Privacy Notice
I am committed to keeping your personal information safe. Your details will be kept securely and will only be used for the purposes agreed. I adhere to current data protection legislation, including the General Data Protection Regulation (EU/2016/679) (the GDPR), the Data Protection Act 2018 and the Privacy and Electronic Communications (EC Directive) Regulations 2003.
This privacy notice tells you what to expect in regard to how your personal information is handled from initial point of contact through to after your therapy has ended.
I am happy to talk through any questions you might have about my data protection policy. You can contact me via the email address at the foot of this document.
‘Data controller’ is the term used to describe the person / organisation that collects, stores and has responsibility for people’s personal data. In this instance, the data controller is me.
I am registered with the Information Commissioner’s Office; my registration number is ZC005307. You can search for me via https://ico.org.uk/.
Lawful basis and data protection rights
Under UK data protection law, I must have a “lawful basis” for collecting and using your personal information. There is a list of possible lawful bases in the UK GDPR. You can find out more about lawful bases on the ICO’s website.
If you are currently having therapy with me or if you are in contact with me to consider therapy, including any initial enquiries, I will process your personal data where it is necessary for the performance of our contract.
The GDPR also makes sure that I look after any sensitive personal information that you may disclose to me appropriately. This type of information is called ‘special category personal information’. The lawful basis for me processing any special categories of personal information is that it is for provision of counselling and necessary for a contract between you and me.
If you have had therapy with me and it has now ended, I will use legitimate interest as my lawful basis for holding and using your personal information.
Your rights
I endeavour to be as transparent as I can be in terms of giving people access to their personal information. You have a right to ask me to delete your personal information, to limit how I use your personal information, or to stop processing your personal information. You also have a right to ask for a copy of any information that I hold about you and to object to the use of your personal data in some circumstances. If I do hold information about you I will:
Give you a description of it and where it came from
Tell you why I am holding it, tell you how long I will store your data for and how I made this decision
Tell you who it could be disclosed to
Let you have a copy of the information in an intelligible form
You can ask me at any time to correct any mistakes there may be in the personal information I hold about you.
To make a request for any personal information I may hold about you, please put this in writing addressing it to the below email address. Please allow 28 working days for information to be collated for you.
If you have any complaint about how I handle your personal data, please do not hesitate to get in touch with me by sending an email to the below email address. I would welcome any suggestions for improving my data protection procedures.
If you want to make a formal complaint about the way I have processed your personal information, you can contact the ICO which is the statutory body that oversees data protection law in the UK. For more information go to https://www.ico.org.uk/make-a-complaint
How I use your information
Initial contact
When you contact me with an enquiry about my counselling services, I will collect information to help me satisfy your enquiry. This will include all personal details you offer at this stage, including but not limited to contact details and issues that you require support with.
Alternatively, your GP or other health professional may send me your details when making a referral, or a trusted individual may give me your details when making an enquiry on your behalf.
If you decide not to proceed, I will ensure all of your personal data is deleted no later than 6 months from the date of our final correspondence. If you would like me to delete this information sooner, please let me know in writing via the below email address.
Whilst you are accessing counselling
Please be confident that everything you discuss with me is confidential. That confidentiality will only be broken if:
Regarding the protection of children or vulnerable adults
You have divulged information about an act of terrorism, drug trafficking or money laundering, whether or not I believe it to be true
Information disclosed by you regarding a significant criminal act
If requested by court order or subpoena
If it is felt that there is serious risk of harm to yourself or others
Referring you to another professional for help or sharing basic information relating to your health with a health professional involved in your care
You request that I speak to someone else on your behalf
I will always try to speak to you about this first, unless there are safeguarding issues that prevent this.
I will keep a record of your personal details to help the counselling services run smoothly. These details are kept securely using Microsoft OneDrive which is encrypted using AES 256-bit encryption, both at rest and in transit. I will keep brief electronic factual notes of each session; these are securely stored on Microsoft OneDrive. I may keep brief handwritten notes of each session for the purposes of clinical supervision; your confidentiality will be retained throughout. These notes are kept in a secure filing cabinet and will be digitised once your therapy has ended and will then be disposed of securely. Any electronic notes will then be destroyed after seven years.
I consider all communications (text, email, phone logs) to be classified as part of your clinical notes and as such they will be retained for seven years, stored securely within your client notes on Microsoft OneDrive. My email is provided by Microsoft, an encrypted, password-protected web-based provider, which I access through password-protected devices. I have a dedicated mobile phone which I use solely for work purposes. This mobile phone is password protected and uses facial recognition.
If I am unable to work through illness, accident or death, a trustee of my Clinical Will shall contact you to inform you of the current situation. The trustee of my Clinical Will would only have access to your name and contact details and they will not be able to access your client notes or other sensitive information.
After counselling has ended
Once counselling has ended, your records will be kept for seven years from the end of our contact and are then securely destroyed. If you want me to delete your information sooner than this, please advise me in writing by email at the below email address.
Third party recipients of personal data
I sometimes share personal data with third parties, for example, where I have contracted with a supplier to carry out specific tasks. In such cases I have carefully selected which partners I work with. I take great care to ensure that I have a contract with the third party that states what they are allowed to do with the data I share with them. I ensure that they do not use your information in any way other than the task for which they have been contracted.
Details of the services I contract are listed below:
Email: I use Microsoft 365 to provide email services. This is a secure, encrypted platform that is widely used. Whilst I use the services of Microsoft 365, they do not actively process any client data.
Computer software: I use Microsoft 365 to provide basic office software, such as word processing and spreadsheets. Whilst I use the services of Microsoft 365, they do not actively process any client data. I may choose to access client notes stored in OneDrive (see below) via the web-based Microsoft 365 Office applications.
Secure storage: I use OneDrive, provided by Microsoft 365, for secure digital storage of client data. OneDrive is encrypted at rest and in transit using AES-256 encryption. Access to OneDrive is controlled via multi-factor authentication, using the Microsoft Authenticator application on my dedicated work mobile phone to which only I have access. Client notes are not stored locally on any device.
Office facilities: Any face-to-face sessions will be conducted at The Harlow, No. 1 Cardale Park, Beckwith Head Road, Harrogate HG3 1RZ. Whilst I may use the facilities at The Harlow, they will not have access to client details unless the client shares said details with The Harlow upon arriving for a scheduled counselling session. Whilst at The Harlow, if I have my work laptop or work phone with me then they will be locked and kept secure at all times when I am not actively using them.
British Association for Counselling and Psychotherapy (BACP): I am a registered and regulated member of the BACP (member number: 414358). The BACP does not regularly receive client data; however, I may be compelled to share information with the BACP in certain circumstances, for example, if a complaint is made against me.
Clinical supervisor: As a regulated member of the BACP, I am required to undertake regular clinical supervision with another regulated member of the BACP. The purpose of clinical supervision is to ensure that I am acting ethically and morally, as well as providing my clients with the best possible care. In order to undertake clinical supervision, I will be required to share details of our sessions with my clinical supervisor; however, they must also adhere to the same data protection requirements that I do.
His Majesty’s Revenue and Customs (HMRC): As a registered sole trader, I am regulated by HMRC for tax purposes. I may share details of my bank records with HMRC if I am legally compelled to do so, for example, if I am audited.
Information Commissioner’s Office (ICO): I am regulated by the ICO to ensure that any data I retain is kept securely and in accordance with the aforementioned regulations.
Banking: My business bank will retain information related to invoices and client transactions for the purpose of record keeping and banking. No sensitive client information will be shared with the bank. For my personal protection, I have not disclosed the name of my bank; however, if you require further details then please contact me via the below email address and I will consider your request.
The circumstances where I may have to disclose personal and special category information without your consent may include:
If I believe that either you or someone else is at risk of significant harm
Where there is another legal reason or requirement to disclose your personal information, such as a court order
If information is shared about involvement in terrorism (as required by the Prevention of Terrorism Act, 2000)
If I become incapacitated, due to an unforeseen emergency, then your name and contact details will be accessed by the trustee of my Clinical Will who will contact you to explain the situation and discuss alternative support.
Data security and duty of confidentiality
I take the security of the data I hold about you very seriously and as such I take every effort to make sure it is kept secure. To ensure robust data security and protection practices, I use a work laptop and dedicated work smartphone that are secured using biometric data (fingerprint or facial recognition) and any physical documents are stored in a secure filing cabinet to which only I have access. I also implement access controls to limit data access and regularly review security practices to ensure data protection. I also implement robust virus protection and scanning software.
In the event of a data breach that affects your personal information, I will notify you and the Information Commissioner's Office (ICO) within 72 hours.
I am subject to a common law duty of confidentiality. However, there are circumstances where I will share relevant information. These are where:
You have provided me with your consent (I have taken it as implied to provide you with care, or you have given it explicitly for other uses)
We have a legal requirement (including court orders) to collect, share or use the data
On a case-by-case basis, the public interest to collect, share and use the data overrides the public interest served by protecting the duty of confidentiality (for example sharing information with the police to support the detection or prevention of serious crime)
The requirements of The Health Service (Control of Patient Information) Regulations 2002 are satisfied
Visitors to my website
My website is built and hosted by Squarespace. When someone visits my website, I have instructed Squarespace to collect standard internet log information and details of visitor behaviour patterns. I do this to find out things such as the number of visitors to the various parts of the site. This information is processed in a way that does not identify anyone. I do not make, and do not allow Squarespace to make, any attempt to find out the identities of those visiting my website.
I use legitimate interests as my lawful basis for holding and using your personal information in this way when you visit my website.
I use Squarespace so that I can continually improve my service to you. Like most websites I use cookies, which are small text files that are saved on your device to help the site work more efficiently – you can choose to opt out of the use of cookies on the website or through your browser settings. However, turning off cookies may affect how well my website or other websites work.
No user-specific data is collected by me or any third party on the website. If you fill in a form on my website, that data will be temporarily stored by Squarespace before being sent to me via email.
I am registered with the Information Commissioner's Office, reference number: ZC005307. You can search for my ICO registration at www.ico.org.uk.
Contact Information
If you have any questions or concerns about how your data is handled, or wish to exercise your rights under GDPR, please contact me, Tracy Ward, at: tracy@tracywardcounselling.com
Privacy Notice 2025