Privacy notice

Please take a minute to read through this statement of legal and ethical requirements of practice regarding data protection and transparency of information storage and usage. 


Counselling Professional Body

I am bound by the Codes of Ethics and Practice of the British Association of Counselling & Psychotherapy (“BACP”).  A copy of the code of practice and ethics are available on request, or may be viewed on the BACP web site:


Client personal information GDPR: Privacy Policy

Your personal information is stored securely and confidentially, either electronically, using codes with password protection or in paper format which is stored in a locked cabinet, coded for protection.  The data collected is used to enable effective communication during the therapeutic process, it is used in a safe and ethical manner in accordance with the BACP Ethical Framework and the EU General Data Protection Regulations (GDPR) 2018.  I will only store any personal information which is relevant to the therapeutic relationship.



It may become necessary to share your data with a third party if I feel you, or someone else close to you, is at risk of significant harm.  Unless the risk is imminent, this will be discussed with you before appropriate disclosure.  I do have a legal obligation to break confidentiality in compliance with a court order, concerns over child protection and information or knowledge regarding fraud, drug trafficking, money laundering or acts of terrorism.  


Personal information I hold

You have the right to know what personal information I hold, why I hold it, how it is stored, who has access to it, and for how long I hold it.  I will keep the following personal information so that I can work safely and professionally with you, in line with the guidelines of the BACP

1.    Your name, address, gender and pronouns– I keep this information password protected, only I will see this information. These are kept separate from your session notes. I will keep this personal information for seven years.  After that time it is destroyed.  This is required by my professional liability insurer and by my professional organisation (BACP).  

2.    Your phone number and email address - My phone is locked with a passcode (and has finger print i.d.) when I am not using it.  Your email address is held in my Gmail account.  Neither my computer nor my mobile are shared with anyone else.  This information is needed in case I have to contact you (for example for rescheduling sessions or sending an invoice).  I also keep your email address in case we agree to work therapeutically via email, either as a regular arrangement or just occasionally.  I will remove this personal information when we have finished our work.

3.    Emergency contact name and phone number (if you wish) – I keep this information password protected with your name and contact details.  It is unlikely that I would ever use this information, but I hold it in case I become concerned for your welfare and I cannot get hold of you.  You and I may agree together on some other reason that I might contact this person, based on your best welfare.  When we finish working together, I will delete this personal information.  Only I will see this information.

4.    Relevant medical information – I keep this personal information in password protected electronic form or paper form along with your name and contact details.  It may be relevant to keep or share certain medical information if you have any health conditions such as seizures, diabetes, etc which may impact a session, or you have any allergies that I should be aware of.  Only I will see this information and I will delete this personal information when we finish working together.

5.    Session notes – notes may include dates and times of attendance and brief notes on important themes from the session.  I do not keep detailed session notes.  I keep brief session notes on my password protected computer.  Your name or other identifying details are not kept with your session notes; only a code is used.  Notes are used to remind me of important points I want to be sure to remember and/or to discuss in supervision.  The notes will be destroyed when our work finishes.  If you would like me to retain them for a longer period, please discuss this with me.  Only I will see this information.

6.    Payment information and invoices – I make a note of payments you have made and invoices on a password-protected financial spreadsheet for my business.  I am required by law to retain certain financial information for tax purposes.  I keep financial information for 7 years as advised by HMRC.  Payment by BACS or cash will be processed by my bank, transactions may be viewed by employees of the bank and tax HMRC.  When payment is made via BACS, your account name or reference (or the name of the person who is paying) may show up on my online or paper bank statements.  You have the right to discuss alternative payment options with me.

7.    My emails/texts to you, and yours to me– I may delete emails / texts after I have noted the contents (for example, emails around scheduling).  Electronic correspondence will also be held by the corresponding app (Gmail, Phone’s SMS, WhatsApp).  I may keep emails/texts if I consider them necessary to our work.  I will delete emails/texts when our work ends and only I will  see the information.

8.    Website –my website does not contain any personal information about my clients.  If you click on the email link to contact me, the website will momentarily collect and send it to my Gmail account for the purposes of our initial contact.



Sharing information

I use a personal mobile phone.  Please consider this in the information you leave in the message.  All messages will be played and deleted daily, except in holiday periods.


Your Rights under GDPR:

·      To be informed what personal information I hold (i.e. this document).

·      To see the personal information I hold about you (free of charge for the initial request).

·      To rectify any inaccurate or incomplete personal information.

·      To withdraw consent to me using your personal information.

·      To request your personal information be erased. Though I can decline if the information is needed for me to        practice lawfully and competently

·      To receive the personal information which you previously provided, and the right to transfer that information to another party.


Data Controller

For the purposes of the General Personal information Protection Regulations (GDPR) 2018, the personal information “controller” is Williamina Baillie –or WB Counselling, Certificate Nbr. ZA528782. If you have any other questions regarding how your therapy client personal information GDPR is processed and handled, please do not hesitate to discuss with me.