GDPR & Data Protection Policy

Debbie Thorley Therapies

1. Introduction

This policy outlines how Debbie Thorley Therapies collects, stores, and processes personal data in compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

As a registered and accredited counsellor, I am committed to maintaining the confidentiality and security of client information, ensuring that all personal data is handled lawfully, fairly, and transparently.

2. Data Controller Details

Name: Debbie Thorley
Business Name: Debbie Thorley Therapies
Address: Stirling Place, 22-24 High Street, Cleator Moor, CA25 5LB
Email: hello@DTTherapies.co.uk
Phone: 07359 609452

3. What Data I Collect

I collect and process the following types of personal data from clients:

  • Personal details: Name, address, phone number, email address.

  • Sensitive personal data (special category data): Health information, GP details (if provided), and therapy session notes.

  • Session records: Brief anonymised notes summarising key points from sessions.

  • Online session data: Limited data related to video or telephone counselling (e.g., platform used, date/time of session).

  • Payment details: Invoices and transaction records (via secure payment platforms).

4. Legal Basis for Processing Data

I process personal data under the following lawful bases:

  • Consent – Clients provide explicit consent for the collection and storage of their data.

  • Contractual necessity – Data is required to deliver counselling services.

  • Legal obligation – Certain records must be retained to comply with legal or regulatory requirements.

  • Legitimate interests – Maintaining minimal session records to provide effective therapy and professional accountability.

5. How I Store and Protect Data

I take appropriate security measures to protect personal data:

  • Paper notes – Stored in a locked filing cabinet, accessible only to me.

  • Digital records – Stored securely on a password-protected device with encryption.

  • Emails and messages – Kept securely and deleted when no longer required.

  • Online sessions – Conducted via secure, GDPR-compliant platforms (e.g., Zoom, Microsoft Teams).

6. Data Retention

  • Session notes are retained for 5 years following the end of therapy, in line with professional guidelines.

  • Contact details and email communications are deleted within 6 months after therapy ends, unless required for ongoing professional obligations.

  • Financial records are kept for 6 years, as required for tax and accounting purposes.

7. Sharing of Data

I do not share client data with third parties unless:

  • Required by law (e.g., safeguarding concerns, court orders).

  • Clients request data to be shared (written consent required).

  • In supervision, where case discussions are anonymised.

8. Client Rights

Clients have the right to:

  • Access their data (receive a copy of personal information held).

  • Rectification (request corrections to inaccurate or incomplete data).

  • Erasure (“Right to be forgotten” – request deletion of data where appropriate).

  • Restrict processing (request limited use of their data).

  • Object to processing based on legitimate interests.

  • Data portability (request transfer of their data in a structured format).

Requests can be made in writing to hello@DTTherapies.co.uk, and I will respond within one month.

9. Confidentiality & Limits

Confidentiality is fundamental to my counselling practice. However, I may need to break confidentiality if:

  • A client is at serious risk of harm to themselves or others.

  • There is a legal obligation to disclose (e.g., safeguarding concerns, terrorism, drug trafficking).

Where possible, I will discuss this with the client before taking action.

10. Complaints

If clients have concerns about how their data is handled, they can contact me at hello@DTTherapies.co.uk. If the concern remains unresolved, they may contact the Information Commissioner’s Office (ICO):

  • Phone: 0303 123 1113

11. Policy Review

This policy is reviewed annually or when significant changes occur in data protection law.

Last reviewed: February 2025