GARETH TAYLOR COUNSELLING

EMDR | Integrative Counselling & Psychotherapy | Supervision

Tenterden, Kent | Online & In Person

In accordance with the UK General Data Protection Regulation (UK GDPR)

Last updated: May 2025 | Version 1.1

1. Introduction

This Privacy Notice explains how Gareth Taylor Counselling (‘I’, ‘me’, ‘my’) collects, uses, stores, and protects your personal information when you access my counselling, psychotherapy, or clinical supervision services — whether in person, online, or via this website.

I am committed to protecting your privacy and handling your data with the care, confidentiality, and professionalism it deserves. This notice complies with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

Please read this notice carefully. If you have any questions, you can contact me using the details in Section 2.

2. Data Controller

The data controller responsible for your personal information is:

Gareth Taylor

Gareth Taylor Counselling

Tenterden, Kent

Email: info@garethtaylorcounselling.com

Website: www.garethtaylorcounselling.com

As a sole practitioner, I am personally responsible for the data I hold and the decisions about how it is processed.

3. What Personal Data I Collect

3.1 Clients

When you engage with me as a client, I may collect the following categories of personal data:

Contact and Identity Information

  • Full name and preferred name
  • Email address and telephone number
  • Home address (if relevant to your care)
  • Date of birth

Health and Therapeutic Information

This is classified as special category data under UK GDPR and is handled with additional care.

  • Presenting issues and reasons for seeking therapy
  • Mental and physical health history (where relevant)
  • Medication and medical history (where relevant)
  • Session notes and clinical records
  • GP or other professional details (where relevant to safeguarding or care coordination)

Financial Information

  • Fee agreements and payment records (invoices, receipts)
  • Bank details are not held; payments are made via BACS or agreed methods only

3.2 Supervisees

If you engage with me for clinical supervision, I collect:

  • Name, contact details, and professional registration information
  • Notes from supervision sessions (including anonymised client material you bring)
  • Details relevant to your professional development

3.3 Website Visitors

If you visit my website, I may collect:

  • Name and email address if you submit a contact or enquiry form
  • Technical data such as IP address, browser type, and page visits (via cookies — see Section 10)

4. Legal Basis for Processing

Under UK GDPR, I must have a lawful basis for processing your personal data. The following bases apply:

Contract (Article 6(1)(b)): Processing your data is necessary to fulfil the therapeutic or supervisory contract between us — including session notes, fee records, and communication.

Legitimate Interests (Article 6(1)(f)): I process certain data where I have a legitimate professional interest in doing so, such as maintaining clinical records for continuity of care, or responding to enquiries.

Legal Obligation (Article 6(1)(c)): In some circumstances I may be required to process or disclose data to comply with legal obligations, including safeguarding duties.

For special category data (health information), the additional legal basis is:

  • Article 9(2)(h): Processing necessary for the provision of health or social care treatment and the management of health care systems.
  • Schedule 1, Part 1, Paragraph 2 of the Data Protection Act 2018 (health care purposes).

5. How I Use Your Personal Data

I use the personal data I collect for the following purposes:

  • To provide counselling, psychotherapy, or supervision services
  • To maintain accurate clinical records for continuity of care
  • To communicate with you about appointments, fees, and service matters
  • To coordinate care with other professionals (with your consent, except in safeguarding situations)
  • To fulfil my ethical and legal obligations as a practitioner registered with the National Counselling & Psychotherapy Society (NCPS)
  • To process fees and maintain financial records
  • To respond to enquiries submitted via the website

I will never use your data for marketing purposes without your explicit consent, and I will never sell or share your data with third parties for commercial purposes.

6. Confidentiality and When I May Share Your Information

Confidentiality is a cornerstone of effective therapy. Everything you share in sessions is treated as strictly confidential. However, there are limited circumstances in which I may need to share information:

6.1 Clinical Supervision

As an ethical practitioner, I receive regular clinical supervision. Your material may be discussed with my supervisor to support good practice. This is always done anonymously — your name and identifying details are not shared.

6.2 Safeguarding

If I believe there is a serious and immediate risk of harm — to you, to a child, or to another person — I have an ethical and potentially legal duty to break confidentiality. I would always aim to discuss this with you first, unless doing so would put you or someone else at greater risk.

6.3 Legal Requirements

I may be required to disclose information in response to a court order or other legal obligation. I will inform you of this unless I am legally prohibited from doing so.

6.4 Emergency Medical Situations

If there is a medical emergency during a session, relevant information may need to be shared with emergency services.

6.5 Professional Regulatory Bodies

In the event of a formal complaint or investigation by the NCPS or another regulatory authority, I may be required to share relevant records.

In all other circumstances, your data will not be shared with any third party without your explicit written consent.

7. Data Storage and Security

I take the security of your personal data seriously and use appropriate technical and organisational measures to protect it.

Physical Records

  • Paper notes and documents are stored in a locked cabinet in a secure location
  • Paper records are not removed from the secure location unnecessarily

Digital Records

  • Digital records (including session notes and correspondence) are stored on password-protected devices
  • Devices are protected with up-to-date security software
  • Encrypted and secure platforms are used for online therapy (e.g. Zoom with waiting room enabled, or equivalent)
  • Emails containing sensitive information are handled with care; highly sensitive data is not sent via unencrypted email

Third-Party Processors

Where I use third-party services (such as practice management software, a booking system, or a video platform), I ensure they are compliant with UK GDPR and have appropriate data processing agreements in place. Current processors include:

  • [Name of booking/scheduling system, e.g. Acuity Scheduling or Calendly] — appointment management
  • Microsoft Teams — online video sessions (Microsoft processes data under their UK GDPR-compliant Data Processing Agreement)
  • Email provider — client communications (provider details available on request)

These providers are used solely to facilitate the delivery of services and are contractually prohibited from using your data for any other purpose.

8. How Long I Keep Your Data

I retain personal data only for as long as is necessary for the purposes for which it was collected, or as required by professional guidance and law.

Client records (including session notes and correspondence) are retained for a minimum of 7 years following the end of the therapeutic relationship. For clients who are children or young people at the time of therapy, records are retained until the client’s 25th birthday, or for 8 years following the end of the work — whichever is longer.

These retention periods are based on guidance from the NCPS and reflect the standard limitation period for potential legal claims.

Financial records (invoices, payment records) are retained for 6 years in line with HMRC requirements.

Website enquiry data is retained for 12 months unless a client relationship is established, at which point it falls under the client record retention policy.

After the relevant retention period, records are securely destroyed — paper records are shredded and digital records are permanently deleted.

9. Your Rights Under UK GDPR

You have the following rights in relation to your personal data. To exercise any of these rights, please contact me using the details in Section 2.

Right of Access

You have the right to request a copy of the personal data I hold about you. This is known as a Subject Access Request (SAR). I will respond within one calendar month.

Right to Rectification

If you believe any information I hold is inaccurate or incomplete, you have the right to request that it be corrected.

Right to Erasure (‘Right to be Forgotten’)

You may request that I delete your personal data. However, this right is not absolute — I may need to retain certain records to comply with legal obligations or professional guidance (see Section 8).

Right to Restrict Processing

You have the right to request that I limit how I use your data in certain circumstances — for example, while a complaint is being investigated.

Right to Data Portability

Where processing is based on your consent or a contract, and carried out by automated means, you have the right to receive your data in a structured, commonly used, machine-readable format.

Right to Object

You have the right to object to processing based on legitimate interests. I will stop processing unless there are compelling legitimate grounds that override your interests.

Right to Withdraw Consent

Where processing is based on your consent, you have the right to withdraw that consent at any time without affecting the lawfulness of processing carried out before withdrawal.

Rights Related to Automated Decision-Making

I do not use automated decision-making or profiling. All decisions about your care are made by me as a qualified practitioner.

If you are dissatisfied with how I handle a data request, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO):

  • Website: www.ico.org.uk
  • Helpline: 0303 123 1113

10. Cookies and Website Data

My website may use cookies — small text files placed on your device — to improve your experience and to understand how the site is used. These may include:

Strictly Necessary Cookies

These are essential for the website to function. They cannot be disabled.

Analytics Cookies

I may use tools such as Google Analytics to understand how visitors use the site. This data is anonymised and aggregated. No personally identifiable information is collected through analytics.

Contact Form Data

If you submit an enquiry form, the data you provide (name, email, message) is stored securely and used only to respond to your enquiry.

You can manage or disable cookies through your browser settings. Note that disabling some cookies may affect the functionality of the website. A full Cookie Policy is available on the website.

11. Children and Young People

Where I work with clients under the age of 18, I obtain appropriate consent from a parent or legal guardian prior to commencing work. Records relating to young people are handled with additional care in line with the guidance in Section 8.

This website is not directed at children under the age of 13, and I do not knowingly collect data from children via the website.

12. International Transfers

I offer online therapy and supervision to clients across the UK and internationally. Where I use third-party tools (such as video platforms) that may process data outside of the UK or EEA, I ensure that appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) or an adequacy decision by the UK government.

13. Changes to This Privacy Notice

I may update this Privacy Notice from time to time to reflect changes in the law, my services, or how I handle data. The current version will always be available on my website and the date of the most recent update is shown at the top of this document.

If significant changes are made that affect your rights or how I process your data, I will notify you directly where possible.

14. Complaints

If you have any concerns about how I handle your personal data, please contact me in the first instance using the details in Section 2. I will aim to respond within 14 days.

If you remain dissatisfied, you have the right to complain to the ICO (see Section 9).

Gareth Taylor Counselling | info@garethtaylorcounselling.com | www.garethtaylorcounselling.com

Registered Member NCPS | ICO Registration No: ZB556234