Email us at:

enquiries@familyandtherapy.co.uk

Located at:

Page St, Swansea

Data Protection Policy

Data protection, Confidentiality and Record keeping policy

Family and Therapy (F&T) is committed to complying with applicable data protection legislation and to handling clients’ personal information responsibly, lawfully, fairly and securely. This policy explains what personal information F&T collects and holds, why it is processed, how it is protected, how long it is retained, and the rights clients have in relation to their personal data. F&T processes personal data where it is necessary to provide play therapy, counselling and related therapeutic services, and where there is an appropriate lawful basis under UK data protection law. This policy reflects the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 and the Privacy and Electronic Communications Regulations 2003.

This policy sets out how Family and Therapy collects, uses, stores and shares personal information relating to clients for whom F&T has contracted therapists to provide support. It should be read alongside the client contract, including the section on data protection, and clients must be offered a copy of the Privacy Notice.

This policy does not apply to therapists’ work with private clients outside the scope of F&T services. Where therapists work independently with private clients, the therapist remains responsible for that data as the relevant data controller and sole trader.

A data controller is the organisation or individual responsible for deciding how and why personal data is collected, processed and stored. F&T acts as a data controller for information processed within its service. Data protection compliance is overseen and reviewed annually by the Directors of Family and Therapy. F&T is registered with the Information Commissioner’s Office (ICO) under registration number ZA84731. Therapists and students working with F&T must also maintain appropriate ICO registration where required and provide their ICO registration number as part of the induction or contracting process.

F&T also works in accordance with the BACP Ethical Framework for the Counselling Professions, which requires practitioners to keep records that are accurate, adequate, relevant and limited to what is necessary for the service provided, and to comply with applicable data protection requirements. 

Contact details with regard to data protection

Name: Rachel Butt

Phone Number: 07546 614644

E-mail:enquiries@familyandtherapy.co.uk,

Lawful basis for processing personal data

F&T identifies and documents an appropriate lawful basis before processing personal data. Where special category data is processed, including health-related information, F&T will also identify and document a separate Article 9 UK GDPR condition before processing begins.

Type of processing Likely Article 6 lawful basis Special category condition, where relevant
Administration, referral handling, appointment booking and service communications
Contract, legitimate interests, or consent depending on the circumstances
Not usually required unless special category information is included
Therapeutic assessment, counselling, play therapy records and outcome information
Contract or legitimate interests, depending on the service arrangement
Explicit consent, health or social care, or another applicable Article 9 condition where justified and documented
Financial, accounting, contractual and insurance records
Legal obligation, contract or legitimate interests
Not usually required unless special category information is included

Explicit consent may be used where appropriate, but F&T will not assume that explicit consent is the only lawful condition for processing special category data. Where another Article 9 condition applies, F&T will record the justification and apply any additional safeguards required by the Data Protection Act 2018.

Where F&T relies on a Schedule 1 condition under the Data Protection Act 2018, F&T will maintain an appropriate policy document setting out how it complies with the data protection principles, and how special category data is retained and erased.

 

Client consent and agreement

Clients will initially provide consent through a GP, referrer or referral form, which allows F&T to process the information required to consider and arrange therapeutic support. When therapy begins, clients will be provided with a contract to read and sign. This contract explains how further personal information may be collected and used to support the therapeutic work and confirms the client’s agreement to those arrangements.

 

Privacy Notice

Therapists must routinely provide clients with a Privacy Notice explaining the identity and contact details of the controller, the purposes for which information is processed, the categories of personal data collected, the Article 6 lawful basis and any Article 9 special category condition relied upon, who information may be shared with, how information is stored, how long it is retained, the client’s rights, how to make a data protection complaint, and the right to complain to the ICO. The Privacy Notice must include clear information about any processing of special category data and must be written in clear, accessible language.

F&T is required to provide clients with clear information about the terms on which services are provided, including how confidentiality and record keeping will be managed. Under UK GDPR and professional ethical standards, clients have the following rights and expectations in relation to their information:

  1. to know the extent and limitations of the confidentiality that they are being offered by the therapist
  2. to be told what records will be made and kept, what lawful basis and special category condition applies, and how consent will be requested where consent is relied upon
  3. to be told the circumstances in which the therapist may wish to breach confidentiality and to have an opportunity to discuss and negotiate this with the therapist at the outset of their work together
  4. to have a clear therapeutic contract with terms that they fully understand, accept and support,
  5. to know who will make, keep and have access to their notes and records, how they will be kept, for how long, and for what purposes they may be retained/destroyed/disclosed.
  6. where explicit consent is used, consent must be specific, informed, freely given, unambiguous, recorded, and capable of being withdrawn, although withdrawal will not affect processing already carried out lawfully before withdrawal

 

Definition of records

A record is any paper-based, creative or electronic document created or retained in connection with work with a client. Records may include:

  • all appointment dates, including non-attendance by client
  • names, contact detail, surgery
  • clients referral form
  • contract with any written and signed consents to all activities and passing of confidential information
  • counsellor’s minimum working record of client work (see below)
  • copies of any correspondence to/from client
  • assessment outcomes e.g CORE/CORS/TPM, etc
  • clients’ drawings etc.
  • client databases
  • process notes that do not identify any clients and are kept as a separate reflective journal, for example, and do not contain anything that could identify the client do not form part of that record (Bond 2015). Anonymised information ceases to be ’personal data’ with the associated legal requirements and protection when any means of identifying the person concerned has been genuinely and irreversibly removed.

 

How information is collected and used

Client details may be provided to F&T by a GP, health professional, another concerned party or by the client directly when a referral is made. F&T may also collect personal information when contacting a client to arrange an initial appointment. This may include contact details, availability and other information relevant to arranging or providing the service. Personal information will be used only for the purposes of providing services and communicating relevant information. It will not be shared with any other person or organisation without the client’s knowledge and permission, unless there is a lawful or professional obligation to do so.

At the outset of therapy, clients are provided with a contract explaining how their personal data will be handled, stored and retained. Consent is recorded either verbally, with the date noted, or in writing where consent is relied upon. F&T respects client confidentiality and information disclosed during counselling is treated as confidential. However, confidentiality may be limited where there is a legal, safeguarding or professional duty to disclose information, for example where there is a risk of harm to the client or another person, knowledge of terrorist activity, or where disclosure is required by a court order. Wherever possible and appropriate, F&T will discuss any proposed disclosure with the client first.

Clients will be informed about the circle of confidentiality. This may include the therapist, relevant F&T Directors, clinical supervisors, placement or training providers where applicable, professional advisers, insurers, referrers, safeguarding agencies or legal authorities where involvement is necessary, lawful and proportionate. Identifiable information will be shared only where authorised by the client, required by law, justified by safeguarding or serious risk concerns, or otherwise supported by a recognised legal and ethical basis. Anonymised information will be used wherever this provides a practical alternative.

 

Secure storage and breach reporting

F&T ensures that client information is stored securely and confidentially. Appropriate safeguards are used to reduce the risk of unauthorised access, loss, misuse, alteration or accidental disclosure. These safeguards include password protection, restricted access, secure email or approved transfer methods, secure deletion, locked storage for paper records, and encryption where appropriate. Therapists and students must protect devices used for F&T work with suitable technical safeguards, including passwords, up-to-date software, firewalls, antivirus protection and reasonable measures to prevent unauthorised access. Personal devices used for F&T work must be protected to the same standard as work devices.

Any actual or suspected personal data breach, including loss, unauthorised access, accidental disclosure or insecure transmission of client information, must be reported promptly to the F&T Directors. F&T will assess the breach, record the decision-making process, take steps to reduce any risk of harm, and report to the ICO and affected individuals where required by law.

 

Sharing information with us

Referrals, including GP referrals, are shared with F&T digitally through secure NHS and F&T systems and stored centrally in a secure, password-protected digital folder managed by the F&T Directors. Contact and referral details may then be shared by secure email with the relevant therapist so that they can contact the client by telephone or email. Therapists must use appropriate professional communication arrangements and must protect any work phone or device with a password. Where a student counsellor does not have a work phone, they must withhold their number when contacting clients.

Records created during therapy

Each counsellor or play therapist will maintain a minimum record of client information necessary to support the intervention and meet ethical and legal requirements. These records are the responsibility of the individual therapist and must be stored securely. Records may include questionnaire outcomes, the therapist’s working notes and client creative work. Such records may be stored securely in digital format or, where handwritten or creative, in locked storage at the therapist’s premises.

At the end of counselling, outcomes are reviewed with the client. Where a third-party referral has been made on the client’s behalf, F&T may, with the client’s consent and knowledge, share brief outcome information with the GP or referring agency. Information shared will be limited to what is necessary and appropriate, and correspondence should avoid the use of full names where possible, using initials, NHS number or date of birth for identification. Confidential information disclosed by the client will not be shared unless it is necessary in F&T’s professional judgement, is lawful, and is shared with the client’s permission or another valid legal basis. Client creative work will normally be returned to the client at completion. Minimal quantitative outcome data may be collected and shared with the client and F&T Directors through the digital database to inform client care and service effectiveness.

 

Retention and Disposal of Records

What data should be kept?

Bond (2015) helpfully details specifics of professional matters that should be recorded:

  • contract with any written and signed consents to all activities and passing of confidential information
  • all appointments, including non-attendance by client
  • up-to-date records of counsellor’s reasoning behind decisions about significant interventions and general strategies
  • consultations with anyone else about the client
  • copies of any correspondence from the client or relating to work with the client
  • any instructions given to the client and whether or not the client acted on these

How long  should data be kept?

UK GDPR does not prescribe fixed retention periods for every type of record. F&T will retain personal data only for as long as it is necessary for the purpose for which it was collected, taking account of professional, contractual, legal, insurance and safeguarding requirements.

Record type Indicative retention period Rationale and notes
Adult client therapeutic records, including minimum working records and session dates
Normally seven years after the end of the F&T contract or therapeutic work
Supports professional accountability, insurance requirements and potential legal claims
Child or young person records
Normally until the young person reaches age 25, or longer where required by safeguarding, insurance or legal considerations
Reflects the need to retain records beyond childhood where claims or safeguarding issues may arise later
Safeguarding records or records relating to serious risk
Reviewed case by case and retained for as long as necessary
Retention may need to be longer because of ongoing safeguarding, legal or public interest considerations
Financial and accounting records
Six years
Supports tax, accounting and contractual requirements
Central client databases and outcome data
Normally three years unless a longer period is required
Supports service monitoring and continuity while applying data minimisation
Student placement records
Deleted at the end of placement unless anonymised records are required by the university or placement provider
Students must not retain identifiable F&T client data unless authorised and lawful

For contracted counsellors and play therapists, F&T recommends that client names, session dates and therapists’ working diary notes are retained for the duration of the F&T contract with the client and for seven years afterwards, or for any longer period required by the therapist’s insurer or professional body. Client databases, digital correspondence and other personally identifiable information such as referral forms and outcome letters must be deleted from therapists’ digital devices when the relevant F&T contract ends, unless there is a lawful reason to retain them. Clients may request earlier deletion of information, subject to any legal, professional or contractual retention requirements.

F&T will retain evidence of financial transactions with therapists for six years. F&T will also centrally store client databases containing names, surgery, date of birth, NHS number, appointment dates and outcome data on a secure protected back-up device for three years, unless a different retention period is required.

 

Counselling students must delete client details and communications relating to clients, including texts and emails, once their work with the client has ended, unless there is a lawful or placement-related reason to retain anonymised records. Students may retain anonymised working notes only for as long as required by their university or placement requirements. Databases stored on student devices must be deleted when the placement with F&T ends.

 

Sharing information with others and disclosure requests

Under UK GDPR, individuals have the right to know whether their personal data is being used or stored and to request access to that data. A subject access request from a client may require F&T or the relevant practitioner to provide details of records containing that client’s personal data, subject to any lawful exemptions or professional considerations.

  • If a request arrives from a legal representative or the police asking for disclosure (in standard lawyers’ letters the wording may ask for ‘all notes and records’ relevant to the work with their client), if they have attached a client consent form, the practitioner is legally authorised to disclose the information requested
  • Police officers are not normally permitted access to counselling records unless they have explicit client consent or are acting under a court order.
  • When writing reports for other professionals, we will normally do this at our client’s request and with explicit consent, unless there is a lawful requirement or reason which justifies disclosure without consent in the public interest. it is necessary to think through information sharing carefully, and in consultation with a supervisor, trusted colleague,   professional body and possibly seek legal advice from an insurance company.
  • If sharing the information is necessary and appropriate, limit the information disclosed to the minimum necessary in order to avert the risk, and make a note as soon as possible of the following
  1. the date of providing the information
  2. to whom the information is given
  • the reason why
  1. the content of the information shared
  2. the method of disclosure or referral
  3. whether consent was given (and by whom)
  • if the disclosure is made without consent, record the reasons why this decision was made.

F&T will take responsibility for considering how best to respond in such situations and will ensure that any information sharing is documented accurately. Records of disclosure should be sufficient to explain what was shared, with whom, when, why and on what lawful basis.

Client rights

Clients have the right to request a copy of their personal information, free of charge, in electronic or paper format. This is known as a subject access request. F&T will respond without undue delay and normally within one month of receipt. Where a request is complex or multiple requests are made, F&T may extend the response period by up to a further two months and will inform the client within the first month if an extension is required. F&T may need to verify the identity of the requester or confirm the authority of a third party acting on the client’s behalf before disclosing information. Clients also have the right to ask F&T to correct inaccurate or incomplete information. Requests to access, correct, update or delete records should be made by email to enquiries@familyandtherapy.co.uk.

Clients are encouraged to contact F&T first if they have concerns about how their personal information is used. Requests and concerns will be considered fairly, promptly and in accordance with UK data protection law.

 

Right to erasure

Clients have the right to request erasure of personal information held about them, including information that is no longer required for its original purpose or where consent is withdrawn. F&T will consider each request in accordance with UK GDPR. Erasure may not be possible where F&T has a legal, professional, safeguarding, contractual or insurance-related obligation to retain the information.

 

Data portability

Where applicable, clients have the right to receive personal information they have provided to F&T in a structured, commonly used and machine-readable format, and to request that this information is transferred to another party.

 

Complaints

If clients have concerns about F&T’s use of their personal information, they may make a data protection complaint by emailing enquiries@familyandtherapy.co.uk, by telephone – 07546 614644, in writing, or through any other reasonable communication channel. F&T will acknowledge data protection complaints within 30 days of receipt, investigate without undue delay, keep the complainant informed where appropriate, and provide an outcome without undue delay. F&T will keep a record of data protection complaints, the investigation undertaken, the decision reached and any remedial action taken.

Clients may also complain to the ICO if they are unhappy with how F&T has used their data or handled their complaint. The ICO’s address is: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

 

Conclusion

Appropriate, accurate, relevant, lawful and secure record keeping is central to F&T’s ethical and professional practice. The nature of therapeutic work means that client information may be sensitive and personal. F&T is therefore committed to maintaining clear standards for confidentiality, data protection and record keeping, while being transparent with clients about the limits of confidentiality and the way their information is handled. This approach supports client trust, professional accountability and safe therapeutic practice.

 

Approval and review

This Policy lets everyone know how clients’ personal information is being collected, stored, and shared and this is in line with UK General Data Protection Regulations.  

 

Review date: June 2027, or earlier if there are material changes to UK data protection law, ICO guidance, BACP requirements, F&T services, retention requirements, safeguarding arrangements or information-sharing practices.

 

References and source material

This policy has been informed by and adapted from the following sources:

Scroll to Top