Privacy

• Cookies
• General privacy information
  
• What information do we collect and what we use it for?
• Lawful processing of personal data
  
• Retention of data
• Recipients of personal data
• Security
  
• Your rights

Cookies

Like many websites, we use cookies. A cookie is a small amount of data that is sent to your computer or mobile phone browser from a website’s computer and is stored on your device’s hard drive.

Cookies record information about your online preferences. They help us understand how visitors engage with our site so that we can improve your online experience with us. We do not use cookies to collect personally identifiable information about you.

Each website you visit can send its own cookie to your browser if your browser’s preferences allow it. To protect your privacy, your browser only permits a website to access the cookies it has already sent to you, not the cookies sent to you by other websites.

How to control and delete cookies

You can instruct your browser to refuse all cookies or to indicate when a cookie is being sent. However, if you do not accept cookies, you may not be able to use some portions of our website.

You may restrict or block the cookies which are set by our website, or any other website, through your browser settings. You can also ask your browser to alert you when a cookie is issued.

For more information about cookies and how to manage them is available at www.aboutcookies.org

We use Google Analytics to understand how visitors engage with our website. It collects information anonymously and reports website trends without identifying individual visitors. For more information visit Google Analytics privacy and security information.

UKCP privacy notice

General

The UK Council for Psychotherapy (UKCP) is the leading organisation for the education, training, accreditation and regulation of psychotherapists and psychotherapeutic counsellors in the UK. We exist to promote and maintain high standards of the practice of psychotherapy and psychotherapeutic counselling for the benefit of the public throughout the United Kingdom.  UKCP is a charity registered in England and Wales (charity no. 1058545, company no. 3258939).

UKCP is registered as a data controller with the Information Commissioner’s Office (ICO). Registration number Z500659X.

If you have any questions regarding this policy, please contact our Data Protection Lead, using the following details:

Data Protection Lead
UK Council for Psychotherapy (UKCP), York House, 221 Pentonville Road, London N1 9UZ

Email: dataprotection@ukcp.org.uk

UKCP operates https://www.psychotherapy.org.uk/ and takes privacy and confidentiality very seriously.  This policy informs you how we collect personal information. Personal information is held strictly in accordance with the Data Protection Act 2018. UKCP may at times modify, alter and update this privacy policy. We will notify you of any changes to this privacy policy by posting the amended version on our website.

UKCP is a membership organisation, a professional association and a regulator and we only collect the personal data required to carry out these functions

This policy applies to information we collect about:

• visitors to our websites
• people who use our services, for example to enquire about the services of our members
• our members (individuals and organisations)
• job applicants and our current and at times former employees
• volunteers
• any other information that you may choose to send to us
• UKCP employees
• third party suppliers.

Information we collect and what we use it for

Visitors to our websites

When someone visits our website, we collect standard internet log information and details of visitor behaviour patterns, we do this to find out things such as the number of visitors to the various parts of our site. We collect this information in a way that does not identify anyone.  The exception to this is logging into the member’s area, where there is a need to identify our members.

We may use your personal information to monitor and improve our website. By using our website, you agree to the collection and use of information in accordance with this policy.

The UKCP website comprises http://www.psychotherapy.org.uk and any other subdomains required for delivery of additional content or services to members. These subdomains include, but are not limited to, http://www.ukcp.org.uk and https://psychotherapy.force.com, the latter of which provides access to the UKCP National Register, the List of Trainee Therapists and the Member Area of the website.

While using our website, we may ask you to provide us with certain personally identifiable information that can be used to contact or identify you. Any personally identifiable information may include but is not limited to your name and internet protocol (IP) address. This can be when you are booking something or submitting an enquiry through our website for example.

Search engine

Search queries and results are logged anonymously to help us improve our website and search functionality, no user-specific data is collected by either UKCP or any other third party.

People who use UKCP online services

UKCP offer various services to its members, volunteers and the public, including:

Public

• find a therapist: practitioner search via the website and also via telephone enquiry
• public surveys
• public online promotions
• event booking
• UKCP presence on social media platforms such as Facebook, Twitter, Instagram and LinkedIn.

Members

• members area of the website
• forum
• member surveys
• members online promotions
• event bookings.

Most of the services we provide are run in their entirety by UKCP. Exceptions would be surveys or bookings which may partly be hosted with third parties for example, Eventbrite or Survey Monkey.

Where possible, we do not request personal identifiable information unless it is necessary for the functionality of the service being provided. We will not request more information than necessary to supply the service.  We will only use details to provide the service the person has requested and for other closely related purposes. When people do subscribe to our services, they can cancel their subscription at any time and are given an easy way of doing this.

When financial transactions take place online, personal details such as name and address are stored on the UKCP servers. Where a third-party processor has been used, we will have agreements with them to protect your information so that it is stored securely and in line with GDPR.

Online promotions

For events we sometimes use speakers’ names and photos to promote events – this is usually done with their approval but on occasions we take information from their website and use that. If this happens then we contact the speakers prior to using the information and inform them of this.  This information is kept afterwards for reference only to evaluate the effectiveness of different promotional tools.

People who telephone us

When we receive a call from or about a UKCP member, we may record the details of the call in the ‘activity history’ section of the member’s database record, to allow us to administer your membership.

We also store phone numbers and timings of the call. On occasion we may record phone calls for training or monitoring purposes; if we do this we will tell you before the call is recorded.

People who email us

Any email sent to us, including any attachments, may be monitored and used by us for reasons of security and for monitoring compliance with office policy. Email monitoring or blocking software may also be used. Your emails will be stored by the relevant departments in accordance to the UKCP retention policy. When we receive an email from or about a UKCP member, we may record the details of the email in the ‘activity history’ section of the member’s database record”, to allow us to administer your membership. 

Communications

We may use your personal information to contact you with newsletters, marketing or promotional material.

We may also gather content in the form of film, photography and case study stories for use in our PR and marketing activity.  Our process for this involves informed consent. At events we put up a notice informing people of our activities, with a contact person for people to make themselves known to crew if they do not wish to be filmed.

If we are gathering case studies, we discuss the potential use of those case studies, images etc. in terms of where and how the case studies and images may be used.

We have different levels of consent, will usually require a consent form to be signed and the terms and conditions of the image use to be agreed.

The form we use has contact details on it, so if someone prefers for their image not to be used within the two-year time frame stated, or if they wish to ‘disappear’, we can delete the image from our library.

Complaints about UKCP

All complaints about UKCP are treated seriously and we will only use the personal information we collect to process the complaint and to check on the level of service we provide.

Complaints about our members

UKCP has a strict complaints and conduct process. In order to process a complaint, it is necessary to obtain certain details, which will usually include some personal information. This may include special categories of personal data such as health information. We need to process this information as part of our regulatory role and may need to keep and use the information even if the complaint is subsequently withdrawn, for example, if UKCP considers an investigation is necessary as part of its role in protecting the public. We usually have to disclose the complainant’s identity to the members concerned. However, there are occasions when we can take anonymous complaints. We will always notify the complainant of our intention to disclose their identity to the member. If they object, we will consider whether we may need to disclose the information in any event, in fairness to the member being investigated. We will keep personal information in a safe place and access is restricted according to the ‘need to know principle’.

We never publish the names of complainants but we do publish certain details of members in accordance to our Publication of Decisions policy if a complaint has been upheld. Members are aware before registration that they are subject to our complaints and conduct process, and its related policies.

To avoid duplicate complaints being made to different regulatory bodies, we may also provide information about complaints including but not limited to the British Association of Counselling and Psychotherapy (BACP) and the British Psychoanalytic Council (BPC). A link to our Hearings and Decisions page is sent to the other bodies, this page details the name of the registrant and the Adjudication Panel’s decision. The decision paper is written in accordance with our Publication of Decisions Policy. On occasion the other bodies may request further information, and this will be shared provided the request is in relation to their regulatory function.

Membership information

As part of the membership process we ask all of our members to provide certain types of information so that we are able to process their application and create a record on our database. This includes:

• name
• home address (this is kept confidential and is for internal use only)
• work address (If applying for full clinical membership this address may be used on our ‘Find a Therapist’ tool)
• telephone number
• personal email address
• work email address
• organisational membership details
• course details (for student and trainee membership)
• declaration of any criminal convictions or ongoing complaints (please see section on special category data)
• date of birth
• indemnity insurance information
• gender
• other diversity data such as disabilities or ethnic group (see special category data).

As part of the membership process we send out annual membership renewal notices. For us to process a member’s renewal, we process bank details. These are shared with a third-party to process the card payments and direct debit payments we receive from our members.

We may also use your information to contact your organisational member to confirm that you are still a member and if the contact details we have for you are still correct.

As our function as a regulator we have a duty to ensure that our registrants aremeeting our standards. We conduct an annual audit of a random 3% selection of our full clinical members. We ask our registrants to provide the following information:

• name
• organisational membership information
• membership number
• details of supervision (this includes the supervisors name, contact details and UKCP membership information).

This information is processed in accordance with our Registrant Sample Audit policy. The results are recorded on the registrant’s record on our database and any hard copy or electronic copy is destroyed within one year of the audit report completion.

We collect this data and run these processes in order to carry out our membership and regulatory functions.

Volunteers

We may use the personal information we collect from you in any of the following ways:

• Processing volunteer applications. Your personal information allows us to communicate with you and assess your suitability for the role.
• Administering all the aspects of your volunteering role.
• Administering your volunteer records.
• Supporting in your volunteering journey at UKCP and your volunteering activities for us.
• Engaging better and in a more meaningful way with you.
• Matching your skills, expertise or skills with various volunteering and development opportunities.
• Data analysis of volunteering involvement and engagement.
• Improvement of our volunteering services and processes. For example, we may at times provide you with feedback opportunities.
• Processing bank details for expense claims.
• Collectin of other diversity data such as disabilities or ethnic group (see special category data).

Organisational members

For any of our organisational members we list the organisation’s name and contact details on our website. This information is obtained when an organisation makes an application and is updated via the five yearly reviews. The information is also updated when an organisational member informs us of a change. This information is used for the purposes of:

• informing our members and the public of where to go if they want to contact them
• contacting them regarding their five yearly reviews
• contacting them regarding any membership queries.

Job applicants, current/former UKCP employees, workers and contractors

Please see our separate HR privacy notice and the employee handbook, or you can request a copy by emailing hr@ukcp.org.uk.

Officers, committee members and trustees

When individuals take up a position at UKCP, we will only use the information they supply to us to process their appointment.

Personal information about unsuccessful candidates will be held for 6-12 months after the appointments process has been completed. It will then be destroyed or deleted. We may use information about candidates to help inform our future recruitment activities.

We may collect, store, and use the following categories of personal information:

• personal contact details such as name, title, addresses, telephone numbers, and personal email addresses
• photos and voice recordings
• date of birth
• gender
• National Insurance number
• bank account details, payroll records and tax status information
• remuneration, annual leave, pension and benefits information
• start date and term of appointment
• location of workplace
• appointment information (including: cv, pre-appointment checks such as bankruptcy, disqualified directors registers, references, academic qualifications, declarations of interest)
• appointment records (including role description, career history, working hours, training records and professional memberships)
• performance and career development information
• information about your use of our information and communications systems.

We share bank details, pension information and HMRC information with a third party who processes salary payments and expenses. 

We may also collect, store and use the following 'special categories' of more sensitive personal information:

• information about your health, including any medical condition, health and sickness records
• information about criminal convictions and offences
• other diversity data such as disabilities or ethnic group (see special category data).

Special category data

Note that in some cases we may process “special categories” of personal data, and information about criminal convictions and offences. For example:

• information in relation to our employees (such as health data), which is necessary for the performance of our contract with them or under employment law (in the case of our volunteers, we obtain their consent to process these types of information)
• information in relation to our members (for example, whether they have criminal convictions) which is necessary to uphold high standards in the profession and to protect the public
• information provided by complainants (such as health data, sexuality), which is necessary in order to process complaints
• other diversity data such as disabilities or ethnic group.

The Equality Act 2010 says public authorities must comply with the public sector equality duty. This extends to organisations that carry out public functions, which includes UKCP – as a charity and a regulator that works in the public interest.

The duty aims to make sure such organisations think about things such as discrimination and the needs of people who are disadvantaged or suffer inequality, when they make decisions about how they provide their services and implement policies.

• In order to deliver tailored services or to shape policies, it is important to have a good understanding of challenges and requirements, the make-up of the profession or the client base, as well as any gaps or overlaps. This is why UKCP processes diversity data.

We take particular care of this information, using appropriate security measures, including limiting who has access to such information and always working to a 'need to know' principle.

Lawful processing of personal data

UKCP will only process your personal data in accordance with one of the conditions for lawful processing set out in the GDPR.   The main ways in which we process data are as follows:

• processing on the basis of consent
• processing is necessary for the performance of a contract
• processing based on legitimate interests.

Consent – When new members register with UKCP, they are asked if they would like to receive information about courses, events, publications and other goods and services offered by UKCP, its member organisations, and other professional and commercial organisations.  You can withdraw your consent at any time by updating your mailing preferences in the member area.

Contract – In order to perform our obligations to our members, we need to process their personal data (for example, information about their qualifications to check they are eligible for membership or notifying them of an upcoming Chair election).  Similarly, where members of the public sign up to paid events, we need to process their personal details in order to administer the booking.

Legitimate interests – Where it is necessary to process personal data for our purposes as an organisation (our “legitimate interests”), we may do so provided that this does not override the rights and freedoms of the person whose data we are processing.   UKCP exercises some functions where it is necessary to process personal data (including that of non-members) for the performance its regulatory and public protection functions (such as the processing of complaints).  In these cases, UKCP may rely on its legitimate interests as a body set out to promote and maintain high standards in the profession. In some cases, there will be some prejudice to the rights and freedoms of members who are subject to complaints, as they may be subject to an adverse decision.  However, any such prejudice will be outweighed by UKCP’s legitimate interests in maintaining high standards in the profession and protection of the public

Where it is necessary to use personal data to provide services (see People who use UKCP online services) and explicit consent has not been provided, we will rely on our legitimate interests in providing the services to further our organisation’s aims, provided they are not outweighed by the rights and freedoms of those using the services.

In some cases, we may send information about courses or events we think individuals may be interested in.  This is in our legitimate interest because it is promoting our charitable objects, by promoting the profession, and is normally unlikely to cause any prejudice to those receiving the materials.  However, it is always possible to change your preferences about receiving these materials by contacting us using the details above and/or updating them via the Members’ Area.

Transfers outside the EEA

UKCP may occasionally transfer your personal data outside of the EEA.  For example, the information contained on our cloud-based servers is backed up and this back up information is held outside the EEA.  We also use some service providers (for example, to produce surveys or invitations to events) who are based outside of the EEA.  This can involve the transfer of personal data outside the EEA.

Whenever we transfer your personal data out of the EEA, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:

• We will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission.
• Where we use certain service providers, we may use specific contracts approved by the European Commission which give personal data the same protection it has in Europe.
• Where we use providers based in the US, we may transfer data to them if they are part of the Privacy Shield which requires them to provide similar protection to personal data shared between the Europe and the US.

Please Contact us if you want further information on the specific mechanism used by us when transferring your personal data out of the EEA.

Retention of data

Information about how long we keep the personal data of members is set out in our retention policy, available on request by contacting us.

For non-members, we will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.

To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements. You can read our Document Retention Policy here, it outlines the duration in which we keep data relating to complaint work.

Recipients of personal data

In addition to bodies mentioned in this policy, we may occasionally need to transfer personal data to other organisations, including but not limited to:

• current, past or future employers (for example, in relation to a request for references)
• healthcare, social and welfare advisors or practitioners
• education, training and accrediting establishments and examining bodies
• employees and agents of the UKCP
• suppliers, providers of goods and services (such as the mailing house for our membership certificates and magazine)
• persons making an enquiry or complaint (For example with an organisational member or another regulatory body)
• police forces (For example if a criminal investigation is being carried out involving one of our registrants)
• central government
• voluntary and charitable organisations
• ombudsmen and regulatory authorities.

We will ensure we have a legal basis for any such transfers before doing so.

Security

We will respect your confidentiality and will keep the information about you confidential. We store it securely and control who has access to it.

We will only share such information as necessary, and where we are satisfied that a third party is entitled to receive it and they will keep your information confidential and secure.

The security of your Personal Information is important to us but remember that no method of transmission over the internet, or method of electronic storage, is 100% secure. While we strive to use commercially acceptable means to protect your Personal Information, we cannot guarantee its absolute security.

Other websites

If you transfer to another website from a link within the UKCP website, this privacy notice does not apply. We recommend you examine all privacy statements for all third-party websites to understand their privacy procedures.

Your rights

Request access to your personal data (commonly known as a “data subject access request”). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.

Request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.

Request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal data to comply with local law. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.

Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your personal data for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms.

Request restriction of processing of your personal data. This enables you to ask us to suspend the processing of your personal data in the following scenarios: (a) if you want us to establish the data’s accuracy; (b) where our use of the data is unlawful but you do not want us to erase it; (c) where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or (d) you have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.

Withdraw consent at any time where we are relying on consent to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.

You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues (www.ico.org.uk). We would, however, appreciate the chance to deal with your concerns before you approach the ICO so please contact us in the first instance.

Changes to this privacy notice

We aim to keep this notice under review to reflect changes to law or practice.

Document Created June 2018

Updated:  July 2023