
Privacy and Data Protection Policy

What are GDPR and DUAA, and how do they affect me?

The GDPR replaces the 1998 Data Protection Act to ensure your personal and sensitive, confidential data is kept private and held securely, being processed in the way that you have agreed to. It is there to protect your rights as a consumer of a service or product that might involve your identifiable data, e.g. your name and address or whether you have a specific condition. It also covers any session records, text messages or emails we exchange.

 

The Data (Use and Access) Act 2025 (DUAA) has since updated and built upon this framework, introducing further protections for how your data is handled. It does not replace the GDPR but works alongside it. The key changes relevant to you as a client are explained throughout this policy.

 

I am committed to complying with the terms of both the GDPR and the DUAA, and to the responsible and secure use of your data. I am also registered with the Information Commissioner's Office (ICO), reference: ZA152095.

 

Which legislation covers my data?

My data protection practices comply with the following legislation:

• UK General Data Protection Regulation (UK GDPR)

• Data Protection Act 2018

• Data (Use and Access) Act 2025 (DUAA)

 

This policy will be reviewed and updated as legislation evolves.

 

How long will you hold our information for?

I am regulated by the BACP and insured by Towergate. They require me to hold your data for 6 years after your final session, unless you are a child, in which case I must hold your data until your 25th birthday, or until your 26th birthday if you are 17 when treatment ends. All records will therefore be deleted in the January after the applicable retention period above has ended.

 

Personal data rights

If you would like to see the information I hold about you, or would like to correct, update or delete any records, please email me at: info@tonbridgecounselling.org. If you have any concerns about my use of your data, please contact me directly at the same email address and I will do my utmost to resolve any concerns you have.

 

In line with the Data (Use and Access) Act 2025, you now have a formal right to raise a data protection complaint directly with me. I will acknowledge any complaint within 30 days and will work to resolve it without undue delay, keeping you informed of progress and outcome. I keep a written record of all data complaints received and how they were handled.

 

If for any reason I cannot resolve the issues to your satisfaction, you may contact the ICO directly at ico.org.uk or by calling 0303 123 1113.

 

What if I don’t want our records to be held for that long?

Under the GDPR you can make a request to me in writing for all your records to be deleted, and I would refer this request to my insurer for their approval. Once this is given, all your paper records would be shredded and any electronic data such as emails or text messages would be permanently deleted from the devices they are stored on. I would have to save the request for deletion you made but would not save any other data. In some circumstances my insurance company’s legal team may want to verify information I send out.

 

Why do you need to record this information?

I collect information about why you are using the service, a small amount of medical information and a small amount of information about your important others, alongside brief session notes. This information enables me to provide a high-quality service to you, ensuring I am equipped with the knowledge of our previous discussions prior to each session. Your data will only be used to provide you with my services, and I will not share your details with any other person or organisation without your knowledge and permission unless there is a legal requirement as stated in the counselling contract.

 

What steps are taken to ensure your information is held securely?

I will take all reasonable precautions to prevent the loss, misuse or alteration of information you give me.

Hardcopy documents – All are stored in a locked cabinet in a locked building.

Text messages – My phone is secured with a PIN code.

Emails – My email account requires a username and password.

Laptop – My laptop is password protected and has the latest anti-virus software installed. I also keep up with the latest software updates.

 

Is what we discuss confidential?

Everything we talk about during our sessions is strictly confidential between you and me. To ensure I am doing my job effectively and that I have the right support, I may discuss elements of our sessions with my supervisor. During these discussions I do not disclose any details that may identify you to my supervisor, and my supervisor also adheres to the GDPR.

 

How to make a data protection complaint

If you wish to raise a concern about how I have handled your personal data, please contact me in writing at info@tonbridgecounselling.org or by post to my practice address. Please include as much detail as possible about your concern so I can investigate it properly.

 

I will acknowledge your complaint within 30 days of receipt and will keep you informed of progress and outcome. I aim to resolve all complaints as promptly as possible. A record of all complaints received is kept securely as part of my data protection compliance.

 

If you remain dissatisfied after I have responded to your complaint, you have the right to escalate your concern to the Information Commissioner’s Office (ICO):

Website: ico.org.uk

Telephone: 0303 123 1113

Post: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF


©2019 by Rachel Miller.
