Privacy notice

1. Introduction

Your privacy is a top priority. We're committed to always being a good custodian of your personal information, handling it in a responsible manner, and securing it with industry standard administrative, technical and physical safeguards.

We follow two guiding principles when it comes to your privacy:

• transparency - we work hard to be transparent about what personal information we collect and process
• simplicity - we try to use easy-to-understand language to describe our privacy practices to help you make informed choices

About us

The British Association for Counselling and Psychotherapy (BACP) is registered as a data controller with the Information Commissioner's Office (ICO) (ICO registered number Z7078162).

It is also a company registered in England and Wales (company number 02175320), registered address BACP House, 15 St John's Business Park, Lutterworth, Leicestershire LE17 4HB. BACP also incorporates BACP Enterprises Ltd – (company number 01064190) as a legal entity and shares data with it (ICO registered number Z3237939).

BACP is a registered charity (registered charity number 298361).

If you have any queries about this privacy notice or about any aspect of our data management, please contact our Data Protection Lead at dpl@bacp.co.uk.

We'll update this privacy notice regularly to ensure it continues to comply with the latest regulations and best practice. This privacy notice was last amended on 3 Feb 2020.

2. How we use your information

a) Storage and management of personal information

Our principal data management system is a Microsoft Dynamics CRM system which is maintained and developed by a third party processor. This system enables us to efficiently store any information about our members, former members and other stakeholders in a way that ensures adequate security and only allows people who have the right level of authority to access personal information. It also simplifies our responsibilities for data retention and subject access requests.

b) Visitors to our website and social media platforms

When someone visits our website we use a third party service, Google Analytics, to collect standard internet log information and details of visitor behaviour patterns. We do this to find out things such as the number of visitors to the various parts of the site. This information is only processed in a way that does not identify anyone. We do not make, and do not allow Google to make, any attempt to find out the identities of those visiting our website.

We use Google Analytics so that we can continually improve our service to you - read the Google Analytics privacy notice.

We use Umbraco as the content management system for our website - find out about Umbraco and data protection.

Like most websites we use cookies to help the site work more efficiently - find out about our use of cookies.

If you fill in a form on our website, that data will be temporarily stored on the web host before being sent to us.

Where we provide links to websites of other organisations, this privacy notice does not cover how that organisation processes personal information. We encourage you to read the privacy notices on the other websites you visit.

Non-members can sign up to the website in order to order journals or to book onto events. When doing this you will be asked for your name, email address and date of birth.

BACP has a presence on various social media platforms. If you engage with us via these platforms we will not usually collect or store your personal data. Where we are collecting personal data for future use, we will let you know and provide you with details about the intended use. We have a presence on Facebook, LinkedIn and Twitter. To find out how these companies use your data and how you can control the way they use your data please refer to their privacy policies, which should be available on their websites.

c) Members and former members (routine processing)

The main legal bases we use for processing members' and former members' personal information is a combination of contract and legitimate interest.

We carefully safeguard the information we hold about members. This information comes from the way members engage with us, information provided through application and booking forms, renewals forms or details completed in members' online profiles.

The information may also come from members' interactions with us, for example, opinions you provide on our website, comments or communication through our groups on social media, data you provide to us when completing forms.

What the information is used for

We collect this information to provide our services to members and to inform our development of new and improved products to continue to meet our members' needs.

We also use member information for identity verification and to comply with regulatory functions. Usually, when members call us, we need to identify them depending on the nature of the enquiry. We may do this by asking for certain information known only to you.

Specifically, we may use member information to:

• carry out regulatory checks and meet our obligations to the Professional Standards Authority
• develop and improve our services through assessment and analysis of the information, market and product analysis and market research
• improve the relevance of messages we may send you
• personalise our website for you
• protect our systems

We may also monitor or record any communications with members including telephone calls. We'll use these recordings to check your instructions to us, to analyse, assess and improve our services and for training and quality purposes.

We send messages by post, telephone, text, email or other digital methods. These messages may be:

• to help you manage your membership
• to meet our obligations, for example visits by our own regulators
• statements regarding standards of practice, such as gay reparative therapy
• to keep you informed about the features and benefits of the products and services available to you that may be of professional interest

We will keep records of purchases for financial audit reasons for six years, We'll also keep records of qualifications, complaints and adjudications for six years. The basic records of a member's name and membership period will be kept indefinitely in case ex-members wish to re-join.

We will not pass on your information to a third party to use in their own direct marketing without your consent.

Sharing your information

During your contact with us, we'll tell you how your information will be used and that it may be necessary to share it with other services and organisations.

We will not share your information with any third parties unless:

• you have consented to this (for example by providing information to us after we've told you that we will supply the information to a third party)
• it is required for the management of your membership or a legitimate business purpose
• it is as part of our duty to protect a child, a vulnerable adult, yourself or the public
• for the prevention and detection of a crime or the assessment of any tax or duty
• we are required to do so by any court or law or any relevant regulatory authority
• to protect the rights, property or safety of BACP or any third parties (for example for the purposes of fraud protection)
• we transfer our rights and duties to provide products and services to another organisation

By being a member of BACP and using our products and services, you grant us permission to process personal data which you have provided to us.

One significant role of BACP is to promote the membership and qualifications of our members to the public. As a professional body, we will also verify the membership status of an individual when we receive a query from a third party. To this end we publish a member directory on our website and we will answer telephone queries from the public. We will give callers the following information about members:

• whether someone is currently a member;
• the date they became a member;
• the expiry or expected renewal date of their membership;
• current membership category;
• whether the member is Registered or not;
• the criteria the member has demonstrated in order to achieve their level of membership; and/or
• any of the above information for dates in the past.

The purchase of some of our services requires that we publish your details in the public domain, such as in printed materials or on our website, for example therapist directory, networks or events. This information may be used by other members or third parties to contact you but is outside our control. When you purchase these services, you may have the right to opt out from some information being published.

When you make a payment to us, we use a third party processor to manage the process and the direct debit payments.

We use TestReach to provide and invigilate member exams - see the TestReach privacy notice.

We use Think Publishing to handle membership publishing for us – see the Think privacy notice. We manage subscriptions to our publications using a third party service

When people make complaints against our members, we hold data relating to the complainant as well as details of the complaint and witnesses or interested parties. We share information with panel members and external clerks who all sign data processor agreements with us. All data relating to this process is kept securely.

Sharing conduct related information

Together with 17 other organisations running accredited registers, we've signed up to an information sharing protocol. We've all agreed to inform each other about, and to take into account, decisions made through the other organisations' professional conduct proceedings which have resulted in an individual being removed from a register.

Member certificate of proficiency (COP)

We use a third party to help us manage our assessments (TestReach - see their privacy policy here). TestReach provide BACP with the assessment platform and also invigilate. As part of the assessment process, BACP collects equality and diversity data, assessment results, contact details and special requirements. Identifiable information, including equality and diversity data, contact details and special requirements are kept until the assessment process is complete or a booking is cancelled.

Please note that results (pass or fail) are kept as part of a members record.

Accreditation of services and courses

We award accreditation to therapeutic counselling and psychotherapy services that meet our quality standards. We're also the leading body for the accreditation of training courses in counselling and psychotherapy.

We use assessors and moderators to run these services and we ensure we have data processing agreements with them.

Information is retained for the five year accreditation term and for a further three years following a lapse of accreditation.

Member audit

Member audit is managed internally with data stored on our Customer Relationship Management (CRM) system and on spreadsheets. We receive hard copy and electronic submissions. Audit data is stored securely. A record of the audit result will be kept on CRM, information submitted as part of the audit process will be disposed of when a result has been achieved.

d) Members of the public who make enquiries or complaints

We do not usually record or process any data from members of the public who ring us with general enquiries. If a query does require us to take personal data we will explain this at the time. We do not record phone calls.

We retain emailed queries from the general public for a maximum of one year. If a member of the general public contacts us to make a complaint about a member we will need to record personal data (and often sensitive personal data) in order to investigate the complaint. We may also need to share this information with various third parties. We will explain this process in detail when we collect the information.

e) Members and non-members who attend our events

If you apply to attend a BACP event we will hold the information we need in order to deliver this event. Our legal basis for holding your data will be a combination of contract and legitimate interest.

Event information is stored on our Customer Relationship Management (CRM) system, while video and still images are stored elsewhere on our servers. We keep information about presenters and actors for 25 years. Information about exhibitors and sponsors is kept for up to five years. Evaluation forms can be anonymous, if you supply your name this will not be used after two years.

Names and job titles of delegates are shared with Delekit who provide electronic badges. A copy of their privacy notice can be found here. We also share details of delegates with hearing impairment with an interpreter if requested.

Photography and filming

If you attend an event or take part in a promotional activity, we may ask to take your photograph or film you. Any images we hold, whether in still photographs or video, may be covered by the definition of personal data in the GDPR. We will need your consent in order to take and use these images fairly and lawfully. We will ask you to complete a form.

Filming

We may record events for use in an online video library, publicity and marketing materials, including use on our website. This filming will primarily focus on the speakers (with whom we always have contracts covering data protection), however, it may include some shots of the audience. By attending these events you are deemed to have consented to your inclusion in these recordings. If you don't want to be included in any recording it is your responsibility to tell the cameraman at the event before filming starts. There should be signs at the event telling you about the filming and what to do if you don't wish to be filmed.

We use various third parties to help us produce and distribute video and images. We always have GDPR compliant contracts with these processors. The main suppliers we use are Silverstream (SSTV); McGowan Transcription; and Push Record. You can access their privacy notices by following the links. We use freelance professionals where required (e.g. camera operators); we ensure that appropriate agreements are in place with them.

We use third party processors to help us deliver successful events. We use a wide range of venues, mostly hotels, around the UK to host events. We ensure that we have appropriate data protection agreements with them.

f) Members and non-members that take part in our campaigning work

Whenever you take part in one of our campaigns (e.g. signing up to petitions, sending MP letters etc.), you will provide us with some personal data. At the point your data is collected, we will tell you how your data will be used. The campaigns are optional and you can ask for your data to be deleted by emailing PublicAffairs@BACP.co.uk. To manage our campaigns we use Engaging Networks, whose privacy notice can be seen here.

g) Contributors to our academic journals

We use Steers McGillan Eves to design our journals – see Steers privacy notice.

Our divisional editors have signed an addendum to their contracts of service, in which they agree to adhere to BACP's data protection policy. Additionally, they have signed a BACP adequate security document detailing good working practice when handling BACP data.

Contributors to our journals agree to follow our author guidelines, which provide contributors with information on how their data will be used, and for how long. The guidelines, which can be found at https://www.bacp.co.uk/bacp-journals/author-guidelines/, include a link to this privacy notice.

We have data protection related contracts in place with third parties where required.

h) Job applicants, current and former staff

We will only use any information you provide during the recruitment process for the purpose of progressing your application, or to fulfil legal or regulatory requirements if necessary.

We will not share any information you provide during the process with any third parties for marketing purposes. The information you provide will be held securely by us or our data processors, whether the information is in electronic or physical format.

We may use third parties to help us find the right candidates. This includes Indeed, Totaljobs and Caraires.

We will use the contact details you provide to contact you to progress your application. We will use the other information you provide to assess your suitability for the role you've applied for. You don't have to provide what we ask for, but it might affect your application if you don't.

We do not collect more information than we need to fulfil our stated purposes and will not retain it for longer than is necessary (this is currently a 6-month period for unsuccessful candidates).

If we make a conditional offer of employment, we'll ask you for information so that we can carry out pre-employment checks. You must successfully complete pre-employment checks to progress to a final offer. We are required to confirm the identity of our staff and their right to work in the UK, and to seek assurance as to their trustworthiness, integrity and reliability. Refer to the governments guidance on right to work checks here.

Therefore, you must provide:

• proof of your identity – we'll ask you for original documents and will take copies
• proof of your qualifications – we may ask you for original documents and will take copies

We will contact your referees, using the details you provide in your application, directly to obtain references.

If we make a final offer, we'll also ask you for the following:

• bank details – to process salary payments
• emergency contact details – so we know who to contact if you have an emergency at work

If you accept a final offer from us, some of your personnel records will be held on our internal HR records system.

During your employment we may need to share your information with third party processors who provide elements of our ongoing employment service, that is employment law advice, occupational health advice, payroll and pensions processing and other employee benefits such as health and wellbeing services. We have contracts in place with all of our third party processors. This means we have restricted what they can use your information for and who they can share it with. They hold it securely and retain it for the period we instruct.

If you are employed by us relevant details about you will be provided to JPM Group who administers our pension scheme. You will be auto-enrolled into the pension and the details provided to JPM will be your name, date of birth, National Insurance number and salary.

We use LifeWorks to provide an Employee Assistance Programme (EAP) This service is provided initially via a telephone service. We only share your name and date of birth with them for the purpose of your security.

We provide a full Occupational Health service to all staff via Sugarman Occupational Health Services, we will provide only relevant details regarding you and your employment to Sugarman as may be deemed necessary.

We use Busy Bees Benefits to provide staff with a range of employee benefits such as Child care vouchers, Cycle to Work scheme, Salary Sacrifice car leasing. We only share your name and date of birth with Busy Bees.

During your employment, we may need to seek employment law advice and we use Stone King for this service. We will share with Stone King only the relevant details about you and your employment at BACP to allow for the required full legal guidance/advice to be given.

The main 3rd parties are:

• Aegon - see the Aegon privacy policy
• Busy Bees - see the Busy Bees privacy policy
• JPM - see the JPM privacy policy
• LifeWorks - see the LifeWorks privacy policy
• Stone King - see the Stone King privacy policy
• Sugarman - see the Sugarman privacy policy
• Indeed - see the Indeed privacy policy
• Totaljobs - see the Totaljobs privacy policy
• Caraires Recruitment – read Caraires privacy notice

The information you provide will be retained as part of your employee file for the duration of your employment and for six years afterwards. Please be aware that some information may be kept for longer if there is a legal reason to do so.

We use an online text service run by TextAnywhere. We use the service to send text alerts to BACP employee mobile phones. Responses can be sent and received using the service. This service will be used to communicate with staff to keep the business running in certain circumstances (e.g. in response to severe weather conditions).

Volunteers

On occasion we use Reach Volunteering to manage volunteer recruitment – see their privacy notice here. 

Volunteers carry out various roles at BACP, such as being a trustee, serving on an executive committee, writing for our journals, reviewing our publications, participating in our campaigns and/or projects or acting as an expert point of contact. We collect only information that we need for volunteers. Information is retained for the duration of their volunteering and only retained for longer if we have a legitimate reason to do so.

We do not collect more information than we need to fulfil our stated purposes and will not retain it for longer than is necessary. We will use the contact details you provide as a Volunteer to contact you during your association with us. We will use the other information you provide to assess your suitability for the role you've applied for, including a declaration of interests.

All BACP volunteers are made aware of their data protection responsibilities and sign up to our volunteer data protection guidelines before handling any personal data.

We also use volunteers as media spokespeople. We maintain lists of these volunteers for as long as they agree to speak to media outlets on our behalf.

i) People who visit our premises

We have closed circuit TV at our offices. This is a purely internal system that is used to help maintain personal safety and security. Video recordings are kept securely on-site and only shared with police when they are needed to investigate a crime. Only staff who have appropriate authority are allowed access to the recordings. The recordings are kept for thirty days.

We record the name of all visitors to our offices for fire safety reasons. The information is disposed of at the end of each working week.

j) Members of our regional networks

We have regional groups that are co-ordinated by fellow members on a voluntary basis. The co-ordinators maintain spreadsheets of details of members who are in their regions. They use these to keep members informed of local events and to help members network with each other. All regional co-ordinators sign third party processor agreements with us clearly laying down their responsibilities with regard to members' personal data.

k) People who take part in our surveys and consultations

The majority of our surveys are managed by BACP employees using software called ‘Questback’. We also use mi-voice to conduct governance matters, such as BACP committee votes.

On occasion we may use third parties to carry out research on our behalf. If we do this we will carry out checks on the third parties and have appropriate contracts in place.

Some surveys will be anonymous and some will be identifiable (we will know who has completed them), this should be made clear within each survey.

Personal data collected via surveys will be kept for as long as it is needed for the reasons stated when it is collected.

l) People who engage with research and awards

We run many awards programmes, including: funded PhD Studentships; BACP Outstanding Research award; BACP New Researcher awards; and some awarded jointly with partner organisations. Our partners include the Counselling and Psychotherapy Central Awarding Body (CPCAB) (see the CPCAB privacy notice) and PCCS Books (see the PCCS privacy notice).

If a member takes part in our AdaPT project (a pilot for 'Pragmatic Tracker' - an online client management system) their details will be passed to Manyother Ltd, the supplier of the system. Their privacy notice can be found here. Personal data will be retained until the end of the pilot (in 2020).

We do not collect more information than we need to evaluate and process applications, and we will not retain it for longer than is necessary (this is currently a 6-month period for unsuccessful applicants). Successful applicant data is kept for 12 months or for the duration of the award if longer.

m) BACP products and services

You may use products or services provided by BACP (some are paid for and some are free). This includes, but is not limited to, our Therapist Directory and the jobs board. In order to provide you with these products and services it will be necessary to process a certain amount of personal data about you (for example, the details to be included in the therapist directory and your payment details).

3. Audit and regulatory requirements

We may share any data about our operations with:

• our auditors, RSM - see RSM privacy policies
• HMRC - see the HMRC personal information charter
• the Charity Commission - see the Charity Commission personal information charter
• the Information Commissioner's Office - see the ICO privacy notice
• Companies House - see the Companies House personal information charter

and other regulatory bodies, should this be necessary to complete our statutory audit and regulatory requirements.

We use several law firms to provide advice and guidance on a range of topics and we may share personal data with them at times. We ensure that we have appropriate data protection agreements with them.

4. Complaints and queries

We try to meet the highest standards when collecting and using personal information, and we take any complaints about this very seriously. We encourage you to let us know if you think that our collection or use of information is unfair, misleading or inappropriate. We also welcome any suggestions for improving our procedures.

This privacy notice does not provide exhaustive details of all aspects of our collection and use of personal information. However, we're happy to provide any additional information or explanation needed. Please send any requests for this to our Data Protection Lead - DPL@BACP.co.uk.

If you want to make a complaint about the way we've processed your personal information, you can contact the ICO as the statutory body which oversees data protection law - see ICO concerns.

5. Your rights

Under the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA 2018), you have rights as a data subject which you can exercise in relation to the information we hold about you. You can read more about these rights on the ICO's website.

Access to your information

We try to be as open as we can in terms of giving people access to their personal information. You can find out if we hold any personal information about you by making a 'subject access request' under GDPR. If we do hold information about you, we will:

• give you a description of it
• tell you why we are holding it
• tell you who it could be disclosed to
• let you have a copy of the information in an intelligible form

If you agree, we'll try to deal with your request informally, for example by providing you with the specific information you need over the telephone.

Please be aware that we may withhold information from you or provide you with redacted documents in line with exemptions in appropriate legislation.

Records of treatment

If you have received therapy from one of our members and require access to information about your treatment or the treatment someone else has received, you will need to contact the appropriate therapist directly.

Correcting mistakes

You can ask us to correct any mistakes in any factual information we hold about you, such as your address, date of birth, contact details etc.

Erasure

The GDPR also gives you the right to have the data we hold about you deleted in some circumstances. This is called the 'right to erasure' or the 'right to be forgotten'. The right applies in the following circumstances:

• We no longer need your data
• You originally provided consent and have now withdrawn consent
• You have objected to the use of your data and your interests outweigh ours
• We have collected your data unlawfully
• We have a legal obligation to erase your data

Please be aware that we are unlikely to delete financial transactional data, core membership data, declarations you have made to us or any conduct related information that is being retained in the public interest.

Making a request

If you would like to exercise your above rights, please contact our Data Protection Lead at dpl@bacp.co.uk With details of your request.

6. Disclosure of personal information

In many circumstances we will not disclose personal data without consent, but there are circumstances where we might do so. The list below provides some scenarios in which we may disclose personal data. Please be aware that this is not a complete list but serves as an example.

• When we investigate a complaint, we'll need to share personal information with the individuals or organisations involved.
• We may share data with other regulatory bodies or associations that you are a member of.
• During our applications process, or any assessments we undertake, we collect personal data about individuals. If we are concerned about unsafe practice, we may share that data internally within BACP so appropriate action can be taken.
• We will share personal data with external legal professionals if we need legal advice.
• We may share personal data with law enforcement agencies or government departments where appropriate.

We will only share information that we consider to be necessary and proportionate.

7. Data security

We recognise that the information you provide may be sensitive and we will respect your privacy. This means we store it securely and control who has access to it. We sometimes share personal data with third parties where we have contracted them to carry out specific tasks for us. In such cases we carefully select which partners we work with. We take great care to ensure that we have a contract with the third party that states what they are allowed to do with the data we share with them.

We will only share personal data with other organisations where we are satisfied that the other organisation is entitled to receive it. Where relevant, we carry out due diligence checks on other organisations and ensure we have appropriate data protection agreements in place.

We're committed to holding all personal data within BACP on secure systems. We keep any paper-based personal data in locked cabinets to which only appropriate staff have access. We're working to reduce the amount of paper-based information we hold as it is easier to secure data if it is only held electronically. The majority of personal data is held electronically on our CRM system that is hosted by Microsoft.   

We use third party processors to provide email monitoring and filtering.

We have invested extensively in ensuring our information systems are secure and that our staff are suitably trained. We have achieved the UK Government's Cyber Essentials standard.

Members can find more information about how GDPR affects their practice in our FAQs about GDPR.