Privacy Policy
Who I am
I am Loretta Rose MBACP, a private practice psychotherapist & counsellor and a registered member of the British Association for Counselling and Psychotherapy (BACP). I adhere to the BACP Ethical Framework, which sets out professional standards for confidentiality, record-keeping, and client care. This policy explains what data I collect, why I collect it, how I store it, and your rights under United Kingdom data protection laws, including the United Kingdom General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
What data I collect and why
I collect and process personal data to provide safe, ethical, and effective therapy. Below is an outline of the data I collect and the reasons for doing so.
1. Enquiries and initial contact
When you enquire about my services via Meela, Psychology Today, Counselling Directory, the Black, African and Asian Therapy Network (BAATN), the British Association for Counselling and Psychotherapy (BACP), my website (dawnsong.co.uk), or direct contact, I store the following personal data:
- Your full name
- Your email address
- Your phone number
- The reason for your enquiry
Purpose
I use Bigin to securely manage and track these enquiries and consultations. This system helps me respond to your enquiry, assess your needs, and arrange a consultation efficiently. In addition, I record the following:
- Date of your enquiry
- Date and time of your consultation
- Consultation outcome
- Your referral source
Storage and security
- Your data are encrypted both in transit and at rest, protecting it from unauthorised access.
- Only I have access to your information, secured with passwords and two-factor authentication.
- Your data is stored in a United Kingdom-based data centre, ensuring compliance with local data protection requirements.
- Bigin complies with the United Kingdom General Data Protection Regulation (UK GDPR) and follows strict security and privacy standards to safeguard client information.
Retention
Enquiry records are kept for six months before being securely deleted if you do not proceed with therapy.
2. Consultations
During an initial consultation, I collect and store the following data:
- Your email address.
- Your full name.
- Your age.
- Your location.
- The issue that has led you to seek therapy.
- How long you have been experiencing this issue.
- Any previous experience of therapy.
- Your goals for therapy.
- Your support systems and coping mechanisms.
- Any diagnosed mental health conditions.
- Current medications you are taking.
- Any relevant physical health conditions.
- Any history of self-harm or suicidal thoughts, whether recent or in the past.
- Your preferred session time, date, and location.
What I do not record
I do not document sensitive information that is not directly related to you, such as the names of family members, friends, or your workplace.
Purpose
I collect this data to assess whether therapy is appropriate for you and whether I am the right therapist to support you. This also helps me tailor therapy to your specific needs and goals, and identify risk factors and consider any safeguarding requirements.
Storage and security
- This data is stored in Microsoft Word documents on an encrypted drive that is backed up to OneDrive, which is also encrypted.
- Access is restricted to me only.
- Two-factor authentication (also called multi-factor authentication) is enabled on all platforms where it is available.
Retention
- If you proceed with therapy, consultation notes are deleted seven years after our last session.
- If you do not proceed with therapy, consultation notes are deleted within six months.
3. New client information
Data collected through Microsoft Forms and securely stored within both Microsoft Forms and Microsoft Excel.
I collect the following personal data through Microsoft Forms to ensure I have the relevant information to provide safe, effective, and personalised therapy. This information allows me to tailor therapy to your needs, assess potential risks, and fulfil my professional and legal responsibilities:
- Your full name.
- Date of birth.
- Gender identity.
- Ethnicity.
- Belief system.
- Sexual orientation.
- General practitioner’s (GP) name.
- GP surgery name and address.
- Emergency contact name and phone number.
- Emergency contact relationship.
- Agreement to therapy terms.
Purpose
This data ensures I can tailor therapy to your needs, manage risks, and comply with my professional and legal obligations, providing you with a safe and effective therapeutic experience.
Storage and security
- Data collected through Microsoft Forms is encrypted both during transmission and when stored, ensuring protection from unauthorised access.
- The data is stored in a password-protected Excel workbook on an encrypted drive, which is backed up to OneDrive, which is also encrypted.
- Only I have access to this data, secured by passwords and two-factor authentication on all platforms where available.
- Microsoft Forms follows data protection regulations, including the United Kingdom General Data Protection Regulation (UK GDPR), ensuring data is handled securely and lawfully.
Retention
- If you proceed with therapy, this data is stored for seven years after our last session and then securely deleted.
- If you do not proceed with therapy, this data is deleted within six months.
4. Mental wellbeing assessment
As part of therapy, I may ask you to complete mental wellbeing assessments, such as:
- Patient Health Questionnaire-9 (PHQ-9) – to assess symptoms of depression.
- Generalised Anxiety Disorder-7 (GAD-7) – to assess symptoms of anxiety.
- Other wellbeing measures that may be suited to your needs.
Purpose
These surveys help track your mental health over time, assess progress in therapy, identify any risk factors (such as self-harm or suicidal thoughts), and inform treatment decisions to ensure therapy remains effective.
Storage and security
- This data is stored on an encrypted drive, backed up to OneDrive, which is also encrypted.
- Two-factor authentication is in use to protect all stored data.
Retention
Wellbeing survey data is deleted seven years after our last session.
5. Session notes
I keep session notes that include:
- Session date and time.
- An anonymised client code.
- Main themes discussed in the session.
- Any identified risks and actions for follow-up.
Purpose
These notes help me maintain a factual record of therapy sessions, ensure continuity of care, track progress, and document safeguarding concerns, if necessary.
Storage and security
- Notes are stored on an encrypted drive, backed up to OneDrive, which is also encrypted.
- Two-factor authentication is enabled.
Retention
Session notes are stored for seven years after our last session, then securely deleted.
Other data considerations
1. Session communications
I use the following tools for communication during sessions:
- Microsoft Teams for secure video and audio sessions.
- Phone for voice calls.
- WhatsApp Business for phone and video calls.
Purpose
These tools ensure that I can offer flexible communication options for sessions, including both video and audio calls, to meet your needs.
Security
- Microsoft Teams and WhatsApp Business use end-to-end encryption to protect your data.
- Calls made through phone networks are protected using secure networks and best practices to prevent unauthorised access.
Retention
Call logs are stored on my secure mobile phone for one year before deletion.
2. Sharing information
Supervision
As required by the BACP Ethical Framework, I share relevant session information and protected characteristics with my clinical supervisor. My supervisor is bound by equivalent confidentiality and ethical standards.
Legal and safeguarding obligations
I am legally required to share information in the following circumstances:
- If I become aware of money laundering or terrorism offences, I must report this to the police.
- If there is a serious risk of harm to you or someone else, I may need to disclose information to the relevant authorities.
- I will only share the minimum necessary information in line with legal and ethical obligations.
How I protect your data
- Encryption
All data is encrypted both during transfer and when stored. - Access control
Only I have access to client data, secured with passwords and two-factor authentication. - Regular security updates
I keep all systems updated to protect against security threats.
Your rights over your data
You have rights under data protection law, including the right to:
- Request a copy of your personal data.
- Ask for incorrect information to be updated.
- Ask for your data to be erased (subject to legal obligations).
- Limit how your data is used.
- Request your data in a format that can be transferred elsewhere.
- Challenge how your data is used.
- Complain to the Information Commissioner’s Office (ICO) at www.ico.org.uk, if you have concerns about how your data is collected, stored, managed or used.
Contact information
If you have any questions regarding the collection, storage, or management of your data, please email data@dawnsong.co.uk.