Privacy Policy

Privacy Notice for Counselling Services

Data Controller: Russell Lewis
Address: 57 Friary House, Guildford, Surrey, GU1 4YR
Phone: 07713576222
Email: russ@russelllewiscounselling.com
Date: 06/09/2025
Review Date: 01/09/2026

How We Use Your Personal Information

This privacy notice explains how and why we collect, store, and use your personal information when you use our counselling services. It also explains your rights regarding your personal information.

We are committed to protecting your privacy and handling your personal information in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

1. Information We Collect

Personal Details:

Name, address, telephone numbers, email address
Date of birth, gender, occupation
Emergency contact information
GP details and relevant medical information
Previous therapy/counselling history

Session Information:

Session notes and clinical observations
Treatment plans and goals
Risk assessments where applicable
Appointment dates and attendance records

Special Category Data:

We process special category personal data about your:

Physical and mental health
Emotional wellbeing
Personal relationships and family circumstances
Religious or philosophical beliefs (where relevant to therapy)

2. Legal Basis for Processing

We process your personal information under the following legal bases:

For General Counselling Services:

Article 6(1)(b) GDPR: Processing is necessary for the performance of our counselling contract with you
Article 6(1)(f) GDPR: Our legitimate interests in providing safe, effective therapy

For Special Category Data:

Article 9(2)(h) GDPR: Processing for healthcare purposes
Article 9(2)(a) GDPR: Your explicit consent (where applicable)

For Safeguarding Purposes:

Article 6(1)(d) GDPR: To protect your vital interests or those of others
Article 6(1)(c) GDPR: Legal obligation to report safeguarding concerns

3. How We Use Your Information

We use your personal information to:

Provide counselling services including assessment, treatment planning, and therapeutic intervention
Ensure your safety and wellbeing through risk assessment and safeguarding procedures
Maintain clinical records for continuity of care and professional accountability
Communicate with you about appointments, treatment, and administrative matters
Fulfil legal obligations including safeguarding reporting where required
Seek clinical supervision to ensure quality of care (anonymized where possible)
Manage our practice including appointment scheduling and fee collection

4. Information Sharing

We may share your information with:

Clinical Supervisor: Your information may be discussed in clinical supervision to ensure quality of care. Supervisors are bound by the same confidentiality requirements.

Healthcare Professionals: With your consent, we may communicate with your GP or other healthcare providers involved in your care.

Safeguarding Authorities: We have a legal and ethical duty to share information if we believe you or someone else is at serious risk of harm, including:

Local Authority Safeguarding Teams
Police (in emergency situations)
Social Services
Other relevant authorities

Legal Requirements: We may disclose information if required by law, court order, or other legal process.

Administrative Support: Trusted administrative staff may access basic contact information for appointment scheduling (all staff are bound by confidentiality agreements).

We will NOT share your information:

For marketing purposes
With insurance companies (unless you specifically consent)
With employers (unless you specifically consent)
With family members (unless you specifically consent and you are an adult)

5. Data Security

We implement appropriate technical and organisational measures to protect your personal information:

Physical Security:

Locked filing cabinets for paper records
Secure premises with controlled access
Clean desk policy

Electronic Security:

Password-protected computers and devices
Encrypted data storage
Secure email systems for sensitive communications
Regular software updates and security patches
Automatic screen locks

Access Controls:

Only authorized personnel have access to your information
Regular review of access permissions
Staff training on data protection

6. Data Retention

We keep your personal information for the following periods:

Active client records: Duration of therapeutic relationship plus 7 years
Children's records: Until age 25 or 8 years after last contact (whichever is longer)
Safeguarding records: Permanently or as advised by safeguarding authorities
Financial records: 6 years for tax purposes
Appointment records: 7 years

After these periods, records are securely destroyed through confidential waste disposal services.

7. Your Rights

Under data protection law, you have the following rights:

Right to be Informed:

This privacy notice provides information about how we use your data.

Right of Access:

You can request copies of your personal information. The first copy is free; additional copies may incur a reasonable fee.

Right to Rectification:

You can ask us to correct inaccurate or incomplete information.

Right to Erasure ('Right to be Forgotten'):

You can ask us to delete your information, but this may conflict with our professional obligations to maintain records.

Right to Restrict Processing:

You can ask us to limit how we use your information in certain circumstances.

Right to Data Portability:

You can ask for your information to be transferred to another provider in a structured format.

Right to Object:

You can object to processing based on legitimate interests, but we may have overriding legitimate grounds.

Please note: Some rights may be limited due to our professional and legal obligations as healthcare providers.

8. Data Breach Procedures

If We Experience a Data Breach:

Immediate Response (within 24 hours):
- Contain the breach and assess the risk
- Document all known facts about the breach
- Begin investigation into cause and extent
Notification (within 72 hours of discovery):
- Report to ICO if high risk to individuals
- Notify affected individuals if high risk to their rights and freedoms
- Provide clear information about the breach and steps being taken
Follow-up Actions:
- Implement measures to prevent recurrence
- Review and update security procedures
- Provide support to affected individuals

If You Suspect a Breach:

Please contact us immediately if you believe your personal information has been compromised.

9. Complaints

If you have concerns about how we handle your personal information:

Contact us directly: We will investigate and respond within 30 days
Contact our supervisor: [Supervisor contact details if applicable]
Contact the ICO: Information Commissioner's Office at ico.org.uk or 0303 123 1113
Contact BACP: For professional conduct concerns at bacp.co.uk

10. International Transfers

We do not routinely transfer personal information outside the UK. If this becomes necessary (e.g., for online therapy platforms), we will:

Ensure adequate protection through approved mechanisms
Inform you of the transfer and safeguards in place
Obtain your consent where required

11. Automated Decision Making

We do not use automated decision-making or profiling in our counselling services. All clinical decisions are made by qualified professionals.

12. Contact Information

For questions about this privacy notice or your data rights:

Data Controller: Russell Lewis
Business Address: 57 Friary House, Guildford, Surrey, GU1 4YR
Phone: 07713576222
Email: russ@russelllewiscounselling.com

ICO Registration Number: ZC007875

13. Changes to This Notice

We review this privacy notice annually or when there are significant changes to how we process personal information. We will notify you of any important changes and provide you with an updated notice.

This notice was last updated: 06/09/2025
Next review date: 01/09/2026

By engaging with our counselling services, you acknowledge that you have read and understood this privacy notice.