
Website Privacy Policy
Jenny Brown Counselling — Complete Compliance Framework (UK GDPR & DUAA 2025/2026)
1. Introduction & Practice Overview
Trust, safety, and confidentiality are fundamental pillars of the therapeutic relationship. This Privacy Policy outlines how Jenny Brown Counselling ('the Practice', 'I', 'my') collects, utilizes, stores, and protects your personal data and sensitive 'special category' health records. This policy operates in strict compliance with the UK Data Protection Act 2018, the UK General Data Protection Regulation (UK GDPR), and the Data Use and Access Act (DUAA) 2025/2026. As a sole trader and Registered Member of the BACP, I act as the sole Data Controller for this practice. I am formally registered with the Information Commissioner's Office (ICO).
2. Types of Data Collected
To provide a professional and ethical counselling service, I collect two distinct types of data:
• Personal Identification Data: Names, dates of birth, home addresses, contact phone numbers, email addresses, and emergency next-of-kin contact points.
• Special Category Sensitive Data: Clinical intake forms, mental health and lifestyle histories, brief therapeutic session tracking notes, and relevant psychological or medical parameters essential for treatment.
3. Data Collection Methods
Your data is gathered directly from you across specific touchpoints to prevent unauthorized interception:
• Website Enquiries: Information you voluntarily submit via contact forms or direct digital outreach.
• Intake Assessment: Background data gathered orally or via paper/digital intake forms during initial consultations.
• Therapeutic Record Keeping: Brief ongoing professional summaries drafted at the conclusion of each active therapeutic session.
4. Security Safeguards & Locked Physical Storage
Your data is protected through rigorous security measures tailored to protect your confidentiality:
• Physical Manual Filing: In accordance with professional standards, all handwritten clinical notes, intakes, and paper records are organized systematically as a manual filing system and stored securely inside a locked filing cabinet. Access keys are strictly restricted to the Data Controller.
• Digital Protection: Digital contact parameters, emails, or digital communication points are stored on password-protected, encrypted devices utilizing industry-standard firewalls.
5. Lawful Basis for Data Processing
Under UK data protection frameworks, I process your records using the following strict legal grounds:
• Contractual Necessity (UK GDPR Article 6): Processing is mandatory to establish, execute, and deliver the specific therapeutic counselling contract you have requested.
• Provision of Health or Social Care (UK GDPR Article 9): The processing of sensitive health-related data is carried out under the legal condition of providing direct health or social care treatment, governed by professional ethical boundaries.
6. Data Retention Protocols
Your personal data and physical clinical case notes are not kept indefinitely. In strict compliance with professional insurance indemnities and BACP ethical frameworks, all active client files and manual paperwork are safely retained inside locked physical storage for a maximum period of 7 years following the formal conclusion of your treatment. Once this retention timeline has expired, all digital parameters are permanently wiped, and all manual paperwork is securely destroyed via professional cross-cut shredding.
7. Third-Party Sharing Boundaries
Your data is treated with absolute confidentiality and is never sold, distributed, or shared with third parties for marketing or commercial use. Data is only disclosed under the following narrow circumstances:
• Professional Supervision: In alignment with BACP requirements, client cases are periodically reviewed with an accredited clinical supervisor. No full names or identifying parameters are ever shared.
• Legal & Safeguarding Obligations: Data may be shared if strictly mandated by a court order, or if I hold a reasonable belief that disclosure is essential to prevent severe risk of harm or protect life (Safeguarding Ground under DUAA).
8. Statutory Rights & The New DUAA Complaints Procedure
Under UK law, you hold clear statutory rights regarding your data, including the right to request access to your files (Subject Access Requests), the right to rectify mistakes, and the right to request erasure where applicable. In accordance with the complaints procedure updates implemented under the Data Use and Access Act (DUAA) 2025/2026, a structured resolution track is available if you have concerns regarding how your data is handled:
Formal Data Complaints & Resolution Track
1. Internal Filing Pathway: If you have a query, concern, or formal dispute regarding the storage, processing, or confidentiality of your files, you agree to submit this complaint directly to the Data Controller, Jenny Brown, in writing via email at jennybrowncounsellor@hotmail.com.
2. Acknowledgment & Review: The Practice will formally acknowledge your complaint and open an internal review. A comprehensive, formal resolution response will be delivered to you in writing within 30 days of filing.
3. Regulatory Escalation (The ICO): If you remain unsatisfied with how your data concern has been handled, or if you disagree with the final outcome of the internal review, you retain the absolute statutory right to escalate your complaint to the national supervisory authority, the Information Commissioner’s Office (ICO). You can contact them directly via their official website: www.ico.org.uk.