GDPR Policy

GDPR Policy for counselling sessions

The General Data Protection Regulation (GDPR) relates to any of your personal information that I may collect, store or share. This page outlines my GDPR/privacy policy.

I am registered with the Information Commissioners Office in the UK (ICO) (security number CSN5986266) and adhere to the GDPR guidelines. As I am self-employed, I operate as the data controller for Nine Keys.

Personal information that I collect

When you contact me, and as part of our initial assessment, I will ask you for the following information:

  1. Name, telephone number, email address, address
  2. Gender, date of birth
  3. Key relationships, occupation
  4. GP name and address, plus any medical conditions relevant to counselling or that may present in the counselling room, including any prescribed medication
  5. Emergency contact and relationship to you
  6. Counselling history and current reasons for seeking counselling

How I will store your information

  • Mobile phone

I will store your contact information (name, mobile number, email address and address – item 1 above) and your emergency contact information (item 5 above) on a mobile phone that is reserved for counselling purposes. This allows me to contact you when necessary, but does not allow the information to be shared elsewhere. I use WhatsApp for business on this phone to send messages, so any correspondence between us will be stored there.

  • Laptop

All other information collected during the assessment session (items 2-6 above) will be stored electronically on a password protected laptop that will be kept in a locked filing cabinet in my home or office. This laptop utilises two-part verification for all external purposes (enhanced security measure).

  • Paper

I usually make brief notes after each session and sometimes during supervision (see section on supervision below). I will store your anonymised session notes in a file (identified only by your first name). This will be kept in a locked filing cabinet in my home or office when not in use.

  • Email/text messaging/WhatsApp

Any emails you send me will be saved as a PDF and stored on my laptop, then deleted from my email account. 

Any text messages or WhatsApp messages will be stored in my phone until they are deleted by me (usually at the end of our last session together). Electronic correspondence will also be held by whatever method you use to contact me, unless/until you delete it yourself (e.g. by WhatsApp, by your email provider or on your phone).

  • Virtual counselling

Should we use any virtual or distance methods of counselling, such as telephone or video conferencing, there will be a record of when the calls were made, but no information about what is discussed will be recorded or saved by me.

If we carry out any sessions via email/messaging (as above), the content of the session(s) will be stored on my laptop as a PDF and deleted from my email once the session is over. I use a password-protected account on my computer for my counselling work, separate to my personal account. My email is dedicated to counselling work and only available via this password-protected account on my computer. This ensures no overlap between personal and professional use of my electronic devices.

  • Website

None of your personal information is stored on my website.

How I may share your personal information

  • Supervision

All counsellors and therapists are required to attend monthly supervision with another therapist who is qualified in supervision (a supervisor), and who adheres to the same ethics and confidentiality requirements as all counsellors.

The supervision process is to ensure the highest standards in my practice. It is about how I work with you. In order to protect your privacy, my supervisor will not know you personally or professionally. I will refer to you only by your first name, and I may refer to your information verbally when it’s helpful to my professional practice and to how I can best support you. None of the content of these conversations are recorded, though I may make paper notes for my own use.

  • Therapeutic Will

Your name and contact details will be shared with my Therapeutic Executor. This is so that should I die unexpectedly while you are still in therapy with me, you will be contacted and offered alternative support.

  • Emergencies

With your consent wherever possible, if you or your health are at risk, I may share your contact information with an emergency healthcare service (e.g. Mental Health Crisis Team).

If you share with me your intention to cause harm to another person or organisation (e.g. terrorism), I may be legally required to inform an authority without seeking your permission. In such a situation, I may also be required to share your personal information without your knowledge.

How long do I hold your information?

When we have finished working together, I will delete electronic copies of your information and correspondence within one month. I will hold onto your session information (written or electronic) for up to seven years past the end of our working together. This is so that I have a reference of our work in situations such as you returning to counselling in the future. After this time has passed, I will shred the session information.

Your rights

You have the following rights:

  • To know what information I hold about you (outlined on this page).
  • To see the information I hold about you (free of charge for the initial request).
  • To amend any inaccurate or incomplete personal information I hold about you.
  • To withdraw consent to me using your personal information.
  • To request that I delete any personal information I hold about you (though I can decline if the information is needed for me to practice lawfully and competently).

You can complain to the ICO if you are unhappy with how I have used your data. Please see below for contact information.

Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF // 0303 123 1113

Please note

A copy of this statement will be emailed to you before we first meet for counselling, along with a counselling contract. I would be very happy at this point to explain anything that is not clear. If we agree to work together, I will ask you to confirm via email, before our first session, that you agree to the terms of this GDPR statement and to the terms of the contract.


This document outlines what I have done to ensure the confidentiality of your data and personal information, according to legal requirements. However, it is important to be aware that I do not have control over external software, apps or service providers, including those that you use. As such, it is important that you are happy with the services you use at your end. In addition, there are sometimes rare and unforeseen data breaches over which I have no control, such as hacking incidents.