General Data Protection Regulation 2018 Privacy Notice incorporating the

UK Data (Use and Access) Act 2025

 This privacy notice explains how Mindful Consultancy Ltd (“the Company”) processes data to comply with the General Data Protection Regulation (GDPR) 2018. The Company is a Data

Controller registered with the Information Commissioner’s Office under reference ZA552004. The company is committed to protecting your personal data and collecting only necessary data, processing it in a fair, lawful and transparent manner, keeping it no longer than necessary and thereafter securely destroying it.

The Company has implemented appropriate physical and procedural measures to protect your personal data from improper access, use, alteration, destruction and loss. The lawful basis under which the Company processes personal data is called ‘contract’ for active clients. You are entering into an agreement for the supply of a service - counselling - and as a representative of the Company a counsellor processes your data in order to either provide that service or to determine if the service is appropriate. Some of the information you may disclose is considered ‘special category’ data. This is sensitive information that might include data about, for example, your health, mental health, sexual orientation, religious, cultural and political beliefs etc. The Company takes extra care with such information. The lawful basis under which the Company processes special category data is that it is providing a health and/or social care service. The Company will never sell or share your personal data with other organisations for marketing or promotional, sales or other purposes. It does not use any form of automated

profiling or decision-making.

Once therapy ends, the lawful basis switches to Legitimate Interests. This allows the company to safely retain records for a set period as outlined below.

Data processing is carried out in alignment with the BACP Ethical Framework for the Counselling Professions.

Enquiries that don’t convert: If a counsellor is contacted by an individual via the website contact form, but that individual does not proceed to therapy, the counsellor will securely delete their email and name within 3 months.

What information is collected?

In addition to contact details, a counsellor keeps notes about counselling sessions which may include sensitive information that has been disclosed. A counsellor may also keep a record of creative work used or produced during a session.

Where is this information kept? Client contracts and all session notes are stored in a

locked filing cabinet. Material from sessions is stored in a way which is not personally identifiable. Telephone numbers are stored under initials only on a mobile phone that is secured with a PIN number. Email correspondence is accessed on accounts that are password protected, and all computers used are secured with a password.

Who is this information shared with? Counsellors have regular supervision with supervisors in accordance with BACP guidelines, and these are the only people with whom they talk with in the normal course of business about their work. Supervisors are bound by the same terms of confidentiality. Clients are identified by first name only. In the event of a counsellor becoming incapacitated in some way, a supervisor is able to access only the contact details of clients. The other occasions when data might be shared is when you give consent to do so such as when a referring agency is involved and a certain level of reporting has been agreed at the outset, or when a counsellor is obliged to break confidentiality where life or safety is seriously threatened (in which case your doctor will be informed with or without your consent), or where required by law.

How long are records kept?

Personal data is kept for 7 years from the date of the last counselling session together. This is a requirement of the Company’s professional insurers. It could be useful and relevant for a client returning to counselling. After 7 years documents are disposed of securely by shredding them.

What are your rights?

You can:

·      request access to a copy of the personal data held about you.

·      ask for inaccurate or incomplete personal data held about you to be changed or completed.

·      ask for your personal data to be deleted where it is no longer necessary for it to be used.

·      ask a counsellor to provide you or a third party with some of the personal data held about you in a commonly used form, so it can be easily transferred.

·      ask a counsellor to restrict the personal data used about you where you have asked for it to be erased or where you have objected to use of it.

Note that some of these rights only apply in certain circumstances and the Company may not be able to fulfil every request. Searches must be reasonable and proportionate under the DUAA framework. Please contact a counsellor if you wish to exercise any of these rights, or if you want to discuss any aspect of these privacy practices.

Personal Data Complaints Procedure

If you have any concerns or wish to raise a complaint about how the company handles your personal data, in line with the UK Data (Use and Access) Act 2025 (DUAA), please contact me directly at ruth.martin.counselling@gmail.com in the first instance. I will formally acknowledge your complaint within 30 days, investigate it without undue delay, and keep you informed of the outcome. The 30 day time period only begins after I have received necessary clarifications or proof of identity. If you remain dissatisfied following my response, you retain the right to escalate your complaint to the Information Commissioner's Office (ICO).

Clinical Will Arrangements

In the event of a counsellor’s sudden death or incapacitation, a trusted “Clinical Trustee” who is also an employee or director of the Company (an accredited counsellor) will be granted minimal,

secure access to client contact details to safely transition or notify them.