.

6. Data Storage and Security

– Client data, assessments, and notes are stored securely on Strive-managed systems (Microsoft 365, Google, Setmore).
– Paper records (if any) are kept in locked storage accessible only to authorised personnel.
– Access to data is restricted to those who require it for legitimate organisational purposes.
– Personal devices must not be used to store Strive records unless encrypted and authorised. Multi-factor authentication should be utilised wherever possible.

7. Data Retention

Strive retains counselling records for a minimum of 7 years following the end of counselling, in line with professional guidance. After this period, records will be securely destroyed unless required for legal or regulatory purposes.

For evaluation or statistical purposes, Strive may use pseudonymised data (with identifying details replaced by a code), but the master counselling record will remain securely attributable to the individual for a minimum of 7 years before being securely destroyed or anonymised.

8. Data Sharing

– Strive does not sell or share personal data with third parties for marketing.
– Data may be shared with external agencies where required for safeguarding, legal compliance, or with the client’s consent.
– Data processors (e.g., Setmore, PayPal, Microsoft, Google) are required to comply with UK GDPR.

9. Individual Rights

Individuals have the following rights under UK GDPR:
– The right to be informed about how their data is used.
– The right of access to their personal data.
– The right to rectification of inaccurate data.
– The right to erasure (‘right to be forgotten’) in certain circumstances.
– The right to restrict processing.
– The right to data portability.
– The right to object to processing.
– Rights in relation to automated decision-making and profiling.

Requests should be submitted in writing to the Proprietor/CEO.

10. Breach of Data Security

Any data breach will be reported promptly to the Proprietor/CEO, where they will be investigated and, where appropriate, addressed in line with ICO guidance.

11. Review

This Privacy Policy will be reviewed annually, or sooner if required by legislation, guidance from the ICO, or organisational needs.