Privacy Notice for Therapy Clients (May 2018)

You may be aware of new laws relating to General Data Protection Regulation (GDPR) that are in effect from 25 May 2018.  The purpose of GDPR is to provide a set of standardised data protection laws across all EU member countries.   This document sets out how Dr Reetta Newell, Clinical Psychologist, and the data controller, complies with these laws.

My Information Commissioner’s Office (ICO) registration number is: ZA223851

What personal data I process

I collect and process the following personal data from therapy clients:

  • Personal data: basic contact information: name, address, email, contact number, and GP contact details.
  • Sensitive personal data: Signed ‘Information and Therapy contract’, therapy records (therapist notes, letters, reports and/or outcome measures).
  • If you complete a web-based enquiry form, I will also collect any information you provide to me as well as your internet protocol (IP) address. This is automatically supplied by the website software used to offer the form.

If you are referred by your health insurance provider, then I also collect and process personal data provided by that organisation. This includes basic contact information, referral information, and health insurance policy number and authorisation for psychological treatment.

The lawful basis for processing personal data

I have a legitimate interest in using the personal data and sensitive personal data I collect for the purpose of providing health treatment. It is necessary for me to collect this data to be able to provide psychological therapy to clients.

I may also ask for information on how you found my service for the purpose of my own marketing research.  No information you provide is passed on without your consent.  I will never sell your information to others.

What I do with your personal information

I take your privacy seriously. I will only use your personal information to provide the services you have requested from me.

If you do not provide the personal information requested, then I may be unable to provide a therapy service to you.

How long I store personal information

I will only store your personal information for as long as it is required.  Basic contact information held on my mobile phone is deleted within three months of the end of therapy.

The sensitive personal data defined above is stored for a period of seven years after the end of therapy. After this time, this data is securely destroyed at the end of each calendar year. For clients under the age of 18, this data will be stored until the client’s 25th birthday.

How your personal information is used

I use the information I collect to:

  • Provide my services to you.
  • Process payment for such services.

Who I might share personal information with

I hold information about each of my clients and the therapy they receive in confidence. This means that I will not normally share your personal information with anyone else. However, there are exceptions to this when there may be need for liaison with other parties:

  • If you are referred by your health insurance provider, or otherwise claiming through a health insurance policy to fund therapy, then I will share appointment schedules with that organisation for the purposes of billing. I may also share information with that organisation to provide treatment updates.
  • In cases where treatment has been instructed by a solicitor, relevant clinical information from therapy records will be shared with legal services as required and with your written consent.

In exceptional circumstances, I might need to share personal information with relevant authorities:

  • When there is need-to-know information for another health provider, such as your GP.
  • When disclosure is in the public interest, to prevent a miscarriage of justice or where there is a legal duty, for example a Court Order.
  • When the information concerns risk of harm to the client, or risk of harm to another adult or a child. I will discuss such a proposed disclosure with you unless I believe that to do so could increase the level of risk to you or to someone else.

What I will NOT do with your personal information

I will not share your personal information with third-parties for marketing purposes.

How I ensure the security of personal information

Personal information is minimised in phone and email communication. Sensitive personal data will be sent to clients in an email attachment that is password protected. Email applications use private (SSL) settings, which encrypts email traffic so that it cannot be read at any point between our computing devices and our mail server. I will never use open or unsecure Wi-Fi networks to send any personal data.

Personal information is also stored on an office computer. This is password protected. Malware and antivirus protection is installed on all computing devices.  Mobile devices are protected with a passcode, mobile security and antivirus software.

Your right to access the personal information I hold about you

  • You have a right to access the information I hold about you.
  • I will usually share this with you within 30 days of receiving a request.
  • There may be an admin fee for supplying the information to you.
  • I may request further evidence from you to check your identity.
  • A copy of your personal information will usually be sent to you in a permanent form (that is, a printed copy).
  • You have a right to get your personal information corrected if it is inaccurate.
  • You can complain to a regulator. If you think that I haven’t complied with data protection laws, you have a right to lodge a complaint with the Information Commissioner’s Office (ICO). Their contact details are: website: , Email:, Tel: 0303 123 1113

I reserve the right to refuse a request to delete a client’s personal information where this is therapy records. Therapy records are retained for a period of seven years (or until the client’s 25th birthday when the client is under the age of 18 at the time of therapy) in accordance with the guidelines and requirements for record keeping by The British Psychological Society (BPS; 2000)[1] and The Health and Care Professions Council (HCPC; 2017)[2].

[1] The British Psychological Society (2000). Clinical Psychology and Case Notes: Guidance on Good Practice. Leicester: Division of Clinical Psychology, BPS.

[2] Health and Care Professions Council (2017). Confidentiality – guidance for registrants. London: HCPC.