top of page

General Data Protection Regulation (GDPR) Statement

Privacy Statement about Personal Information Collected, Stored, Processed and Kept by Formulate Psychology.

The General Data Protection Regulation (GDPR) is concerned with the personal information about you that we collect, store and share. This document details our GDPR policy.

Personal Information 

As psychologists we will collect both personal and sensitive data. The reason we collect your personal information is to enable us to deliver psychological therapy. We collect information at the point of initial contact (which might be email, website contact page, phone call or SMS) as well as during the initial assessment session and any subsequent therapy sessions.

The information we collect may include the following; name, gender (or preferred identity), age, date of birth, relationships, occupation, address, GP name and practice address, e-mail address, prescribed medication, current psychological difficulties, historical psychological difficulties, lifestyle and social circumstances, telephone number contact details (plus permission to send SMS and leave voice messages), psychological therapy history including any current or historical psychiatric diagnoses, medical conditions relevant to psychological therapy, risk information such as suicidal and self harming history and alcohol and drug use.

Information Storage

We have implemented technical measures to ensure your personal and sensitive data remains secure. Your information may be stored in the following ways:

·         Paper; written notes which will include the initial email you sent or website contact sheet, therapy contracts. It may also include work done together in therapy that cannot be produced electronically. This will be kept in a locked filing cabinet.

·         Electronic notes; brief session notes will be stored on a secure cloud platform which is GDPR compliant.         

Smartphone; We will store your contact information in our contacts but will use a non-identifiable code rather than your name.

·         Email/SMS; your email address and correspondence will be stored in our email account (currently Gmail) by nature of you contacting us. Your telephone number may be stored in our SMS should we exchange messages this way, but stored via a non-identifiable code rather than your name. Electronic correspondence will also be held by the corresponding app (Gmail, Phone’s SMS) all of which are GDPR compliant.

·         Dropbox; Should you wish for us to share documents via dropbox we can set up a shared dropbox account and all the information shared will be held by us and dropbox which is GDPR compliant.

·         Session recordings; If either of us wishes to record any part of our sessions, this would require additional discussion and prior agreement.

·         Electronic devices; all electronic devices (including computers, laptops and mobile phones) used to access stored information will themselves be password protected.

How we may Process and Share your Personal Information

·         Supervision; We have regular supervision with other qualified psychologists and therapists. Supervision is for our practice to ensure we are adhering to professional standards and evidence-based ways of working. All of our supervisors are GDPR compliant and thus we are considered joint data controllers.

·         Therapeutic Will; Your name and contact details will be shared within Formulate Psychology, who will act as Therapeutic Executors / joint data controllers. This is so you will be contacted in the event of our death, should you still be in therapy with us. We are all Psychologists and are GDPR compliant. 

·         Sharing Information with your GP/Other Health Professionals; Some clients like their GP (or other professionals involved in their mental health care such as a Psychiatrist or an insurance mental health care team) to be kept informed of the work they are doing in psychological therapy. This might include sending assessment/progress/discharge reports or having telephone conversations disclosing personal and sensitive information pertaining to you. We can discuss what and how much information is disclosed and you will be given an opportunity to make amendments before any letter/report is sent. We will only send reports or have telephone discussions of this kind if we have your permission to do so and you can withdraw consent for any further correspondence at any point during our work together (assuming there is no duty of care to disclose information-please see the point below). Your GP and other health professionals should be GDPR compliant (we would check to ensure this before sending any confidential information) and thus would be considered joint data controllers.

·         Duty of Care and Confidentiality; All the information you share with us is treated confidentially unless you request I share it, for example with your GP. The only exclusion to confidentiality is if we suspect there is a risk of harm, either to you or someone else. If we thought there was such a risk, we would discuss it with you if at all possible so we could consider how we can best manage the risk, which may include involving your GP or other care agencies. Only information relevant to managing the risk would be shared. If we don’t have your permission to share information and we deem there to be serious and imminent risk to yourself or someone else then our professional codes of conduct and the law may require that we inform an authority and share your personal information without your knowledge and permission (known as whistle-blowing for example in cases of suspected terrorism).

·          E-mail Exchange; Although Gmail is GDPR compliant, any confidential (e.g. personal and sensitive) information that we need to send to you will be password protected and then attached to the email. We will inform you of the password in person or via a separate email / different method. We advise you to share confidential information with us in the same way.

·         Postal Mail; Should we send any confidential mail in the post (to you or your GP) this will be clearly marked confidential.

·         Erasing Your Information; When we have finished working together we will hold onto your information for seven years. This is in line with professional code of practice and is, for example, so that we have a reference of our work in situations such as you returning to psychological therapy in the future. After this time has passed we will shred the written information and securely delete any electronically held information.

Your Rights

You have the following rights…

·         To be informed what information we hold (i.e. to be given or have access to this document)   

·         To see the demographic information we have about you (free of charge for the initial request)

·         To make a ‘subject access request’ (SAR) for copies of your records. There may be an  administrative charge for this and these will be provided within one calendar month of the request being made.

·         To rectify any inaccurate or incomplete personal information

·         To withdraw consent to us using your personal information e.g. to withdraw consent for us to telephone you and request that we contact you via email only

·         To request your personal information to be erased (though we can decline whilst the information is needed for us to practice within our own professional code of ethics and conduct).


If you wish to assert any of these rights you should contact us via our email address.


We reserve the right to make changes to this privacy policy at any time by sending a notice to you via our agreed method of contact.

bottom of page