Privacy Policy

Privacy Policy

Last updated: 17 June 2026

Who we are

Celia Flack Counselling is a counselling and psychotherapy practice run by Celia Flack. We are registered with the Information Commissioner’s Office (ICO) under registration number ZA490527.

You can contact us at: celiaflackcounselling [at] yahoo.com

Our full compliance documents are available at: https://celiaflackcounselling.policydiary.co.uk

What personal data we collect

We collect and process the following types of personal data:

Contact information:

  • Your name, address, telephone number, and email address
  • Emergency contact details

Health and therapy-related information:

  • Your presenting issues and reasons for seeking therapy
  • Relevant medical and mental health history
  • Session notes and records of our therapeutic work together
  • Risk assessments and any safety concerns discussed

Administrative information:

  • Appointment dates and times
  • Payment records and invoices
  • Correspondence between us

Website enquiries:

  • Your name and email address when you submit our contact form
  • The content of your enquiry

Health and therapy-related data is classified as “special category data” under Article 9(1) of the UK GDPR because it concerns your physical or mental health. This type of data receives enhanced legal protection, and we take additional care to keep it secure.

How we collect your data

We collect your personal data directly from you in the following ways:

  • When you first contact us to enquire about therapy (by phone, email, or our website contact form)
  • During our initial assessment or intake session
  • Throughout our therapeutic work together, during sessions
  • Through any correspondence between us, including emails and telephone calls

We do not collect personal data about you from any other source without your knowledge.

Why we process your data — lawful basis

Under UK GDPR, we must have a valid legal reason (a “lawful basis”) to process your personal data. Because therapy involves health-related information, we need two separate legal bases:

Article 6 basis (general personal data):

Article 6(1)(b) UK GDPR — processing is necessary for the performance of the therapeutic contract between us. When you engage our services, we enter into a contract to provide you with counselling or psychotherapy. We need to process your personal data to fulfil that contract.

Article 9 basis (special category health data):

Article 9(2)(h) UK GDPR — processing is necessary for the provision of health or social care treatment by a health professional. As a qualified counsellor and psychotherapist, we process your health data in order to provide you with appropriate therapeutic care.

The additional condition required under UK law is found in the Data Protection Act 2018, Schedule 1, Part 1, paragraph 2 (health or social care purposes). This processing is carried out by a qualified counsellor subject to the professional obligation of confidentiality under the ethical framework of BACP.

Professional obligations and CPD

We are required by BACP to attend regular clinical supervision. Supervision is an essential part of safe and effective therapeutic practice, and it helps us to provide you with the best possible care.

We may discuss our therapeutic work with our supervisor. When we do so:

  • Your name and any identifying details are NOT shared with our supervisor
  • We use anonymised or pseudonymised case material only
  • Our supervisor is a qualified professional bound by the same confidentiality obligations as we are
  • Our supervisor is bound by their own professional body’s ethical framework

Supervision discussions are confidential and your identity is protected at all times.

Clinical will — what happens to your records if we are unable to practise

We have appointed a Clinical Executor — a trusted fellow therapist — who will act on our behalf if we become seriously ill, incapacitated, or die.

If this situation arises, our Clinical Executor will:

  • Contact you to let you know what has happened
  • Offer you the opportunity to be referred to another therapist if appropriate
  • Handle your records in accordance with our confidentiality policy and UK GDPR
  • Ensure all client records are securely stored or destroyed in line with our retention policy

Our Clinical Executor is bound by the same professional and legal confidentiality obligations as we are. This arrangement ensures your privacy is protected and you are not left without information or support.

Who we share your data with

We take your confidentiality seriously and limit who has access to your personal data.

Clinical supervisor: As explained above, we discuss our work in supervision using anonymised or pseudonymised material only. Your name and identifying details are not shared.

Employee Assistance Programme (EAP) or referral platform: If you were referred to us through an Employee Assistance Programme or similar referral service, we may share limited information with them as part of the commissioning arrangement. This is typically limited to confirmation of attendance and session numbers, not the content of our work together.

External bookkeeper: Our bookkeeper has access to invoice data only (your name and payment amounts) for accounting purposes. They do not have access to your therapy records or any clinical information.

Third-party digital services: We use the following third-party services which may process your data:

  • WordPress — our website platform
  • Jetpack — provides basic website analytics and security features
  • Zoom — for online therapy sessions where applicable

Each of these services is bound by a data processing agreement. Links to their privacy policies are available on request.

We never sell your personal data.

International data transfers

The following third-party services we use may transfer personal data outside the United Kingdom:

  • Jetpack (Automattic Inc, USA)
  • WordPress (Automattic Inc, USA)
  • Zoom (Zoom Video Communications Inc, USA)

The USA does not currently have a UK adequacy decision. Where data is transferred to the USA, we rely on Standard Contractual Clauses (SCCs) or International Data Transfer Agreements (IDTAs) as appropriate safeguards, in accordance with UK GDPR Chapter V and the updated requirements of the Data (Use and Access) Act 2025.

You can request a copy of the relevant transfer safeguards by contacting us.

How long we keep your data

We keep your personal data only for as long as necessary. Our retention periods are:

Type of recordRetention periodReason
Therapy records7 years after our last sessionIn line with the Limitation Act 1980 and standard professional indemnity insurance requirements
Financial records (invoices, payments)6 yearsHMRC legal requirement
Website enquiries (non-clients)12 monthsLegitimate interest in responding to potential enquiries

After the applicable retention period, records are securely destroyed. Paper records are shredded. Electronic records are permanently deleted.

Your rights under UK GDPR

You have the following rights regarding your personal data:

Right to be informed: You have the right to know how we collect and use your personal data. This privacy policy fulfils that right.

Right of access: You can request a copy of the personal data we hold about you. This is known as a “subject access request.” Under the Data (Use and Access) Act 2025, we will conduct a reasonable and proportionate search to locate your data.

Right to rectification: If any personal data we hold about you is inaccurate or incomplete, you can ask us to correct it.

Right to erasure: In some circumstances, you can ask us to delete your personal data. However, this right may not apply where we are required to keep records under professional guidelines or for insurance purposes.

Right to restrict processing: You can ask us to limit how we use your data in certain circumstances.

Right to data portability: Where technically feasible, you can ask us to transfer your data to another organisation in a commonly used format.

Right to object: You can object to certain types of processing, although this is unlikely to apply to therapy records processed under contract or health purposes.

Rights related to automated decision-making: You have the right not to be subject to decisions based solely on automated processing. We do not use automated decision-making in our practice.

To exercise any of these rights, please contact us at: celiaflackcounselling [at] yahoo.com

We will respond to your request within one month. There is no fee for most requests, but we may charge a reasonable fee if your request is clearly unfounded or excessive.

Data protection complaints — your right under the Data (Use and Access) Act 2025

You have the right to make a data protection complaint directly to us if you believe we have not handled your personal data correctly.

To make a complaint:

We take all complaints seriously and will respond within 30 days.

If you are not satisfied with our response:

You have the right to escalate your complaint to the Information Commissioner’s Office (ICO):

  • Website: ico.org.uk
  • Telephone: 0303 123 1113
  • Address: ICO, Wycliffe House, Water Lane, Wilmslow, SK9 5AF

Confidentiality exceptions

Everything you share with us in therapy is treated as confidential. However, there are specific circumstances where we may need to share information without your consent:

  • Risk of serious harm: If we believe you or someone else is at immediate risk of serious harm, we may need to share information with emergency services or other appropriate professionals.
  • Safeguarding concerns: If we become aware of a child or vulnerable adult who may be at risk of abuse or neglect, we have a legal and ethical duty to report this to the appropriate authorities.
  • Court order: If a court orders us to disclose information, we are legally required to comply.
  • Terrorism: Under the Terrorism Act, we are required to report certain information to the police if it relates to terrorism.

We will always try to discuss any disclosure with you first, unless doing so would itself put someone at risk.

Changes to this policy

We review this privacy policy annually and whenever our practices change significantly.

If we make any significant changes that affect how we handle your personal data, we will inform you directly.