Data Protection, Privacy & Information Governance

Contents

  1. Privacy Policy

  2. Data‑Handling Complaints Procedure (DUAA‑Compliant)

  3. Appropriate Policy Document (APD)

1. Privacy Policy

(DUAA‑aligned)

Introduction

This Privacy Policy explains how DHB Counselling collects, stores, uses, and protects your personal data in line with:

  • UK GDPR

  • Data Protection Act 2018

  • Data (Use and Access) Act 2025 (DUAA)

It also outlines your rights and how you can exercise them.

What Information I Collect

I collect only the information necessary for counselling, including:

  • contact details

  • referral information

  • clinical notes

  • emails and messages

  • relevant background information you choose to share

How Your Information Is Stored

  • Paper notes are kept in a locked filing cabinet accessible only to me.

  • Electronic records are stored securely on encrypted, password‑protected devices.

  • Emails are stored securely and retained in line with my retention schedule.

Contingency Arrangements

If I die or become incapacitated, a designated Contingency Counsellor will:

  • notify you

  • ensure your records remain secure

  • arrange safe destruction in line with this policy

How Long Your Data Is Kept

  • Clinical records: 7 years after our work ends

  • Emails and electronic communications: 7 years

  • Data‑handling complaints (DUAA requirement): 6 years

After this time:

  • paper records are cross‑cut shredded

  • electronic records are permanently deleted

Sharing of Information

I will not share your personal data without your explicit consent unless:

  • required by law (e.g., court order)

  • necessary for safeguarding or risk of serious harm

Your Rights

You have the right to:

  • access your data

  • request corrections

  • request deletion (in certain circumstances)

  • restrict processing

  • request portability

  • raise a data‑handling complaint

Subject Access Requests will be acknowledged within 30 days and completed within one month, with DUAA “stop‑the‑clock” provisions applied if clarification is needed.

How to Contact Me

Email: diane@dhbcounselling.co.uk
Tel: 07421123500

2. Data‑Handling Complaints Procedure

(Fully DUAA‑compliant)

If you ever have concerns about how your personal data has been handled, you have the right to raise a complaint. I will respond with care, transparency, and respect.

How to Raise a Complaint

You can raise a concern verbally or in writing.

Please include:

  • your name

  • how I can contact you

  • a description of your concern

You do not need to use legal language.

What Happens Next

Acknowledgement (within 30 days)

I will acknowledge your complaint within 30 days.

Investigation

I will review:

  • the data involved

  • how it was handled

  • any relevant records

  • whether any breach or error occurred

If I need more information, I will pause the timeline (“stop the clock”) until it is received.

Outcome (within 3 months)

You will receive a clear written response within 3 months, including:

  • findings

  • actions taken

  • steps to prevent recurrence

If You Are Not Satisfied

You may escalate your concern to the Information Commissioner’s Office (ICO):

ICO Helpline: 0303 123 1113
Website: ico.org.uk

Record Keeping

DUAA requires me to keep a record of all data‑handling complaints for 6 years.
These records are stored securely and separately from clinical notes.

3. Appropriate Policy Document (APD)

Processing of Special Category Data

This APD explains how DHB Counselling meets the legal requirements for processing special category data.

Purpose of This Document

As a counsellor, I process sensitive information relating to your mental health and wellbeing. This document outlines:

  • why I process this data

  • the lawful basis

  • retention periods

  • safeguards

  • your rights

Lawful Basis for Processing

UK GDPR Article 6(1)(b)

Processing is necessary for the counselling contract.

UK GDPR Article 6(1)(c)

Processing is necessary for legal obligations.

Conditions for Processing Special Category Data

I rely on:

UK GDPR Article 9(2)(h)

Provision of health or social care.

DPA 2018 Schedule 1, Part 1 (2) & (3)

Health care and management of health services.

Safeguards

I use:

  • secure storage (paper and electronic)

  • encrypted devices

  • minimal data collection

  • strict access controls

  • confidentiality agreements with my Contingency Supervisor

No data is shared without your consent unless legally required.

Retention and Deletion

  • Clinical records: 7 years

  • Emails: 7 years

  • Data‑handling complaints: 6 years

After this period, all data is securely destroyed.

Your Rights

You may:

  • access your data

  • request corrections

  • request deletion (in certain circumstances)

  • restrict processing

  • request portability

  • raise a complaint

Review Schedule

This APD is reviewed:

  • annually

  • after any data‑handling incident

  • when laws or guidance change

Last reviewed: June 2026