Privacy Notice for Therapy Clients

I, Dr Katherine Preedy (Preedy Psychology Ltd.), provide psychology services (training workshops, supervision, psychological therapy and assessment). You may be aware of new laws relating to the General Data Protection Regulation (GDPR) that are in effect from 25 May 2018. The purpose of GDPR is to provide a set of standardised data protection laws across all EU member countries. This privacy policy explains how I comply with these laws and explains the personal or sensitive information that I collect, store and process about you as a data controller.

1. What are your rights?


I am committed to protecting your rights to privacy. They include:

  • Right to be informed about what I do with your personal data

  • Right to have a copy of all the personal information I process about you

  • Right to rectification of any inaccurate data I process, and to add to the information I hold about you if it is incomplete

  • Right to be forgotten and your personal data destroyed

  • Right to restrict the processing of your personal data

  • Right to object to the processing I carry out based on my legitimate interest

2. Why do I collect information about you?


I collect information about you to provide you with psychological assessment and treatment and because it supports the provision of a safe and professional service. It is therefore in my legitimate interests as a Registered Psychologist to collect your personal data. I also collect sensitive ‘special category’ data (such as details about psychological difficulty). My lawful reason for doing so is that it is necessary for the provision of safe and professional (mental) health treatment (psychological therapy). You do not have to agree to share information with me, however, in many cases I may not be able to offer you a service if you do not.

Another lawful reason for processing your data may be Legal Obligation. If I am processing “special category data” about you, this is my second lawful reason to do so. This is likely to apply if you are being assessed as part of a litigation claim.

I may also collect information about you if I am providing supervision, training or other services to you. If you are a supervisee I will have a contract with you, which will be my lawful reason to process your data.


I may also ask for information on how you found our service for the purpose of my own marketing research.  No information you provide is passed on without your consent.  I will never sell your information to others.

3. What information do I collect about you?


In order to provide a safe and professional service I collect information about you that includes personal and sensitive information. The personal information may include:


  • Name

  • Address

  • Telephone numbers

  • Date of birth

  • Gender (or preferred identity)

  • Age

  • Relationships & children

  • Occupation

  • Telephone/SMS number

  • Email address 


In addition to the personal information above, I may also collect sensitive information including:


  • Medical conditions (if relevant)

  • Prescribed medication.

  • Psychological history and current difficulties.

  • Relationships and history (including therapy history)

  • Sexuality (if relevant)

  • Offences

  • Financial information, including bank account details (if you are a self-funded client)

  • Session/ contact details and notes

  • Signed therapy/ GDPR agreement

  • Any illicit substance use

  • Completed outcome measures

Some of this information will be collected directly from you; it may also be collected from a referring agency such as a GP, psychiatrist, healthcare provider or intermediary company. In such cases I will also collect and process personal data provided by that organisation. This includes basic contact information, referral information, and health insurance policy number and authorisation for psychological treatment. Please be aware that if you do not provide the personal information requested, then I may be unable to provide a therapy service to you.


I also process personal data pursuant to my legitimate interests in running my business such as keeping invoices and receipts and documents relating to accounts, VAT and tax returns.



I will only use the information you supply to me to support your supervision. Data that I collect about you, in addition to the above, may include:

  • Bank details for payments

  • Curricula vitae

  • Professional registration details

  • Information regarding previous supervision


Where I want to disclose information to a third party, for example in providing a reference, I will not do so without disclosing it to you beforehand, unless disclosure is required by law.

4. Web access collection of information

I collect information when you voluntarily complete contact forms. If you complete a web-based enquiry form, I will also collect any information you provide to me. I use cookies on my website to gather information about visitors in order to monitor the quantity of website traffic.  I do not identify you or any other individuals from this information. Here is my Cookie Policy.

5. How do I use the information that I collect?

  • To respond to your enquiries

  • To communicate with you about appointments

  • To offer you high quality psychological assessment and treatment including liaison with others involved in your care, where relevant and with your consent.

  • To create invoices.



6. How do I store and share the information about you?


I take your privacy very seriously and I am committed to taking reasonable steps to protect any individual identifying information that you provide to me. Once I receive your data, I make best efforts to ensure its security on my systems. All personal information provided is stored in compliance with the EU General Data Protection Regulation (GDPR).


Your data may be stored in the following ways:

  • Written assessment and session notes. Only initials are written on assessment and session notes or in a diary. Whenever possible, notes are transported separately from your contact details and both are kept in locked cabinets.

  • Email correspondence between us is stored in my email account including your email address and anything you disclosed in emails. I regularly delete emails, however, please be aware that email is not a secure mode of communication and you may prefer to communicate personal information to me directly in person or on the telephone. My smartphone and computer are password protected.

  • Electronic information (e.g. a report) is held in highly secure encrypted cloud storage or on an encrypted hard-drive. These are password protected. Malware and antivirus protection is installed on all computing devices.  Mobile devices are protected with a passcode. When electronic information needs to be shared this will be done in a password protected format.

  • Your telephone number may be stored in my SMS if we have communicated in this way. 

  • If you choose to pay me by electronic bank transfer then I may hold a record of this transfer through my bank. This data is secured by the bank’s data security systems.

  • I use cookies on my website to gather information about visitors in order to monitor the quantity of website traffic.  I do not identify you or any other individuals from this information.



7. How long do I keep your information for?

I do not keep your data for longer than is necessary.


Administrative data is retained for up to seven years as necessary, in the unlikely event there are queries from HMRC and the VAT commissioner. Where it is not necessary to retain the data for seven years, it is destroyed as soon as possible.


The sensitive personal data defined above is stored, where necessary, for seven years in compliance with professional guidance and indemnity obligations. After this time, this data is deleted at the end of each calendar year. Where this is not necessary, it is destroyed on the conclusion of the work.


Basic contact information held on a mobile phone is deleted within 6 months of the end of therapy.



8. Who do I share your personal information with?


I take your privacy very seriously and your information is kept confidential at all times. I work to strict professional and contractual codes of confidentiality and where possible I will anonymise information so that individual people cannot be identified. I will only use your personal information to provide the services you have requested from me.

  • Reports to referrers or private health insurance companies: If you were referred to me by a psychiatrist, with your consent, I may write them an assessment and discharge report. Some insurance companies require reports to grant funding / extension of treatment. Reports are sent securely in password protected documents. I will share appointment schedules with that organisation for the purposes of billing.

  • Supervision / consultation: It is a professional requirement that I have supervision. I therefore discuss my work with two supervisors (registered psychologists equally bound to keep information confidential). I do not disclose your name to them.

  • Therapeutic will: In the event of my death, should you still be in therapy with me, my Therapeutic Executor (registered psychologist) would access your contact details to advise you of this and to ensure the ongoing security / appropriate deletion of your data.

  • Risk and safeguarding: In certain circumstances, such as where I believed there was significant risk to you (e.g. suicide), to others (e.g. child protection) or where a crime was reported to me, I may have a legal and professional obligation to share information with third parties without seeking your prior permission. 


I will not share your personal information with third-parties for marketing purposes.

9. How can you access your information and correct it, if necessary?

I try to be as open as I can be in terms of giving people access to their personal information. Individuals can find out if I hold any personal information by making a ‘subject access request’ or ‘Right of Access’ under the Data Protection Act and the General Data Protection Regulation. I will then:

  • Supply you with a description of all data I hold about you

  • Inform you how it was obtained (if not supplied by you)

  • Inform you why, and for what purposes, I am holding it

  • Inform you what categories of personal data are concerned

  • Inform you who it could be disclosed to

  • Inform you of the retention periods of the data

  • Inform you about any automated decision making including profiling

  • Let you have a copy of the information.


To make a request to me for any personal information I may hold, please put the request in writing. You may ask me to correct or remove information you think is inaccurate. However, I reserve the right to refuse a request to delete a client’s personal information where this forms part of therapy records. Therapy records are retained for a period of 7 years in accordance with the guidelines and requirements for record keeping by The British Psychological Society (BPS; 2000)[1] and The Health and Care Professions Council (HCPC; 2017)[2].

10. Complaints or queries


I try to meet the highest standards when collecting and using personal information. For this reason, I take any complaints I receive about this very seriously. I encourage people to bring it to my attention if they think that my collection or use of information is unfair, misleading or inappropriate. I would also welcome any suggestions for improving my procedures. If you do have a complaint, contact me at so I can investigate the matter on your behalf.


If you are not satisfied with the response from me, or believe I am not processing your personal data in accordance with the law, you have the right to raise your complaint with the Information Commissioner’s Office (ICO). My ICO registration number is ZA133278 and I (Dr Katherine Preedy) am the named Data Controller.

Contact information ICO: Website:  Telephone: +44 (0) 303 123 1113

Dr Katherine Preedy

Chartered and Clinical Psychologist


[1] The British Psychological Society (2000). Clinical Psychology and Case Notes: Guidance on Good Practice. Leicester: Division of Clinical Psychology, BPS.

[2] Health and Care Professions Council (2017). Confidentiality – guidance for registrants. London: HCPC.