1. Introduction

2. Who We Are

3. What Data We Collect

A. Information You Provide to Us:

• Full name, date of birth, age
• Contact details (address, email address, phone number)
• Emergency contact information
• GP details and other healthcare professionals involved in your care

• Medical history and current health conditions
• Mental health history
• Current medications
• Previous counselling or therapy experience
• Information about your reasons for seeking therapy
• Session notes and therapeutic records
• Assessment information
• Goals and progress in therapy

• Payment details for session fees
• Billing information
• Insurance information (if applicable)

• Emails, text messages, and other correspondence
• Phone call records
• Contact form submissions
• Appointment booking information

B. Information We Collect Automatically:

• IP address and browser type
• Device information and operating system
• Pages visited on our website
• Date and time of visits
• Referring website
• Cookies and similar technologies (see our Cookie Policy)

4. How We Use Your Data

Primary Purposes:

• Providing Therapeutic Services: To deliver counselling, psychotherapy, and clinical supervision services
• Appointment Management: To schedule, confirm, and manage appointments
• Client Care: To maintain therapeutic records and track progress
• Communication: To respond to inquiries and communicate about services
• Billing and Payments: To process payments and maintain financial records
• Clinical Supervision: To receive professional supervision (as required by BACP)
• Safeguarding: To fulfill safeguarding obligations for children and vulnerable adults

Legal Basis for Processing:

1. Consent: Where you have given explicit consent (particularly for sensitive health data)
2. Contract: Performance of our contract to provide therapeutic services
3. Legal Obligation: Compliance with legal requirements (safeguarding, court orders, etc.)
4. Vital Interests: To protect your vital interests or those of another person
5. Legitimate Interests: For legitimate practice management purposes

Special Category Data:

• Health and mental health information
• Information about ethnicity, religion, sexual orientation (where relevant to therapy)
• Information about criminal convictions (where relevant, e.g., safeguarding)

5. Data Sharing and Disclosure

A. Routine Sharing:

• Clinical Supervision: Anonymous or pseudonymized case discussions with my professional supervisor (as required by BACP accreditation)
• Healthcare Professionals: With your GP or other healthcare providers (with your explicit consent)
• Service Providers: Trusted third parties who assist in our operations (IT services, payment processors, email services)

B. Legal Obligations – Confidentiality Exceptions:

1. Safeguarding: There is a risk of serious harm to you or others
2. Legal Requirements: Required by law, court order, or regulatory body
3. Terrorism: Prevention of terrorism (under Counter-Terrorism legislation)
4. Drug Trafficking: Prevention of drug trafficking offenses
5. BACP Requirements: To comply with BACP Ethical Framework requirements

C. With Your Consent:

• Insurance companies (if claiming through insurance)
• Other therapists or specialists involved in your care
• Family members or support persons (where appropriate)

6. Data Retention

Therapeutic Records:

• Adults: 7 years after the last session (BACP recommendation)
• Children and Young People: Until age 25, or 8 years after last session, whichever is longer
• Clinical Supervision Records: 7 years

Financial Records:

• Payment Records: 7 years (for tax and accounting purposes)
• Invoices: 7 years

Website and Inquiry Data:

• Inquiries (no service): 2 years from initial contact
• Cookies: As per our Cookie Policy

Secure Destruction:

• Shredding paper records
• Secure digital deletion
• Ensuring data cannot be reconstructed

7. Your Rights

Your Data Protection Rights:

1. Right to Access: Request copies of your personal data and therapeutic records
2. Right to Rectification: Request correction of inaccurate or incomplete data
3. Right to Erasure (“Right to be Forgotten”): Request deletion of your data (subject to legal retention requirements)
4. Right to Restrict Processing: Request limitation of how we use your data
5. Right to Data Portability: Request transfer of your data to another provider (where technically feasible)
6. Right to Object: Object to processing of your data
7. Rights Related to Automated Decision-Making: Not applicable to our practice (we don’t use automated decision-making)

How to Exercise Your Rights:

Special Considerations for Therapeutic Records:

• You have the right to access your therapy records
• In rare circumstances, access may be limited if it could cause serious harm to your physical or mental health
• We may need to verify your identity before releasing information
• Third-party information may be redacted to protect others’ privacy

8. International Data Transfers

Where We Store Your Data:

• Primary Storage: UK-based systems and physical records at our practice
• Email: May use email services that process data outside the UK
• Online Counselling Platforms: May use platforms with international servers

Safeguards:

• Adequacy decisions by the UK government
• Standard contractual clauses
• Privacy Shield frameworks (where applicable)
• Explicit consent for specific transfers

9. Data Security

Physical Security:

• Practice Location: Private, dedicated therapy room at home address
• Secure Storage: Locked filing cabinets for paper records
• Controlled Access: Practice room is secure and confidential
• Parking: Private drive and roadside parking available

Digital Security:

• Password Protection: All electronic devices and files are password-protected
• Encryption: Sensitive data is encrypted
• Secure Email: Encrypted email for sensitive communications
• Antivirus Software: Up-to-date security software
• Regular Backups: Secure backup systems
• Secure Internet: Password-protected Wi-Fi

Organizational Measures:

• Confidentiality Agreement: Bound by BACP Ethical Framework
• Training: Regular data protection and confidentiality training
• Professional Indemnity Insurance: Fully insured
• Professional Supervision: Regular supervision to ensure best practice
• Enhanced DBS: Current enhanced DBS clearance

Breach Procedures:

• Immediate containment and assessment
• Notification to ICO within 72 hours (if required)
• Notification to affected individuals (if high risk)
• Documentation and review to prevent recurrence

10. Cookies and Website Technologies

Types of Cookies We Use:

• Essential for website functionality
• Cannot be disabled
• No personal data stored

• Help us understand website usage
• Anonymous data collection
• Improve website performance

• Remember your settings and preferences
• Enhance user experience

• Not currently used on our website

Managing Cookies:

• Browser settings
• Cookie consent banner on our website
• Deleting cookies manually

11. Online Counselling and Teletherapy

Additional Data Collected:

• Video/audio call recordings (only with explicit consent)
• Platform usage data
• Connection quality information
• Chat transcripts (if applicable)

Platforms Used:

• Secure video conferencing platforms
• Telephone services
• Email and text messaging

Security Considerations:

• We use encrypted platforms where possible
• You are responsible for your own internet security
• We recommend using private, secure connections
• Sessions are conducted from a private space

12. Children and Young People

Parental Consent:

• For clients under 16, parental consent may be required
• We assess Gillick competence for young people
• Confidentiality is maintained appropriate to age and understanding

Safeguarding:

• Enhanced DBS clearance held
• Safeguarding policies in place
• Mandatory reporting obligations
• Child protection procedures followed

Data Retention for Minors:

13. Clinical Supervision

What This Means:

• I receive regular professional supervision
• Case discussions are confidential and anonymized
• Supervisor is also bound by confidentiality
• This is for quality assurance and ethical practice

Data Shared in Supervision:

• Anonymized client information
• Therapeutic approaches and challenges
• Professional development needs
• Ethical considerations

14. Complaints and Concerns

Informal Resolution:

• Discuss concerns directly with Lisa Wakefield
• Email: annelisa@hotmail.co.uk
• Phone: 07974 834 732

Formal Complaints:

• Written complaint to practice address
• Investigation within 28 days
• Written response with outcome
• Opportunity for discussion

BACP Complaints:

• BACP Professional Conduct Department
• For ethical complaints about practice

DATA PROTECTION COMPLAINTS PROCESS

15. How to Make a Data Protection Complaint

Contact Us:

What to Include in Your Complaint:

• Your full name and contact details
• Client reference number (if applicable)
• Clear details of your data protection concern
• What has happened and when
• The effect it has had on you
• Copies of relevant documents or correspondence
• What outcome you are seeking

Our Complaints Handling Process:

• Confirm we have received your complaint
• Provide a reference number
• Explain who will handle your complaint
• Give you an expected timeframe for a full response

• Investigate your complaint thoroughly
• Review our data protection practices
• Take appropriate steps to address your concerns
• Keep you informed of progress
• Deal with your complaint without undue delay

• A full written response to your complaint
• Explanation of our findings
• Any actions we have taken or will take
• Timeline for implementation where applicable
• Information about further steps if you remain dissatisfied

• Keep you updated on progress
• Explain any delays
• Provide a new timeframe for response

Timeline:

• Acknowledgment: Within 30 days of receipt
• Full Response: Within one calendar month (or we will inform you of expected timeframe)
• Complex Cases: We will keep you informed of progress

If You’re Not Satisfied:

• Please give us the opportunity to resolve your complaint first
• Wait for our response (up to one month)
• If you’ve received our response but remain unsatisfied, you can then escalate to the ICO
• Provide the ICO with copies of your complaint and our response

Complaints Log:

• The nature of the complaint
• Actions taken
• Outcomes and resolutions
• Timeline of handling

16. Changes to This Privacy Policy

How We’ll Notify You:

• Post changes on this page with updated date
• Significant changes will be communicated directly
• Updated policy will be accessible from website footer
• Continued use of services constitutes acceptance

Review Schedule:

• Annually (every 12 months)
• When legislation changes
• When our services change
• Following any data breaches or incidents

17. Contact Us

18. Key Definitions

19. Your Responsibilities

• Provide accurate and up-to-date information
• Inform us of any changes to your contact details
• Use secure communication methods
• Respect appointment cancellation policies
• Pay fees as agreed
• Use online platforms responsibly

20. Additional Information for Specific Services

Employee Assistance Programme (EAP):

• Data may be shared with referring organizations (anonymized)
• Aggregate reporting only (no individual identification)
• Separate consent required for organizational reporting

Corporate Counselling:

• Billing information shared with employing organization
• Session content remains confidential
• Aggregate usage reports only

Clinical Supervision Services:

• Supervisee records maintained separately
• Professional development documentation
• Shared with relevant professional bodies (with consent)