Privacy policy – data protection and confidentiality policy

1. Introduction

This policy outlines how Sarah Dyson counselling handles personal data in compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. As a sole trader and therapeutic counsellor, I am the Data Controller. This policy applies to all personal data I collect, including sensitive "special category" data, from the initial contact through to the end of therapy and beyond.



2. The principles of UK GDPR

I adhere to the seven core principles of the UK GDPR in all data processing activities:


  1. Lawfulness, fairness, and transparency: I process your data legally, fairly, and openly. You have the right to know what data I hold, why, and what I do with it. This policy serves as your notice.
  2. Purpose limitation: I only collect data for specific, explicit, and legitimate purposes related to providing you with safe and effective therapeutic care. I will not use your data for any other purpose without your explicit consent.
  3. Data minimisation: I only collect the minimum amount of data necessary for the purpose of therapy.
  4. Accuracy: I take reasonable steps to ensure your data is accurate and up-to-date. Please notify me of any changes to your personal details.
  5. Storage limitation: I keep personal data for no longer than is necessary. This is guided by professional body guidelines and my insurance provider's requirements.
  6. Integrity and confidentiality (security): I use appropriate technical and organisational measures to ensure your data is secure and protected against unauthorised access, loss, or damage.
  7. Accountability: I am responsible for and can demonstrate my compliance with all the UK GDPR principles. This policy is part of that demonstration.



3. Data I collect and process

I collect and process the following types of personal data:

  • Initial contact information: When you first contact me via phone, email, or my website, I collect your name, email address, and phone number to respond to your enquiry.
  • Client information form: Before our first session, I will ask you to complete a form that includes your name, date of birth, address, phone number, email address, GP details, and an emergency contact person.
  • Special category data: During our sessions, I will collect special category data related to your physical and mental health. This includes session notes, which may contain details about your personal history, relationships, and presenting issues.
  • Financial data: I keep a record of payments for invoicing and accounting purposes.
  • Online and digital data: If we communicate via email or a secure video platform, I will hold a record of our correspondence.



4. Legal basis for processing your data

I have a legal basis for processing your data under the UK GDPR. For your personal data (e.g., contact details), the legal basis is legitimate interest to manage our professional relationship and the performance of a contract to provide you with a therapeutic service.

For your sensitive special category data (i.e., your health information), the legal basis is that the processing is "necessary for the provision of health or social care or treatment."



5. How I store and protect your data

Your data is stored with the utmost care and security.

  • Initial enquiries: Contact information from initial enquiries is deleted after two weeks if you do not become a client.
  • Written notes: Brief, anonymised session notes are stored in a locked filing cabinet, separate from any identifying information. I use a unique client code on your notes.
  • Electronic data: Your identifying information (Client Information Form) is stored separately from your session notes on a password-protected computer and/or cloud storage with two-factor authentication. Any emails are deleted once the content has been transferred to your secure record.
  • Mobile phone: Your phone number may be stored on my password-protected mobile phone.



6. Confidentiality and data sharing

Your confidentiality is of the highest importance.

  • Supervision: I discuss my clinical work with a supervisor as part of my professional and ethical practice. The purpose of supervision is to ensure I am working effectively and ethically. Your name or any other identifying details will not be disclosed during these discussions.
  • Emergency contact: In the event of a medical emergency or a serious risk of harm to yourself or others, I may need to contact your emergency contact or your GP. I will always try to discuss this with you first, unless doing so would increase the risk.
  • Legal obligation: I may be legally required to break confidentiality if I receive a court order or subpoena to provide your records.
  • Professional executor: In the event of a sudden, serious illness or death, I have appointed a professional executor (a trusted, qualified counsellor) to access your contact details only to notify you of the situation and provide onward care arrangements. They will not have access to your session notes.



7. Your rights under UK GDPR

Under the UK GDPR, you have several rights regarding your personal data. You can make a request for any of these rights in writing.

  • Right to be informed: You have the right to be informed about how your data is processed. This policy serves to fulfil that right.
  • Right of access: You can request a copy of the personal information I hold about you. I will provide this information within one calendar month.
  • Right to rectification: You can ask me to correct any inaccuracies in the data I hold about you.
  • Right to erasure ('the right to be forgotten'): You can ask me to delete your personal data. However, I may be required to keep some records for a certain period for legal or professional reasons (e.g., for my insurance).
  • Right to restrict processing: You can ask me to stop processing your personal data in certain circumstances.
  • Right to data portability: You can ask me to provide your data in a structured, commonly used, machine-readable format.
  • Right to object: You can object to me processing your data.



8. Data retention and disposal

I will retain your personal and clinical data for the period required by my professional body (BACP) and my professional indemnity insurance provider. Currently, this is five years after our last session. After this period, your electronic and paper records will be securely destroyed.



9. Data breaches

I have a procedure in place to manage any personal data breaches. If a breach occurs that is likely to result in a high risk to your rights and freedoms, I will notify you and the Information Commissioner's Office (ICO) within 72 hours.



10. Complaints

If you have a concern about how I have handled your data, please contact me directly to resolve the issue. If you are not satisfied with my response, you have the right to lodge a complaint with the ICO:


Information Commissioner’s Office (ICO)
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Telephone: 0303 123 1113
Website: www.ico.org.uk


Copyright © 2025 Sarah Dyson counselling - All Rights Reserved. Illustrative therapy images by iStock by Getty Images. Original photography by Will Drane and Sarah Dyson. 

Portraits by Jo Campbell www.jocampbell.co.uk (head and shoulders) and Anne-Sarah Huet www.photofeel.net (standing, three-quarter length).
