PRIVACY POLICY UPDATED 17th June 2026
These documents explain how Emma Weston Counselling collects, stores, and protects your personal data in line with UK GDPR and the Data (Use and Access) Act 2025.
GDPR Statement: Legal Basis for Collection and Processing of Personal Data
In accordance with the UK General Data Protection Regulation (UK GDPR) and the BACP Ethical Framework for the Counselling Professions (points 10, 55–57), I am committed to protecting your personal information through transparent, lawful, and ethical data processing practices.
As your counsellor or supervisor, I collect, store, and process personal data under the legal basis of contract (to fulfil our counselling or supervision agreement), legitimate interests (to practise safely, ethically, and professionally), and legal obligation (e.g. supervision, HMRC reporting).
This statement outlines the data I hold, storage methods, sharing practices, retention periods, and your rights.
Why I Process Your Data – Lawful Basis
Under the UK GDPR, I must have a valid legal reason (known as a “lawful basis”) to process your personal information. Because counselling and supervision involve sensitive health information, I need to meet two separate legal requirements:
Article 6 – General Personal Data
I process your personal data under Article 6(1)(b) UK GDPR: processing is necessary for the performance of the therapeutic or supervisory contract between us. This means I need to process your information to provide the counselling or supervision service you have engaged me for. Without this information, I could not offer you safe and effective therapy or supervision.
Article 9 – Special Category Health Data
I process your health-related data under Article 9(2)(h) UK GDPR: processing is necessary for the provision of health or social care treatment by a health professional.
The additional condition required under UK law is found in the Data Protection Act 2018, Schedule 1, Part 1, paragraph 2 (health or social care). This condition applies because:
Last updated: 17th June 2026
I am Emma Weston, a qualified counsellor and supervisor in private practice.
I am registered with the Information Commissioner’s Office (ICO) under registration number ZA370247.
Contact: emmawestoncounselling@proton.me
Full compliance documents: https://emmawestoncounselling.com/gdpr
Note-Keeping and Access to Records
Session notes, correspondence, consent forms, contracts, assessments, and related records are kept solely for clinical purposes and professional development.
You may request access to your records informally or formally under your subject access rights (Article 15 UK GDPR). I will respond within one month, free of charge for the first request.
Personal Information Collected
As a Counsellor
To provide effective counselling, I collect:
Name, pronouns, age, date of birth
Relationships and progeny
Occupation
Address
Telephone / SMS number (with permission for SMS/voicemail)
Counselling history
GP and next-of-kin details
Relevant health information, medical conditions, and medication
Assessment information (physical symptoms, sleep, mood/emotions, neurodivergence, anxiety, relationships, self-harm/suicidality/risk/safeguarding, addictions, sexuality/sexual health, trauma, cognitions, concentration, OCD, nutrition, life circumstances, identity, culture/spirituality)
Reasons for therapy
Brief session summaries
Your health and therapy-related information is classified as “special category data” under Article 9(1) UK GDPR and receives enhanced legal protection.
As a Supervisor
To provide effective supervision, I also collect the following about supervisees:
Supervisee practice details
Supervisee contact details and registrations
Information about registration with ICO (for GDPR)
Professional body/bodies you are registered with, along with registration(s) or membership number(s)
Insurance company information
Details about whether you hold an up-to-date DBS Certificate
Information about qualifications, training, CPD, and ongoing development
Details will be held on client work and supervision work, but information discussed and recorded in supervision will be anonymised.
I collect information directly from you during initial contact, assessment or intake sessions, and throughout our therapeutic or supervisory work. I do not collect information from third parties unless you give explicit consent, or in exceptional circumstances where it is necessary to protect safety.
Storage Methods
Paper:
All clinical and supervision records including notes, consent forms, contracts, assessments, and client codes are stored securely in locked filing cabinets.
Electronic:
No clinical or supervision records are held electronically. No session notes, therapy records, or supervision records are stored on computers, devices, or cloud services.
Session booking and administrative emails are deleted once no longer needed (e.g. after printing contracts or confirming appointments), in line with data minimisation (Article 5(1)(c)).
No personal data is stored on my website. Signed contracts exist as the authoritative paper record only.
Processing, Sharing, Professional Obligations and Supervision
Data may be processed as follows:
As a BACP Accredited member, I am required to discuss my clinical work in professional supervision. This is an essential part of maintaining high standards of care and ensures I am working ethically and effectively. Your identity is protected in supervision.
My clinical supervision (as counsellor): this includes anonymised discussion (using initials only) with a qualified supervisor for ethical practice and development (BACP requirement). I do not share your name or any identifying details with my supervisor. My supervisor receives only anonymised case material and is bound by their own professional body’s confidentiality obligations.
Supervision (as supervisor): I discuss supervisees’ client work in supervision sessions. Details are held on client work and supervision work, but information is anonymised where possible. Your name and identifying details are not shared unless necessary for safeguarding or legal reasons.
HMRC/Accounting: Name and payment details shared solely for tax compliance as a UK taxpayer.
How long I keep your data
I retain your information for different periods depending on its type:
Therapy records: 7 years after our last session, in line with the Limitation Act 1980 and standard professional indemnity insurance requirements.
Financial records (invoices, receipts): 6 years. Legal requirement under HMRC rules.
Clinical Will
In the event of my death or incapacitation, your name and contact details may be shared with my Therapeutic Executor (a qualified counsellor/supervisor) to assist with notifying my clients and supervisees and arranging onward support or referral if needed.
Arrangements are in place to ensure that a designated professional colleague can:
- Securely access my client and supervisee records
- Contact you to let you know what has happened
- Arrange onward referral if appropriate
- Ensure your records are stored or destroyed in accordance with this policy
Emergencies
Contact details may be shared with emergency services or your GP if your health is at imminent risk.
I will always try to discuss this with you first, unless doing so would itself put someone at risk. If I ever need to break confidentiality, I will share only the minimum information necessary and only with the appropriate people.
There are rare legal exceptions where disclosure may occur without informing the client first, primarily driven by statutory obligations that override ethical norms to prevent serious harm or crime. These are mandated by UK law. Legal mandates prohibiting client notification include:
Terrorism: terrorism-related disclosures and statutory obligations may require disclosure without prior consent or notification in exceptional cases (e.g. Terrorism Act 2000 (section 19), court orders).
Drug trafficking: the Misuse of Drugs Act 1971 and the Proceeds of Crime Act 2002.
Money laundering: the Proceeds of Crime Act 2002.
Under specific circumstances, I may also break confidentiality in relation to any abuse of a minor, in accordance with the Children’s Act 1989/2004 and any associated legislation.
Data Retention and Erasure
Paper records are retained for five years post-therapy (or from age 18 for minors) to support continuity of care and legitimate interests (BACP guidance), then securely destroyed by shredding.
Supervision records are retained for five years after the last supervision session, in line with professional and BACP guidance.
Emails are permanently deleted immediately after any necessary action (e.g. printing signed contracts, noting appointments), per storage limitation (Article 5(1)(e)).
Signed contracts exist as the authoritative paper record only.
Your Rights Under UK GDPR
Right to be informed (this document)
Right of access (subject access request)
Right to rectification of inaccurate data
Right to withdraw consent (where applicable; note this may impact service delivery and I may decline whilst the information is needed for me to practise lawfully and competently)
Right to erasure (“right to be forgotten”), subject to exemptions for legal and professional obligations
To exercise any of these rights, please contact me in writing.
Data Protection Complaints
If you have any concerns or complaints about how I collect, store, use, or otherwise process your personal data or session notes, please contact me in writing at:
emmawestoncounselling@proton.me
I will acknowledge your complaint within 30 days and will investigate it promptly, providing you with a clear response and any actions taken without undue delay.
If you remain dissatisfied with my response, you may refer your complaint to the Information Commissioner’s Office (ICO) at:
Under the Data (Use and Access) Act 2025, you also have the right to complain directly to the Information Commissioner's Office (ICO) if you are not satisfied with my response:
Website: ico.org.uk
Telephone: 0303 123 1113
I am Emma Weston and my ICO Registration reference is: ZA370247
To exercise rights, please contact me in writing. I aim for full transparency on data practices.
My Commitment to Your Privacy
At Emma Weston Counselling, Psychotherapy and Supervision, I believe that protecting your personal information is a fundamental part of the trust between us. The therapeutic relationship depends on you feeling safe to share openly, and that includes knowing your information is handled with care, confidentiality and respect. This statement explains, in plain terms, how I collect, use, and protect your data.
What Information I Collect
When you work with me, I may collect and hold the following types of information:
Your name and contact details (address, phone number, email)
Emergency contact information
Details about why you have come to therapy (your presenting issues)
Handwritten session notes recording our work together
Relevant medical or mental health history you share with me
Information about your GP (if you choose to provide this)
Payment information and invoicing records
Why I Collect Your Information
I need to collect and process your personal information so that I can provide you with therapy. The legal bases for this processing are:
For general personal data: Article 6(1)(b) UK GDPR — processing is necessary for the performance of the therapeutic contract between us.
For health and therapy-related information (known as "special category data"): Article 9(2)(h) UK GDPR: processing is necessary for the provision of health or social care treatment by a health professional. The additional condition under DPA 2018 Schedule 1, Part 1, paragraph 2 (health or social care) also applies. This processing is carried out by me as a qualified counsellor subject to a professional obligation of confidentiality under the BACP Ethical Framework.
Professional Obligations and Supervision
As a BACP registered member, I am required to discuss my clinical work in professional supervision. This is an essential part of maintaining high standards of care and ensures I am working ethically and effectively.
Your identity is protected in supervision. I do not share your name or any identifying details with my supervisor. My supervisor receives only anonymised case material and is bound by their own professional body's confidentiality obligations.
Clinical Will Arrangements
I have arrangements in place for a clinical will, a plan that ensures your records are handled appropriately and confidentially in the unlikely event that I become unable to continue practising.
Who Else May See Your Information
Beyond myself, the following may have limited access to your information:
Clinical supervisor: receives anonymised case material only, with no identifying details.
Employee Assistance Programme (EAP) or referral platform: where you have been referred to me through an EAP, limited information may be shared as part of the commissioning arrangement (such as confirmation that sessions have taken place).
Website and communication service providers:
GoDaddy: this website is built on GoDaddy, which may collect certain technical data about visitors, including basic analytics.
Zoom — I use Zoom for online video sessions where applicable.
Statutory authorities — where I am legally required to share information (see below)
When I Might Need to Break Confidentiality
Everything you share with me is confidential. However, there are rare circumstances where I may need to share information without your consent:
If I believe there is a serious risk of harm to you or someone else
If there are child safeguarding or vulnerable adult protection concerns
If I receive a court order requiring me to disclose information
Wherever possible, I will discuss any such disclosure with you first and explain what information I need to share and why.
How Long I Keep Your Records
I keep your therapy records for 7 years after our last session. This retention period is in line with the Limitation Act 1980 and standard professional indemnity insurance requirements.
Your records are stored as paper notes in a locked filing cabinet in a secure room. Access is restricted to me alone. At the end of the retention period, paper records are disposed of by secure shredding.
Your Rights
Under UK data protection law, you have several rights regarding your personal information:
See your records: you can ask me for a copy of the information I hold about you
Correct errors: if any information I hold is inaccurate, you can ask me to put it right
Request deletion: in some circumstances, you can ask me to delete your information, though I may need to keep certain records for legal, insurance, or safeguarding reasons
Restrict processing: you can ask me to limit how I use your data in certain situations
Object to processing: you can object to certain types of processing
Data portability: where applicable, you can request your data in a portable format
If you would like to exercise any of these rights, please get in touch with me directly by email at emmawestoncounselling@proton.me.
Making a Complaint
If you have concerns about how I have handled your personal information, I would encourage you to raise this with me first so I can try to resolve it. If you have any concerns or complaints about how I collect, store, use, or otherwise process your personal data or session notes, please contact me in writing at emmawestoncounselling@proton.me. I will acknowledge your complaint within 30 days and will investigate it promptly, providing you with a clear response and any actions taken without undue delay. If you remain dissatisfied with my response, you may refer your complaint to the Information Commissioner’s Office (ICO) at https://ico.org.uk.
Compliance information:
https://emmawestoncounselling.com/gdpr
Under the Data (Use and Access) Act 2025, you also have the right to complain directly to the Information Commissioner's Office (ICO) if you are not satisfied with my response:
Website: ico.org.uk
Telephone: 0303 123 1113
Emma Weston
ICO Registration reference: ZA370247
Copyright © 2026 Emma Weston Counselling, Psychotherapy, EMDR, Supervision, mentoring and Training - All Rights Reserved.