UCD Student Counselling Service Privacy Statement
Last updated: 16/03/2021
Introduction
This is a statement of the practices of the University College Dublin Student Counselling Service (“the Service”) in connection with the processing of personal data for the purposes of the Service and the steps taken by University College Dublin (“University College” / “the University”) as a data controller to safeguard individuals’ rights under data protection legislation, specifically the EU General Data Protection Regulation (“GDPR”) and Data Protection Acts 1988-2018.
The UCD Student Counselling Service sees our clients’ consent as being the key factor in dealing with their information. The service understands and respects the importance of the right to privacy and actively seeks to preserve the privacy rights of data subjects who share personal data with the University. Any personal information which you volunteer to the Service will be treated with the highest standards of security and confidentiality, in accordance with data protection legislation.
This privacy statement explains the following:
- How the Service processes your personal data.
- The purpose and legal basis for processing your personal data.
- How we store and secure personal data.
- Details of third parties with whom we share personal data.
- Your rights under data protection legislation.
Definitions
Personal Data
Any information relating to an identified or identifiable natural person (‘data subject’).
Special Categories of Personal Data (Sensitive personal data)
- Data concerning health
- Personal data revealing racial origin, ethnic origin, political opinions, religious beliefs, philosophical beliefs, trade-union membership
- The processing of genetic data for the purpose of uniquely identifying a natural person
- The processing of biometric data for the purpose of uniquely identifying a natural person
- Data concerning a natural person's sex life or sexual orientation
Processing
Any operation or set of operations performed on personal data. Processing includes storing, collecting, retrieving, using, combining, erasing, and destroying personal data, and can involve automated or manual operations.
Data subject
Someone who can be identified, directly or indirectly, by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
Data controller
An organisation, such as University College, which determines the purposes and means of the processing of personal data.
Data processor
A natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller, traditionally under contract. This does not include Service staff who are processing personal data on behalf of the University as part of their employment duties.
How we process your personal data
The personal data we collect from you will only be processed by the Service for the specific and lawful purposes as outlined in this privacy statement.
Personal data is processed in the following way:
Electronic data
- Student’s registering with the counselling service input their contact details using Google Forms.
- For email communication and general administration, we use google.
- To keep records of counselling sessions we use Titanium Schedule software.
- For videoconferencing we use the licensed version of Zoom.
- For client feedback we use Survey Monkey.
Paper-based data
- Counsellor notes and client case files. These are retained for a defined period after you have concluded your sessions with the Service.
- Workshop and group feedback forms may be input to Survey Monkey to enable analysis of the data for the purpose of quality assurance.
Purpose and legal basis for processing personal data
Counselling records are maintained for the purposes of facilitating and monitoring a client's progress in counselling. Records are especially important when there are significant periods of time between counselling contacts or when the client seeks services from another professional or service. Appropriate records can also help to protect both client and counsellor(s). Precise record keeping can help provide clarity in the event of legal or ethical proceedings. For the purposes stated above confidential electronic and paper-based notes of counselling sessions and consultations with clients will be recorded.
Any personal data you provide when engaging with the Service will be processed fairly and lawfully in accordance with data protection legislation.
- Under Article 6 GDPR your personal data will be processed on the legal basis of consent.
- Under Article 9 GDPR your sensitive personal data will be processed on the exemption of explicit consent provided.
When registering with the Service you will be asked to complete the following forms and provide your consent to processing:
- Registration forms to be completed before first appointment and at the start of each academic year.
- Assessment questionnaires if appropriate.
Under GDPR, consent can only be valid if it is a clear, specific, freely given and unambiguous indication of the data subject’s wishes. Unless valid consent is obtained the Service will not be permitted to process your personal data.
Details of third parties with whom we share personal data
The Service will only share your data with third parties (internal and external) where necessary for the purposes of processing outlined in this privacy statement. This will only be done with your express consent.
The following table details the third parties with whom your personal data is shared together with the purposes for the sharing:
| Third Party | Reason |
|---|---|
| Titanium | To store client contact details and client notes and to run reports on statistics for monitoring demand and capacity. Non identifying statistical data is published in an annual report of Student Services, the annual National Counselling Data Report Psychological Counsellors in Higher Education (PCHEI) and to the University Management Team. Titanium is also used as a diary for all counsellors and to send reminder texts and emails. |
| Google docs | Email correspondence, spreadsheets & reports. |
| Survey Monkey | Service user feedback for evaluation of the quality and student focus of service. |
| Zoom Licensed Version | 1:1 Video counselling, group counselling and induction. |
| SilverCloud | Online CBT educational and therapeutic programmes. Students self-register with Silvercloud (please refer to their data privacy statement. |
| Microsoft Office | Preparing letters that students request. |
How we securely store personal data
Any data we collect from you will be stored confidentially and securely as required by the UCD Data Protection Policy. The University is committed to ensuring that the processing of your data is performed in a secure manner relevant to the processing.
When we store your personal data on our systems the data will be stored either on the University premises or on secure IT platforms within the European Economic Area which are subject to GDPR requirements.
University College will share your personal data with third parties where necessary for purposes of the processing outlined in this privacy statement. When we share your data with third parties the Service will ensure that the data is only processed according to specific instructions and that the same standards of confidentiality and security are maintained.
Managing your information
In order to provide for your care here we need to collect and keep information about you on our records.
- We retain your information securely.
- We will only ask for and keep information that is necessary. We will attempt to keep it accurate and up to-date as possible. We will explain the need for any information we ask for if you are not sure why it is needed.
- We ask you to inform us about any relevant changes that we should know about such as change of address and phone numbers. All persons in the practice (not already covered by a professional confidentiality code) sign a confidentiality agreement that explicitly makes clear their duties in relation to personal information and the consequences of breaching that duty.
- Access to patient records is regulated to ensure that they are used only to the extent necessary to enable the secretary or manager to perform their tasks for the proper functioning of the practice. In this regard, patients should understand that practice staff may have access to their records to ensure safe and efficient care for you. Administrative staff will need to access your record to carry out the following functions:
- Typing referrals to allied health professionals such as GPs, Psychiatrist, external partnered services.
- Opening letters from referrers. The letters could be appended to a patient’s paper file or scanned into their electronic patient record.
- Scanning clinical letters, reports and any other documents not available in electronic format.
- Monitoring emails and performing integration of information into the electronic client record
- If you decide at any time and for whatever reason to transfer to another counsellor within the service we will facilitate that decision by making available to your new counsellor a copy of your records.
- We may need to pass some of this information to other health and social care professionals in order to provide you with the services you need. Only the relevant part of your record will be released. These other professionals are also legally bound to treat your information with the same duty of care and confidence that we do.
Use of information for teaching, training and quality assurance
It is usual for clinicians to discuss client case histories as part of their continuing professional education or for the purpose of training counselling students. In these situations the identity of the client concerned will not be revealed. In other situations, however, it may be beneficial for other clinicians within the practice to be aware of clients cases and this practice would only communicate the information necessary to provide the highest level of care to the patient.
How long we retain your data
In keeping with the data protection principle of storage limitation we will only retain your data for as long as is necessary. For the purposes described in this privacy statement we will store your data for the duration of your studies plus seven years.
Your rights under data protection law
You have the following rights over the way we process your personal data:
Right of Access
You have the right to request a copy of the personal data which is processed by the Service, including your counselling notes, and to exercise that right easily and at reasonable intervals.
Consent
You have the right to withdraw your consent to the processing of your personal data. You may withdraw your consent to the Service processing your personal data at any time. To withdraw your consent, we require you to advise the Service in writing.
Rectification
You have the right to have inaccuracies in personal data that we hold about you rectified.
Erasure
You have the right to have your personal data deleted where we no longer have any justification for retaining it, subject to exemptions such as the use of pseudonymised or anonymised data for scientific research purposes.
Object
You have the right to object to processing your personal data if:
- We have processed your data based on a legitimate interest or for the exercise of the public tasks of the University if you believe the processing to be disproportionate or unfair to you.
- The personal data was processed for the purposes of direct marketing or profiling related to direct marketing.
- We have processed the personal data for scientific or historical research purposes or statistical purposes unless the processing is necessary for the performance of a task carried out for reasons of public interest.
Restriction
You have the right to restrict the processing of your personal data if:
- You are contesting the accuracy of the personal data.
- The personal data was processed unlawfully.
- You need to prevent the erasure of the personal data in order to comply with legal obligations.
- You have objected to the processing of the personal data and wish to restrict the processing until a legal basis for continued processing has been verified.
Portability
Where it is technically feasible you have the right to have a readily accessible machine readable copy of your data transferred or moved to another data controller where we are processing your data based on your consent and if that processing is carried out by automated means.
Further information
We hope this has explained any issues that might arise . If you have any questions relating to the processing of your personal data for the purposes outlined above or you wish to make a request in relation to your rights you can contact the Service at: (opens in a new window)student.counselling@ucd.ie.
If you wish to make a complaint or escalate an issue relating to your rights you can contact the University College Data Protection Officer at (opens in a new window)dataprotection@ucd.ie .
If you are not satisfied with the information we have provided to you in relation to the processing of your personal data or you are dissatisfied with how University College is processing your data you can raise a concern with the Data Protection Commission at: (opens in a new window)https://forms.dataprotection.ie/contact.