Privacy Policy

This is my Privacy Policy outlining how and why I wish to process your personal data, as well as how I intend to keep it safe. The guidance I’m following does mean it might seem jargon-laden, so if you have any questions do please contact me. In summary, I will do all I can to keep the information I hold about you (contact details provided on the initial contact form and brief notes of sessions) confidential. If you would like more information about WriteUpp, the secure, professional, online app I use to store notes online, please see

Privacy Policy - Questions and Answers


This privacy policy outlines your rights, and my obligations to you, with regard to the recording and storage of your personal information. In this privacy policy I will let you know what information I need to collect from you before we begin counselling/psychotherapy, and what information I need to collect from you during counselling/psychotherapy. I will also set out how I will look after your personal information, for how long I will store it, and who I will share it with. In addition, I will let you know what you are able to request from me with regard to this information.

What is personal information?

The Data Protection Act 1998 (DPA) defines personal information as any information that can be used to identify a living individual. Individuals can be identified by various means including their name, address, telephone number or email address for example.

Why do you want to process my personal information?

I need to process your personal information in order to fulfil my contractual obligations to you as a counsellor/psychotherapist, for example to assess whether I am able to offer you counselling/psychotherapy in the first place, and then to deliver effective counselling/psychotherapy to you if therapy commences. Your personal information helps guide both my assessment process and my clinical decision-making during counselling/psychotherapy. This information is also needed for my insurance, which is required for safe practice, so legitimate interest is the lawful basis for my processing of your personal information.

What are the laws that protect my personal information?

The DPA and the General Data Protection Regulation (GDPR) require that all organisations that store personal information about people may only do so provided that the information is: processed lawfully, fairly and in a transparent manner; collected for specified, explicit and legitimate purposes; adequate, relevant and limited to what is necessary; accurate and, where necessary, kept up to date; kept in a form that permits identification of information subjects for no longer than is necessary for the purposes for which the personal information is processed; and processed in a manner that ensures appropriate security of the personal information.

How will you collect my personal information?

I will collect your personal information in the following ways: via email, via WriteUpp forms (an application that meets GDPR security criteria) or over the telephone to arrange an initial consultation, in writing, and in person during our meetings.

How will you treat my personal information?

I will treat your personal information confidentially in a way that is compliant with the DPA and the GDPR. The lawful and proper treatment of your personal information is important to me, not least in order to maintain your confidence in me.

How will you store my personal information?

I will store your personal information both electronically and physically. Your email address and correspondence will be stored in my email account (currently Gmail) by nature of you contacting me to arrange sessions (I advise you not to send sensitive information via email, as email accounts may be vulnerable to being hacked). Your telephone number may be stored in my mobile phone’s SMS messages, but not under your name, should we exchange messages to arrange/cancel sessions this way.

Names and contact details are stored electronically on a device that is password protected, and in files that are further password protected and only accessible by me. All other personal information is either stored using WriteUpp, a secure, online GDPR service, or stored physically using paper records held securely in locked storage and not inside my consulting room. These records are also only accessible by me and by my Therapeutic Will Executor should I become incapacitated. The Therapeutic Executor agrees to only access your details under these circumstances, to contact you if I cannot.

How long will you store my personal information?

According to the GDPR, your personal information should be stored for no longer than is necessary. In practical terms, I will usually store your information for a minimum of 7 years following the termination of your treatment. However, I may need to store your information for longer than this, for instance to comply with my insurance terms and conditions.

What types of information will you collect about me?

I will collect several types of information about you and in several different ways.

If you phone me or contact me to request a call back, I will collect the following information: name, telephone number, date and time.

Before committing to provide you with counselling/psychotherapy services, I may ask you to provide me with the following information: name, telephone number, address, availability and roughly the psychological issues that you would like to address.

I will collect initial information during our first session, and once we have agreed that counselling/psychotherapy with me is right for you and your therapy commences. This may include: goals for therapy, G.P. contact details, previous therapy, current medication, previous criminal convictions, network of support, financial and employment circumstances, health and physical issues, alcohol and drug use, appetite and sleep, family structure, overview of your family situation, and early memories of caregivers.

What is ‘special category’ information, and why do you need to process this too?

Special category information is defined by the GDPR as being information that is more sensitive than other personal information, and therefore requiring of higher levels of protection. Examples of this type of information could include information about your health, race, sexuality, sex life, or religion. In order to lawfully process special category information, I am obliged to identify a specific condition for processing it under Article 9 of the GDPR and communicate this to you. With this in mind, the condition of the GDPR that I apply to the processing of your special category information is that it is ‘pursuant to contract with a health professional’. This means that, if you begin counselling/psychotherapy with me, or ask me to assess whether or not you are eligible for me to offer counselling/psychotherapy to you, then I will likely need to process some special category information about you. Usually, this is information about your mental health, and I need to process it in order to fulfil my contractual obligations to you in delivering safe, effective counselling/psychotherapy.

What is a ‘data controller’, and who is the ‘data controller’ for Kirstin Bicknell Counselling and Psychotherapy?

The GDPR defines a ‘data controller’ as the person in an organisation who: ‘determines the purposes and means of processing personal data’. For the purposes of the GDPR, the ‘data controller’ is myself, Kirstin Bicknell.

Who will my personal information be shared with?

I will share personal information during regular consultations with my professional supervisor/s, who are also members of professional bodies and bound by confidentiality. I will only give your first name along with details from sessions relevant to ensuring good practice. If you know my supervisor personally or professionally I will not share this information with them and will see another independent supervisor.

Otherwise, I will only share your information if I have a legal obligation to do so, e.g. under a court order, or where the law requires disclosure of information on drug money laundering or terrorism. I will always seek legal advice from my insurers before releasing any information to the courts or police authority, and will only do so if compelled by law or with your consent.

Under very exceptional circumstances and only to prevent immediate substantial harm to yourself or others, some of your personal information may be shared with your G.P. or relevant public authority e.g. the police. I will always seek to discuss this with you first.

Can I ask for a copy of the personal information that you store about me?

Yes. The DPA gives you the right to find out what information I store about you by requesting a copy of it. Any request that you make to obtain a copy of the personal information that I hold about you is called a ‘Subject Access Request’. You can write to me and ask for a copy of the information that I hold about you. I must respond to your request without delay, and usually within one month at the latest.

Can I request that you delete my personal information?

It forms part of my contract with you that I need to keep your personal information in the way outlined in this policy in order to provide this service, so you waive your right to erasure if you contract to having counselling/therapy with me. I will of course treat your information confidentially as outlined above.

Can I object or complain about the processing of my personal information by Kirstin Bicknell Counselling and Psychotherapy?

Yes. Whilst I hope that the policy outlined above will be sufficient to reassure you of the security of your personal information, should you wish to object or complain about the way that your personal information is being handled by me, then do please communicate this to me at the earliest possible opportunity. I will do my best to address your concerns and take steps to try and resolve whatever issues you may raise.

Should you wish to take the matter further, please contact the Information Commissioner’s Office on 0303 123 1123, or visit for more information.

Registered with the Information Commissioner's Office - Registration Number: ZA353379