What data do I collect from you, and for what purposes do I collect it?
Under GDPR, individuals have the right to know how their personal data is collected and used. I am a private practitioner registered with the Information Commissioner’s Office (ICO). I act as both a Data Controller and a Data Processor. This means that I plan procedures for how data is held according to GDPR and collect and store data required within my therapy practice.
Before we commence therapy, we will establish a working agreement that explains my commitment to client confidentiality and data protection and when Confidentiality may be breached. You will need to sign this agreement before we begin.
I will collect your personal details, including your name, date of birth, address, contact number, email address, and emergency contact details. With your permission, I will also collect contact details for your GP and details of any relevant mental or physical health issues and medication.
How do I store your data?
The text below clearly and concisely explains how I store and manage your personal information to maintain your privacy.
Only I can access your personal details stored in a secure digital file, which will be stored separately like all other files. To protect your anonymity, you will be referred to only by your initials in the session notes (summaries of our sessions), digital photographs of the artwork created or used, and any other documents related to your appointments.
To keep track of my schedule, I maintain a diary where your name is replaced by your initials. This diary is kept separately from your personal information and session notes.
I use a password-protected mobile phone to receive and respond to client calls and text messages for communication purposes. Once again, I will refer to you only by your initials.
Also, the artwork produced and printed photograph of the chosen image/artefact will be stored in an art folder or chosen/agreed format in a secure way that we can access during therapy.
To ensure the security of your digital information, I do not use a shared computer. Instead, I store all data related to my clients on a password-protected computer and use a separate email account for client communication. Additionally, I may use password-protected and encrypted cloud-based storage to safeguard your information further.
When do I delete your data?
I will retain your personal information for six months after the completion of psychotherapy in case we have any unresolved administrative matters to address or in case you decide to return. After this period, your information will be permanently deleted.
As per HCPC recommendations, your session notes and photographs of the artworks/artefacts will be kept for seven years and then destroyed.
At the end of therapy, you can keep any physical artwork you created and print photographs of your chosen artefacts. Otherwise, they will also be destroyed.
Any text messages or emails exchanged during the therapy sessions will be deleted within six months (or earlier) from the date of therapy completion.
What circumstances might your data be shared, and with whom?
Supervision is a vital part of my work as an art psychotherapist. As per the guidelines of the HCPC, my work is supervised regularly by a qualified supervisor. The supervisor’s role is to ensure that I work ethically and professionally. During supervision, we refer to you by your first name only, and all discussions between my supervisor and me are kept confidential. Some photographs of the artwork you created or chosen artefacts might also be shared during supervision. However, your anonymity will be maintained at all times.
Additionally, I have appointed a therapeutic executor who will contact and inform my clients in the unfortunate event of my sudden illness or demise. The executor is a qualified art psychotherapist committed to maintaining client confidentiality.
What are the exceptions to Confidentiality:
If I become aware of any situation where you or someone else may be at risk of serious harm, I may have to break Confidentiality. However, I will always try to discuss this breach with you first so that we can come to an agreement about who needs to be informed. If we cannot reach an agreement, and I still believe that you or someone else is at risk, I will discuss the situation with my supervisor and decide how to proceed. In cases where there is a threat of terrorism or drug trafficking, I am legally obligated to inform the authorities.
What are Your Rights:
As per GDPR, you have certain rights regarding the data I hold about you. These rights include the following:
1. Right to be informed: You have the right to know what personal information I collect and store about you.
2. Right to access: You can request to see the information I hold about you. I am legally bound to provide you with a written response within 30 days of receiving your request.
3. Right to rectification: If you believe that any of the information that I hold about you is incorrect, incomplete, or unnecessary, you can request that I rectify it. However, if I am required by law to keep a record, I may not be able to comply with your request.
Ethical Framework:
I abide by the Health & Care Professions Council (HCPC) standards of proficiency for arts therapists, which can be found at: https://www.hcpc-uk.org/standards/standards-of-proficiency/arts-therapists/
Last updated on 3rd April 2024
Copyright © 2025 Art-Led Psychotherapy - All Rights Reserved.