Your privacy is a top priority. We're committed to always being a good custodian of your personal information, handling it in a responsible manner, and securing it with industry standard administrative, technical and physical safeguards.
We follow two guiding principles when it comes to your privacy:
- transparency - we work hard to be transparent about what personal information we collect and process
- simplicity - we try to use easy-to-understand language to describe our privacy practices to help you make informed choices
The British Association for Counselling and Psychotherapy (BACP) is registered as a data controller with the Information Commissioner’s Office (ICO) (ICO registered number Z7078162).
It is also a company registered in England and Wales (company number 02175320), registered address BACP House, 15 St John’s Business Park, Lutterworth, Leicestershire LE17 4HB. BACP also incorporates BACP Enterprises Ltd – (company number 01064190) as a legal entity and shares data with it.
BACP is a registered charity (registered charity number 298361).
If you have any queries about this privacy notice or about any aspect of our data management, please contact our Data Protection Lead at email@example.com.
We'll update this privacy notice regularly to ensure it continues to comply with the latest regulations and best practice. This privacy notice was published on the website on 25 May 2018.
2. How we use your information
a) Storage and management of personal information
Our principal data management system is a Microsoft Dynamics CRM system which is maintained and developed by a third party processor. This system enables us to efficiently store any information about our members, former members and other stakeholders in a way that ensures adequate security and only allows people who have the right level of authority to access personal information. It also simplifies our responsibilities for data retention and subject access requests.
b) Visitors to our website
When someone visits our website we use a third party service, Google Analytics, to collect standard internet log information and details of visitor behaviour patterns. We do this to find out things such as the number of visitors to the various parts of the site. This information is only processed in a way that does not identify anyone. We do not make, and do not allow Google to make, any attempt to find out the identities of those visiting our website.
We use Google Analytics so that we can continually improve our service to you - read the Google Analytics privacy notice.
We use Umbraco as the content management system for our website - find out about Umbraco and data protection.
No user-specific data is collected by us or any third party. If you fill in a form on our website, that data will be temporarily stored on the web host before being sent to us.
c) Members and former members
The legal basis we use for processing members’ and former members’ personal information is a combination of contract and legitimate interest.
We carefully safeguard the information we hold about members. This information comes from the way members engage with us, information provided through application and booking forms, renewals forms or details completed in members’ online profiles.
The information may also come from members’ interactions with us, for example, through social media, website usage or surveys. It may include, for example, contact details, interests or guidance documents downloaded from our website.
What the information is used for
We collect this information to provide our services to members and to inform our development of new and improved products to continue to meet our members’ needs.
We also use member information for identity verification and to comply with regulatory functions. Usually, when members call us, we need to identify them depending on the nature of the enquiry. We may do this by asking for certain information known only to you.
Specifically, we may use member information to:
- carry out regulatory checks and meet our obligations to the Professional Standards Authority
- develop and improve our services through assessment and analysis of the information, market and product analysis and market research
- improve the relevance of marketing messages we may send you
- personalise our website for you
- protect our systems
We may also monitor or record any communications with members including telephone calls. We'll use these recordings to check your instructions to us, to analyse, assess and improve our services and for training and quality purposes.
We send messages by post, telephone, text, email or other digital methods. These messages may be:
- to help you manage your membership
- to meet our obligations, for example visits by our own regulators
- statements regarding standards of practice, such as gay reparative therapy
- to keep you informed about the features and benefits of the products and services available to you that may be of professional interest
We will never pass on your information to a third party to use in their own direct marketing without your consent.
Sharing your information
During your contact with us, we’ll tell you how your information will be used and that it may be necessary to share it with other services and organisations.
We will not share your information with any third parties unless:
- you have consented to this (for example by providing information to us after we’ve told you that we will supply the information to a third party)
- it is required for the management of your membership or a legitimate business purpose
- it is as part of our duty to protect a child, a vulnerable adult, yourself or the public
- for the prevention and detection of a crime or the assessment of any tax or duty
- we are required to do so by any court or law or any relevant regulatory authority
- to protect the rights, property or safety of BACP or any third parties (for example for the purposes of fraud protection)
- we transfer our rights and duties to provide products and services to another organisation
As a professional body, it is in our legitimate interests to verify the membership status of an individual when we receive a query from a third party, including membership category and expiry date. Other information such as contact details are not disclosed.
By being a member of BACP and using our products and services, you grant us permission to process personal data which you have provided to us.
The purchase of some of our services requires that we publish your details in the public domain, such as in printed materials or on our website, for example therapist directory, networks or events. This information may be used by other members or third parties to contact you but is outside our control. When you purchase these services, you may have the right to opt out from some information being published.
When you make a payment to us, we use a third party processor to manage the process and the direct debit payments.
We will keep records of purchases for financial audit reasons for six years, We'll also keep records of qualifications, complaints and adjudications for six years. The basic records of a member’s name and membership period will be kept indefinitely in case ex-members wish to re-join.
We use Think Publishing to handle membership publishing for us – see Think’s privacy notice. We manage subscriptions to our publications using a third party service
When people make complaints against our members, we hold data relating to the complainant as well as details of the complaint and witnesses or interested parties. We share information with panel members and external clerks who all sign data processor agreements with us. All data relating to this process is kept very securely. Paper records are kept in locked cabinets and then archived in a secure off-site facility.
Together with 17 other organisations running accredited registers, we've signed up to an information sharing protocol. We've all agreed to inform each other about, and to take into account, decisions made through the other organisations' professional conduct proceedings which have resulted in an individual being removed from a register.
Member certificate of proficiency (COP)
We manage the COP through a third party. This system records equality and diversity data, assessment results, contact details and special requirements. Equality and diversity data is only kept for two months, raw scores are kept until the member has passed, and contact details and special requirements are kept until the assessment process is complete.
Accreditation of services and courses
We award accreditation to therapeutic counselling and psychotherapy services that meet our quality standards. We’re also the leading body for the accreditation of training courses in counselling and psychotherapy.
We use assessors and moderators to run these services and we ensure we have data processing agreements with them.
Information is retained for the five year accreditation term and for a further three years following a lapse of accreditation.
Member audit is managed internally with data stored on our CRM and on spreadsheets. We receive hard copy submissions which are stored in secure cabinets and shredded once the audit is complete.
d) Members of the public who make enquiries
We do not usually record or process any data from members of the public who ring us with general enquiries. If a query does require us to take personal data we will explain this at the time. We do not record phone calls.
We retain emailed queries from the general public for a maximum of one year.
e) Members and non-members who attend our events
If you apply to attend a BACP event we will hold the information we need in order to deliver this event. Our legal basis for holding your data will be a combination of contract and legitimate interest.
All event attendees will be listed on the delegate list that is shared with other delegates, exhibitors and sponsors. Event information is stored on our CRM, while video and still images are stored on our servers. We keep information about event attendees, presenters and actors for 25 years. Information about exhibitors and sponsors is kept for five years. We use SurveyMonkey to gather event evaluation
Photography and filming
If you attend an event or take part in a promotional activity, we may ask to take your photograph or film you. Any images we hold, whether in still photographs or video, may be covered by the definition of personal data in the GDPR. We will need your consent in order to take and use these images fairly and lawfully. We will ask you to complete the form below.
We may record events for use in an online video library, publicity and marketing materials, including use on our website. This filming will primarily focus on the speakers and their presentations, however, it may include some shots of the audience. By attending these events you are deemed to have consented to your inclusion in these recordings. If you don't want to be included in any recording it is your responsibility to tell the cameraman at the event before filming starts.
We use third party processors to help us deliver successful events. We use a wide range of venues, mostly hotels, around the UK to host events. We ensure that we have appropriate data protection agreements with all of them.
f) Contributors to our academic journals
We use Steers McGillan Eves to design our journals – see Steers privacy notice.
g) Job applicants, volunteers, current and former staff
We will only use any information you provide during the recruitment process for the purpose of progressing your application, or to fulfil legal or regulatory requirements if necessary.
We will not share any information you provide during the process with any third parties for marketing purposes or store it outside of the European Economic Area. The information you provide will be held securely by us or our data processors, whether the information is in electronic or physical format.
We use Caraires Recruitment to help us find the right candidates – read Caraires privacy notice.
We will use the contact details you provide to contact you to progress your application. We will use the other information you provide to assess your suitability for the role you've applied for.
We do not collect more information than we need to fulfil our stated purposes and will not retain it for longer than is necessary.
The information we ask for is used to assess your suitability for employment. You don’t have to provide what we ask for but it might affect your application if you don’t.
If we make a conditional offer of employment we'll ask you for information so that we can carry out pre-employment checks. You must successfully complete pre-employment checks to progress to a final offer. We are required to confirm the identity of our staff and their right to work in the UK, and to seek assurance as to their trustworthiness, integrity and reliability.
Therefore, you must provide:
- proof of your identity – we’ll ask you for original documents and will take copies
- proof of your qualifications – we may ask you for original documents and will take copies
We will contact your referees, using the details you provide in your application, directly to obtain references.
If we make a final offer, we’ll also ask you for the following:
- bank details – to process salary payments
- emergency contact details – so we know who to contact if you have an emergency at work
If you accept a final offer from us, some of your personnel records will be held on our internal HR records system.
During your employment we may need to share your information with third party processors who provide elements of our ongoing employment service, that is employment law advice, occupational health advice, payroll and pensions processing and other employee benefits such as health and wellbeing services. We have contracts in place with all of our third party processors. This means they cannot do anything with your personal information unless we instruct them to do so. They will not share your personal information with any organisation apart from us. They will hold it securely and retain it for the period we instruct.
The information you provide will be retained as part of your employee file for the duration of your employment and for six years afterwards.
If you're unsuccessful the information you give us, and any information we create during the process, are retained for six months.
We use Mullwood Partnership to manage volunteer recruitment – see the Mulwood privacy statement.
We collect only information that we need for volunteers. Information is retained for the duration of their volunteering then is immediately deleted.
h) People who visit our premises
We have closed circuit TV at our offices. This is a purely internal system and the recordings are kept securely on-site. Only staff who have appropriate authority are allowed access to the recordings. The recordings are kept for seven days.
We record the name of all visitors to our offices for fire safety reasons. This information is deleted after three months.
i) Members of our regional networks
We have regional groups that are co-ordinated by fellow members on a voluntary basis. The co-ordinators maintain spreadsheets of details of members who are in their regions. They use these to keep members informed of local events and to help members network with each other. All regional co-ordinators sign third party processor agreements with us clearly laying down their responsibilities with regard to members’ personal data.
j) People who take part in our surveys and consultations
We use third party processors for both our internal and external surveys. We collect minimal personal data in surveys - generally only IP address and email address so that we can keep in touch with participants. We keep information only for the duration of the survey campaign.
k) People who sign up to our newsletter
If you sign up to our newsletter we will use a third party to keep your data, to distribute the newsletter and to keep track of open rates and other standard media measures. We only keep your email and name and we will renew your consent every two years.
l) People who engage with research and awards
We run many awards programmes, some of which are awarded jointly with partner organisations. Our partners include the Counselling and Psychotherapy Central Awarding Body (CPCAB) (see the CPCAB privacy notice) and PCCS Books (see the PCCS privacy notice).
We only collect name, email and postal address for most of the awards. For the PhD Studentship we also need to collect supervisor and finance details. The details of unsuccessful applicants are always deleted once the decision has been made. Successful applicant data is kept for 12 months.
3. Audit and regulatory requirements
We may share any data about our operations with:
- HMRC - see HMRC personal information charter
- the Charity Commission - see Charity Commission personal information charter
- the Information Commissioner’s Office - see ICO privacy notice
- Companies House - see Companies House personal information charter
and other regulatory bodies, should this be necessary to complete our statutory audit and regulatory requirements.
We use several law firms to provide advice and guidance on a range of topics and we may share personal data with them at times. All third parties have contracts with us which includes a third-party processor agreement.
4. Your rights
Under the General Data Protection Regulation (GDPR) you have rights as an individual data subject which you can exercise in relation to the information we hold about you. You can read more about these rights on the ICO's website.
5. Complaints and queries
We try to meet the highest standards when collecting and using personal information, and we take any complaints about this very seriously. We encourage you to let us know if you think that our collection or use of information is unfair, misleading or inappropriate. We also welcome any suggestions for improving our procedures.
This privacy notice does not provide exhaustive details of all aspects of our collection and use of personal information. However, we’re happy to provide any additional information or explanation needed. Please send any requests for this to our DPO at the address in the Introduction above.
If you want to make a complaint about the way we've processed your personal information, you can contact the ICO as the statutory body which oversees data protection law - see ICO concerns.
6. Access to your personal information
We try to be as open as we can in terms of giving people access to their personal information. You can find out if we hold any personal information about you by making a ‘subject access request’ under GDPR.
If we do hold information about you we will:
- give you a description of it
- tell you why we are holding it
- tell you who it could be disclosed to
- let you have a copy of the information in an intelligible form
To request any personal information we may hold, you must put your request in writing to our DPO at the address in the Introduction above.
If you agree, we'll try to deal with your request informally, for example by providing you with the specific information you need over the telephone.
You can ask us to correct any mistakes in any information we hold by contacting our DPO.
7. Disclosure of personal information
In many circumstances we will not disclose personal data without consent. However, when we investigate a complaint, for example, we'll need to share personal information with the organisation concerned and with other relevant bodies.
8. Data security
We recognise that the information you provide may be sensitive and we will respect your privacy. We keep information about you confidential. This means we store it securely and control who has access to it. We sometimes share personal data with third parties where we have contracted them to carry out specific tasks for us. In such cases we carefully select which partners we work with. We take great care to ensure that we have a contract with the third party that states what they are allowed to do with the data we share with them. We ensure that they do not use your information in any way other than the task for which they have been contracted.
We will only share personal data with other organisations where we are satisfied that the other organisation is entitled to receive it and will keep your information secure.
We're committed to holding all personal data within BACP on secure systems. We keep any paper-based personal data in locked cabinets to which only appropriate staff have access. We're working to reduce the amount of paper-based information we hold as it is easier to secure data if it is only held electronically. The majority of personal data is held electronically on our CRM system that is hosted by Microsoft.
We use third party processors to provide email monitoring and filtering.
We have invested extensively in ensuring our information systems are secure and that our staff are suitably trained. We are currently working towards the UK Government’s Cyber Essentials standard.
Members can find more information about how GDPR affects their practice in our FAQs about GDPR.