GDPR and Privacy

Inner Space Counselling is registered with the Information Commissioner’s Office (ICO), which means your data is managed in line with UK law and current privacy standards.

What is GDPR and how does it affect me?

The General Data Protection Regulation (GDPR) came into effect in 2018, replacing the 1998 Data Protection Act. It sets clear rules about how your personal and sensitive information is stored, shared and protected.

This includes any identifiable information such as your name, contact details, health-related data, session notes and any communication (e.g. emails, texts or messages).

GDPR ensures that:

  • You know what information is being collected

  • You consent to how it’s used

  • Your data is kept safe, private and only kept for as long as necessary

Why do you need this information?

I collect only the information I need to offer you safe and effective therapy.

This may include:

  • Your name, contact details and emergency contact (used only with your consent)

  • Relevant background or medical history

  • Session notes to support continuity and clinical care

My website may also collect anonymous usage data (e.g. through analytics tools), but no personal details are collected or shared.

How is my information kept secure?

Your privacy is taken seriously and your data is stored securely:

  • Paper notes are kept in a locked filing cabinet

  • Digital notes are stored on secure, encrypted cloud servers

  • Work phones and email accounts are protected with strong passwords and PINs

  • Any personal data sent by email is sent as a password-protected attachment, with the password shared separately

As a therapist, I am registered with the ICO and follow their guidelines to protect your data in line with UK law.

How long will my data be stored?

In line with professional guidelines from the British Association for Counselling and Psychotherapy (BACP) and my insurance provider (Oxygen), your data will be kept for 10 years after your final session.

After that, it will be securely destroyed in the January following the end of that retention period.

Can I request my records be deleted?

Yes – under GDPR, you have the right to request your records be deleted at any time. This must be done in writing (email or post is fine).

If you request deletion:

  • Paper records will be shredded

  • Digital records will be permanently erased

  • A note confirming your deletion request will be kept, but no other information will be stored

Is what we talk about confidential?

Yes – everything you share in therapy is confidential.

I may speak about sessions in supervision (which is required for ethical therapy practice), but no identifying details are shared. My supervisor is also bound by GDPR and confidentiality guidelines.

If we see each other outside of sessions, I won’t initiate contact, to protect your privacy. You’re always welcome to speak to me, but I won’t break confidentiality by acknowledging our work together.

Will you share my information with other professionals?

Only with your permission. If I need to contact another healthcare professional (e.g. your GP), I will ask for your signed consent first.

Are there any exceptions to confidentiality?

In some rare situations, I may need to break confidentiality without your consent. This includes:

  • If you are at serious risk of harm to yourself or someone else

  • If I’m legally required to disclose information (e.g. in cases involving terrorism, money laundering or drug trafficking)

Where possible, I will always try to speak to you before sharing any information.

Any questions?

If you have any concerns or would like to know more about how your data is handled, you’re always welcome to ask. I aim to be open, transparent and respectful in how your information is treated.