Privacy & policies
Confidentiality is the foundation of therapeutic work. Taking it seriously — alongside data protection, safeguarding, and being openly accountable for how I practise — is part of taking the work seriously. This page sets out, in plain English, how I do that.
If you'd like to read any of the underlying policies in full, they're listed at the end of this page and available on request.
How I handle your information
When you contact me about therapy for a young person, I collect only the information I need to provide a safe, professional service:
- Identifying information — name, date of birth, home address, email, phone, GP details, emergency contact.
- Referral and intake — how you found me, the issues bringing you in touch, any agencies already involved.
- Clinical records — session notes, agreed therapeutic goals, risk assessments, attendance.
- Consent records — signed therapy contract, data protection consent, Gillick competence assessment where applicable, parental consent form where applicable.
- Financial records — invoices and payment receipts, held separately from clinical records.
I process this information under UK GDPR using two lawful bases: performance of a contract (Article 6(1)(b)) for personal details, and explicit consent (Article 9(2)(a)) for sensitive health data. After therapy ends, records are retained on the basis of establishment of legal claims (Article 9(2)(f)) — this protects both you and me during the period in which a complaint or claim could be made.
Where your information lives
Clinical records use a Client Alias rather than your real name. A separate, encrypted document maps each alias to the client's real identity, stored in a different location from the clinical records. This means that even if one part of the system were compromised, your identity could not be determined from clinical notes alone. All electronic records are encrypted, behind two-factor authentication, and held only on devices and accounts I control. Any paper records are kept in a locked cabinet.
How long I keep records
- Clinical records for adult clients: 7 years after the final session.
- Clinical records for clients who were under 18 during therapy: until the client's 25th birthday, or 7 years after the final session — whichever is later. This reflects the extended limitation period that applies to claims made by minors.
- Initial enquiries that didn't proceed to therapy: 3 years.
- Financial records: 6 years, per HMRC requirements.
After the relevant retention period, records are securely and permanently destroyed. I keep a brief log of what was destroyed and when, using the Client Alias only.
Your rights under UK GDPR
You have the right to:
- Access the information I hold about you (a Subject Access Request — I'll respond within one calendar month).
- Rectify any factual inaccuracies (e.g. a wrong date of birth or contact detail). Clinical notes and professional opinions are not subject to rectification, but you can ask for a note of disagreement to be added to the record.
- Erase your records — though this right is limited where I'm required to retain them for legal claims or compliance.
- Restrict processing while a concern is being investigated.
- Withdraw consent at any time (this doesn't affect the lawfulness of processing before the withdrawal).
- Complain to the Information Commissioner's Office. Contact details are at the bottom of this page.
To exercise any of these rights, please email me directly.
Confidentiality and its limits
What's said in our sessions stays between us, with three carefully defined exceptions.
I discuss anonymised case material with my professional supervisor — your real name is never used. I have a Clinical Executor named in case of my sudden incapacity, who can access your contact details only (not your session notes), and only where you've consented to that arrangement at the start of therapy. The Executor's role is to notify you and help you find alternative support.
Beyond that closed circle, confidentiality may be limited only in the following circumstances:
- A real and credible risk of imminent serious harm — to you, to a young person in your care, or to another person. Where there is a safeguarding concern, the safety of the child takes precedence over confidentiality.
- Two specific statutory disclosures: terrorism offences (Terrorism Act 2000) and Female Genital Mutilation involving someone under 18 (Serious Crime Act 2015, s.74). These are mandatory by law and cannot be discussed in advance.
- A formal court order.
Other than the two statutory situations above, I will ordinarily talk with you before any disclosure is made — unless doing so would increase the risk of harm or compromise an investigation.
Safeguarding
Working with children and young people, my first duty is to their safety. If a concern arises during or after a session, I follow a clear process: assess whether the risk is real and imminent, consider the young person's understanding (Gillick competence) where relevant, consult my supervisor, and where necessary make a referral to the appropriate service — typically the local Multi-Agency Safeguarding Hub (MASH), the Local Authority Designated Officer (LADO), or the police if there is immediate risk.
My full Safeguarding Children and Young People Policy is available on request.
Professional standards
I'm a registered member of the British Association for Counselling and Psychotherapy (BACP) and work to the BACP Ethical Framework. I hold professional indemnity insurance through Balens, meet regularly with a qualified clinical supervisor, and undertake regular safeguarding training, including Safeguarding Children Level 3 (Designated Officer), valid to February 2028. I also hold an Enhanced DBS certificate (Child Workforce). The practice is registered with the Information Commissioner's Office.
| BACP membership | MBACP No. 00971089 |
| BACP framework | BACP Ethical Framework for the Counselling Professions (2018) |
| ICO registration | ZC121926 |
| Professional indemnity | Balens |
| Practice type | Sole-practitioner private practice |
Raising a concern
You should never feel that raising a concern will damage our therapeutic relationship or affect the quality of care.
If something doesn't feel right, I'd encourage you to talk to me directly first — most concerns can be resolved through open conversation. If you'd prefer to put it in writing, email me and I'll acknowledge within five working days and respond fully within fourteen calendar days.
If, after that, you remain dissatisfied — or if you'd rather raise the concern externally from the start — you have the right to:
- Contact the British Association for Counselling and Psychotherapy about my professional conduct as a therapist: bacp.co.uk · 01455 883300
- Contact the Information Commissioner's Office about how I've handled your personal information: ico.org.uk · 0303 123 1113
Documents available on request
The summary above is drawn from the formal policies that govern how I run the practice. If you'd like to read any of them in full, please ask:
- Privacy Notice (UK GDPR Article 13)
- Young Person's Privacy Notice (an age-appropriate version of the above for clients under 18)
- Confidentiality and Data Protection Policy
- Data Retention Policy
- Safeguarding Children and Young People Policy
- Information Sharing Agreement
- Complaints Procedure
- Therapeutic Agreement and Parental Consent Form
These will also be provided to you when therapy begins, as part of the contracting process.
This page is a plain-English summary of how I handle confidentiality, data protection, safeguarding, and complaints. It is not a substitute for the formal policies, which take precedence in the event of any inconsistency.