The Metis Institute

Data Protection & Confidentiality Policy

  1. Policy Statement

The Metis Institution is committed to protecting the rights, privacy, and confidentiality of all Trainees, staff, applicants, clients, and placement partners. We comply with:

  • UK General Data Protection Regulation (UK GDPR)
  • Data Protection Act 2018
  • Freedom of Information Act 2000 (where applicable)
  • Professional standards (e.g. BACP, UKCP) regarding confidentiality in therapeutic and training contexts

We only collect and process personal data for legitimate purposes related to education, training, safeguarding, and professional practice.

  2. Scope

This policy applies to:

  • All personal data held by The Metis Institution in any format (digital or paper)
  • All staff, Trainees, contractors, supervisors, and volunteers involved in training and clinical practice
  • All client, trainee, and placement records
  • All trainee assignments and any associated assessed work

This policy covers personal data, special category data, and confidential information encountered during psychotherapy and counselling training.

  3. Data Protection Principles

We commit to the six core principles of UK GDPR:

Personal data must be:

  1. Processed lawfully, fairly, and transparently
  2. Collected for specified, explicit, and legitimate purposes
  3. Adequate, relevant, and limited to what is necessary
  4. Accurate and kept up to date
  5. Kept only as long as necessary
  6. Processed securely

We also uphold individual rights under UK GDPR, including access, rectification, erasure (where appropriate), restriction, and data portability.

  4. Types of Data Collected

We may collect the following:

| Data Type | Examples | Legal Basis |
|---|---|---|
| Personal Identification | Name, contact details, Trainee ID | Contract, Legitimate Interests |
| Academic & Training Records & Assessments | Applications, progress, supervision, assignments | Contract, Legitimate Interests |
| Special Category Data | Health information, ethnicity | Explicit Consent, Legal Obligation |
| Clinical Data (client-related) | Case notes, supervision material | Legitimate Interests, Public Interest in Health |
| Safeguarding Information | Risk disclosures, referrals | Vital Interests, Legal Obligation |

No unnecessary or excessive data will be collected.

  5. Confidentiality in Clinical Training

  • We acknowledge that clinical supervision confidentiality may be overridden by legal duties
  • We adhere to NCPS standards on anonymisation, secure supervision notes, and record-keeping
  • We will handle ethical dilemmas in data sharing with advice from our professional supervisor and/or professional bodies (NCPS, UKCP)

Trainees must:

  • Maintain strict professional confidentiality
  • Anonymise client information in written and spoken work
  • Comply with placement organisations’ data and confidentiality procedures

Confidentiality may be breached only when legally necessary, including:

  • Immediate risk of harm to self or others
  • Serious crime or safeguarding concerns
  • Court order or legal requirement

Any disclosure will be:

  • Considered carefully
  • Necessary and proportionate
  • Documented and reported to supervisors/Designated Safeguarding Lead

  6. Data Security

The Institution will:

  • Protect data using appropriate technical and organisational measures
  • Use secure systems with controlled access levels
  • Ensure safe storage and disposal of records
  • Encrypt and password-protect confidential information

Staff and trainees must:

  • Never store identifiable client data on personal devices without protection
  • Use approved secure methods for transferring data
  • Keep log-ins and passwords confidential

  7. Data Retention

Data will be held in accordance with legal and professional requirements:

| Category | Retention Period |
|---|---|
| Trainee academic records | Minimum 6 years after completion |
| Placement and supervision records | Minimum 6 years |

After expiry, data will be securely deleted or destroyed.

  8. Data Sharing & Third Parties

We will not sell or disclose personal data to third parties except:

  • When required by law
  • When necessary for assessment, supervision, safeguarding, or accreditation
  • When informed consent has been obtained

All partners (e.g., placement providers) must maintain GDPR compliance.

  9. Individual Rights & Requests

Individuals may request:

  • Access to their personal data (Subject Access Request)
  • Correction of inaccurate data
  • Deletion where lawful
  • Restriction or objection to processing

Requests can be submitted to the Data Protection Officer (DPO), who must respond within one month unless a legally permitted extension applies.

  10. Data Breach Reporting

Any suspected or actual breach must be:

  • Reported immediately to the DPO
  • Investigated within set procedures

Where rights or freedoms are at risk:

  • The Information Commissioner’s Office (ICO) will be notified within 72 hours
  • Affected individuals will be informed without undue delay

  11. Roles & Implementation

  • A named Data Protection Officer oversees compliance, training, and policy enforcement
  • All staff and trainees receive data protection training during induction and CPD
  • Failure to follow this policy may lead to disciplinary action

  12. Policy Review

This policy will be reviewed:

  • Annually
  • Or earlier if legislation or regulatory guidance changes

Reviewed: January 2026

To Review: January 2027