General Data Protection Regulation Policy


The General Data Protection Regulation (GDPR) is concerned with the personal information about you that I collect and process. This policy describes what personal data of yours is collected and why, how it is stored and shared, and your rights related to your information, in line with the regulation.


Lawful basis for processing your information:


The lawful basis for processing of your information is in relation to the delivery of a contract to you as a health care professional. As a member of the British Association for Counselling and Psychotherapy (BACP) I operate under a strict code of confidentiality.


Personal information I will collect:


  • Name

  • Gender (or preferred identity)

  • Date of birth

  • Family and significant relationships

  • Occupation

  • Address

  • Telephone number(s) (plus permission to send an SMS and/or leave a voice message)

  • Email address (plus permission to send emails to you)

  • Telephone and/or email address of any third party paying for sessions

  • Counselling/psychotherapy history

  • GP name and contact details

  • Medical conditions relevant to counselling

  • Prescribed medication relevant to counselling

  • Details of other professionals and organisations providing support to you

  • Presenting difficulties

  • Significant life events and family history relevant to counselling

  • Session summary (After each session I will keep a short record of the content)


I will also ask and record how you heard about my services. This is not necessary for our work together and you are free to refuse to say how. I use this data to evaluate advertising or directory entries I have purchased.


How I will store your personal information:


Storage methods:


  • Paper: I store the paper documents listed below securely in a locked safe and/or filing cabinet. When I transport paper documents between locations I carry them in a bag that has a combination lock. I will use a four-digit client code on documents relating to you to link them together.


  • Phone: I use an Android One smartphone that is solely for my counselling work. The smartphone is secured by fingerprint identification and receives regular security updates. I will store your phone number in my contact list along with a four-digit client code rather than use your name or any information that could directly identify you. I will delete the logs of our calls, SMS messages and voicemails on a regular basis and on our work ending together. I will also delete your phone number on our work ending.


  • SMS/WhatsApp: Electronic correspondence will be held in my phone’s SMS app or WhatsApp app should we exchange messages this way. I will delete all correspondence stored there on a regular basis and on our work ending together.


  • Email: Your email address and correspondence will be stored in my practice Gmail account by nature of you contacting me or vice versa. I will use Gmail when responding to website queries. I will delete all correspondence stored in my Gmail account on a regular basis and on our work ending together. Gmail encrypts messages, so that it cannot be read by a third party in transit. Gmail as part of google is covered by the US privacy shield


  • My website: None of your personal information is stored on my website, which is hosted by Wix, other than to briefly collect & send it to my Gmail account for the purposes of our initial contact.


  • BACS: If you (or a third party) choose to pay for your session by bank transfer (BACS) my bank will record the transactions, and the payment will be recorded on my bank statement.


Documents that I will hold:




  • Client contact information form

  • Third party contact information form

  • Therapy agreement

  • GDPR privacy notice

  • Assessment form

  • Brief notes on each session

  • Any cause for concern or safeguarding forms

  • Copies of additional documents, such as letters, related to clinical matters

  • Duplicates of receipts of cash payments with four-digit client code written on them

  • Copies of invoices

  • My bank statements

  • Appointments diaries




  • Phone number with four-digit client code

  • Phone contact log

  • Email, SMS and WhatsApp correspondence





















How I may share your personal information:




I attend regular consultations with a qualified therapist. The purpose for this is to maintain the quality and effectiveness of my therapeutic work and to remain in line with the requirements of the BACP’s ethical framework. In order to protect your privacy I will discuss you and any aspect of your life in a non-identifiable way.


Therapeutic will


I am currently making arrangements so that in the event of my death or incapacity, should you still be in therapy with me, your name and contact details will be shared with my Therapeutic Executor, so that you can be notified.




If I believe that you are at risk of serious harm, I may share necessary personal information with emergency services, the mental health crisis team or your GP. I will endeavour to seek your consent before making a disclosure when possible.


Sharing in cases of public interest and legal obligation


I would share relevant personal information with the appropriate authority when there is a risk of serious harm to another person, organisation or the state (e.g. violence, drink-driving, terrorism), you have committed a serious crime, or a child is being abused. When possible and legally allowed, I will do so with your prior knowledge.


I would also have to share relevant personal information with a court, if ordered to do so, when required by law.


I would share cash payment receipts, invoices and my bank statements with the HMRC if required to provide them as evidence in matters of tax.

Third party payments


If your sessions are paid for by a third party (e.g. an employer, a family member or a friend), I would discuss with them payment and payment-related matters, such as the number, time and date of sessions, when payment is due and when payment is no longer required following the termination of sessions. It may also involve sending them invoices or receipts.


I would not share with the third party details about clinical and personal matters discussed in our sessions.

How long I will hold your personal information:


When we have finished working together I will shred paper copies of your contact information and erase any electronic correspondence within one month. I will hold onto your consultation records (i.e. the contract, GDPR privacy notice, assessment form, session notes, and any other documents related to clinical matters) for up to five years past the end of our working together. This is so that I have a reference of our work in situations such as you returning to counselling in the future, and because it is a requirement of my insurer in case a legal claim is made against me. After the five years has passed, I will shred those documents.

I will keep duplicates of any cash payment receipts, invoices and bank statements as well as my appointments diaries for five years after the 31st January deadline of the relevant tax year in case the HMRC require me to provide them as a evidence in matters of tax.


Your rights relating to your personal information:


  • To be informed what information about you I hold (i.e. this document).


  • To request a copy of the information I hold about you (free of charge for the initial request).


  • To request that I rectify any inaccurate or incomplete information I hold on you.


  • To request that I stop using your information (However, I can decline whilst the information is needed for me to practise lawfully, competently & contractually, and I can continue to store the information for up to five years for use if you made a legal claim against me).


  • To request that I erase information that I hold about you (However, I can decline whilst the information is needed for me to practise lawfully, competently & contractually and to comply with the requirements of my insurer).


If you would like to make a request, please email me at I will respond to requests within 30 days.

This policy was formulated using the following sources:

This policy will be reviewed regularly. Last updated December 2019.

  • Instagram
  • Facebook Social Icon

© 2019 by Will Jones Counselling and Psychotherapy. Created with