This website is run by gaddum. We respect your privacy and comply with the Data Protection Act 1998. You are welcome to access our site without disclosing your personal data.
To view our direct marketing policy for all of our services, please click the downloadable link below:
Direct Marketing Policy v1
gaddum aims to provide its service users with a high quality of service. To help support you, we need to keep records about you and the service we have provided or are providing.
We know that you value your privacy and the security of personal information held about you.
On this page you will find information about the ways in which we collect, and our lawful bases for collecting and processing personal data about you. You will also find information on how this information is used, and what your rights are.
Any changes we may make to what we do with your personal data in the future will be posted on this page.
If you have a question which is not answered by the information on this page, please use the contact details at the bottom of this page to get in touch with us.
The principles of processing
The Data Protection Principles of processing state that data should be:
1. Processed lawfully, Fairly and in a transparent manner;
2. Collected for the specified, explicit and legitimate purpose;
3. Adequate, relevant and limited to what is necessary;
4. Accurate and, where necessary, kept up to date;
5. Retained only for as long as necessary;
6. Processed in an appropriate manner to maintain security.
What information is recorded
Information recorded may include:
• Basic details about you, such as address, date of birth, NHS number;
• Information for data monitoring, such as gender, ethnicity, religion;
• Any relevant medical details, including medication, that has been disclosed by yourself;
• Referral and appointment information such as dates and attendance rates;
• Other details about your health, such as frameworks that help monitor your recovery.
As part of providing a professional, safe and efficient service, there is certain information that we record. This information will not be shared with anyone else except under the circumstances described below in ‘Sharing Information.’
Why do we record this information?
We collect this information for a number of reasons including:
• To help us work with you to provide the services you receive
• To make sure that services you receive are safe and effective
• To work effectively with others to provide you with care and support
• To check the quality of our services
• Help with the planning of new services
• Help investigate any worries or complaints you have about our services
What is our Lawful Basis for collection of your information?
Under the General Data Protection Regulations, gaddum must have a Lawful Basis to collect and process your data.
In most circumstances, we may ask for your expressed consent to collect and process data, or have a contract (agreement) in place which allows us to collect and process your data. If we ask for consent, you will be supplied with a consent form outlining exactly what you are consenting to. Where a contract has been agreed between yourself and gaddum, specific information may be required to fulfil that contract.
In other instances, the Lawful Basis for data collection and processing may be gaddum’s ‘Legitimate Interest’ in the information in order to provide you with a service. This information can be useful in ensuring that the service is appropriate for you, and to better understand your situation. You have the right to object to information which is collected with legitimate interest as a lawful basis.
Occasionally we may have a legal obligation to collect information for the purposes of services which are provided by Law, or have a Vital interest in the information in order to protect the individual or other person’s life (see below for more information on Vital Interests).
Processing may also be necessary for gaddum to perform a task in the public interest or which has a clear basis in law (for instance, the Advocacy Services provided by gaddum). In these instances, the individual’s information would be required for the provision of the service and would need to be retained for the time in which the individual accesses and up to seven years after disengaging from the service. Some data may be retained longer where necessary.
Some data is considered as Specialist Category information. This is usually applied to the nine protected characteristics:
• Racial or ethnic origin of data subject
• Political opinions of data subject
• Religious beliefs or beliefs of a similar nature of data subject
• Whether a data subject is a member of a trade union
• Physical or mental health or condition of data subject
• Sexual life of data subject
• Commission or alleged commission by data subject of an offence
• Any proceedings for any offence committed or alleged to have been committed by a data subject, the disposal of such proceedings or the sentence of any court in such proceedings
These will require an additional basis in order to collect and process information.
If you are unsure of the Lawful Basis which we have for asking certain information, please speak to your service provider who will be able to explain further.
Occasionally, gaddum may require personal information in order to protect your own or someone else’s life. The lawful basis for collecting this information is called a Vital interest.
The kinds of information that gaddum may collect under a vital interest are:
• Substance abuse
• Harm to themselves and others
We must record this information to be able to help individuals and those around them who are vulnerable to harm, including self-harm and suicide. The information that you provide under a Vital Interest will be kept confidential, and will not be shared with third parties without your consent. However, in certain circumstances it may be necessary to share that information in order to protect your own or someone else’s life (please see sharing information for more details).
Where your information is stored
gaddum has a secure system which can only be accessed by authorised people at gaddum. Some services not yet using our system will use either a paper-based records system, a system of documents within gaddum’s internal computer network or a combination of both to record your personal data. All personal data is held securely within these systems, and the systems are reviewed regularly for potential risks.
Some of gaddum’s services (including GP based Counselling and Getting Help) use external systems. These systems are managed by the provider and as such are held to their data protection policies. If you are unsure what system your data is being held in, please speak to your service provider who should be able to explain further.
How long we hold your information for
Personal data processed for any purpose shall not be kept for longer than is necessary for that purpose. However, we retain data for a maximum of 8 years for the purposes of audits and your right to access that information.
Where a young person accesses services, this may be extended to their 25th birthday, (or 26 if they are 17 when treatment ends) or eight years after their death, if sooner. Also it is advised that if a child’s illness or death could be relevant to an adult condition or have genetic implications for their family, records may be kept for longer.
If after the 8 years’ maximum has been reached, we feel your data needs to be retained longer due the nature of the interactions, likely need for your access in future or possible claim made against gaddum. These will be reviewed on a case by case basis.
The information held about you will not be shared for any reason, unless:
• You ask us to do so;
• We ask and you give us specific permission;
• We are required by law, for example if case notes are needed for a police investigation;
• If you are believed to be suicidal.
If the service user lacks capacity to agree to a disclosure of information, gaddum will act in accordance with the Mental Capacity Act 2005 Code of Practice where disclosure of information is in the best interests of the service user.
There may be instances where we ask your permission to share information with your doctor and other healthcare professionals.
Anyone who receives information from us also has a legal duty to keep this information confidential, subject to recognised exceptions of the types listed above.
We share anonymised information with our funders in order to evidence the work we do and help shape the future of our service delivery. Anonymised information shared with others may include:
• Details about changes to your health and wellbeing
• Demographic monitoring, such as gender, ethnicity, religion
If a safeguarding concern raised, we may be required by law to share information whether in respect of a child/ren, or in respect of a vulnerable adult/s.
Safeguarding concerns in respect of children include:
• Physical abuse
• Sexual abuse or exploitation
• Psychological abuse
• Affected by domestic abuse
Safeguarding concerns in respect of vulnerable adults include:
• Financial abuse
• Domestic Violence
• Institutional Abuse
• Harm to self or others
Full more details on the information we share, see our Safeguarding and Data Protection policies.
Signposting or referring to other services
If we are referring you onto another service, we may be required to fill in a referral form for that service. At that time, the Lawful basis for processing that data should be considered as consent, which you can withdraw at your discretion. Once the referral form has left our premises we will keep limited information as evidence that this request has been processed and a relationship between yourself and gaddum.
gaddum has a duty of care to its employees, and as such may request information regarding Criminal Convictions at Referral stage and during assessment.
We may not work with a person or family who is involved with an ongoing conviction as we cannot guarantee that information disclosed to us will remain confidential (a subpoena may be issued for the client’s information). As such we will review the circumstances around the ongoing conviction to identify if and how we can work with you.
Where past convictions are declared, these will not be used as a basis for exclusion from the service, however it may be deemed that we are unable to work with individuals in certain circumstances.
All declarations of Criminal Convictions are reviewed individually and where we cannot work with you, we ensure that you are appropriately signposted to another service.
For more information, please call or email us.
You have the right to confidentiality under the General Data Protection Regulation, the Human Rights Act 1998 and the common law duty of confidence.
We also have our own Confidentiality Code of Conduct and all of gaddum staff, trainees and volunteers have a requirement to keep records about you confidential, secure and accurate.
All our staff contracts and volunteer agreements contain a requirement to keep service user information confidential.
Your Right to be informed
You have the right it be informed about the data we are collecting, why we collect it where it is stored and who it may be shared with. This page aims to answer those questions, but as we collect many different pieces of information across our services at gaddum, we do not provide a list of all questions asked here.
If you have questions about the information we collect, please feel free to speak to your service provider.
Your right to view your records
You have the right to ask for a copy of the records gaddum stores about you.
This will be provided free of charge; however, charges may incur in future if the data requests become repetitive in character, unfounded or excessive. Your request must be made in writing to the project holding your information, either where your initial assessment/counselling sessions take place or the centre you go to for support. You will need to give adequate information in order for gaddum’s staff to identify you (for example, full name, address and date of birth.) You will be required to provide ID to confirm your identity, for example a passport or full driving license before any information is released to you.
gaddum is required to respond to your request within 30 days, however where requests are complex or numerous this may be extended by an additional two months. If this is the case, you will be informed within one month from receipt of your original request.
Your right to rectification
If you find that any information we hold about you is inaccurate or incorrect, you have the right to have that information rectified. Please let us know what information is incorrect, and provide us with the right information so that your file can be updated as per your request.
Your right to data portability
At gaddum we work hard to give you the best experience possible whilst accessing services. However, if you wish to switch service providers, you have the right to request your information is transferred so that you can continue therapy with another provider.
The way in which this is provided will depend on the service that you are receiving and the system where your data is stored. Once a request has been made for the transfer of data, gaddum will operate to perform the transfer as soon as is possible.
Data portability does not apply to information that is collected under Legitimate interests.
Your right to object
You have the right to object to providing information that we ask for. If you do object to giving information, it will not affect your ability to access services, however it could impact on the service provided as we require specific information in order to facilitate service provision. In this instance, we will explain our reasons and Lawful Basis for processing this data and you then have the right to complain to gaddum and the Supervisory authority, should you feel that the reason behind collection of this information is not satisfactory.
Your right to Erasure
If, at any time you feel that you no longer want your personal data to be held by gaddum, you have the right for your data to be removed from our databases and systems under the General Data Protection Regulations ‘Right to Erasure’.
However, if at the time of the request you are currently accessing services with an intention to continue accessing that service, we may not be able to remove the data at that time. This is because some services require information so that we are able to support you effectively. Some data may also be retained if it is considered that it may be required for future legal claims and as evidence of your relationship with gaddum.
Requesting that your data is removed post therapy ending, will not affect your ability to access services in future. If you have any questions, please speak to your service provider.
gaddum will ensure that any institutions, business, charities or organisations have satisfactory Data Protection protocols in place prior to working with them.
Some trainee counsellors work with us in order to gain their certifications at University. These trainee counsellors may take recordings and data that is held by themselves and the university of their education. In these instances, the university and trainee counsellor will provide you with appropriate documentation to the effect of where your data will be stored and used.
Any breach of data held by these parties will follow their procedure and gaddum cannot assume responsibility for data which is not controlled or processed by itself.
Where a worker who operates for gaddum, is working in another professional setting (e.g. GP surgery counselling), gaddum will have an agreement between the worker, gaddum service managers and the third party regarding how data will be kept. Normally the contract between the worker and the service user is confidential and will not be recorded on any other records, e.g. medical records. Where a GP/another professional is consulted about a matter of medical judgement, risk or legality, a copy of the factual material discussed, advice given, decisions taken and reasons, may be given to the other party to keep for record purposes.
If there is a breach to data at gaddum
A ‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. If the breach is likely to result in a risk to the rights and freedoms of the individuals effected, gaddum must by law contact the individuals effected without undue delay, to detail the data breach and outline our next steps with regards to protecting your rights. Any breach will also be reported to the Information Commissioners Office.
Please speak to a member of gaddum staff if you would like to discuss any of this information further.