GDPR
1. Purpose of This Policy
This policy sets out how Lori Sutherland collects, stores, processes, and protects personal data in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the principles of good practice in counselling.
As a counselling service based in Scotland, we are committed to maintaining the privacy, confidentiality, and rights of our clients in all aspects of data handling.
2. Data Controller
The data controller is:
Name: Lori Sutherland
Address: 146 Duddingston Road West
Email: lorisutherlandtherapy@gmail.com
ICO Registration
3. Lawful Basis for Processing
We collect and process personal data under the following lawful bases:
- Consent – Explicit consent is obtained before collecting any personal or sensitive data.
- Contract – To provide a therapeutic service as per our counselling agreement.
- Legal Obligation – To comply with legal and regulatory requirements.
- Vital Interests – Where necessary to protect life or prevent serious harm.
- Legitimate Interests – For internal practice management or supervision purposes, in ways that do not override client rights.
4. What Data We Collect
We may collect the following personal and special category (sensitive) data:
- Full name, date of birth, contact details
- GP details and emergency contact
- Session notes and assessment records
- Communication history (email, text, etc.)
- Payment details (if applicable)
5. How Data is Stored
Client records are stored securely:
- Electronic records: password-protected devices and encrypted storage
- Paper records: locked filing cabinet accessible only to the therapist
- Cloud storage (if used): compliant with UK GDPR standards (e.g., end-to-end encrypted platforms based in the UK/EU or with appropriate safeguards)
6. Data Retention
Client data is retained for 7 years after the end of therapy (or 7 years after a child turns 18), in line with professional and insurance guidelines. After this period, data is securely destroyed.
7. Confidentiality and Disclosure
All data is treated as strictly confidential. Exceptions to confidentiality include:
- If there is risk of serious harm to the client or others
- Where required by law (e.g., court order, terrorism, money laundering)
- With the client’s explicit written consent
8. Subject Access Requests (SARs)
Under UK GDPR, individuals have the right to access personal data held about them.
Clients can:
- Request a copy of their personal data
- Request correction of inaccurate data
- Request data erasure (unless legal grounds prevent it)
- Request restriction or objection to certain processing
How to Make a SAR:
- Email or write to the data controller (details above)
- Include proof of identity (e.g., passport or driving licence)
- We will respond within one month (may extend to two months if complex)
There is no fee for a SAR unless the request is excessive or repetitive.
9. Data Breaches
In the event of a data breach, we will:
- Contain and assess the breach
- Notify the Information Commissioner’s Office (ICO) within 72 hours if required
- Notify affected clients if there is a high risk to their rights and freedoms
10. Client Rights
Clients have the following rights:
- To be informed about data use
- To access their data
- To correct inaccurate data
- To have their data erased
- To restrict processing
- To data portability
- To object to processing
- To lodge a complaint with the ICO
11. Complaints
If you are concerned about how your data has been handled, please contact us directly in the first instance. If unresolved, you may complain to the:
Information Commissioner’s Office (ICO)
Website: https://ico.org.uk/
Phone: 0303 123 1113
This policy was last reviewed on 10th January 2025.