Data Protection & Privacy Policy
Introduction
Anita T. Duke trading as Anita Duke Therapy (the ‘data controller’, referred to below as “I”, “me”, “my”, “mine”) is committed to complying with the terms of the UK General Data Protection Regulation (GDPR) and Data Protection Act 2018, and the Data (Use and Access) Act 2025 for the responsible and secure use of your personal information.
I have a legitimate interest in holding and processing personal data to provide counselling, psychotherapy, coaching and wellbeing services. The purpose of this policy is to let you know what information I collect, the reason I hold it, for how long, and your rights and responsibilities.
What I use your information for
I hold and process any personal data provided by you in accordance with the data protection principles set out by the General Data Protection Regulation. I solely and lawfully use your personal data to provide and administer professional therapy, coaching and wellbeing services, to maintain clinical records and general practice management, to comply with my professional obligations (e.g. safeguarding), and to meet the requirements of my professional bodies and insurer.
What personal data I collect
I request and process the following personal data:
- Enquiries (via professional directory/email/telephone/website) - name and contact details as necessary for a response.
- First session intake form - name, address, date of birth, phone number, email address, emergency contact and GP details. I require this information for the ethical provision of my services and in case of emergency.
- Medical/clinical assessments - If you give informed consent to continue with therapy, I will collect medical and mental health information relevant to your general wellbeing and provision of my services on the lawful basis of contract. I may also invite the completion of clinical assessments at intake and at appropriate stages of therapy. I require this information to assess your needs and progress, assess and monitor any therapeutic risk, and identify any health‑related factors relevant to the safe and ethical provision of the therapies I offer.
- Clinical Records - Once you agree to work with me I keep the following clinical records in accordance with guidance from my professional bodies and insurer:
  - Copies of signed agreements
  - Any professional clinical correspondence written or received
  - Copies of any clinical or risk assessments undertaken - anonymised using a coding system.
  - Therapy log - session dates, attendance, key themes, risk/action taken (if relevant) - hand-written and anonymised using a coding system.
In addition, I keep brief, hand-written, anonymised notes to support the effective and ethical provision of therapy. I use these as a personal ‘aide-memoire’ of presenting themes and interventions so they may contain some conjecture and process. No personal data is contained within these.
What information I share
I will never sell your data or use it for marketing purposes. I will not disclose your details to any person or organisation without your knowledge and consent, unless for a professional or legal requirement as follows:
- If I identify a child or vulnerable adult safeguarding issue.
- If I perceive a serious, imminent risk of harm being caused by or to you or another person.
- If I identify a potential national security or terrorist threat, or a potential act of money laundering or drug trafficking, all of which I am legally required to disclose.
- If I am legally required to disclose information following court subpoena, in the act of public interest, or by other regulations to which I am subject.
How long I retain your information
Client records are stored for 7 years following the completion of our therapeutic relationship in accordance with guidance from my professional bodies and insurer. After this period, records will be securely and permanently destroyed.
How I keep your information safe
I take the security of your data seriously and take all reasonable precautions to prevent the loss, alteration, or misuse of information you provide. I will only store records relevant to contracted clients or open enquiries from prospective clients.
I take every reasonable measure to keep any electronic information shared with me secure, by using password-protected applications and equipment. All paper records are filed in lockable storage. Records containing identifiable personal data (e.g. intake forms, signed agreements and professional clinical correspondence) will be stored separately from pseudonymised therapy logs, medical forms and aide-memoire notes.
Electronic communications
I may send email communications in connection with my services. For ease of use and compatibility, these will not be sent in an encrypted form unless you request this. Email and the transmission of information via the internet, unless encrypted, is never completely secure. Whilst I do my best to keep my systems password and virus protected, I cannot take responsibility for electronic communications being virus-free, neither can I guarantee the security of information transmitted via email, mobile, text or internet messaging, Zoom, or website forms. Any correspondence shared with me electronically is sent at your risk.
I delete text and voice messages once dealt with. Email communications are deleted unless containing clinical information relevant to sessions. The latter will be either stored on password protected equipment, or printed and stored with clinical paper records with personal data redacted.
Websites and third parties
To provide you with the best online experience my website uses cookies. A "cookie" is a small piece of information that a website assigns to your device while you are viewing a website. Cookies allow you to navigate between pages efficiently and make the interaction quicker and easier. Cookies do not contain any information that personally identifies you. You may remove cookies by following the instructions of your device preferences.
My website uses analytics to collect information about use of the site. I may also occasionally use Google Analytics to collect anonymous data relating to user behaviour and ‘web traffic’ statistics which I use to improve the website and my services. No user-specific data is stored by my website, and the analytical tools do not collect any personal information.
My website may contain hyperlinks to other websites. I am not responsible for the content, functionality, or accuracy of these, and they are not covered by this policy. I recommend that you read the privacy policy of any website before providing personal information.
When working with clients referred to the practice by a third-party agency, charity or EAP, I cannot be responsible for any personal data held by the referring third party. Please see their separate privacy policy. I will not share any sensitive clinical information with the agency unless you have given your consent.
I cannot be responsible for your data or confidentiality when using third party applications, electronic banking, or card payment services. Please be aware that my name will appear on your records if paying by electronic bank transfer or card. If you pay by bank transfer your details will appear on my statements, which I may be legally required to evidence for tax purposes.
Your rights and responsibilities
By contacting me through my website, a professional directory, phone, email, or any other means, it is understood that you have consented for me to contact you to discuss my services. If you decide to commence therapy, I will ask for your consent to process and store your personal data as part of the intake process. It is your responsibility to ensure that I have your up-to-date contact and emergency information thereafter, and to notify me of any other changes to your personal information whilst in therapy.
Under GDPR you have the right to make a request to see copies of the listed personal data I hold about you. You may also ask me to correct, update or erase the record, or to object to processing, subject to applicable exceptions in the case of counselling records. To exercise any of these rights an access request should be emailed to anita@anitaduketherapy.co.uk using the subject header ‘data access request’. I will respond within 30 days. If the request could be considered excessive or subsequent copies of data are requested, I reserve the right to charge an access fee.
Complaints Procedure
Under the Data (Use and Access) Act 2025 (Section 164A, Data Protection Act enforced, 19 June 2026), you have a statutory right to raise a data protection complaint before escalating to the Information Commissioner's Office. If you have any concerns about how I have handled your personal data, please submit your complaint in writing to: anita@anitaduketherapy.co.uk using the subject header 'Data Use and Access Complaint'. I will acknowledge this within 30 days of receipt, and will investigate and provide a response without undue delay. You will be kept informed throughout this process.
I will do my utmost to resolve any concerns you have. If for any reason you remain dissatisfied with my response, you may then escalate your complaint to the Information Commissioner’s Office (ICO) directly at ico.org.uk or by calling 0303 123 1113.
Changes to this policy
This Privacy Policy is reviewed annually but may also be amended between reviews to ensure it accurately reflects how and why I use your personal data. The date the policy was last modified is shown below.
Anita T. Duke trading as Anita Duke Therapy is registered with the Information Commissioner’s Office (Ref: ZA07885 254319).
Policy last modified: June 2026

