Privacy notice

1. Introduction

Your privacy is a top priority. We're committed to always being a good custodian of your personal information, handling it in a responsible manner, and securing it with industry standard administrative, technical and physical safeguards.

We follow two guiding principles when it comes to your privacy:

• transparency - we work hard to be transparent about what personal information we collect and process
• simplicity - we try to use easy-to-understand language to describe our privacy practices to help you make informed choices

About us

The British Association for Counselling and Psychotherapy (BACP) is registered as a data controller with the Information Commissioner's Office (ICO) (ICO registered number Z7078162).

It is also a company registered in England and Wales (company number 02175320), registered address BACP House, 15 St John's Business Park, Lutterworth, Leicestershire LE17 4HB. BACP also incorporates BACP Enterprises Ltd (company number 01064190) as a legal entity and shares data with it (ICO registered number Z3237939).

BACP is a registered charity (registered charity number 298361).

If you have any queries about this privacy notice or about any aspect of our data management, please contact our Data Protection Lead at dpl@bacp.co.uk.

We'll update this privacy notice regularly to ensure it continues to comply with the latest regulations and best practice. This privacy notice was last amended on 15 December 2020.

2. How we use your information

a) Storage and management of personal information

Our principal data management system is a Microsoft Dynamics CRM system which is maintained and developed by a third party processor. This system enables us to efficiently store any information about our members, former members and other stakeholders in a way that ensures adequate security and only allows people who have the right level of authority to access personal information. It also simplifies our responsibilities for data retention and subject access requests.

b) Visitors to our website and social media platforms

When someone visits our website we use a third party service, Google Analytics, to collect standard internet log information and details of visitor behaviour patterns. We do this to find out things such as the number of visitors to the various parts of the site. This information is only processed in a way that does not identify anyone. We do not make, and do not allow Google to make, any attempt to find out the identities of those visiting our website.

We use Google Analytics so that we can continually improve our service to you - read the Google Analytics privacy notice.

We use Umbraco as the content management system for our website - find out about Umbraco and data protection.

Like most websites we use cookies to help the site work more efficiently - find out about our use of cookies.

If you fill in a form on our website, that data will be temporarily stored on the web host before being sent to us.

Where we provide links to websites of other organisations, this privacy notice does not cover how that organisation processes personal information. We encourage you to read the privacy notices on the other websites you visit.

Non-members can sign up to the website in order to order journals or to book onto events. When doing this you will be asked for your name, email address and date of birth.

BACP has a presence on various social media platforms. If you engage with us via these platforms we will not usually collect or store your personal data. Where we are collecting personal data for future use, we will let you know and provide you with details about the intended use. We have a presence on Facebook, LinkedIn and Twitter. To find out how these companies use your data and how you can control the way they use your data please refer to their privacy policies, which should be available on their websites.

c) Members and former members (routine processing)

The main legal bases we use for processing members' and former members' personal information is a combination of contract and legitimate interest.

We carefully safeguard the information we hold about members. This information comes from the way members engage with us, information provided through application and booking forms, renewals forms or details completed in members' online profiles.

The information may also come from members' interactions with us, for example, opinions you provide on our website, comments or communication through our groups on social media, data you provide to us when completing forms.

What the information is used for

We collect this information to provide our services to members and to inform our development of new and improved products to continue to meet our members' needs.

We also use member information for identity verification and to comply with regulatory functions. Usually, when members call us, we need to identify them depending on the nature of the enquiry. We may do this by asking for certain information known only to you.

Specifically, we may use member information to:

• carry out regulatory checks and meet our obligations to the Professional Standards Authority
• develop and improve our services through assessment and analysis of the information, market and product analysis and market research
• improve the relevance of messages we may send you
• personalise our website for you
• protect our systems

We may also monitor or record any communications with members including telephone calls. We'll use these recordings to check your instructions to us, to analyse, assess and improve our services and for training and quality purposes.

We send messages by post, telephone, text, email or other digital methods. These messages may be:

• to help you manage your membership
• to meet our obligations, for example visits by our own regulators
• statements regarding standards of practice, such as gay reparative therapy
• to keep you informed about the features and benefits of the products and services available to you that may be of professional interest

We will keep records of purchases for financial audit reasons for six years, We'll also keep records of qualifications, complaints and adjudications for six years. The basic records of a member's name and membership period will be kept indefinitely in case ex-members wish to re-join.

We will not pass on your information to a third party to use in their own direct marketing without your consent.

Sharing your information

During your contact with us, we'll tell you how your information will be used and that it may be necessary to share it with other services and organisations.

We will not share your information with any third parties unless:

• you have consented to this (for example by providing information to us after we've told you that we will supply the information to a third party)
• it is required for the management of your membership or a legitimate business purpose
• it is as part of our duty to protect a child, a vulnerable adult, yourself or the public
• for the prevention and detection of a crime or the assessment of any tax or duty
• we are required to do so by any court or law or any relevant regulatory authority
• to protect the rights, property or safety of BACP or any third parties (for example for the purposes of fraud protection)
• we transfer our rights and duties to provide products and services to another organisation

By being a member of BACP and using our products and services, you grant us permission to process personal data which you have provided to us.

One significant role of BACP is to promote the membership and qualifications of our members to the public. As a professional body, we will also verify the membership status of an individual when we receive a query from a third party. To this end we publish a member directory on our website and we will answer telephone queries from the public. We will give callers the following information about members:

• whether someone is currently a member
• the date they became a member
• the expiry or expected renewal date of their membership
• current membership category
• whether the member is registered or not
• the criteria the member has demonstrated in order to achieve their level of membership 
• any of the above information for dates in the past

The purchase of some of our services requires that we publish your details in the public domain, such as in printed materials or on our website, for example therapist directory, networks or events. This information may be used by other members or third parties to contact you but is outside our control. When you purchase these services, you may have the right to opt out from some information being published.

When you make a payment to us, we use a third party processor to manage the process and the direct debit payments.

We use TestReach to provide and invigilate member exams - see the TestReach privacy notice.

We use Think Publishing to handle membership publishing for us – see the Think privacy notice. We manage subscriptions to our publications using a third party service

When people make complaints against our members, we hold data relating to the complainant as well as details of the complaint and witnesses or interested parties. We share information with panel members and external clerks who all sign data processor agreements with us. All data relating to this process is kept securely.

Sharing conduct related information

Together with 17 other organisations running accredited registers, we've signed up to an information sharing protocol. We've all agreed to inform each other about, and to take into account, decisions made through the other organisations' professional conduct proceedings which have resulted in an individual being removed from a register.

Member certificate of proficiency (COP)

We use a third party to help us manage our assessments (TestReach - see the TestReach privacy notice). TestReach provides BACP with the assessment platform and also invigilates. As part of the assessment process, BACP collects equality and diversity data, assessment results, contact details and special requirements. Identifiable information, including equality and diversity data, contact details and special requirements are kept until the assessment process is complete or a booking is cancelled.

Please note that results (pass or fail) are kept as part of a member's record.

Accreditation of services and courses

We award accreditation to therapeutic counselling and psychotherapy services that meet our quality standards. We're also the leading body for the accreditation of training courses in counselling and psychotherapy.

We use assessors and moderators to run these services and we ensure we have data processing agreements with them.

Information is retained for the five year accreditation term and for a further three years following a lapse of accreditation.

Member audit

Member audit is managed internally with data stored on our Customer Relationship Management (CRM) system, the Learning Centre and on spreadsheets. We receive hard copy and electronic submissions. Audit data is stored securely. A record of the audit result will be kept on CRM, We'll hold your personal information only for as long as is necessary for the audit and any follow-up process’

d) Members of the public who make enquiries or complaints

We may record or process data from members of the public who ring us with general enquiries, please refer the section below about phone calls.

We retain general queries via email from the general public for a maximum of one year.

If a member of the general public contacts us to make a complaint about a member or about BACP, we will need to record personal data (and often sensitive personal data) in order to investigate the complaint. We may also need to share this information with various third parties (e.g. parties engaged by BACP to assist with the complaint). This information will be held for 6 years to defend against any potential legal claims.

e) Members and non-members who attend our events

If you apply to attend a BACP event we will hold the information we need in order to deliver this event. Our legal basis for holding your data will be a combination of contract and legitimate interest.

Event information is stored on our Customer Relationship Management (CRM) system, while video and still images are stored elsewhere on our servers. We keep information about presenters and actors for 25 years. Information about exhibitors and sponsors is kept for up to five years. Evaluation forms can be anonymous, if you supply your name this will not be used after two years.

Names and job titles of delegates are shared with Delekit who provide electronic badges - see the Delekit privacy notice. We also share details of delegates with hearing impairment with an interpreter if requested.

Photography and filming

If you attend an event or take part in a promotional activity, we may ask to take your photograph or film you. Any images we hold, whether in still photographs or video, may be covered by the definition of personal data in the GDPR. We will need your consent in order to take and use these images fairly and lawfully. We will ask you to complete a form.

Filming

We may record events for use in an online video library, publicity and marketing materials, including use on our website. This filming will primarily focus on the speakers (with whom we always have contracts covering data protection), however, it may include some shots of the audience. By attending these events you are deemed to have consented to your inclusion in these recordings. If you don't want to be included in any recording it is your responsibility to tell the cameraman at the event before filming starts. There should be signs at the event telling you about the filming and what to do if you don't wish to be filmed.

We use various third parties to help us produce and distribute video and images. We always have GDPR compliant contracts with these processors. The main suppliers we use are Silverstream (SSTV); McGowan Transcription; and Push Record. You can access their privacy notices by following the links. We use freelance professionals where required (e.g. camera operators); we ensure that appropriate agreements are in place with them.

We use third party processors to help us deliver successful events. We use a wide range of venues, mostly hotels, around the UK to host events. We ensure that we have appropriate data protection agreements with them.

f) Members and non-members that take part in our campaigning work

Whenever you take part in one of our campaigns (e.g. signing up to petitions, sending MP letters etc.), you will provide us with some personal data. At the point your data is collected, we will tell you how your data will be used. The campaigns are optional and you can ask for your data to be deleted by emailing publicaffairs@bacp.co.uk. To manage our campaigns we use Engaging Networks - see the Engaging Networks privacy notice.

g) Contributors to our academic journals

We use Steers McGillan Eves to design our journals – see Steers privacy notice.

Contributors to our journals agree to follow our author guidelines, which provide contributors with information on how their data will be used, and for how long. The guidelines include a link to this privacy notice.

We have data protection related contracts in place with third parties where required.

Divisional journals

BACP’s quarterly divisional journals provide sector-specific content for members of BACP’s seven divisions and for online subscribers. BACP’s divisional editors (and occasionally the divisional journals’ managing editor) need to be in touch with journal contributors to liaise about editing of their articles, and to ensure that due diligence is done in respect of consents, permissions and client confidentiality, as required by our journal contributor guidelines. This is the main purpose of the processing of journal contributors’ data, and is normally done by email exchange.

With respect to client data, our author guidelines explain to contributors the instances where they need to confirm with BACP that they have obtained consents from clients or others; for example, if a client is discussed in a case study. Where consents are required to be seen by BACP prior to publication, our guidelines explain how this should be done securely to protect client data.

The legal basis for processing this personal data is covered by the Legitimate Interests condition – please see further details in the Divisional Journals Legitimate Interest Assessment (pdf). Contributors’ email correspondence with us will be restricted to authorised individuals and only processed if there is a legal basis to do so. We retain contributors’ email correspondence for five years. Any client or other consents provided by contributors are deleted immediately, once they have been seen.

So that divisional members can be mailed out a copy of the journal they subscribe to, we send their names and addresses (mailing data) via secure portal to our journal designers for onward transmission to our printer prior to each publication.    

Up to the point of printing, we can remove content from a print journal, at the request of a contributor, or of someone whose data is included in an article, or if BACP as publisher wishes to do so. After printing, we are unable to remove content in print journals. However, we may, at BACP’s discretion, be able to remove content online. Requests for removal should be made initially to the respective divisional journal editor, whose contact details are published on BACP’s website. In our author guidelines, we communicate to contributors that we will not publish their emails in our divisional journals, unless they ask the journal editor to publish them.

h) Job applicants, current and former staff

We will only use any information you provide during the recruitment process for the purpose of progressing your application, or to fulfil legal or regulatory requirements if necessary.

We will not share any information you provide during the process with any third parties for marketing purposes. The information you provide will be held securely by us or our data processors, whether the information is in electronic or physical format.

We may use third parties to help us find the right candidates. This includes Indeed, Totaljobs and Caraires.

We will use the contact details you provide to contact you to progress your application. We will use the other information you provide to assess your suitability for the role you've applied for. You don't have to provide what we ask for, but it might affect your application if you don't.

We do not collect more information than we need to fulfil our stated purposes and will not retain it for longer than is necessary (this is currently a six month period for unsuccessful candidates).

If we make a conditional offer of employment, we'll ask you for information so that we can carry out pre-employment checks. You must successfully complete pre-employment checks to progress to a final offer. We are required to confirm the identity of our staff and their right to work in the UK, and to seek assurance as to their trustworthiness, integrity and reliability. Refer to the government's guidance on right to work checks.

Therefore, you must provide:

• proof of your identity – we'll ask you for original documents and will take copies
• proof of your qualifications – we may ask you for original documents and will take copies

We will contact your referees, using the details you provide in your application, directly to obtain references.

If we make a final offer, we'll also ask you for the following:

• bank details – to process salary payments
• emergency contact details – so we know who to contact if you have an emergency at work

If you accept a final offer from us, some of your personnel records will be held on our internal HR records system.

During your employment we may need to share your information with third party processors who provide elements of our ongoing employment service, that is employment law advice, occupational health advice, payroll and pensions processing and other employee benefits such as health and wellbeing services. We have contracts in place with all of our third party processors. This means we have restricted what they can use your information for and who they can share it with. They hold it securely and retain it for the period we instruct.

If you are employed by us relevant details about you will be provided to JPM Group who administers our pension scheme. You will be auto-enrolled into the pension and the details provided to JPM will be your name, date of birth, National Insurance number and salary.

We use LifeWorks to provide an Employee Assistance Programme (EAP) This service is provided initially via a telephone service. We only share your name and date of birth with them for the purpose of your security.

We provide a full Occupational Health service to all staff via Sugarman Occupational Health Services, we will provide only relevant details regarding you and your employment to Sugarman as may be deemed necessary.

We use Busy Bees Benefits to provide staff with a range of employee benefits such as Child care vouchers, Cycle to Work scheme, Salary Sacrifice car leasing. We only share your name and date of birth with Busy Bees.

During your employment, we may need to seek employment law advice and we use Stone King for this service. We will share with Stone King only the relevant details about you and your employment at BACP to allow for the required full legal guidance/advice to be given.

The main third parties are:

• Aegon - see the Aegon privacy policy
• Busy Bees - see the Busy Bees privacy policy
• JPM - see the JPM privacy policy
• LifeWorks - see the LifeWorks privacy policy
• Stone King - see the Stone King privacy policy
• Sugarman - see the Sugarman privacy policy
• Indeed - see the Indeed privacy policy
• Totaljobs - see the Totaljobs privacy policy
• Caraires Recruitment – read Caraires privacy notice

The information you provide will be retained as part of your employee file for the duration of your employment and for six years afterwards. Please be aware that some information may be kept for longer if there is a legal reason to do so.

We use an online text service run by TextAnywhere. We use the service to send text alerts to BACP employee mobile phones. Responses can be sent and received using the service. This service will be used to communicate with staff to keep the business running in certain circumstances (e.g. in response to severe weather conditions).

Volunteers

On occasion we use Reach Volunteering to manage volunteer recruitment – see the Reach Volunteering privacy notice. 

Volunteers carry out various roles at BACP, such as being a trustee, serving on an executive committee, writing for our journals, reviewing our publications, participating in our campaigns and projects or acting as an expert point of contact. We collect only information that we need for volunteers. Information is retained for the duration of their volunteering and only retained for longer if we have a legitimate reason to do so.

We do not collect more information than we need to fulfil our stated purposes and will not retain it for longer than is necessary. We will use the contact details you provide as a volunteer to contact you during your association with us. We will use the other information you provide to assess your suitability for the role you've applied for, including a declaration of interests.

All BACP volunteers are made aware of their data protection responsibilities and sign up to our volunteer data protection guidelines before handling any personal data.

We also use volunteers as media spokespeople. We maintain lists of these volunteers for as long as they agree to speak to media outlets on our behalf.

i) People who visit our premises

We have closed circuit TV at our offices. This is a purely internal system that is used to help maintain personal safety and security. Video recordings are kept securely on-site and only shared with police when they are needed to investigate a crime. Only staff who have appropriate authority are allowed access to the recordings. The recordings are kept for thirty days.

We record the name of all visitors to our offices for fire safety reasons. The information is disposed of at the end of each working week.

j) Members of our regional networks

We have regional groups that are co-ordinated by fellow members on a voluntary basis. The co-ordinators maintain spreadsheets of details of members who are in their regions. They use these to keep members informed of local events and to help members network with each other. All regional co-ordinators sign third party processor agreements with us clearly laying down their responsibilities with regard to members' personal data.

k) People who take part in our surveys and consultations

The majority of our surveys are managed by BACP employees using software called ‘Questback’. We also use mi-voice to conduct governance matters, such as BACP committee votes.

On occasion we may use third parties to carry out research on our behalf. If we do this we will carry out checks on the third parties and have appropriate contracts in place.

Some surveys will be anonymous and some will be identifiable (we will know who has completed them), this should be made clear within each survey.

Personal data collected via surveys will be kept for as long as it is needed for the reasons stated when it is collected.

l) People who engage with research and awards

We run many awards programmes, including funded PhD Studentships, BACP Outstanding Research award, BACP New Researcher awards and some awarded jointly with partner organisations. Our partners include the Counselling and Psychotherapy Central Awarding Body (CPCAB) (see the CPCAB privacy notice) and PCCS Books (see the PCCS privacy notice).

We do not collect more information than we need to evaluate and process applications, and we will not retain it for longer than is necessary (this is currently a six month period for unsuccessful applicants). Successful applicant data is kept for 12 months or for the duration of the award if longer.

If a member takes part in our AdaPT project (a pilot for 'Pragmatic Tracker' - an online client management system) their details will be passed to Manyother Ltd, the supplier of the system - see the Manyother privacy notice. We will also receive some data from Manyother relating to your usage of the system so that we can maintain our records and regularly review whether you want to continue being involved. Personal data will be retained until the end of the project (currently funded until the end of February 2022) or until you inform us that you’re withdrawing from the project. If you withdraw from the project we will contact you to ensure that you have exported any client data held in the system before formally instructing Manyother Ltd to delete your data.

m) BACP products and services

You may use products or services provided by BACP (some are paid for and some are free). This includes, but is not limited to, our therapist directory and the jobs board. In order to provide you with these products and services it will be necessary to process a certain amount of personal data about you (for example, the details to be included in the therapist directory and your payment details).

n) Get help with counselling concerns (previously known as the Ask Kathleen Service)

Our Get help with counselling concerns service, run by BACP staff members, provides confidential guidance and information on what to do if you have any concerns about your therapy or your therapist. You can choose to use the service anonymously.

If you do provide identifiable data when using the service (because you want to receive ongoing support), BACP will only retain your personal data, it does not keep any identifiable information relating to third parties that you may discuss when using the service (for example details of the therapist or family members that may be affected). Please be aware that this may be different for other services provided by BACP. The legal basis for processing your personal data in this way is covered by the legitimate interest condition (please see further details in the Legitimate Interest Assessment (pdf)).

BACP will also retain identifiable data and details of the support provided to you, this will allow BACP to defend itself should someone complain about the guidance provided by the Get help with counselling concerns service (the legal basis for retaining this information is defence against potential legal claims). Please be aware that you will not be able to ask for your personal data to be erased as it will be kept for this purpose – for details regarding your other rights, please see section 5 of this privacy notice.

Access to the information will be restricted to authorised individuals and only processed if there is a legal basis to do so. In normal circumstances, your data will only be seen by the Get help with counselling concerns team but please be aware that it will be processed where there is a legal obligation to do so (for example in the event of receiving a court order) or if there is a legal basis to do so and we feel it is appropriate (for example when defending against a legal claim).

The data you provide will be retained for three years after collection unless there is a good reason to keep it for longer (for example it is being used to defend against a legal claim)

o) BACP telephone systems

We record calls made to our customer services team for training purposes and performance monitoring. If you object to call recording, you will need to end the call when you are told that calls are recorded. Alternative methods of communication are available - see Contact us.

Should a call include Special Category Data (such as information relating to your health), the recording will be manually paused as we do not need to record this data. Should any Special Category Data be recorded in error, this will be deleted.

Recorded calls may be shared with other managers within BACP on request. If appropriate, a link to the call will be provided; however, access will not be given to the call recording system or any other calls in the database.

There may be times when calls are not recorded, this may happen if:

• there is a technical fault with the telephone system
• your call is transferred internally to another member of BACP (calls to staff outside the customer services team are not recorded)
• a customer services officer manually pauses a call

We will also not record a full call when payment card information (PCI) is disclosed. When making a payment, the recording will automatically pause before you provide any card details. Recording will resume once payment has been completed.

We do not plan to record special category data (such as details about your health) and our legal basis for processing your personal data is reliant on the legitimate interest condition (please see the call recording Legitimate Interest Assessment (docx) for further details).

Our telephone system provider is 8x8 - see 8x8 privacy policy

Call recordings will be retained for 40 days before being deleted. During this time, should a request be made to access this data, then an unredacted copy of the call(s) will be provided via a unique link. Should such a request be made outside of the 40-day period, we will be unable to provide a copy of the recording in question.

In some circumstances a call may be used as part of a complaint or another matter (for example defence against legal claims). If this is the case, the recording will be retained for as long as it is needed to fulfil that purpose.

The telephone system integrates with our Customer Relationship Management system using your telephone number. If our system recognises your phone number, the customer service agent will be presented with a screen containing your membership records before the call is answered.

Our speech analytics system will also automate reporting to provide information on call types and / or customer sentiment during a call - we will use this data to help improve our service.

Please refer to section 5 of this privacy notice to see details about your rights.

Recordings will be used to monitor the quality of service provided by individuals within the customer services team. Calls will automatically be scored by the recording system based on criteria set by the Customer Services Manager or Supervisor. Recordings may be used as evidence in addressing capability issues should repeat training fail to improve the level of service provided.

p) Bulk emails

​We use a third-party (Click Dimensions) to send service emails (those that relate directly to service provision such as membership administration) and emails about our products and services to our members and other customers. Click Dimensions is based in the US and will have access to the information used to process these emails, including email addresses and the content of emails. We have Standard Contractual Clauses (SCCs) in place to protect the data, please refer to the Click Dimensions SCCs (pdf).

Click Dimensions automatically includes unique tracking pixels in these emails, which log when the email has been opened. This information can be tracked to individual members but it is used primarily to assess the effectiveness of email campaigns rather than to target specific individuals. We have processes in place to help ensure the data is not used for other purposes. The tracking data is retained for six months, after which it is destroyed.

We're unable to offer an opt-out option for service emails at present due to limitations within the system; however, we are working closely with Click Dimensions to provide this functionality. You can ask us to stop sending non-service emails to you (i.e. those that are about opportunities relating our products and services) by emailing our communications team at membercomms@bacp.co.uk. You can also unsubscribe from receiving these types of email by clicking on the unsubscribe option at the bottom of non-service emails sent by BACP.

Please refer to section 5 of this privacy notice to see further details with regard to your other rights.​

q) Learning Centre

This is a system to provide members with an online tool for planning, undertaking and recording CPD activities.

BACP will analyse the system to find out what type of CPD activities are being undertaken and how frequently. This information will be used to identify any additional materials that might be useful to our members.

BACP will provide users with recommendations, through the ‘My learning’ area, as to the content they may be interested in. This is based on information such as the membership type. For example, a student member may receive recommendations relating to student based material.

If a registered member is selected for audit then they are able to submit their CPD record directly from the LMS instead of sending completed Word templates to us. They do this by clicking on ‘Submit for review’ - it is only once this confirmation has taken place that the BACP audit team will access the personal CPD record of a member.

Personal data about the member

The legal basis for processing this personal data is covered by the legitimate interests condition - please see further details in the Learning Centre Legitimate Interest Assessment (pdf).

Access to the information will be restricted to authorised individuals and only processed if there is a legal basis to do so. In normal circumstances, your data will only be seen by the relevant teams within BACP (e.g. the team responsible for the Learning centre system and the audit team). However, it will be processed where there is a legal obligation to do so (for example in the event of receiving a court order or to comply with a subject access request) or if there is a legal basis to do so and we feel it is appropriate (for example when defending against a legal claim).

Personal data will be retained while you continue to use the system. It will be kept for two years after you stop using the system unless you object.

Users of the Learning centre should retain full control over their data, with the ability to opt out of having an account. Users will also be able to delete their learning history by sending a request to learningcentre@bacp.co.uk. For details of your other rights please refer to section 5 of this privacy notice.

Please note: users of the Learning centre have control over the information that is uploaded to the system. The terms and conditions state that special category data should not be uploaded onto the Learning centre. Particular care should be taken when uploading data relating to personal reflections.

3. Audit and regulatory requirements

We may share any data about our operations with:

• our auditors, RSM - see RSM privacy policies
• HMRC - see the HMRC personal information charter
• the Charity Commission - see the Charity Commission personal information charter
• the Information Commissioner's Office - see the ICO privacy notice
• Companies House - see the Companies House personal information charter

and other regulatory bodies, should this be necessary to complete our statutory audit and regulatory requirements.

We use several law firms to provide advice and guidance on a range of topics and we may share personal data with them at times. We ensure that we have appropriate data protection agreements with them.

4. Complaints and queries

We try to meet the highest standards when collecting and using personal information, and we take any complaints about this very seriously. We encourage you to let us know if you think that our collection or use of information is unfair, misleading or inappropriate. We also welcome any suggestions for improving our procedures.

This privacy notice does not provide exhaustive details of all aspects of our collection and use of personal information. However, we're happy to provide any additional information or explanation needed. Please send any requests for this to our Data Protection Lead - dpl@bacp.co.uk.

If you want to make a complaint about the way we've processed your personal information, you can contact the ICO as the statutory body which oversees data protection law - see ICO concerns.

5. Your rights

Under the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA 2018), you have rights as a data subject which you can exercise in relation to the information we hold about you. You can read more about these rights on the ICO's website.

Access to your information

We try to be as open as we can in terms of giving people access to their personal information. You can find out if we hold any personal information about you by making a 'subject access request' under GDPR. If we do hold information about you, we will:

• give you a description of it
• tell you why we are holding it
• tell you who it could be disclosed to
• let you have a copy of the information in an intelligible form

If you agree, we'll try to deal with your request informally, for example by providing you with the specific information you need over the telephone.

Please be aware that we may withhold information from you or provide you with redacted documents in line with exemptions in appropriate legislation.

Records of treatment

If you have received therapy from one of our members and require access to information about your treatment or the treatment someone else has received, you will need to contact the appropriate therapist directly.

Correcting mistakes

You can ask us to correct any mistakes in any factual information we hold about you, such as your address, date of birth, contact details etc.

Erasure

The GDPR also gives you the right to have the data we hold about you deleted in some circumstances. This is called the 'right to erasure' or the 'right to be forgotten'. The right applies in the following circumstances:

• we no longer need your data
• you originally provided consent and have now withdrawn consent
• you have objected to the use of your data and your interests outweigh ours
• we have collected your data unlawfully
• we have a legal obligation to erase your data

Please be aware that we are unlikely to delete financial transactional data, core membership data, declarations you have made to us or any conduct related information that is being retained in the public interest.

Making a request

If you would like to exercise your above rights, please contact our Data Protection Lead at dpl@bacp.co.uk with details of your request. Please note that details of your request, correspondence and a copy of any information disclosed will be held by BACP, this information will be used as evidence we have met our legal obligations.

6. Disclosure of personal information

In many circumstances we will not disclose personal data without consent, but there are circumstances where we might do so. The list below provides some scenarios in which we may disclose personal data. Please be aware that this is not a complete list but serves as an example.

• When we investigate a complaint, we'll need to share personal information with the individuals or organisations involved.
• We may share data with other regulatory bodies or associations that you are a member of.
• During our applications process, or any assessments we undertake, we collect personal data about individuals. If we are concerned about unsafe practice, we may share that data internally within BACP so appropriate action can be taken.
• We will share personal data with external legal professionals if we need legal advice.
• We may share personal data with law enforcement agencies or government departments where appropriate.

We will only share information that we consider to be necessary and proportionate.

7. Data security

We recognise that the information you provide may be sensitive and we will respect your privacy. This means we store it securely and control who has access to it. We sometimes share personal data with third parties where we have contracted them to carry out specific tasks for us. In such cases we carefully select which partners we work with. We take great care to ensure that we have a contract with the third party that states what they are allowed to do with the data we share with them.

We will only share personal data with other organisations where we are satisfied that the other organisation is entitled to receive it. Where relevant, we carry out due diligence checks on other organisations and ensure we have appropriate data protection agreements in place.

We're committed to holding all personal data within BACP on secure systems. We keep any paper-based personal data in locked cabinets to which only appropriate staff have access. We're working to reduce the amount of paper-based information we hold as it is easier to secure data if it is only held electronically. The majority of personal data is held electronically on our CRM system that is hosted by Microsoft.   

We use third party processors to provide email monitoring and filtering.

We have invested extensively in ensuring our information systems are secure and that our staff are suitably trained. We have achieved the UK Government's Cyber Essentials standard.

Members can find more information about how GDPR affects their practice in our FAQs about GDPR.