Privacy Notice

Practitioner: Emily Heseltine
Last updated: 24/06/26

ICO Registration: Registered with the Information Commissioner’s Office (ICO). Registration number: ZB968837

This Privacy Notice explains how I collect, use, store, and protect your personal data when you engage in counselling with me. It should be read alongside my Counselling Agreement.

​

I am committed to protecting your privacy and handling your personal information in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

​

1. Data Controller

​

I, Emily Heseltine, am the Data Controller of your personal information. This means I determine how and why your personal data is processed.

​

2. Information I collect

​

To provide counselling safely and effectively, I may collect and process the following information:

• Contact details (name, address, email address, telephone number)

• Emergency contact details

• Relevant health and personal information that you choose to share

• Session notes and clinical records

• Appointment details and correspondence

• Payment and invoicing records

 

This may include special category data (health information) as defined under UK GDPR.

​

3. How I use your information

​

I use your personal data to:

​

• Provide safe and appropriate counselling services.

• Assess risk and support your wellbeing.

• Manage appointments and communicate with you.

• Maintain accurate clinical records.

• Process payments and manage administration.

• Meet legal, ethical, and professional obligations.

 

4. Lawful basis for processing

​

Under UK GDPR, I process personal data on the following lawful bases:

​

• Contract: to provide counselling services as agreed with you

• Legitimate interests: for necessary administration and professional practice management (e.g. scheduling, record keeping, communication)

• Legal obligation: where required by law

• Vital interests: in rare situations involving serious risk of harm.

• Health or social care provision (Article 9(2)(h)): for the provision of counselling and psychotherapy services, including the processing of health-related data.

 

5. Confidentiality and limits

 

Everything you discuss in therapy is treated as confidential. However, confidentiality may be broken in the following limited circumstances:

​

• If there is a serious risk of harm to you or others

• If there are safeguarding concerns involving a child or vulnerable adult

• If I am required to disclose information by law or a court order

 

Where possible and appropriate, I will seek to discuss any disclosure with you first unless doing so would increase risk or breach legal requirements.

​

6. Supervision

​

As part of my professional and ethical practice, I receive regular clinical supervision.

In supervision, I may discuss aspects of my work to ensure safe and effective practice. All information shared is anonymised and identifying details are removed wherever possible. My supervisor is bound by confidentiality.

​

7. How your information is stored and kept secure

​

Your information is stored securely using:

• Password-protected electronic systems

• Encrypted or secure digital platforms where applicable

• Locked storage for any paper-based records

• Restricted access (only me as your therapist)

 

I take appropriate technical and organisational measures to protect your data from loss, misuse, or unauthorised access.

​

8. Third-party data processors

​

To provide my counselling services, I may use limited third-party service providers to support the administration of my practice. These may include:

​

• email service providers.

• secure electronic storage or record-keeping systems (if applicable)

• banking services used to process payments

 

Where third-party providers are used, they act as data processors and only process your personal data on my instructions. They are required to comply with UK GDPR and implement appropriate security measures to protect your information.

​

I ensure that any service providers used are appropriate for handling personal and sensitive data.

 

9. Data retention

 

 Records relating to adults are retained for 7 years after therapy ends. Records relating to children and young people are retained until the client reaches the age of 25. after this period they are securely destroyed unless there is a lawful reason to retain them for longer.

​

This retention period is necessary for:

​

• Professional accountability

• Legal limitation periods

• Insurance requirements​

​

10. Your data protection rights

Under UK GDPR, you have the following rights:

​

• The right to access your personal data (Subject Access Request)

• The right to rectification of inaccurate information

• The right to erasure (in certain circumstances)

• The right to restrict processing.

• The right to object to processing in certain circumstances.

• The right to data portability (where applicable)

 

If you make a request, I will respond within one calendar month, in line with UK GDPR requirements.

Please note that some rights may be limited in the context of counselling records where legal, safeguarding, or professional obligations apply.

 

11. Complaints

​

If you have concerns about how your data is handled, please contact me in the first instance so I can try to resolve the issue.  (Complaints procedure on request)

​

If you are not satisfied with my response, you also have the right to complain to:

Information Commissioner’s Office (ICO)
https://ico.org.uk/

​

You may also raise concerns with my professional body (if applicable).

​

12. Contact details

​

Emily Heseltine
Email: info@emilyheseltine.co.uk
Phone: 07592450993