Privacy Policy
1) Introduction – why we need this policy
As your therapist I will always aim to be respectful, collaborative and transparent with you, treating your personal information with the utmost care during and after any work we do together. This Privacy Policy explains how I collect, use, store and protect your personal data when you visit my website at drjokirk.co.uk, contact me by phone or email, attend workshops or courses, or work with me for assessment or therapy.
I am registered with the Information Commissioner’s Office (ICO) as the data controller for your personal information, which means I am responsible for ensuring it is processed lawfully, fairly and securely, and for being clear about what data is held, why it is held, how long it is kept, and when it may be shared. Where required, your consent will be sought and can be reviewed or withdrawn, subject to legal and professional obligations.
Further information about data protection rights is available from the Information Commissioner’s Office (ICO) at https://ico.org.uk.
2) Accountability statement – what I will do to follow these principles
In accordance with UK GDPR, I will keep appropriate records of processing activities, review my security arrangements, assess risks to individuals’ rights and freedoms, and maintain procedures for managing and reporting data breaches.
3) Conditions for processing your data – when I can collect your data
The law on data protection sets out conditions or justifications for which I may collect and process your personal data. Most commonly, I will process your data on the following lawful grounds:
· With your explicit consent.
In most situations, I can collect and process your data with your explicit consent.
· We will have some contractual obligations to each other.
When we begin working together, I will ask you to agree to my therapy contract. This is normal practice and lays out what we expect of one another. For example, I promise to give you the support you asked for; in return, you promise to pay your fees promptly. This means we enter into a contract together. A contractual obligation on its own is not sufficient to allow me to process your sensitive personal data, which is why I also ask for your explicit consent.
· Vital interests.
I may process your personal data in an emergency where this is necessary to protect your life, or the life of another person. This lawful basis applies only in situations involving an immediate and serious threat to life where it is not possible to obtain consent in time, or where attempting to do so would cause harmful delay.
In such circumstances, I will only process or share the minimum personal information necessary to enable emergency support or intervention.
· Legal obligation.
It is possible that your personal information may be requested by the Police, a Court of Law, a Coroner’s Office or a Professional Body. In these circumstances I have to comply with the law.
· Legitimate interest.
In certain circumstances, I may process personal data where this is necessary for my legitimate interests as a Clinical Psychologist and where this would be reasonably expected. Examples include maintaining basic contact records, managing appointments, issuing invoices, responding to enquiries, and ensuring the safe and effective running of my practice. I will always consider your rights and freedoms before relying on this basis and I do not use legitimate interest to process special category data such as therapy notes or mental health records.
· Your safety and the safety of others.
On rare occasions, I may process special category personal data without your consent where I believe this is necessary to safeguard you or another person from serious harm. This may include situations involving child protection, adult safeguarding, or significant risk that does not meet the threshold of an immediate threat to life.
In these circumstances, processing is carried out in accordance with the Data Protection Act 2018 and is supported by an Appropriate Policy Document. Where possible, I will inform you of any information shared and the reasons for this, unless doing so would increase risk.
4) Why do I need to collect your personal data?
I collect your personal data so that I can:
· Know who you are, so that I can communicate with you in a personal way. The legal basis for this is my legitimate interest.
· Provide services to you. The legal basis for this is the contract with you.
· Process your payment for services. The legal basis for this is the contract with you.
· Provide you with a useful and relevant website. The legal basis for this is my legitimate interest.
· Process and respond to feedback from you as appropriate.
5) What information do I collect and process?
To provide you with the best service, I collect personal data from you. The data may be collected in electronic format or in paper form. This includes:
· Your name and date of birth
· Your contact details including a postal address, telephone number(s) and email address.
· Details of your GP and an emergency contact.
I may also hold information about you:
· When you write to me about any subject by any means
· When you enquire about my services but do not engage.
· When you attend an appointment, I make session notes.
· When you complete questionnaires.
· If you attend training, reflective practice, or group sessions.
· When you access or engage with my website.
· From third parties; for example, if I receive a referral from another professional (such as your GP or a Social Worker), or if you share any reports with me.
My processing activities may also include personal information identifying other important people in your life such as your partner, family members or friends.
I will need to ask for certain personal information to deliver the services you have asked for and to give you the best possible experience when you engage with me.
6) Special category data
During our sessions together I will gain information about your current and previous psychological and physical health, and where relevant sexual health, and your current and previous social and family circumstances. I will also collect information about you when you voluntarily complete questionnaires. This sensitive personal information is defined as “Special Category Data” and I collect it because it is needed for me to provide psychological assessment or treatment to you. Special categories of particularly sensitive personal data require higher levels of protection, so I need a clear justification for collecting, storing and using this type of personal data. I aim to collect and process only the special category data relevant to your therapy or involvement with me.
7) How do I use the information that I collect?
I process personal data in line with the data protection principles outlined in Section 2 and apply these to my day-to-day clinical and administrative practice.
I use the data collected from you in the following ways:
· To communicate with you about appointments and practical arrangements.
· To manage the administrative and financial aspects of my practice, including invoicing.
· To keep appropriate records of the services provided, including clinical notes.
· To meet professional requirements, including accessing clinical supervision. As required by my professional bodies, I will also discuss some of your personal information in supervision with another psychologist or psychotherapist to ensure that my practice is safe and effective. My supervisor does not share your personal information with anyone else.
· To share information with other parties, as agreed. If appropriate I might write to your referrer or other professionals to summarise or update them of your treatment and progress. I will obtain your consent and show you the content of such letters before sending them.
· Where relevant, to record limited information about significant others where this is necessary for clinical understanding or safeguarding.
· To address complaints or respond to legal or regulatory matters.
8) Where do I keep the information?
I make every effort to safeguard your information. I keep your information securely as described below.
· Paper Records: Any paper records, including clinical records, are kept in a locked cabinet, with access restricted to me.
· Computer Records: I use a personal computer that is password protected and encrypted. Access to the computer is restricted to me only, and passwords are not shared. Where backups are used, these are stored securely and encrypted.
· Mobile devices: I use a smartphone for some work-related communication. This device is password protected and encrypted.
· Security measures: All devices used for work purposes have up-to-date antivirus protection and security software installed. Devices are locked when not in use.
· Electronic storage and servers: My practice is based in the UK. I take reasonable steps to ensure that any electronic systems or cloud-based services I use are hosted on servers located within the UK or the European Economic Area (EEA), in accordance with UK data protection requirements. Appropriate security and encryption measures are in place to protect data stored in this way.
9) How long do I keep the information?
This depends on what contact we have:
· If you make contact and do not become a client of mine, I keep your information for a period of six months. All your personal information is then permanently and securely deleted.
· If you go on to work with me, I keep your clinical record for seven years after you stop being a client.
· Where the client is a child, records are kept until the child reaches the age of 18, and for seven years after that.
· I keep electronic invoices for six years to comply with HMRC requirements.
The need to use your personal information will be reassessed on a regular basis, and information which is no longer required for any purposes will be securely deleted or disposed of.
If you would like me to keep your information for future reference, please let me know in writing when we end our work.
10) Who do I send information to?
I send information to you and anyone else that I am required by law to inform.
If the therapy has been established through a third party (e.g. a GP, a Local Authority, an Adoption or Fostering Charity, or a Private Health Insurance Company, or where the work is funded by the NHS or the Adoption Support Fund), I will provide reports to them as agreed in their individual terms and conditions or contractual arrangements.
Any attachments sent electronically are sent securely, for example encrypted and password protected, or via a secure platform (e.g. Egress).
In rare safeguarding situations, information may be shared without consent for safeguarding reasons, as explained in Section 3.
If I hold information about you and you want me to ‘port’ it, that is send it to another organisation that does similar work to me or provides a similar service, you can ask me to do this. This is free of charge, and I aim to do it promptly.
11) How can you see the information that I have about you?
You can make a subject access request (SAR) by contacting me, Dr Jo Kirk. Before processing a request, I may ask for additional information to verify your identity. In some circumstances, I may need to withhold personal information, as permitted by law. In practice, this means that I may not provide information where I believe that sharing it would be likely to cause serious harm to you or to another person, or where disclosure would conflict with my safeguarding responsibilities. In this situation I can rely on the condition in the Data Protection Act 2018 (Schedule 1, Part 2, paragraph 18) relating to the safeguarding of children and of adults at risk.
While the primary purpose of clinical notes is to support effective therapy, I will aim to support access wherever it is appropriate and safe to do so. I may charge a reasonable fee if your request is repetitive or excessive, or I may refuse to comply with your request in these circumstances.
I try to respond to all legitimate requests within one month. Occasionally it may take me longer than a month if your request is particularly complex or you have made a number of requests. In this case, I will notify you.
12) What if information I have about you is incorrect or needs to be updated?
It is important that my records are accurate. If you believe there are any errors, for example because you have moved house or changed your phone number, or because I have recorded something inaccurately, please contact me so that I can correct this. As before, I may request additional verification that you are who you say you are.
If you provide me with corrected data, I will treat this with the same care and checks as any other data access request, and once I have amended my systems I will send you a copy of the updated information in the same format.
13) How can you have your information removed?
If you want me to remove your data, I will need to determine whether there is any information I am required to keep, for example in case HMRC need to inspect my records. Where data can be deleted, I will do so without delay. I will let you know if any information needs to be retained, and the retention periods described above will apply.
14) What correspondence will I have with you?
To provide a good service, it may be helpful to send information to you via email, SMS, or WhatsApp. An email confidentiality notice is at the bottom of my emails. Attachments including sensitive information will typically be password protected and the password will be sent separately. Your preferences for communication methods are agreed in the Terms and Conditions.
15) Changes to this Privacy Policy
I may need to update this Privacy Policy following any changes to the law, and you may want to check it for updates. If there are any significant changes to the policy or to how I use your information, I will let you know and, where appropriate, ask for your consent.
16) Further information
If your questions are not fully answered by this policy, or if you have a complaint, I would be grateful if you could contact me so that I can try to resolve it for you. If you are not satisfied with my response, you can contact the Information Commissioner’s Office (ICO) on 0303 123 1113 or at www.ico.org.uk/concerns.
If you are based outside the UK, you have the right to complain to the relevant data protection supervisory authority in your country.
Dr Jo Kirk GDPR Privacy Policy
Version 1 January 2026