In accordance with the Data Protection Act 2018 and the UK GDPR, as amended by the Data (Use and Access) Act 2025, this Privacy Notice sets out the ways in which I collect, store, and share your data within my private practice, as well as through the use of my website.

Introduction

I am a sole trader. For data protection purposes, I am the ‘data controller’ of the personal data that you provide to me.

As set out in Chapter 2 Article 5 of the UK GDPR, there are seven core data protection principles to which my psychotherapy practice adheres. Personal data shall be:

1. processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);
2. collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’);
3. adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
4. accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);
5. kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed (‘storage limitation’);
6. processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’);
7. handled in a way that allows me, as the data controller, to be responsible for, and be able to demonstrate compliance with, the above principles (‘accountability’).

How I Discard Documents with Personal Information

All physical documentation is held in secure storage. Any papers in note form, handwriting, or documents requiring disposal are securely shredded. Large volumes of files are transferred to a certified professional shredding organisation and destroyed in my presence.

How Long I Will Keep Your Personal Data

I retain parent and client records for a period of 6 full tax years following the conclusion of therapy. This 6-year timeframe is determined by the statutory limitation period for civil claims under Section 5 of the Limitation Act 1980, professional clinical guidance, and the run-off requirements of my professional indemnity insurance provider. Once this period has elapsed, all corresponding personal data and clinical notes are securely destroyed.

Client Statutory Rights and Access Timeframes

The client is the child or young person receiving psychotherapeutic services. Under the UK General Data Protection Regulation (UK GDPR), clients hold specific statutory rights regarding the personal information maintained:

• Accessing Records (Subject Access Request): A client can request a copy of the personal data held about them at any time. In accordance with the UK GDPR, these records will be provided securely and free of charge within one calendar month from the date the client's identity is verified. Highly complex requests may be extended by an additional two months, with notification provided within the first month.
• Data Redaction and Statutory Exemptions: Released records are limited to the specific client's own personal data. In compliance with the Data Protection Act 2018, information identifying third parties, or clinical notes meeting the statutory "Serious Harm" threshold, will be withheld or redacted to maintain confidentiality.
• Child Confidentiality and Parental Requests: Following Information Commissioner’s Office (ICO) guidelines, a child is the sole data subject. Access requests made by parents or legal guardians are not automatic and are subject to the young person's consent, competence assessment, and an evaluation of their best interests. Confidential information will be withheld if disclosure compromises the young person's safety, wellbeing, or the therapeutic contract.
• Client's Right to Raise a Complaint: If a client believes their data has been mishandled, or that an access request has not been addressed appropriately, they hold a statutory right to lodge a complaint directly. In accordance with Information Commissioner’s Office (ICO) principles, where the client is a child or young person, any parental or guardian complaints regarding data access will be evaluated against the young person's right to confidentiality and their best interests. Complaints can be submitted formally by filling in the online form or by using the email address provided on my practice website at www.plastikprizm.co.uk. The complaint will be acknowledged within 30 days of receipt.

— June 2026