Copyright © 2012 arnoldus venter.

JAPIE DEYSEL

BA Psych / Psig   B.Psych / Psig
REGISTERED COUNSELLOR
PROTECTION OF PERSONAL INFORMATION ACT 4 OF 2013 (POPIA).
1. Introduction.
The protection of personal information has become a significant phenomenon since 2013. The  PROTECTION OF PERSONAL INFORMATION ACT 4 OF 2013 or POPIA became an Act of Law in 2013 with the intent of ensuring that the processing of personal information is done fairly without harmfully affecting the rights of privacy of the people to whom the information relates. The act finally came in force on 1 July 2021. In POPIA terms the person to whom the personal information relates is referred to as a Data Subject – in the context of  the COUNSELLING PRACTICE  it refers to the Clients involved in the counselling sessions. The Personal Information of a Data Subject collected, includes all personal information relating to an identifiable, living natural person or juristic person (e.g. information relating to identity, race, gender, marital status, age, health, disability, language, education and employment, criminal history, contact details,  physical and business addresses, etc.).The third role player in the process of protecting personal information is the Responsible Party and describes the public or private body (or any other person) which, alone or in conjunction with others, determines the purpose of and means for processing personal information. In this case I am the Responsible Party representing my Practice.

2. Right to Privacy.
A person’s Right to Privacy means to have control over his/her personal information and being able to conduct his/ her affairs relatively free from unwanted intrusions. Given the importance of privacy, as a Sole Practitioner and Registered Counselor in a Private Practice (www.japieberaad.co.za) I’m committed to effectively manage personal information in accordance with POPIA’s guidelines.

3. Information Officer.
POPIA requires that an Information Officer has to be appointed. I am the Information Officer and is registered with the Information Regulator (an Independent Body established by Government in terms of section 39 of the Protection of Personal Information act 4 of 2013). My responsibilities include:
• Dealing with requests made by the Information Regulator or Data Subjects.
• Work with the Information Regulator in relation to investigations.
• Develop, implement and monitor a compliance framework for the POPIA compliance within the PRACTICE .
• Develop internal measures and adequate systems to process requests for access to information.
• Alter, modify and replace agreements, documents and other documentation containing personal information to comply with POPIA requirements.
• Any other responsibilities as may be prescribed from time to time (by the Minister or the Information Regulator).

4. Collecting and processing of information.
Collection of information is essential to the administrative business of my PRACTICE. In collecting personal data it is my responsibility to utilize the information both effectively and ethically. A balance has always to be maintained between the Data Subject’s (Client ’s) right to privacy and the legitimate business requirements of the PRACTICE  (Responsible Party).

4.1. Personal information can be categorized as:
Personal information in general (General personal information relating to an identifiable living natural person or juristic person and can be information such as race, gender, sex, employment history, physical address, age, culture etc.)
Special personal information includes information such as religious beliefs, criminal behavior, trade union membership, mental health history, sex life etc.

5. Lawful processing of information.
5.1. Accountability.
Accountability stipulates that the responsible party has the responsibility of ensuring the other conditions are in place before data processing commences. The responsible party must ensure POPIA compliance both when deciding to process data as well as when the processing of the data is in progress.

5.1.1. Confidentiality and Privacy.
The purpose of counselling is explained to the Client  in the first session. Counselling involves a confidential process designed to help him/her to address their concerns, come to a greater understanding of themselves, and learn effective personal and interpersonal coping strategies. It includes a relationship between the Client  and a trained Counsellor who has the desire and willingness to help the Client  to accomplish his/her individual goals. The process therefore involves the disclosure of sensitive, personal, and private information by the Client  (Data Subject) to the Counsellor (Responsible Party).

The PRACTICE  meets the requirements of the PROTECTION OF PERSONAL INFORMATION ACT, 4 OF 2013 (POPIA) and all information required on the counselling form is necessary for administrative reasons as well as referrals to other health professionals. All interactions with the counselling services, including scheduling of/ or attendance of appointments, content of sessions, progress in counselling, and records, are strictly confidential and kept secure. The release of specific information has to be requested by the Client  in writing and will only be done with the written consent of the Client. Only when the Counsellor has sufficient evidence that the Client is a serious threat to him/herself or another person and/or is subpoenaed by law, he will disclose confidential information.

Information will be destroyed after a period of three years after the last counselling session. (https://www.psyssa.com/wp-content/uploads/2016/12/SOUTH-AFRICAN-PROFESSIONAL-CONDUCT-GUIDELINES-IN-PSYCHOLOGY-2007-PsySSA_updated_01-12-2016pdf.pdf) as stipulated by law.

5.2. Processing Limitation
This POPIA principle requires that personal information may only be processed in a fair and lawful manner. A well-designed explanatory counselling questionnaire is completed by the Data Subject before we embark on any form of counselling. The counselling approach is explained to the Client  and consent obtained before counselling may commence.

5.3. Purpose Specification.
Purpose Specification helps to determine the scope within which personal information may be processed by an organization. The purpose of counselling is to create a safe and confidential collaboration between qualified Counsellors and Clients to promote mental health and wellbeing, enhance self-understanding, and resolve identified concerns. Clients are active participants in the counselling process at every stage. When collecting information it should be relevant to the counselling procedure which includes: booking of an appointment, completion of a questionnaire requesting basic personal details such as presenting problem, bank details for payments, contact information, proof of Counsellor’s professional registration and professional codes for service provided.

5.4. Further Processing Limit should be relevant.
In POPIA terms this principle refers to when an organization has identified and obtained consent for specific, legitimate and explicitly defined purposes, the processing of such personal information may only occur insofar as it is necessary for the fulfillment of those purposes. In a counselling context more sessions will be needed to reach the desired goal of the counselling. This goal is determined in the first session. Information collected during counselling should be relevant to the desired goal.

In the Counselling Practice  information is obtained in two ways:
By the completion a counselling form or questionnaire. Only information relating to the counselling goal (presenting problem), admin requirements (financial details for payments and contact information) and a basic psychological history (for referral purposes) are required on this questionnaire. This information will obviously be utilized only with the consent of the Client.
Information is also obtained through talking to the Client (Data Subject) in counselling. Counselling is a narrative process. As part of the healing process, the Client  may disclose deep, intimate, extremely confidential information. Some of this information will probably be amplified in discussion in later sessions in order to address emotional/ spiritual/ psychological issues in the life of the Client. Relevancy to the counselling goal must still be maintained however. (I.e. if the presenting problem is anger issues it is is not relevant to ask questions regarding the sex life of the Client).
5.5. Information Quality.
It is the responsibility of organizations to ensure and maintain the quality of the personal information that they process. In counselling the Counsellor is often confronted with controversial information depending on the psychological approach utilized and mental state of the Client. The Counsellor should evaluate the authenticity of this information as the counselling process progresses.

5.6. Openness.
In terms of POPIA “Openness” is linked directly to an organization’s duty to process information in a fair and transparent manner. In the PRACTICE this principle is met in the counselling relationship the Counsellor establishes with the Client. Building rapport is a very significant skill required from a Counsellor and refers to a close and harmonious relationship in which the Counsellor and Client understand each other's feelings or ideas and communicate well.

5.7. Security Safeguards.
All personal information should be kept secure against the risk of loss, unauthorized access, interference, modification, destruction or disclosure. In my PRACTICE  numerous efforts are in place to protect the Private Information of the Client (Data Subject). As the Responsible Party I ensure that:
The office is fitted with a keypad and a pin is required for entrance.
The computer is password protected.
All hard copies of all personal information is locked in a cupboard in the office.
Records of personal information older than three (3) years after final session, are destroyed.
An armed response alarm system is activated after hours.   
5.8. Data Subject Participation.
POPIA requires that Data Subjects have access and/or request the correction or deletion of any personal information held about them that may be inaccurate, misleading or outdated. This does not occur very often in the PRACTICE  because the Clients provide the information by completing the counselling questionnaire themselves, but Clients still do have the right if they desire to do so.

6. Private Practice.
In my PRACTICE  I provide my counselling service to two types of Clients:
Clients who contact me as result of “word of mouth” of someone else, or in response to an advert on the Internet etc. We arrange an appointment and see each other virtually or in my office. In the first session the counselling form questionnaire, containing minimum, relevant and necessary information, is completed by the Client. The Policy of Privacy is explained in the questionnaire and by signing it the Client  provides his/her consent to progress with the counselling.
I also provide my counselling services to CAREWAYS, which is the Wellness initiative of Life EHS from the Life Healthcare Group. The Client or his/her Medical Aid is registered with Careways. Careways contacts me and I arrange an appointment with the Client. After each session the counselling notes are submitted on a portal which is password protected. Careways also provides a STATEMENT OF UNDERSTANDING for the Client to complete in the first session wherein he/she acknowledges the protection of personal information according to the Careways Privacy Policy. The Careways Privacy Policy is available on the Careways website and can be viewed at: https://employeehealthsolutions.co.za/wp-content/uploads/2018/02/TERMS-AND-CONDITIONS-OF-ACCESS-TO-AND-USE-OF-THE-WEBSITE.pdf.
7. Data Storage Location.
6.1. Afrihost: The PRACTICE  utilizes the service the Afrihost Data Provider. Afrihost adheres to the SA “Privacy Shield”, ensuring that our data is securely stored and General Data Protection Regulation (GDPR) compliant. https://www.afrihost.com/site/page/privacy_policy.
7. POPIA RIGHTS.
To be POPIA compliant is critically important in my Private Practice. It is therefore my aim to comply with the South African Protection of Personal Information Act 4 of 2013 Regulation. Protection of Personal Information Act 4 of 2013.