Data Protection Policy

Introduction

This policy explains, in clear and straightforward terms, how personal data is protected within this counselling practice.

I work in line with UK data protection law, including the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, alongside professional ethical guidance, to ensure your information is handled safely, lawfully, and responsibly.

I am the data controller for this practice.

What Data Is Held

I may hold the following types of personal data:

• Contact details
• Appointment records
• Clinical notes relating to counselling sessions
• Payment records

Clinical notes are treated as confidential and sensitive at all times.

Why Data Is Held

Your data is held only where necessary and for legitimate purposes, including:

• To provide counselling safely and ethically
• To manage appointments and communication
• To meet professional, legal, and insurance requirements

The lawful basis for holding this data is typically contractual obligation, legitimate interest, and, where applicable, legal obligation.

How Your Data Is Kept Safe

Appropriate steps are taken to protect your information, including:

• Secure, password-protected electronic systems
• Locked storage for any paper records
• Restricted access (only the practitioner has access)

Your information is not shared unless there is a clear legal or safeguarding reason to do so.

How Long Records Are Kept

Client records are retained in line with professional guidance:

• Typically 6–7 years after therapy ends for adult clients

After this period, records are securely and confidentially destroyed.

Sharing Information

Information will only be shared without your consent where necessary, including:

• If there is a serious risk of harm to you or another person
• Where safeguarding concerns arise
• If disclosure is required by law or court order

Where possible and appropriate, this will be discussed with you beforehand.

Your Rights

Under UK data protection law, you have the right to:

• Request access to your personal data
• Request correction of inaccurate or incomplete information
• Request erasure of your data where appropriate
• Restrict or object to how your data is processed
• Raise concerns about how your data is handled

Requests will be responded to within appropriate legal timeframes.

You also have the right to contact the Information Commissioner’s Office (ICO) if you have concerns.

Data Breaches

In the unlikely event of a data breach, appropriate action will be taken in line with legal requirements, including notification where necessary.

Review of This Policy

This Data Protection Policy is reviewed regularly to ensure it remains clear, ethical, and up to date.

 Last reviewed: March 2026