My commitment to your privacy

Your privacy matters deeply to me, and protecting your personal information is an essential part of the trust we build together in therapy. I want you to feel safe knowing that everything you share with me is handled with the utmost care and confidentiality. This statement explains, in plain terms, what information I collect, why I need it, and how I look after it.

What information I collect

To provide you with effective therapy, I collect and keep the following types of information:

• Your name and contact details (phone number, email address, postal address)
• Emergency contact information
• Details about what brings you to therapy (your presenting concerns)
• Notes from our sessions together
• Relevant medical or health history that may be important for your care
• Payment information and records of fees paid
• Any correspondence between us

All records are kept digitally only — I do not maintain paper files.

Why I collect this information

I have a lawful basis under UK data protection law for collecting and using your personal information:

For your general personal data, I rely on Article 6(1)(f) UK GDPR — legitimate interests. Specifically, my legitimate interest in retaining information necessary to provide you with the best possible treatment and to comply with my professional indemnity insurance requirements as a practitioner in private practice.

For your health-related information (which the law treats as "special category" data requiring additional protection), I rely on Article 9(2)(h) UK GDPR — processing is necessary for the provision of health care treatment by a health professional subject to a professional obligation of confidentiality. The additional DPA 2018 Schedule 1 condition I meet is Part 1, paragraph 2 (health or social care purposes). My professional obligation of confidentiality is grounded in the common-law duty of confidence owed by health and wellbeing practitioners to their clients, and the standard professional practice expected of practitioners in private practice.

My professional obligations

I engage in ongoing continuing professional development to maintain and develop my skills as a Counselling Psychologist. I am committed to providing you with ethical, competent care.

Where I engage in peer consultation or clinical supervision to reflect on my work, all discussion is fully anonymised. Your name and identifying details are never disclosed — I discuss themes and professional challenges without revealing who you are.

What happens if I am suddenly unable to practise

I have appointed a Clinical Executor — a trusted colleague who will step in if I become seriously ill, incapacitated, or die unexpectedly. Their role is to contact you sensitively, let you know what has happened, and handle your records with complete confidentiality. This arrangement ensures you are not left without information or support, and that your records remain protected.

Who else may see your information

I take confidentiality seriously and only share your information in limited, specific circumstances:

• Clinical supervisor — I discuss my work in supervision to maintain good practice, but all material is anonymised. Your identity is never disclosed.
• Employee Assistance Programme (EAP) — If you were referred through an EAP or similar referral platform, I may share limited information with them as part of the commissioning arrangement (such as confirmation of attendance). This is always kept to the minimum necessary.
• Service providers — I use third-party tools to run my practice, including WriteUpp for clinical notes, Microsoft Teams and Doxy.me for online video sessions, Google reCAPTCHA to protect my contact form from spam and a banking provider for BACS transfers. 
  
  These providers process limited data on my behalf. Some transfer data to the USA, and where this occurs, appropriate safeguards (such as Standard Contractual Clauses) are in place. You can request more information about these safeguards at any time.

• Legal or statutory authorities — In rare circumstances, I may be legally required to share information (see below).

When I might need to break confidentiality

Confidentiality is fundamental to our work together, and I will always aim to keep what you share private. However, there are rare situations where I may need to share information without your consent:

• If I believe there is a serious risk of harm to you or to someone else
• If there are safeguarding concerns about a child or vulnerable adult
• If ordered to do so by a court of law
• If I am obliged by any relevant legislation or any other legal requirement to disclose to the appropriate bodies, for example if you share information about a proposed act of terrorism, drug trafficking, or money laundering.

Whenever possible, I will discuss this with you first and explain what I need to share and why.

How long I keep your records

I keep your records for 7 years after our last session together. This retention period is in line with the Limitation Act 1980 and standard professional indemnity insurance requirements.

All records are stored electronically, encrypted, and password-protected on secure systems. Access is restricted to me only. At the end of the retention period, your records are securely deleted.

Your rights

Under UK GDPR and the Data Protection Act 2018, you have important rights over your personal information:

• See your records — You can ask for a copy of the information I hold about you. I will respond within one month.
• Correct errors — If anything in your records is inaccurate, let me know and I will put it right.
• Request deletion — You can ask me to delete your data. I will do so where possible, but please be aware I may need to keep certain information to meet my legal and professional obligations.
• Restrict or object to processing — In some circumstances, you can ask me to limit how I use your data or object to its use altogether.
• Data portability — You can ask for your data in a format that allows you to transfer it elsewhere.

If you would like to exercise any of these rights, simply get in touch with me.

Making a complaint

If you are unhappy with how I have handled your personal information, I would welcome the chance to put things right. Please contact me directly using my contact form or email ferncopland@protonmail.com.

You also have the right, under the Data (Use and Access) Act 2025, to complain to the Information Commissioner's Office (ICO) if you remain dissatisfied:

• Website: ico.org.uk
• Telephone: 0303 123 1113