Privacy Policy

1. Who I Am

I am Rhian Shurlock, trading as Centred Self Therapy, a private psychotherapy practice. I take your privacy seriously and am committed to protecting your personal information.

I am a private psychotherapy practitioner and a registered member of the British Association for Counselling and Psychotherapy (BACP). I work in accordance with its Ethical Framework and the requirements of the United Kingdom General Data Protection Regulation (UK GDPR). I am committed to protecting your personal data and handling it in accordance with applicable data protection law.

This Privacy Policy explains how I collect, use, and store your personal data, and your rights in relation to that information, in line with UK GDPR.

2. What Information I Collect, Use, and Why

Providing Counselling Services

I collect and use the following personal information in order to provide safe and effective counselling services:

  • Name, address, and contact details

  • Pronoun preferences

  • Next of kin and emergency contact details

  • Health information (including medical history and relevant personal circumstances)

  • Session notes, assessments, and records of meetings and decisions

  • Payment and financial information

  • Correspondence (e.g. emails or messages)

This includes special category data, such as health information, which is afforded additional protection under data protection law.

Safeguarding and Public Protection

Where necessary, I may process personal and health information to:

  • assess and respond to risk of harm

  • protect clients or others

  • meet safeguarding responsibilities

Legal and Administrative Purposes

I may also process personal data to:

  • comply with legal and regulatory obligations

  • maintain accurate records

  • respond to queries, complaints, or claims

3. Lawful Basis for Processing

Under the UK GDPR, I rely on the following lawful bases:

  • Contract – to provide counselling services

  • Consent – particularly for processing special category (health) data

  • Legal obligation – for tax, safeguarding, and regulatory requirements

  • Legitimate interests – for the effective management of my practice

You have the right to withdraw consent at any time where it is relied upon.

4. Where I Get Your Information From

Personal information is collected:

  • Directly from you

  • From other health or care providers (where relevant)

  • From third parties such as:

    • counselling directories (e.g. BACP, Counselling Directory)

    • insurance providers or Employee Assistance Programmes (EAPs) (e.g. Bupa, Aviva)

5. Confidentiality

I am subject to a common law duty of confidentiality. Information you share in counselling will be kept confidential unless there is a valid reason to disclose it.

Confidentiality may be broken where:

  • you have given consent

  • there is a legal requirement (e.g. court order)

  • there is a serious risk of harm to you or others

  • disclosure is justified in the public interest (e.g. prevention of serious crime)

Where possible, this will be discussed with you first.

6. Who I Share Information With

I do not sell or share your data for marketing purposes. Your information may be shared where necessary with:

  • Professional supervisors (anonymised where possible)

  • Other health professionals (e.g. GPs, consultants)

  • Insurance providers or intermediaries

  • Organisations involved in safeguarding

  • Legal or regulatory authorities where required

  • Service providers supporting my practice

7. Use of Third-Party Services

I use third-party providers to support my practice, including platforms such as Zoom, Microsoft Teams, GoDaddy, and Squarespace.

These providers may process limited personal data on my behalf. I take reasonable steps to ensure they handle your data securely and in line with data protection law.

8. Data Retention

I retain personal data only for as long as necessary to fulfil the purposes for which it was collected, including legal, ethical, safeguarding, and insurance requirements.

Retention periods are as follows:

  • Client records (including session notes and clinical correspondence) – retained for 7 years after the end of the therapeutic relationship

  • Contact and administrative information – retained for the duration of the relationship and up to 2 years after last contact, unless included in the client record

  • Appointment records – retained for 2 years, unless part of the clinical record

  • Financial records – retained for 6 years in line with legal requirements

  • Correspondence – retained for up to 2 years, unless clinically relevant

  • Supervision notes (anonymised where possible) – retained for 7 years

  • Safeguarding records – retained for at least 7 years, and longer where necessary

At the end of the retention period, data is securely deleted or anonymised.

9. Data Security

I take appropriate technical and organisational measures to protect your personal data. This includes:

  • secure storage of paper records

  • password-protected electronic systems

  • restricted access to personal data

10. Your Data Protection Rights

Under the UK GDPR, you have rights including:

  • the right to access your personal data

  • the right to request correction of inaccurate data

  • the right to request erasure (in certain circumstances)

  • the right to restrict or object to processing

  • the right to data portability

  • the right to withdraw consent at any time (where applicable)

I will respond to any request without undue delay and within one month.

11. How to Complain

If you have concerns about how your data is handled, you can raise this with me directly by emailing rhian@centredselftherapy.co.uk.

You also have the right to lodge a complaint with the Information Commissioner's Office: