I currently collect and process the following information:

·        Personal identifiers, contacts and characteristics (for example, full names, residential addresses, date of birth, gender, telephone numbers, email addresses, insurance company or bank account details, details of key contacts such as general practitioners/next of kin, schools, or employers, among other information).

·        Special category or sensitive data (for example, race, ethnic origin, religion, gender identity, sexual orientation, physical and mental health information, medical history, criminal convictions or offences, among other information).

·        Other kinds of data (for example, measure or questionnaire data, among other information).

Personal and sensitive information is collected from our first point of contact (referral letters, telephone calls, e-mails, etc.) and during our subsequent contacts (consent and information sharing forms, risk assessment forms, questionnaires, emails, and conversations in person or on the telephone). Relevant information from other agencies that are working with you may also be kept (shared with your knowledge).

​Most of the personal information I process is provided to me directly by you for one of the following reasons:

·        To facilitate contact with you.

·        In order to provide you with therapeutic support. This involves keeping case notes on assessment and process paperwork. This is important for me to work effectively (e.g. clinical reflection, taking to clinical supervision, plan sessions etc.)

 I may also receive personal information indirectly, from the following sources: Information provided by your healthcare providers (e.g. General Practitioner, health professional, insurance company) with your prior knowledge or at your request.

 I may share this information with other organisations (such as your General Practitioner) with your prior knowledge, at your request, or if any of the exceptions to confidentiality above are met. My professional registration requires me to access clinical supervision monthly and any discussions around clinical material will be done with use of initials to protect confidentiality. I may also share personal contact information with agencies or organisations as required to recoup financial loss (for example, where sessions are unpaid). Your details may also be shared with a trusted person in case of illness or emergency where I am unable to contact you myself.

Under the General Data Protection Regulation (GDPR), the lawful bases I rely on for processing this information are:

·        I have a contractual obligation to provide you with a service (for example, storing personal information to contact you, sharing your initials during case discussion in supervision).

·        I have a legal obligation (for example, passing your information to a third party for accounting within the UK).

·        I have what is known as a legitimate interest for keeping data and I am registered with the Information Commissioners Office (ICO) to do so.

I store your information in the following places:

- Written notes in session

- in my online clinic management software: WriteUpp (writeupp.com)
in my online accounting software (Quickbooks)
- In my email systems (outlook)

- Information from contact forms completed is stored within my website editing platform (Squarespace)

I have the following systems in place to protect your data:

- written notes are destroyed (shredded) immediately following the session once a clinical note has been added to WriteUpp.

- WriteUpp data is encrypted. This means that no one can read data being sent to, or coming from, my WriteUpp account. My account is locked with a strong password and two-step verification.

- My mobile phone is encrypted and must be opened with a password.
- My email, website, and accounting systems are secured with a password.
- Access to the analytics on my website are secured with a strong password.

Your data is stored for the following timeframe:

All data is deleted after the ‘retention period’. This is as follows:

- For therapy clients aged 18 and over, the retention period is 7 years after the work has ended.
- For therapy clients aged under 18 after the work has ended, the retention period is 7 years after the client’s 18th birthday.
- For people enquiring about therapy (who do not become clients) the data retention period is 1 year.