Privacy Policy

This policy describes how and why I collect, use, store, and share your personal information, from before our counselling has begun through to after it has ended. Please read it carefully to understand how your privacy is protected and make an informed decision about counselling.

Who collects your data

1.      Data Controller

The term ‘data controller’ is used by the Information Commissioner’s Office (ICO) to describe the person or organisation responsible for collecting, storing and managing personal data. As the data controller, I make sure that your personal information is collected, processed and stored in a fair and secure manner.

2.    Data Processor

A ‘data processor’ is any person or organisation, other than the data controller and their employees, that processes data on behalf of the data controller. This may include third-party companies that store or collect data, such as cloud storage providers, email services, and booking systems. These processors help manage client information and helps services to be delivered efficiently. I only use data processors that meet high security and confidentiality requirements and comply with all relevant data protection laws and regulations. They only process data as directed and have no right to use or share your information.

What data is collected

1.      Personal Data

Under the General Data Protection Regulation (GDPR), ‘personal data’ refers to any information that directly or indirectly identifies a person. I therefore collect the following types of personal data:

  • Full Name 

  • Address

  • Phone Number

  • Email Address

  • Date of Birth

  • Bank Details

2.      Special Category Data

As a counsellor, I may collect and store ‘special category data’ or sensitive information, including session notes, medical details, and any other personal information you disclose during our sessions. The data I collect can include, but is not limited to:

  • Ethnicity

  • Gender

  • Medical Information

  • Political Views

  • Race

  • Religion or Beliefs

  • Sex Life 

  • Sexual Orientation

  • Trade Union Membership

Why your data is collected

1.      Personal Data

The General Data Protection Regulation (GDPR) requires a lawful basis, or reason, to collect and process personal data. This lawful basis can change depending on the stage at which your data is processed.

Counselling services are typically provided based on a contract with the client, or in the case of children, with a parent or guardian who holds parental responsibility. To provide my services, it is necessary to collect and store basic information such as your name and email address. If you are currently considering or having counselling, the lawful basis for processing your data is therefore ‘necessary for the performance of a contract’.

After counselling has ended, I will use ‘legitimate interest’ as my lawful basis for holding and using your personal information. This allows me to keep information for the purposes of managing my practice, maintaining accurate records, and complying with my legal and professional obligations, including insurance requirements.

2.    Special Category Data

Under the GDPR, this type of data requires a higher level of protection and an additional lawful basis for processing. As such, the lawful basis for processing this type of data is that it is ‘necessary for the provision of health or social care or treatment’, which in this case includes counselling services.

How your data is collected

Most of the personal information I process is provided directly by you. However, I may also receive information from third parties, such as other support or health providers. If you are not the source of the information, I will check that I have your consent to receive and process it.

As your counsellor, it is likely that I will collect special category data, including sensitive information, as part of my assessment and session notes based on what you disclose during our sessions.

Your data is collected through:

  • Forms or questionnaires completed at the beginning of our counselling relationship.

  • Direct communication, such as phone calls, emails, or face-to-face meetings.

How your data is stored

Where your data is stored

I take data security seriously and implement the following measures to make sure it is kept secure. All physical data is anonymised and stored securely in a locked filing cabinet. To protect client confidentiality, session notes are kept separate from the client’s name and contact details to minimise the risk of identification. Only the counsellor and their supervisor have access to the coding system used to store and organise client records. All electronic records are encrypted and stored securely on a password protected device, with access granted only to the counsellor and their supervisor in case of an emergency. For security reasons, I do not retain text messages or email correspondence for more than a month.

How long your data stored

As required by my insurance policy, client records are retained for seven years after the end of counselling. After this period, all records are securely destroyed unless they are required by a court order.

How is your data destroyed

Client records are destroyed on the 1st of each month. Physical records are securely shredded, and electronic records are permanently deleted. If you wish for your data to be deleted sooner, please let me know.

How data breaches are managed

A data breach is any incident that affects the confidentiality, integrity, or availability of personal data. This can include data being lost, destroyed, accessed without permission. As the data controller, I am responsible for maintaining a data breach log and following strict protocols in the event of a breach. Any breach, however minor, will be recorded in the data breach log and any breach that poses a significant risk will be reported to both you and the ICO. Minor breaches will not be reported when the risks to the client have been addressed appropriately.

How your data is used

Before Counselling

When you are considering counselling, I will collect information to assess your needs and determine whether we can work together. If you decide not to proceed with counselling, I will delete your personal data after one year. If you would your personal information to be deleted sooner, please let me know.

During Counselling

I keep a record of your personal details to help the counselling services run smoothly as required by my insurance provider. I may also make brief notes relating to our sessions, which you are welcome to see at any time. These are intended to support my work with you and will not be shared unless legally required (e.g. by a court order).

After Counselling

Once counselling has ended, as required by my insurance provider, your records will be kept for seven years from the end of our contact, after which they will be destroyed. If you would like your personal information to be deleted sooner, let me know.

How your data is shared

Sharing Your Data

Your data will not be shared with third parties unless:

  • You give explicit consent.

  • I am required by law (e.g., safeguarding or court orders).

  • I am required by my ethical body membership.

  • It’s necessary for providing the service.

Third Party Recipients

I may share personal data with third-party companies that store or collect data, such as cloud storage providers, email services, and booking systems. I only use data processors that meet high security and confidentiality requirements and comply with all relevant data protection laws and regulations. They only process data as directed and have no right to use or share your information other than for the specified purpose. Examples of third parties I work with include:

  • Acuity Scheduling (Squarespace): Used for appointment scheduling and collecting intake information (e.g., name, address, email, phone number).

  • ICO and HMRC: For compliance with legal and regulatory obligations.

  • Zoom Workplace: Used for online sessions.

  • BACP: For professional enquires and ethical standards.

  • Google Workspace: Used for email communication and administrative purposes.

Website Visitors

When someone visits my website, I use a third party service, Squarespace, to collect standard details of visitor behaviour patterns. I do this to find out things such as number of visitors to the various parts of the site. This information is only processed in a way that does not identify anyone. I do not make, and do not allow Squarespace to make any attempt to find out the identities of those visiting my website. I use legitimate interests as my lawful basis for holding and using your personal information in this way when you visit my website. If you fill in a form on my website, that data will be temporarily stored on the web host before being forwarded to my practice.

Your Rights

Right of Access

You have the right to access or request copies of any personal information I hold about you. If you make a request, I will respond within one month.

Right to Rectification

You have the right to correct any mistakes in the personal information I hold about you and ask that any missing information be provided.

Right to Erasure

You have the right to ask for the deletion of your personal information.

Right to Restriction of Processing

You have the right to ask for a restriction on the processing of your personal information, such as limiting who we share your data with.

Right to Object to Processing

You have the right to object to the processing of your personal information.

Right to Data Portability

You have the right to ask that your personal information be transferred to another organisation.

Complaints

If you have any concerns about how I handle your personal data, please feel free to contact me. If you wish to make a formal complaint about how your personal information has been processed, you can contact the ICO, the statutory body responsible for overseeing data protection law in the UK.