Data Protection Policy
Data Controller: Lynne Bargewell ICO Registration Number: Z3485050
Last Updated: June 2026
1. Overview and Purpose
This policy outlines how Lynne Bargewell, trading as Durham Counselling & Psychotherapy, collects, handles, stores, and disposes of personal and sensitive client data. As a sole practitioner, I act as the Data Controller. I am committed to protecting client privacy in compliance with the UK GDPR, the Data Protection Act 2018, the Data (Use and Access) Act (DUAA), and the ethical framework of the British Association for Counselling and Psychotherapy (BACP).
2. Lawful Bases for Processing Data
To process data lawfully under the UK GDPR, I rely on two layers of legal basis: an Article 6 basis for all personal data, and an additional Article 9 condition for special category (health) data.
Personal Data (Article 6)
- Contract: Processing is required to fulfil the therapeutic contract and deliver counselling services to you.
- Legal Obligation: Processing is required to comply with statutory requirements (for example, the retention of financial records) or court orders.
Special Category Data (Article 9)
Mental health details and session notes constitute highly sensitive health data. I process this under:
- Article 9(2)(h): The provision of health or social care treatment.
- Explicit Consent (Article 9(2)(a)): Obtained directly from the client during intake for specific processing, such as audio recording of sessions or the use of specialised assessment tools.
3. Types of Data Collected
I only collect the minimum amount of data required to safely and effectively run my practice:
- Contact Details: Name, date of birth, address, phone number, and email.
- Therapeutic Information: Relevant medical history, psychiatric history, and psychological background.
- Clinical Process Notes: Brief, strictly factual summaries of each session.
- Financial Records: Invoices, session dates, and payment history.
4. Data Storage and Security Measures
I apply the following technical and physical safeguards to protect client data:
Electronic Records
- Pseudonymisation: Clinical notes use client codes or first names only, so that identifying details are held separately from session content. Pseudonymised notes remain personal data and are protected accordingly.
- Device Security: Laptops and mobile phones are password protected.
Physical Records
- Physical Security: Any paper intake documents or brief hardcopy records are filed in a locked metal cabinet.
5. Data Retention and Destruction
- Standard Client Records: Retained for 5 years following the final therapeutic session to satisfy professional liability insurance and ethical framework requirements.
- Enquiry Data: For prospective clients who do not begin therapy, details are permanently deleted after 1 week.
- Destruction Protocol: Hardcopy items are put through a cross-cut security shredder. Digital records are permanently deleted.
6. Information Sharing and Confidentiality Limits
Client data remains confidential and is never passed to third parties for marketing purposes. It is shared only in the following circumstances:
- Clinical Supervision: Monthly discussion with a qualified supervisor to safeguard professional standards.
- Safeguarding: If a client or another vulnerable individual is at clear, imminent risk of serious physical harm.
- Legal Mandate: When compelled by a valid court order or statutory requirement. I will limit any shared data to the precise scope requested, redacting non-essential details.
7. Your Data Protection Rights
Under data protection law, clients hold the following rights regarding their data:
- Right of Access: Clients may make a Subject Access Request (SAR) to receive copies of their records.
- Right to Rectification: Clients can ask me to correct inaccurate contact details or factual errors, and I will do so promptly.
- Right to Erasure: Clients can request the deletion of their data. Note: Factual medical/therapeutic notes may be retained for the period set out in section 5 where they are needed for the establishment, exercise or defence of legal claims (Article 17(3)(e)) and to meet professional liability insurance requirements.
- Right to Restrict Processing and to Withdraw Consent: Clients can ask me to restrict how their data is used, and can withdraw specific consents (e.g., opting out of automated text reminders) at any time.
8. Data Breach Procedure
In the unlikely event of a security breach involving your personal data (such as a stolen device or a compromised account):
- I will isolate and contain the breach immediately.
- If the breach presents a risk to your rights and freedoms, I will notify the Information Commissioner's Office (ICO) within 72 hours of becoming aware of it.
- I will notify affected clients directly without undue delay, outlining what data was exposed and the steps taken to mitigate harm.