Privacy notice

1. Introduction

Your privacy is a top priority. We're committed to always being a good custodian of your personal information, handling it in a responsible manner, and securing it with industry standard administrative, technical and physical safeguards.

We follow two guiding principles when it comes to your privacy:

• transparency - we work hard to be transparent about what personal information we collect and process
• simplicity - we try to use easy-to-understand language to describe our privacy practices to help you make informed choices

About us

The British Association for Counselling and Psychotherapy (BACP) is registered as a data controller with the Information Commissioner's Office (ICO) (ICO registered number Z7078162).

It is also a company registered in England and Wales (company number 02175320), registered address BACP House, 15 St John's Business Park, Lutterworth, Leicestershire LE17 4HB. BACP also incorporates BACP Enterprises Ltd – (company number 01064190) as a legal entity and shares data with it (ICO registered number Z3237939).

BACP is a registered charity (registered charity number 298361).

If you have any queries about this privacy notice or about any aspect of our data management, please contact our Data Protection Lead at dpl@bacp.co.uk.

We'll update this privacy notice regularly to ensure it continues to comply with the latest regulations and best practice. This privacy notice was last amended on 28 May 2019.

2. How we use your information

a) Storage and management of personal information

Our principal data management system is a Microsoft Dynamics CRM system which is maintained and developed by a third party processor. This system enables us to efficiently store any information about our members, former members and other stakeholders in a way that ensures adequate security and only allows people who have the right level of authority to access personal information. It also simplifies our responsibilities for data retention and subject access requests.

b) Visitors to our website and social media platforms

When someone visits our website we use a third party service, Google Analytics, to collect standard internet log information and details of visitor behaviour patterns. We do this to find out things such as the number of visitors to the various parts of the site. This information is only processed in a way that does not identify anyone. We do not make, and do not allow Google to make, any attempt to find out the identities of those visiting our website.

We use Google Analytics so that we can continually improve our service to you - read the Google Analytics privacy notice.

We use Umbraco as the content management system for our website - find out about Umbraco and data protection.

Like most websites we use cookies to help the site work more efficiently - find out about our use of cookies.

No user-specific data is collected by us or any third party. If you fill in a form on our website, that data will be temporarily stored on the web host before being sent to us.

Non-members can sign up to the website in order to order journals or to book onto events. When doing this you will be asked for your name, email address and date of birth. Your details will be retained for as long as you regularly log into the website.

BACP has a presence on various social media platforms. If you engage with us via these platforms we will not collect or store any of your personal data, however you need to be aware of how those websites use your data. Currently we have a corporate presence on Facebook, LinkedIn and Twitter. To find out about how these companies use your data and how you can control the way they use your data follow these links: Facebook; LinkedIn; Twitter.

c) Members and former members

The legal basis we use for processing members' and former members' personal information is a combination of contract and legitimate interest.

We carefully safeguard the information we hold about members. This information comes from the way members engage with us, information provided through application and booking forms, renewals forms or details completed in members' online profiles.

The information may also come from members' interactions with us, for example, through social media, website usage or surveys. It may include, for example, contact details, interests or guidance documents downloaded from our website.

What the information is used for

We collect this information to provide our services to members and to inform our development of new and improved products to continue to meet our members' needs.

We also use member information for identity verification and to comply with regulatory functions. Usually, when members call us, we need to identify them depending on the nature of the enquiry. We may do this by asking for certain information known only to you.

Specifically, we may use member information to:

• carry out regulatory checks and meet our obligations to the Professional Standards Authority
• develop and improve our services through assessment and analysis of the information, market and product analysis and market research
• improve the relevance of marketing messages we may send you
• personalise our website for you
• protect our systems

We may also monitor or record any communications with members including telephone calls. We'll use these recordings to check your instructions to us, to analyse, assess and improve our services and for training and quality purposes.

We send messages by post, telephone, text, email or other digital methods. These messages may be:

• to help you manage your membership
• to meet our obligations, for example visits by our own regulators
• statements regarding standards of practice, such as gay reparative therapy
• to keep you informed about the features and benefits of the products and services available to you that may be of professional interest

We will never pass on your information to a third party to use in their own direct marketing without your consent.

Sharing your information

During your contact with us, we'll tell you how your information will be used and that it may be necessary to share it with other services and organisations.

We will not share your information with any third parties unless:

• you have consented to this (for example by providing information to us after we've told you that we will supply the information to a third party)
• it is required for the management of your membership or a legitimate business purpose
• it is as part of our duty to protect a child, a vulnerable adult, yourself or the public
• for the prevention and detection of a crime or the assessment of any tax or duty
• we are required to do so by any court or law or any relevant regulatory authority
• to protect the rights, property or safety of BACP or any third parties (for example for the purposes of fraud protection)
• we transfer our rights and duties to provide products and services to another organisation

As a professional body, it is in our legitimate interests to verify the membership status of an individual when we receive a query from a third party, including membership category and expiry date. Other information such as contact details are not disclosed.

By being a member of BACP and using our products and services, you grant us permission to process personal data which you have provided to us.

One significant role of BACP is to promote the membership and qualifications of our members to the public. To this end we publish a member directory on our website and we answer telephone queries where we will give callers the following information about members: whether someone is currently a member; the date they became a member; the expiry or expected renewal date of their membership; current membership category; whether the member is Registered or not; the criteria the member has demonstrated in order to achieve their level of membership; member status and grade on a specific date in the past.

The purchase of some of our services requires that we publish your details in the public domain, such as in printed materials or on our website, for example therapist directory, networks or events. This information may be used by other members or third parties to contact you but is outside our control. When you purchase these services, you may have the right to opt out from some information being published.

When you make a payment to us, we use a third party processor to manage the process and the direct debit payments.

We use TestReach to provide and invigilate member exams - see the TestReach privacy notice.

We will keep records of purchases for financial audit reasons for six years, We'll also keep records of qualifications, complaints and adjudications for six years. The basic records of a member's name and membership period will be kept indefinitely in case ex-members wish to re-join. 

We use Think Publishing to handle membership publishing for us – see the Think privacy notice. We manage subscriptions to our publications using a third party service

When people make complaints against our members, we hold data relating to the complainant as well as details of the complaint and witnesses or interested parties. We share information with panel members and external clerks who all sign data processor agreements with us. All data relating to this process is kept very securely. Paper records are kept in locked cabinets and then archived in a secure off-site facility.

Member register

Together with 17 other organisations running accredited registers, we've signed up to an information sharing protocol. We've all agreed to inform each other about, and to take into account, decisions made through the other organisations' professional conduct proceedings which have resulted in an individual being removed from a register.

Member certificate of proficiency (COP)

We manage the COP through a third party. This system records equality and diversity data, assessment results, contact details and special requirements. Equality and diversity data is only kept for two months, raw scores are kept until the member has passed, and contact details and special requirements are kept until the assessment process is complete.

Accreditation of services and courses

We award accreditation to therapeutic counselling and psychotherapy services that meet our quality standards. We're also the leading body for the accreditation of training courses in counselling and psychotherapy.

We use assessors and moderators to run these services and we ensure we have data processing agreements with them.

Information is retained for the five year accreditation term and for a further three years following a lapse of accreditation.

Member audit

Member audit is managed internally with data stored on our CRM and on spreadsheets. We receive hard copy submissions which are stored in secure cabinets and shredded once the audit is complete.

d) Members of the public who make enquiries or complaints

We do not usually record or process any data from members of the public who ring us with general enquiries. If a query does require us to take personal data we will explain this at the time. We do not record phone calls.

We retain emailed queries from the general public for a maximum of one year. If a member of the general public contacts us to make a complaint about a member we will need to record personal data (and often sensitive personal data) in order to investigate the complaint. We may also need to share this information with various third parties. We will explain this process in detail when we collect the information.

e) Members and non-members who attend our events

If you apply to attend a BACP event we will hold the information we need in order to deliver this event. Our legal basis for holding your data will be a combination of contract and legitimate interest.

All event attendees will be listed on the delegate list that is shared with other delegates, exhibitors and sponsors. Event information is stored on our CRM, while video and still images are stored on our servers. We keep information about event attendees, presenters and actors for 25 years. Information about exhibitors and sponsors is kept for five years. We use SurveyMonkey to gather event evaluation. Evaluation forms can be anonymous, if you supply your name this will not be used after two years.

Names and job titles of delegates are shared with Delekit who provide electronic badges. A copy of their privacy notice can be found here. We also share details of delegates of delegates with hearing impairment with an interpreter.

Photography and filming

If you attend an event or take part in a promotional activity, we may ask to take your photograph or film you. Any images we hold, whether in still photographs or video, may be covered by the definition of personal data in the GDPR. We will need your consent in order to take and use these images fairly and lawfully. We will ask you to complete the form below.

Photography and filming consent form

Filming

We may record events for use in an online video library, publicity and marketing materials, including use on our website. This filming will primarily focus on the speakers (with whom we always have contracts covering data protection), however, it may include some shots of the audience. By attending these events you are deemed to have consented to your inclusion in these recordings. If you don't want to be included in any recording it is your responsibility to tell the cameraman at the event before filming starts.

We use various third parties to help us produce and distribute video and images. We always have GDPR compliant contracts with these processors. The main suppliers we use are Silverstream (SSTV); McGowan Transcription; and Push Record. You can access their privacy notices by following the links.

We use third party processors to help us deliver successful events. We use a wide range of venues, mostly hotels, around the UK to host events. We ensure that we have appropriate data protection agreements with all of them.

f) Members and non-members that take part in our campaigning work

If you take part in one of our campaigns, we will hold some personal data about you in order to keep you informed of the progress and results of the campaign. To manage our campaigns we use Engaging Networks, whose privacy notice can be seen here. All personal data is deleted at the end of the campaign.

g) Contributors to our academic journals

We use Steers McGillan Eves to design our journals – see Steers privacy notice.

Our divisional editors have signed an addendum to their contracts of service, in which they agree to adhere to BACP's data protection policy. Additionally, they have signed a BACP adequate security document detailing good working practice when handling BACP data.

Contributors to our journals agree to follow our contributor guidelines, which provide contributors with information on how their data will be used, and for how long. The guidelines, which can be found at www.bacp.co.uk/bacp-journals, include a link to BACP's privacy notice.

BACP operates GDPR-compliant contracts with any third party involved with its journals, including designers and printers, which cover how data is handled and how long it is retained.

h) Job applicants, current and former staff

We will only use any information you provide during the recruitment process for the purpose of progressing your application, or to fulfil legal or regulatory requirements if necessary.

We will not share any information you provide during the process with any third parties for marketing purposes or store it outside of the European Economic Area. The information you provide will be held securely by us or our data processors, whether the information is in electronic or physical format.

We use Caraires Recruitment to help us find the right candidates – read Caraires privacy notice.

We will use the contact details you provide to contact you to progress your application. We will use the other information you provide to assess your suitability for the role you've applied for.

We do not collect more information than we need to fulfil our stated purposes and will not retain it for longer than is necessary.

The information we ask for is used to assess your suitability for employment. You don't have to provide what we ask for, but it might affect your application if you don't.

If we make a conditional offer of employment, we'll ask you for information so that we can carry out pre-employment checks. You must successfully complete pre-employment checks to progress to a final offer. We are required to confirm the identity of our staff and their right to work in the UK, and to seek assurance as to their trustworthiness, integrity and reliability.

Therefore, you must provide:

• proof of your identity – we'll ask you for original documents and will take copies
• proof of your qualifications – we may ask you for original documents and will take copies

We will contact your referees, using the details you provide in your application, directly to obtain references.

If we make a final offer, we'll also ask you for the following:

• bank details – to process salary payments
• emergency contact details – so we know who to contact if you have an emergency at work

If you accept a final offer from us, some of your personnel records will be held on our internal HR records system.

During your employment we may need to share your information with third party processors who provide elements of our ongoing employment service, that is employment law advice, occupational health advice, payroll and pensions processing and other employee benefits such as health and wellbeing services. We have contracts in place with all of our third party processors. This means they cannot do anything with your personal information unless we instruct them to do so. They will not share your personal information with any organisation apart from us. They will hold it securely and retain it for the period we instruct.

If you are employed by us relevant details about you will be provided to JPM Group who administers our pension scheme. You will be auto-enrolled into the pension and the details provided to JPM will be your name, date of birth, National Insurance number and salary.

We use Optum to provide an Employee Assistance Programme (EAP) This service is provided initially via a telephone service. We only share your name and date of birth with them for the purpose of your security.

We provide a full Occupational Health service to all staff via Sugarman Occupational Health Services, we will provide only relevant details regarding you and your employment to Sugarman as may be deemed necessary.

We use Busy Bees Benefits to provide staff with a range of employee benefits such as Child care vouchers, Cycle to Work scheme, Salary Sacrifice car leasing. We only share your name and date of birth with Busy Bees.

During your employment, we may need to seek employment law advice and we use Stone King for this service. We will share with Stone King only the relevant details about you and your employment at BACP to allow for the required full legal guidance/advice to be given.

The main 3rd parties are:

• Aegon - see the Aegon privacy policy;
• Busy Bees - see the Busy Bees privacy policy;
• JPM - see the JPM privacy policy;
• Optum - see the Optum privacy policy;
• Stone King - see the Stone King privacy policy;
• Sugarman - see the Sugarman privacy policy;

The information you provide will be retained as part of your employee file for the duration of your employment and for six years afterwards.

If you're unsuccessful the information you give us, and any information we create during the process, are retained for six months.

We send text alerts to staff using the third party service TextAnywhere - see the TextAnywhere privacy policy.

Volunteers

We use Mullwood Partnership to manage volunteer recruitment – see the Mulwood privacy statement.

Volunteers carry out various essential roles at BACP, such as being a trustee, serving on an executive committee, writing for our journals, reviewing our publications, participating in our campaigns and/or projects or acting as an expert point of contact. We collect only information that we need for volunteers. Information is retained for the duration of their volunteering then is immediately deleted.

We do not collect more information than we need to fulfil our stated purposes and will not retain it for longer than is necessary. We will use the contact details you provide as a Volunteer to contact you during your association with us. We will use the other information you provide to assess your suitability for the role you've applied for, including a declaration of interests.

All BACP volunteers are made aware of their data protection responsibilities and sign up to our volunteer data protection guidelines before handling any personal data.

We also use volunteers as media spokespeople. We maintain lists of these volunteers for as long as they agree to speak to media outlets on our behalf.

i) People who visit our premises

We have closed circuit TV at our offices. This is a purely internal system that is used to help maintain personal safety and security. Video recordings are kept securely on-site and only shared with police when they are needed to investigate a crime. Only staff who have appropriate authority are allowed access to the recordings. The recordings are kept for thirty days.

We record the name of all visitors to our offices for fire safety reasons. This information is deleted after three months.

j) Members of our regional networks

We have regional groups that are co-ordinated by fellow members on a voluntary basis. The co-ordinators maintain spreadsheets of details of members who are in their regions. They use these to keep members informed of local events and to help members network with each other. All regional co-ordinators sign third party processor agreements with us clearly laying down their responsibilities with regard to members' personal data.

k) People who take part in our surveys and consultations

We use third party processors for both our internal and external surveys.  We collect minimal personal data in surveys - generally only IP address and email address so that we can keep in touch with participants. We keep information only for the duration of the survey campaign.

l) People who sign up to our newsletter

If you sign up to our newsletter we will use a third party to keep your data, to distribute the newsletter and to keep track of open rates and other standard media measures. We only keep your email and name and we will renew your consent every two years.

m) People who engage with research and awards

We run many awards programmes, some of which are awarded jointly with partner organisations. Our partners include the Counselling and Psychotherapy Central Awarding Body (CPCAB) (see the CPCAB privacy notice) and PCCS Books (see the PCCS privacy notice).

If a member takes part in our pilot for 'Pragmatic Tracker' - an online client management system - their details will be passed to Manyother Ltd, the supplier of the system. Their privacy notice can be found here. Personal data will be retained until the end of the pilot (in 2019).

We only collect name, email and postal address for most of the awards. For the PhD Studentship we also need to collect supervisor and finance details. The details of unsuccessful applicants are always deleted once the decision has been made. Successful applicant data is kept for 12 months.

3. Audit and regulatory requirements

We may share any data about our operations with:

• our auditors, Atkinson Finch & Co - see the Atkinson Finch privacy policy
• HMRC - see the HMRC personal information charter
• the Charity Commission - see the Charity Commission personal information charter
• the Information Commissioner's Office - see the ICO privacy notice
• Companies House - see the Companies House personal information charter

and other regulatory bodies, should this be necessary to complete our statutory audit and regulatory requirements.

We use several law firms to provide advice and guidance on a range of topics and we may share personal data with them at times. All third parties have contracts with us which includes a third-party processor agreement.

4. Your rights

Under the General Data Protection Regulation (GDPR) you have rights as an individual data subject which you can exercise in relation to the information we hold about you. You can read more about these rights on the ICO's website.

5. Complaints and queries

We try to meet the highest standards when collecting and using personal information, and we take any complaints about this very seriously. We encourage you to let us know if you think that our collection or use of information is unfair, misleading or inappropriate. We also welcome any suggestions for improving our procedures.

This privacy notice does not provide exhaustive details of all aspects of our collection and use of personal information. However, we're happy to provide any additional information or explanation needed. Please send any requests for this to our DPL at the address in the Introduction above.

If you want to make a complaint about the way we've processed your personal information, you can contact the ICO as the statutory body which oversees data protection law - see ICO concerns.

6. Your rights

Access to your information

We try to be as open as we can in terms of giving people access to their personal information. You can find out if we hold any personal information about you by making a 'subject access request' under GDPR. If we do hold information about you, we will:

• give you a description of it
• tell you why we are holding it
• tell you who it could be disclosed to
• let you have a copy of the information in an intelligible form

If you agree, we'll try to deal with your request informally, for example by providing you with the specific information you need over the telephone.

Records of treatment

If you have received therapy from one of our members and require access to information about your treatment or the treatment someone else has received, you will need to contact the appropriate therapist directly.

Correcting mistakes

You can ask us to correct any mistakes in any factual information we hold about you, such as your address, date of birth, contact details etc.

Erasure

The GDPR also gives you the right to have the data we hold about you deleted in some circumstances. This is called the 'right to erasure' or the 'right to be forgotten'. The right applies in the following circumstances:

• We no longer need your data
• You originally provided consent and have now withdrawn consent
• You have objected to the use of your data and your interests outweigh ours
• We have collected your data unlawfully
• We have a legal obligation to erase your data

Please be aware that we are unlikely to delete financial transactional data, core membership data, declarations you have made to us or any conduct related information that is being retained in the public interest. 

If you would like to exercise your above right, please contact our Data Protection Lead at dpl@bacp.co.uk.

7. Disclosure of personal information

In many circumstances we will not disclose personal data without consent, but there are circumstances where we might do so. The list below provides some scenarios in which we may disclose personal data. Please be aware that this is not a complete list but serves as an example.

• When we investigate a complaint, we'll need to share personal information with the individuals or organisations involved.
• We may share data with other regulatory bodies or associations that you are a member of.
• During our applications process, or any assessments we undertake, we collect personal data about individuals. If we are concerned about unsafe practice, we may share that data internally within BACP so appropriate action can be taken.
• We will share personal data with external legal professionals if we need legal advice.
• We may share personal data with law enforcement agencies or government departments where appropriate.

We will only share information that we consider to be necessary and proportionate.

8. Data security

We recognise that the information you provide may be sensitive and we will respect your privacy. We keep information about you confidential. This means we store it securely and control who has access to it. We sometimes share personal data with third parties where we have contracted them to carry out specific tasks for us. In such cases we carefully select which partners we work with. We take great care to ensure that we have a contract with the third party that states what they are allowed to do with the data we share with them. We ensure that they do not use your information in any way other than the task for which they have been contracted.

We will only share personal data with other organisations where we are satisfied that the other organisation is entitled to receive it and will keep your information secure.

We're committed to holding all personal data within BACP on secure systems. We keep any paper-based personal data in locked cabinets to which only appropriate staff have access. We're working to reduce the amount of paper-based information we hold as it is easier to secure data if it is only held electronically. The majority of personal data is held electronically on our CRM system that is hosted by Microsoft.   

We use third party processors to provide email monitoring and filtering.

We have invested extensively in ensuring our information systems are secure and that our staff are suitably trained. We have recently achieved the UK Government's Cyber Essentials standard.

Members can find more information about how GDPR affects their practice in our FAQs about GDPR.