1. Purpose
This policy outlines how The Hazelton Clinic | Cork Counselling creates, stores, manages, and protects client records. Our aim is to ensure confidentiality, security, and compliance with the General Data Protection Regulation (GDPR), the Irish Data Protection Acts, and the ethical standards of the Irish Association for Counselling and Psychotherapy (IACP).
2. Format of Records
- All new client files (from [date]) are created and stored in digital format only.
- Existing paper files are being gradually digitised on a “scan on demand” basis. Once digitised, paper records will either be securely destroyed or archived in line with our retention schedule.
- Digital records are stored on a GDPR-compliant, encrypted system hosted within the EU/EEA.
3. Content of Records
Client records may include:
- Contact details
- Consent forms
- Clinical notes and assessments
- Correspondence relevant to therapy or treatment
- Invoices or receipts
Only information necessary for clinical, ethical, and administrative purposes is recorded.
4. Access & Confidentiality
- Records are confidential and accessible only to authorised staff who require access to perform their role.
- Access is controlled by individual logins, strong passwords, and two-factor authentication.
- The system keeps an audit log of access and edits to client records.
- Client information is not shared with third parties unless required by law or with the client’s written consent.
5. Data Retention
- Adult clients: Records are retained for 7 years after the end of therapy.
- Child clients: Records are retained until the client reaches age 25, or 26 if they were 17 at the conclusion of therapy.
- After the retention period, records are securely destroyed.
6. Security Measures
- Digital files are encrypted both in storage and during transfer.
- Systems are backed up automatically to secure EU/EEA servers.
- Staff receive regular training on data protection and confidentiality.
- Paper files (during transition) are stored in locked cabinets with restricted access.
7. Client Rights
In line with GDPR, clients have the right to:
- Access their personal records
- Request corrections to inaccurate information
- Request deletion of records (subject to legal and ethical obligations)
- Be informed about how their data is used
Clients are informed of these rights through our Privacy Notice, provided at the start of therapy.
8. Data Breach Procedure
In the event of a suspected data breach:
- The Data Protection Officer (DPO) or designated lead will investigate immediately.
- If necessary, the Data Protection Commission (DPC) will be notified within 72 hours.
- Affected clients will be informed without undue delay.