DATA PROTECTION POLICY of Stepping Stones Psychology & all of our services

Protecting your personal data is a fundamental priority in my practice. This policy outlines how your information is collected, stored, accessed, and shared in line with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. It also explains the measures in place to ensure your data is handled lawfully, securely, and transparently, whether you are engaging in therapy or clinical supervision.

  • There are limitations to online security; however, I will endeavour to keep all your data as secure as possible by using encryption software for online sessions and a secure email.
  • I keep brief, anonymised factual notes about our sessions. They are kept in a password-protected document in a digitally secure location.
  • You may request to view notes at any time, and can amend any inaccurate information within them. They exist solely for the purpose of our work together; however, in rare cases where they are relevant to a court case, they may be required as evidence and be requested through a Court Order.
  • Clinical client notes will be kept for 7 years after our last contact, and also after the client reaches the age of 18, and then destroyed.
  • I use an encrypted email. Our email history can be deleted at your request.
  • I will store your number on my password-protected phone in an anonymised way. I will only send texts that do not breach your confidentiality. Our text history can be deleted at your request.
  • Some of my administrative and business operations are supported by trusted third parties who may, in limited circumstances, have access to personal or sensitive data. For example, administrative tasks such as email management and appointment scheduling may be handled by my personal assistant (PA), who operates under a signed Non-Disclosure Agreement (NDA) and Data Processing Agreement (DPA), and follows strict confidentiality protocols.
  • Additionally, sensitive data may be stored on and accessed via secure third-party platforms such as my scheduling system (Acuity/Squarespace), my bank, and my accountant. These services are GDPR-compliant, and I ensure that no third party is granted access to any client-related data without prior confirmation of their compliance with GDPR regulations and data security standards.
  • I take data protection seriously and follow all applicable laws, including the General Data Protection Regulation (GDPR) and the UK Data Protection Act, to safeguard your information.
  • I am also registered with the Information Commissioner's Office as a data controller, and will remain GDPR-compliant.

By agreeing to engage in therapy or supervision with me, you confirm that you have read and understood this data protection policy and acknowledge how your personal data is processed, stored, and protected in accordance with GDPR and other applicable laws.

© Stepping Stones Psychology 2020 | All Rights Reserved