Privacy policy.

Effective Date: 19th October 2024

This privacy policy has been compiled according to the UK General Data Protection Regulations (UK GDPR, 2018) and the Data Protection Act (2018). The policy provides transparency to current and former clients about what personal information Katie Westbury, operating as Graceful Therapy, holds and how this information is stored, processed, and used. It also sets out how long personal data is retained, the rights clients have concerning their data, and under what circumstances data will be deleted or anonymised.

Katie Westbury, operating as Graceful Therapy, acts as the data controller of any personal data collected and processed. Processing includes the organisation, retrieval, consultation, use, and destruction of information, as well as its disclosure to third parties. The information you provide will primarily be processed in connection with the administration of my counselling and therapy services.

1. Lawful Basis for Processing Data

Data protection laws allow data to be processed for specific reasons. In this case, the reasons include:

• Legitimate Interests: I process your personal data to provide the best possible service by recording relevant health and personal information through my website or during counselling sessions.

• Contractual Obligations: I process your data to fulfil my contractual duties, such as confirming or rearranging appointments and delivering online counselling sessions.

• Consent: Some personal data may be processed based on your explicit consent, such as consent to record therapy sessions or share information with your GP.

• Legal Obligations: Certain personal data may be processed to comply with legal obligations, including those required by regulatory bodies.

2. Personal Data Collected

To ensure I can work safely and professionally with you, I may collect the following personal and special category data:

• Personal Data: Full name, home address, date of birth, phone number, email address, emergency contact name and phone number, GP name and contact details, payment information, occupation, and invoices.

• Special Categories Data: Relevant medical information, session notes, preferred gender pronouns, gender, ethnicity, sexuality, marital status (where relevant to therapy), and voice recordings (with explicit consent).

Special category data, such as health-related information, is collected to ensure appropriate care and to determine if any reasonable adjustments are required. This data will only be processed when necessary, either with your explicit consent, to provide mental health care, or in compliance with legal obligations.

3. How Data is Collected

Personal data is typically collected in the following ways:

• Through initial enquiries made via my website, email, or counselling directories such as the Counselling Directory, BACP, or Psychology Today.

• During the initial 15-minute consultation and during subsequent therapy sessions.

• Through referrals from your GP or other healthcare providers (with your permission).

4. How Your Data is Stored

Personal data is stored securely in the following ways:

• Clinic Management System: I use a GDPR-compliant software system called “Power Diary” to manage your personal data, session notes, appointment bookings, payments, invoicing, and communications.

• Encrypted Digital Storage: Notes are taken on a tablet and transferred to the clinic management system. Any voice recordings (with consent) are stored securely using encryption methods.

• Secure Platforms: Online sessions are conducted via secure platforms such as Google Meet, Zoom, or Power Diary’s telehealth portal, all of which are GDPR-compliant and use encryption.

5. Data Sharing

Your data will not be shared with any third parties without your explicit consent, except in the following circumstances:

• Referral to Healthcare Providers: If necessary, I may share relevant information with your GP or another healthcare professional, but only with your consent unless there's a legal requirement to do so.

• Legal Requirements: I may share data when required by law, such as for safeguarding, court orders, or in situations involving risk of harm, terrorism, or money laundering.

• Clinical Will: In the event of my incapacity or death, my clinical will executor will have access to your contact details to inform you of any relevant changes to your treatment.

Third-party services that process your data on my behalf include:

• Google and Squarespace: Contact form information will be shared and stored in my secure email account and website provider.

• Zoom, WhatsApp, FaceTime (telehealth services).

6. Client Rights

Under UK GDPR, you have several rights regarding your personal data:

• The Right to be Informed: You have the right to be informed about the data I collect and how it is used.

• The Right of Access: You can request access to the data I hold on you by making a formal data access request.

• The Right to Rectification: You can request that your records be corrected if they are inaccurate or incomplete (e.g., change of name or address).

• The Right to Erasure: You can request that your data be deleted or removed if there is no compelling reason for its continued processing, subject to legal or regulatory obligations.

• The Right to Restrict Processing: You have the right to prevent or limit the processing of your personal data.

• The Right to Data Portability: You can request your data in a portable format to transfer to another service provider.

• The Right to Object: You have the right to object to your data being processed for specific purposes, such as direct marketing.

• The Right Not to Be Subject to Automated Decision-Making or Profiling: I do not use any automated decision-making or profiling processes in my services.

If you wish to exercise any of these rights, please contact me at katie@gracefultherapy.co.uk. Requests will be handled within one month. If I am unable to comply with a request, I will provide a clear explanation for my decision.

For more information on your rights, visit the Information Commissioner’s Office (ICO) website.

7. Data Retention

I will retain your personal data for as long as necessary to fulfil the purposes for which it was collected. After your final session, I will retain your data for six years, as required by legal and regulatory obligations. After this period, data will be securely deleted or anonymised.

Certain data, such as emergency contact information and GP details, will be deleted immediately following the end of therapy unless it is necessary to retain it for legal reasons. Special category data will be retained only as long as necessary and may be anonymised for research or statistical purposes.

8. Right to Erasure

You have the right to request that your personal data be erased, subject to certain legal obligations. Where data is required to be retained for legal, regulatory, or professional reasons (such as counselling records for six years), I may not be able to comply with the request immediately. I will inform you of any decisions and the reasons for data retention.

9. Security Measures

I take the security of your data seriously and have implemented measures to ensure your data is protected, including password protection, two-factor authentication, and encrypted storage for digital records. In the event of a data breach, I will notify the ICO and affected clients within 72 hours.

10. Data Transfers

I do not transfer personal data outside the UK unless there are adequate safeguards in place that comply with UK GDPR standards, such as through GDPR-compliant service providers.

11. Complaints

If you have concerns about how your data is being processed or wish to make a complaint, please contact me at christine@thelosstherapist.co.uk. If you are not satisfied with my response, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO) by visiting their website or calling 0303 123 1113.

-

This privacy policy is subject to regular review and will be updated as necessary. You will be informed of any changes that may affect you.