Privacy Notice (GDPR)

Last updated: 15/09/2025

Controller: Elfie Carson Counselling 

Email: elfiecarsoncounselling@gmail.com Phone: 07421128146

This notice explains how I collect, use, store and share personal data about clients and website users, and your rights under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. 

Summary

I collect personal information so I can provide counselling safely and manage my private practice (booking, notes, payment, safeguarding). Some information I hold is sensitive - e.g. health/therapy records - and I treat it with extra care. The lawful bases I rely on include explicit consent, performance of a contract, and compliance with legal obligations. 

What personal data I collect

  • From clients (during referral/therapy): 

  • Identity and contact details: name, address, email, phone, next of kin, GP name and address.

  • Presenting issues, psychological/medical history, session notes, risk/safeguarding information.

  • Appointment and contact records, invoices and payment records.

  • Where relevant, correspondence from third parties (with your consent) such as GP or other professionals.

From website visitors: cookies, IP address, form submissions (if you contact me via the site).

This practice processes health and therapeutic information which is a special category of personal data and handled accordingly. 

How and why I use your data (purposes)

I will process your personal data for the following purposes:

  • To provide counselling and clinical record keeping (assessment, treatment planning, reviewing progress). 

  • To manage appointments, payments and the contractual relationship (booking, invoices). 

  • To meet legal obligations (e.g. tax / accounting requirements, safeguarding or statutory reporting where required). 

  • For limited administrative or website purposes (e.g. analytics, site performance).

  • Where required for legal or safeguarding reasons, I may share information with appropriate authorities (e.g. police, courts, or statutory safeguarding bodies).

Special category (sensitive) data

Health and therapy records are special category data under UK GDPR. I will normally rely on explicit consent to process this information for therapeutic purposes. In some limited circumstances (e.g. safeguarding, legal obligation, or vital interests) I may process without consent where permitted by law. BACP guidance and legal resources inform best practice for confidentiality, disclosure, and record-keeping. 

Who I share data with

I will not share your therapy notes or personal data with third parties without your explicit consent except where:

  • Required by law or to prevent serious harm (safeguarding, court order).

  • For practice management: accountants, insurers, or IT/hosting providers who act as processors under contract and only have access as needed.

  • Clinical supervision: I may discuss anonymised or identified information in supervision — where possible I will anonymise, and if identifying information is used I will normally seek your consent beforehand, except when required for safeguarding. This is in line with BACP practice. 

Data retention — how long I keep your data

I retain client records in line with professional guidance: typically a minimum of 6 years for adults after your last session; for young people records are usually kept until they reach age 25 (or as otherwise required by law or best practice). Administrative and financial records (for tax purposes) are retained for the period required by HMRC and ICO guidance. 

How I keep your data secure

I use appropriate technical and organisational measures to protect your information, including:

  • Secure (password-protected) electronic records; encrypted backups where possible.

  • Locked storage for paper records when not in use.

  • Secure systems for online appointments (only using GDPR-compliant video providers).

  • Limited access: only I and authorised processors (e.g. supervisor, accountant) can access identifiable data.

If a data breach affects your rights or freedoms I will follow ICO guidance on breach notification and inform you and the ICO where required. 

Cookies and website analytics

My website uses basic cookies (e.g. functional cookies and limited analytics). These are used to improve the website and to respond to enquiries. You can control cookies through your browser settings. 

Your rights

Under UK GDPR you have the right to:

  • Request access to the personal data I hold about you (subject access request).

  • Request rectification of inaccurate or incomplete data.

  • Request erasure (“right to be forgotten”) — subject to legal and professional record-keeping obligations.

  • Request restriction of processing or object to processing (for certain processing grounds).

  • Request portability of data you have provided to me in a commonly-used machine-readable format.

  • Withdraw consent at any time where processing is based on consent (this won’t affect processing done before withdrawal).


To exercise any of these rights, contact me at: elfiecarsoncounselling@gmail.com. If you are unhappy with how I handle your data you may also complain to the Information Commissioner’s Office (ICO). 

Changes to this notice

I may update this privacy notice from time to time (for example, to reflect changes in law, guidance or practice). The latest version will always be on my website with the “last updated” date.

Contact & complaints

Contact for data matters: elfiecarsoncounselling@gmail.com 

If you remain dissatisfied after contacting me, you can complain to the Information Commissioner’s Office (ICO): https://ico.org.uk