Privacy Policy

ThoughtShift Counselling privacy notice

Last updated: 27/3/2026

I am committed to complying with the UK General Data Protection Regulation and the Data Protection Act 2018 and following guidance issued by the Information Commissioner's Office.

ThoughtShift Counselling is the data controller responsible for your personal information.

This privacy notice tells you what to expect us to do with your personal information.

· Contact details

· What information we collect, use, and why

· Lawful bases and data protection rights

· Where we get personal information from

· How long we keep information

· Who we share information with

· Duty of Confidentiality 

· Data Breaches

· How to complain

Contact details

Email: thoughtshiftcounselling@proton.me

What information I collect, use, and why

I collect or use the following information to provide patient care, services, pharmaceutical products and other goods:

· Name, address and contact details

· Gender

· Pronoun preferences

· Date of birth

· Emergency contact details

· Occupation/Employment Status

· GP Details 

· Health information (including medical conditions, allergies, medical requirements and medical history)

· Information about care needs (including disabilities, home conditions, medication and dietary requirements and general care provisions)

· Test results (including psychological evaluations, scans, bloods, x-rays, tissue tests and genetic tests)

· Payment details (including card or bank information for transfers and direct debits)

· Records of meetings and decisions

· Call recordings

I also collect the following special category information to provide patient care, services, pharmaceutical products and other goods. This information is subject to additional protection due to its sensitive nature:

· Health information

I collect or use the following information for safeguarding or public protection reasons:

· Name, address and contact details

· Emergency contact details

· GP Details 

· Health information (including medical conditions, allergies, medical requirements and medical history)

· Information about care needs (including disabilities, home conditions, dietary requirements and general care provisions)

· Relevant information from previous investigations

· Test results (including psychological evaluations, scans, bloods, x-rays, tissue tests and genetic tests)

· Records of meetings and decisions

I also collect the following special category information for safeguarding or public protection reasons. This information is subject to additional protection due to its sensitive nature:

· Health information

I collect or use the following personal information to comply with legal requirements:

· Name

· Contact information

· Safeguarding information

I also collect the following special category information to comply with legal requirements. This information is subject to additional protection due to its sensitive nature:

· Health information

(In short) Why I collect this information

• To      provide therapy services safely, and effectively
• To      maintain professional records required by ethical and legal standards
• To      contact you regarding appointments, updates, or emergencies
• To      protect your wellbeing in cases of risk 
• To send      invoices and comply with tax or legal obligations 

Lawful bases and data protection rights

Under UK data protection law, I must have a “lawful basis” for collecting and using your personal information. There is a list of possible lawful bases in the UK GDPR. You can find out more about lawful bases on the ICO’s website.

Which lawful basis we rely on may affect your data protection rights which are set out in brief below. You can find out more about your data protection rights and the exemptions which may apply on the ICO’s website:

· Your right of access - You have the right to ask for copies of your personal information. You can request other information such as details about where I get personal information from and who we share personal information with. There are some exemptions which means you may not receive all the information you ask for. Read more about the right of access.

· Your right to rectification - You have the right to ask to correct or delete personal information you think is inaccurate or incomplete. Read more about the right to rectification.

· Your right to erasure - You have the right to ask me to delete your personal information. Read more about the right to erasure.

· Your right to restriction of processing - You have the right to ask me to limit how we can use your personal information. Read more about the right to restriction of processing.

· Your right to object to processing - You have the right to object to the processing of your personal data. Read more about the right to object to processing.

· Your right to data portability - You have the right to ask that I  transfer the personal information you gave us to another organisation, or to you. Read more about the right to data portability.

· Your right to withdraw consent – When  consent is used as a lawful basis you have the right to withdraw your consent at any time. Read more about the right to withdraw consent.

If you make a request, I must respond to you without undue delay and in any event within one month.

To make a data protection rights request, please contact me using the contact details at the top of this privacy notice.

My lawful bases for the collection and use of your data

My lawful bases for collecting or using personal information to provide patient care, services, pharmaceutical products and other goods are:

· Contract – I have to collect or use the information so we can enter into or carry out a contract with you. All of your data protection rights may apply except the right to object.

· Legal obligation – I have to collect or use your information so we can comply with the law. All of your data protection rights may apply, except the right to erasure, the right to object and the right to data portability.

· Vital interests – collecting or using the information is needed when someone’s physical or mental health or wellbeing is at urgent or serious risk. This includes an urgent need for life sustaining food, water, clothing or shelter. All of your data protection rights may apply, except the right to object and the right to portability.

· Legitimate interests - I am copllecting or using your information because it benefits you, my organisation or someone else, without causing an undue risk of harm to anyone. All of your data protection rights may apply, except the right to portability. My legitimate interests are:

For more information on our use of legitimate interests as a lawful basis you can contact us using the contact details set out above.

My lawful bases for collecting or using personal information for safeguarding or public protection reasons are:

· Legal obligation – I have to collect or use your information so we can comply with the law. All of your data protection rights may apply, except the right to erasure, the right to object and the right to data portability.

· Legitimate interests – I am collecting or using your information because it benefits you, our organisation or someone else, without causing an undue risk of harm to anyone. All of your data protection rights may apply, except the right to portability. My legitimate interests are: 

For more information on our use of legitimate interests as a lawful basis you can contact us using the contact details set out above.

· Vital interests – collecting or using the information is needed when someone’s physical or mental health or wellbeing is at urgent or serious risk. This includes an urgent need for life sustaining food, water, clothing or shelter. All of your data protection rights may apply, except the right to object and the right to portability.

My lawful bases for collecting or using personal information to comply with legal requirements are:

· Legal obligation – I have to collect or use your information so we can comply with the law. All of your data protection rights may apply, except the right to erasure, the right to object and the right to data portability.

Where I get personal information from

· Directly from you

· Website contact form

· Intake/Contracting forms 

· Third parties:

· Organisation - One Allan Park (if referred from here)

How long I keep information

Clinical records are typically retained for 7 years after therapy ends.

For clients under 18, records may be kept until the client reaches age 25 or in accordance with professional guidelines.

After the retention period, records will be securely deleted or destroyed.

ThoughtShift Counselling takes appropriate measures to protect personal data:

Notes taken during therapy sessions are kept separately from your personal data

Electronic Records 

· stored on password-protected/fingerprint devices 

· protected by encryption where possible

· regular software updates and security protections applied

· end to end encrypted email system 

Paper Records 

· stored in locked cabinets

· accessible only by the therapist

Online Sessions

· secure video platforms are used where possible

· clients are encouraged to attend sessions in a private space

Sessions are not recorded unless explicitly agreed, and consent gained

For more information on how long I store your personal information or the criteria I use to determine this please contact us using the details provided above.

Who I share information with

· Other health providers (eg GPs and consultants)

· Organisations I need to share information with for safeguarding reasons

· Emergency services

· One Allan Park (If your sessions came through One Allan Park your name may appear on their booking system)

Confidentiality and information sharing 

Client information is treated as confidential.

Information may only be shared when: 

· the client has given explicit consent

· there is a serious risk of harm to the client or others

· there are safeguarding concerns involving children or vulnerable adults

· disclosure is required by law or court order

· information is discussed in clinical supervision

In supervision, no identifying details will be disclosed 

Duty of confidentiality

I am subject to a common law duty of confidentiality. However, there are circumstances where I will share relevant health and care information. These are where:

· you’ve provided me with your consent (we have taken it as implied to provide you with care, or you have given it explicitly for other uses);

· I have a legal requirement (including court orders) to collect, share or use the data;

· on a case-by-case basis, the public interest to collect, share and use the data overrides the public interest served by protecting the duty of confidentiality (for example sharing information with the police to support the detection or prevention of serious crime);

· If in England or Wales – the requirements of The Health Service (Control of Patient Information) Regulations 2002 are satisfied; or

· If in Scotland – I have the authority to share provided by the Chief Medical Officer for Scotland, the Chief Executive of NHS Scotland, the Public Benefit and Privacy Panel for Health and Social Care or other similar governance and scrutiny process.

Data Breaches

In the event of a data breach:

· the breach will be assessed promptly

· steps will be taken to mitigate any harm

· where required, the breach will be reported to the Information Commissioner's Office within 72 hours

· affected individuals will be informed if there is a high risk to their rights or freedoms

How to complain

If you have any concerns about my use of your personal data, you can make a complaint to me using the contact details at the top of this privacy notice.

If you remain unhappy with how I have used your data after raising a complaint with me, you can also complain to the ICO.

The ICO’s address:           

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Helpline number: 0303 123 1113

Website: https://www.ico.org.uk/make-a-complaint