0 Shortlist Search
Enter your keyword, course, subject or interest
EC Default Banner

Counselling Service Privacy Notice

Who is collecting the information?

Edinburgh College is the Data Controller. We have an appointed Data Protection Officer (DPO), who can be contacted by emailing: DataProtection@edinburghcollege.ac.uk.

Edinburgh College’s Counselling team members will usually be the only people involved in the collection of your data.

Why are we collecting it, and what are we doing with it (Purpose)?

The Counselling Service collects different types of information to provide counselling to the students of Edinburgh College:

  • We collect basic information that helps us get to know you
  • We collect your campus, course, email address, and phone number so that we can contact you and arrange a meeting. 
  • We collect mental health measurement data through the CORE measurement system to monitor risk, progress, and reporting. 
  • We ask for your ethnicity for equality monitoring purposes and to ensure our services are accessible to all, but this information is optional, and you don’t have to provide it.
  • Counsellors will keep a record of session engagement and case notes to comply with the British Association for Counselling and Psychotherapy (BACP) ethical framework and data protection legislation. These notes are confidential, and personal identifiers are kept to a minimum. The session notes are securely kept on the CORE-NET database. 
  • Using art or working creatively is offered in some of the counselling sessions. The artwork created during these sessions will capture your thoughts and feelings.
  • Data is also used anonymously for reporting on the use and effectiveness of the counselling service.

Suppose you permit a Trainee Counsellor to use details about your sessions for their coursework, but this should be on an anonymous basis. In that case, any personal data involved will be processed by the Trainee and their college or university and not by Edinburgh College.

What personal data do we collect?

Personal Data

  • Forename
  • Surname
  • Date of birth
  • Email 
  • Phone number
  • Course
  • Campus of study
  • Term-time address
  • GP Surgery details
  • Location preference for sessions
  • Availability for sessions 
  • Pronoun
  • Gender identity 

Special Category (Sensitive) Data

  • Health, including mental health/anxiety information
  • Any other sensitive information you decide to share in connection with using our service (we will not request this). For example, religion, sexual orientation, racial or ethnic origin
  • Mental health history
  • Presenting mental health difficulties
  • Reasons for referral
  • Ethnicity: You can choose whether to provide this or not

How are we collecting this information? What is the source?

We collect this information directly from you when you use our service (only where you choose to supply it) through the secure online system CORE-NET.

The lawful basis for the processing

The College’s lawful basis for processing (and sharing) your personal data is UK GDPR Article 6(1)(c) “processing is necessary for compliance with a legal obligation.” and 6(1)(e) “processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.” The Post-16 Education (Scotland) Act 2013, the Further and Higher Education (Scotland) Acts 1992 and 2005, and the Equality Act 2010, Part 6, Chapter 2, provide the legal framework and the duty of care the college has in delivering wellbeing support to students. 

Where special category personal data is collected, then the lawful basis is UK GDPR Article 9(2)(g) “processing is necessary for reasons of substantial public interest”, the Data Protection Act 2018 (DPA) Schedule 1, Part 2 (6) Statutory etc and government purposes and  (17) Counselling etc. 

Who we share the information with

Your personal data will not be shared outside of the Counselling Service unless you have asked us to share it, if it is necessary to protect you or others from harm, or if we are legally required or authorised to disclose.

More information on why we may have to break confidentiality can be found in the Counselling Agreement you will be provided with. This is in accordance with the BACP Code of Ethics and Professional Conduct.

The College holds the majority of your information on CORE-NET, a web-based, secure database platform. Please note the use of third-party software, including. Teams and CORE-Net are done so securely, and the appropriate contract documentation is in place.

How long do we hold the personal data?

Counselling records will be securely retained for 7 years from the last counselling session, then securely disposed of in accordance with College procedures.

If you are using art in your therapy as part of your counselling sessions, you will have the opportunity to take these away with you at the end of each session. If you choose not to do this, the artwork will be locked in a secure cupboard and securely destroyed 6 weeks after you receive your last counselling session.  

Individuals’ rights in relation to this processing

Under data protection law, you have a number of rights; some of these rights only apply if certain conditions are met. Your rights are: right to be informed (e.g. privacy notice), right of access, right of rectification, right of erasure (commonly known as the right to be forgotten), right to restrict processing, right to object, right to data portability and the right to know of any automated decision making (including profiling). It’s worth noting that you can exercise your rights either verbally or in writing, and the College would be required to process your request within one month.

The rights that apply to this particular processing are:

  • Right to be Informed – i.e. a privacy notice.
  • Right of Access – this means you have the right to access your personal information.
  • Right to Rectification – this means you have the right to correct inaccurate or incomplete personal information.
  • Right to Erasure – commonly known as the Right to be Forgotten (RTBF) – this means you can request that your personal data be deleted.
  • Right to Data Portability – this means you have the right to request your information in a machine-readable format (e.g. a .csv file) to be provided to you or transferred in that format to another organisation.
  • Right to Restriction – this means you can restrict the processing of your information and links with some of the other rights.
  • Right to Object – this means you can object to how your data is used.
  • Right to be informed of automated individual decision-making (including profiling) – we do not use this for OH purposes, and therefore this does not apply.

Some of the rights above have caveats and only apply in certain circumstances. You can exercise your rights at any time, and the College would be required to answer within a month upon receipt of your request. If you wish to exercise your rights or have any queries in relation to this, please contact the Data Protection Team at DataProtection@edinburghcollege.ac.uk.

Complaints to the UK Information Commissioner’s Office (ICO)

If you are concerned about how your personal data is being used by the College, in the first instance, please contact the College Data Protection Officer (DPO) at DataProtection@edinburghcollege.ac.uk. If you are not satisfied with the outcome, then you can complain to the regulator of data protection, the UK Information Commissioner’s Office (ICO). The ICO guides on the ICO website.

You can email them at casework@ico.org.uk, call them on 0303-123-113, or you can send a letter to them at the following address:

Customer Contact
Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
SK9 5AF