GDPR policy

General Data Protection Rules (GDPR) Summary

Privacy notice

New data protection laws take effect from 25th May 2018, known as General Data Protection Rules (GDPR). We already work hard to ensure your data is protected and this document will set out how the Psychologists associated with this website will continue to comply with data protection principles.

Your right to be informed (Article 13)

Data controllers

All Psychologists on the website are classed as data controllers for their own patients. This means that they are all responsible for handling and processing data (your information) in compliance with GDPR. All Psychologists on the website are HCPC registered and all are independent practitioners. Dr Karen Hathaway and Dr Amy Wood-Mitchell will additionally handle the website enquiries, before passing them onto your Psychologist.

What data is processed

In addition to the data you provide to us within the web enquiry form, your Psychologist will collect a registration form at the initial contact, to know more about the nature of the difficulties experienced and how to best get in contact with you or your child’s school/GP in case of an emergency, or to liaise around your child’s care (with your permission, except in cases of serious risk). This to ensure you/your child’s safety and is our duty of care, within professional guidelines.

We also keep session notes in accordance with guidelines from our professional body and there may be letters, notes or outcome measures associated with the work we do with you.

If you are referred by a health insurer or solicitor, they will provide us with information relevant to your claim/treatment, including contact information, referral information and policy number.

Data storage

If you provide a paper copy of registration forms, these will be stored in a locked box. If an electronic copy is provided, these will be password protected and stored on a password protected, encrypted laptop/folder.

When you submit an enquiry through the website it will be sent securely via email to Dr Karen Hathaway and Dr Amy Wood-Mitchell. The information will then be sent on to securely to the Psychologist you will be seeing. The email server used is GDPR compliant.

Any emails which come through on the Psychologists’ mobile phones are secured with a password/mobile thumb print/facial identification software.

Letters and reports will be password protected when sent via email. We avoid sending personal information in the body of the email and subject heading of emails

Any other information, such as session notes, reports etc are stored on a password protected, encrypted laptop/folder, with anti virus software and regularly backed up.

Data retention

Session notes, registration forms and identifiable information will be kept for a minimum period of 7 years after you (if you are over 18) or your child (if they are under 18) turns 18. After this period they will be deleted/destroyed at the end of each calendar year.

Website enquiry forms will be deleted within 6 months of therapy ending by the Psychologist who is seeing you, and within a month of the enquiry being received by Dr Karen Hathaway/Dr Amy Wood-Mitchell (if they are not your Psychologist).

Why we collect data (the lawful basis for doing so)

We have a legitimate interest in using this data to provide psychological treatment, in accordance with the guidelines of our governing body. We will only use your data for the purpose of providing these services to you and for processing payment for these services.

Who we might share information with

We take the protection of your data seriously and no information you provide is passed on without your consent. However, there may be circumstances where we gain consent to share your information for payment reasons (e.g. such as with your health insurance provider for the purpose of billing) or linked to your claim/assessment (e.g. a solicitor where an assessment/treatment has been instructed).

We may also request consent to share information with other agencies/people where we think it would be beneficial to your/your child’s treatment (e.g. with parents or school). However, we would not do so unless you give us consent for this.

Therapy sessions are confidential. Young people aged 16 or over are able to consent to the sharing/not sharing of therapeutic information (except in cases of serious risk where we may have to override this to protect the young person/others). For instance, we may think it is beneficial to a young person to share information with a parent/caregiver, but they may decline this consent, and we would adhere to this unless we were seriously concerned about safety or we thought that the child did not have capacity to make this decision. Young people aged under 16 are also often able to provide/withhold consent, where they are deemed to be competent to make this decision to share information, however we would generally also seek the consent of parents/caregivers.

In exceptional circumstances, we may need to pass information on to other agencies/parties without consent. This would be in cases of risk where there is a need to keep you/your child safe, such as serious self harm. For example, if we were seriously worried about a child’s safety we would generally pass this information to a parent/caregiver (unless we thought this would put the young person at further risk of harm) even if consent was withheld.

This also applies when a disclosure is in the public interest (e.g. the safety of others) or where there is a legal duty (e.g. a serious crime has been committed/miscarriage of justice). We are duty bound to do this by our professional guidelines. Whilst we are not obliged to gain your consent for this, we will always discuss this with your first (unless doing so would increase the risk to you or another person).

To ensure good practice, all Psychologists also maintain professional registration via supervision with another qualified professional. Not all cases/patients would be discussed with a supervisor, though if you/your child was discussed, full names would not be used and the supervisor would also be compliant with GDPR. Only ‘need to know’ information would be shared, for the purposes of advice and consultation and to ensure you are receiving optimal treatment.


If you wish to raise a complaint about your Psychologist’s practice you can contact the Health Care Professions Council

If you think we haven’t complied with data protection laws you can also complain to the Information Commissioner’s Office.

You right to access (Article 15)

If you wish to change your registration forms, you can complete a new copy and send to your Psychologist. If you wish to retract your registration forms and thereby retract your consent to hold your records (by doing so this would terminate sessions for you/your child as we are unable to practice without this information), you can notify your psychologist who can terminate sessions.

If you would like to see your session notes, please discuss this with your Psychologist, who may need to discuss this with the governing body (HCPC) and British Psychological Society (BPS) depending on the nature of the request.

Your right to rectification (Article 16)

If factual errors or omissions have been made in either the registration forms you have provided, or in reports/correspondence your psychologist has provided to you about you/your child, then you can request that these be amended. If this information has been shared with another agency (e.g. school) your Psychologist will contact the recipients to inform of the amendments.

Your right to erasure (Article 17)

If you would like your registration forms and data erased, your Psychologist would need to contact the governing body (the HCPC) to ascertain whether they are legally able to do this on a case by case basis (e.g. dependent on the age and circumstances of the young person). Psychologists keep notes of sessions in order to support them to provide you with the best care and it is a requirement of the governing body. We are bound by rules as to how long we have to keep this information, therefore we would need permission from our governing body for these to be deleted, which may not be provided.

Your right to restrict processing (Article 23)

If you put sessions on hold/terminate sessions, your Psychologist will no longer take session notes/liaise with professionals about your case (except where there is serious risk).

Your right to data portability (Article 20)

Should you wish to move to another practitioner and you would like your notes to be transferred over, your Psychologist can provide them with your background information and a summary of works completed/a phone discussion, with your consent. Should you want a more in depth report, there may be a charge associated with this.

Your right to object (Article 21)

Your Psychologist will not email you with marketing information and will not pass your details on to other organisations.

Your right not be subject automated decision making (Article 22)

Judgments will not be made about your care based on algorithmic decision-making.

If your rights under GDPR or any of the above information is unclear, please do not hesitate to discuss with your Psychologist.