Data Protection Policy

Data protection Policy

I am on the Information Commissioner’s Office’s register, Reference Number: ZA442152. The ICO has been set up to uphold information rights.

The information I hold:

  • clients will send me an email with whatever they choose to share. This I have no control over. This will be kept in my email folder. 
  • At a later date I will ask for address, dob, next of kin, phone details – all of this is held by me in my email folder and will only be used in the case of emergency. It is passed to no third parties.
  • If clients have ticked, or signed up to receive a newsletter, these details (name and email address) will be held by MailChimp, and will only be used by me to pass on newsletters, as clients will be informed of.
  • I also share a number of policies with clients, about social media, and safeguarding their relationship with me etc. (all this can be seen on website) and then ask them to read a contract which can be viewed also on my website. When they agree to this contact the web app generates an email which is sent to my email inbox which informs me of the clients name, when they have done this, their IP address and that they have agreed to the contract. This is stored only in my email.
  • I hold anonymised notes on BACPAC. I do not keep dates of births, just clients initials and very brief notes of themes of the sessions. This is a very secure website, however, for my piece of mind I have not kept any sensitive information on here, which could connect the notes with an identifiable person.


  • Email: I have informed clients of this in my social media policy. If you choose to e-mail me anything relating to you and your therapy sessions, that email (in general) is not completely secure or confidential. If you choose to communicate with me by email, be aware that all emails are retained in the logs of your and my Internet service providers. While it is unlikely that someone will be looking at these logs, they are, in theory, available to be read by the system administrator(s) of the Internet service provider.There is no other way I could carry out my business without the information being passed to me this way. No alternative, however consent is given.
  • My notes are held by a secure service, it is kept separately from any identifying information i.e. from information in my email. BACPAP is the most secure note service available. I have informed clients I keep notes here, and in the contract clients agree to on beginning work with me, and by whom they are held.

Lawful basis for processing personal data

Clients have given clear consent for me to hold their personal data for a specific purpose. I have been clear about why I collect, and when I would use this information. As a psychotherapist I need to create a contract for the therapeutic relationship, and hold minimal information about them (simply that they have agreed, date, IP address). I potentially have a legal or moral obligation, to protect a client or others if I thought someone to be at risk of serious harm so hold basic information in order to identify my client. I may need to protect someone’s vital interests, for example if the client wanted to take their own life, having basic information would enable me to be able to identify the client to emergency services if necessary.


At every point in my process of collecting information I inform my client why I am collecting and how it will be stored. I inform my client how I store information about the contract, as well as informing how notes are stored and by whom. Clients can choose to give consent to this way of storage at any point, and at the point of collection. Clients have to actively tick boxes to give consent. If they do not give consent I cannot receive information and clients can discuss in person with me. Clients can inform if they want me to remove this information.

Right of Access

If a client asks to have access to any of the information I hold I will comply with any data protection and BACP guidelines. If clients request deletion or changes, again I will comply with all guidelines. No automatic profiling takes place.


This policy will be made available on my website and shared explicitly with clients post- initial session.

Breach Notification

If data protection is breached I will contact the ICO, or keep records about the breach.