Privacy NoticeGDPR & Data Protection Policy Nicola Morley Psychotherapy

 

1. IntroductionThis policy outlines how Nicola Morley Psychotherapist collects, stores, and processes personal data in compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. As a registered and accredited counsellor, I am committed to maintaining the confidentiality and security of client information, ensuring that all personal data is handled lawfully, fairly, and transparently.

 

2. Data Controller Details

Name: Nicola Morley Name:

Therapy Address: Richmond House, Lytham St Annes, FY8 IPE

Mail: nicola@nicolamorley.com

Phone: 07867815208

 

3. What Data I CollectI collect and process the following types of personal data from clients:Personal details:

Name, address, phone number, email address.

Sensitive personal data (special category data):

Health information, GP details (if provided), and therapy session notes.

Session records: Brief anonymised notes summarising key points from sessions.

Online session data: Limited data related to video or telephone counselling (e.g., platform used, date/time of session).Payment details: Invoices and transaction records (via secure payment platforms).

 

4. Legal Basis for Processing DataI process personal data under the following lawful bases:Consent – Clients provide explicit consent for the collection and storage of their data.Contractual necessity – Data is required to deliver counselling services.Legal obligation – Certain records must be retained to comply with legal or regulatory requirements.Legitimate interests – Maintaining minimal session records to provide effective therapy and professional accountability.

 

5. How I Store and Protect DataI take appropriate security measures to protect personal data:Paper notes – Stored in a locked filing cabinet, accessible only to me. Digital records – Stored securely on a password-protected device with encryption.  Emails and messages – Kept securely and deleted when no longer required. Online sessions – Conducted via secure, GDPR-compliant platforms (e.g., Zoom, Microsoft Teams).

 

6. Data RetentionSession notes are retained for 5 years following the end of therapy, in line with professional guidelines.  Contact details and email communications are deleted within 6 months after therapy ends, unless required for ongoing professional obligations.  Financial records are kept for 6 years, as required for tax and accounting purposes.

 

7. Sharing of DataI do not share client data with third parties unless:

Required by law (e.g., safeguarding concerns, court orders).

Clients request data to be shared (written consent required).In supervision, where case discussions are anonymised.

 

8. Client RightsClients have the right to:

Access their data (receive a copy of personal information held).Rectification (request corrections to inaccurate or incomplete data).

Erasure (“Right to be forgotten” – request deletion of data where appropriate).Restrict processing (request limited use of their data).

Object to processing based on legitimate interests.Data portability (request transfer of their data in a structured format).

Requests can be made in writing to info@catherinedonnellytherapy.com and I will respond within one month. 9. Confidentiality & LimitsConfidentiality is fundamental to my counselling practice.

 

However, I may need to break confidentiality if:

A client is at serious risk of harm to themselves or others.

There is a legal obligation to disclose (e.g., safeguarding concerns, terrorism, drug trafficking).

 

I adhere to the BACP ethical Framework https://www.bacp.co.uk/ethical-framework-for-the-counselling-professions-2018Where possible, I will discuss this with the client before taking action.

 

10. Complaints

If clients have concerns about how their data is handled, they can contact me at niocola@nicolamorley.com.

If unresolved, they may contact the Information Commissioner’s Office (ICO):Website: www.ico.org.uk

Phone: 0303 123 1113 11.

Policy Review

This policy is reviewed annually or when significant changes occur in data protection law.Last reviewed: July 2025