Data Protection Policy

Compassionate Change: DATA PROTECTION POLICY


Compassionate Change needs to gather and use information about individuals in order to provide psychological assessment, therapy, supervision, teaching and training activities. This information is gathered and retained as required to fulfil our contract with you or because there is a legitimate interest in our needing to collect this information (e.g. so that we can communicate with you directly about the services we are providing to you). Individuals can include clients, referring organisations and agencies, statutory organisations, suppliers, business contacts, employees and other people the company has a relationship with or may need to contact.

This policy describes how personal and sensitive data is collected, handled and stored (if you contact us or when we contact you) to meet the company’s data protection standards. Compassionate Change uses the information we collect in accordance with all laws concerning the protection of personal data, including the Data Protection Act 1998 and the GDPR 2018. As per these laws, Compassionate Change is the data controller; if another party has access to your data we will tell you if they are acting as a data controller or a data processor, who they are, what they are doing with your data and why we need to provide them with the information.

If your questions are not fully answered by this policy, please contact our Data Protection Officer (Dr Shelley Kerr If you are not satisfied with the answers from the Data Protection Officer, you can contact the Information Commissioner's Office (ICO)

Our Commitment:

Compassionate Change is committed to the protection of all personal and sensitive data for which it holds responsibility as the Data Controller and the handling of such data in line with data protection principles as specified by the UK Data Protection Act (1998) and updated by the General Data Protection Regulation 2018.

Changes to data protection legislation shall be monitored and implemented to remain compliant with all requirements.

The member of staff responsible for data protection is: Dr Shelley Kerr.

Compassionate Change is also committed to ensuring that its staff are aware of data protection policies, legal requirements and adequate training is provided to them. Staff members are responsible for ensuring data is handled and processed in line with the policy and data protection principles.

The requirements of this policy are mandatory for all staff employed by Compassionate Change and applies to all contractors, supplies and other people working on behalf of the company.


The data processing activities of Compassionate Change are registered with the Information Commissioner’s Office (ICO) as required of a recognised Data Controller. Details are available from the ICO:

Changes to the type of data processing activities being undertaken shall be notified to the ICO and details amended in the register.

Breaches of personal or sensitive data shall be notified immediately (or as early as possible once the breach has been identified) to the individual(s) concerned and the ICO.

Personal and Sensitive Data:

All data within the control of Compassionate Change shall be identified as personal, sensitive or both to ensure that it is handled in compliance with legal requirements and access to it does not breach the rights of the individuals to whom it relates.

The definitions of personal and sensitive data shall be as those published by the ICO for guidance: definitions/

The principles of the Data Protection Act shall be applied to all data processed:

  1. Processed fairly and lawfully
  2. Obtained only for lawful purposes, and is not further used in any manner incompatible with those original purposes
  3. Accurate and, where necessary, kept up to date,
  4. Adequate, relevant and not excessive in relation to the purposes for which it is processed
  5. Not kept for longer than is necessary for those purposes
  6. Processed in accordance with the rights of data subjects under the DPA
  7. Protected by appropriate technical and organisational measures against unauthorised or unlawful processing and against accidental loss, destruction or damage
  8. Not transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection of the personal information


Fair Processing / Privacy Notice:

Compassionate Change aims to be transparent about the intended processing of data and ensure that individuals are aware of how their data is being used and how to exercise their rights under the GDPR. This information will be notified to clients via the company’s privacy statement, and, where relevant, be written in a form understandable by those defined as ‘Children’ under the legislation. A version will also be available on our website:

Notifications shall be in accordance with ICO guidance transparency-and-control/

The intention to share data relating to individuals to an organisation outside of Compassionate Change shall be clearly defined within notifications and details of the basis for sharing given. Data will be shared with external parties in circumstances where it is a legal requirement to provide such information.

Any proposed change to the processing of individual’s data shall first be notified to them.

Data Access Requests (Subject Access Requests):

All individuals whose data is held by Compassionate Change, has a legal right to request access to such data or information about what is held. Subject Access Requests (SARs) should be made in writing to the nominated Data Protection Officer, Dr Shelley Kerr, by letter or email ( Responses to such requests made by individuals will be made within 30 days and will usually be processed free of charge. Verification of the identity of anyone making a Subject Access Request will be required before information can be shared.

We may withhold such personal information to the extent permitted by law. In practice, this means that we may not provide information if we consider that providing the information will violate your vital interests.

Data Storage and Security:

Data which is stored on paper (e.g. case notes, letters, printouts of emails), will be kept in a secure, locked filing cabinet when not required and will not be accessible to unauthorised personnel.

Data printouts and data stored on paper will be shredded and disposed of securely when it is no longer required and/or has reached the end of the data retention period (see Data Retention and Disposal section below).

Data which is stored on removable media, such as CD or DVD, will be kept in a secure, locked filing cabinet when not being used.

Data which is stored electronically is protected from unauthorised access by the use of strong passwords which are not shared between employees and SSL-encrypted connections. Electronic data will be stored in designated drives and servers which meet acceptable security standards, and all computers and servers containing such data will be protected by approved security software and a firewall. Regular checks will be performed to ensure security hardware and software is functioning properly.

Electronic data will be backed up regularly and these backups will be tested regularly, in line with the company’s standard backup procedures. Where data is uploaded to cloud computing services, these will be compliant with GDPR.

Security of data shall be achieved through the implementation of proportionate physical and technical measures. Nominated staff shall be responsible for the effectiveness of the controls implemented and reporting of their performance.

The security arrangements of any organisation with which data is shared shall also be considered and these organisations will be invited to provide evidence of the competence in the security of shared data.

Data Use and Security:

Employees should treat all data covered by this policy as confidential and only access that which is required for the purpose of their work. When access to confidential information is required, this will be requested from the nominated Data Protection Officer, Dr Shelley Kerr.

Employees should keep all data secure by following sensible precautions and following the guidelines of this policy. Requests for clarification and help should be made to the nominated Data Protection Officer.

When working with personal data, employees of Compassionate Change will ensure the screens of their computers are locked by a password when left unattended.

Access to and updating of personal data will always be from the central copy of any data.

Personal and sensitive data will not be shared informally, either by telephone or email, unless consent of the client has been obtained.

Personal and sensitive data shared formally, either by spoken or written communication, will be done only with the explicit consent of the client (and or parent/guardian for minors aged under 16 years). Data will be encrypted before being transferred electronically.

In certain circumstances, such as safeguarding concerns, the Data Protection Act (1998) allows for personal data to be disclosed to other professional and law enforcement agencies. Under these circumstances. Compassionate Change are legally obliged to disclose such data.

Data accuracy:

Compassionate Change will take reasonable steps to ensure personal and sensitive data is kept accurately and is up to date.

Data will be held in as few places as necessary. A central system is utilised to access personal data pertaining to contact details such as name, address, telephone number(s), and email address. Staff should take every opportunity to ensure such data is current, for example, confirming contact details at appointments. Inaccuracies and amendments will be updated to the client’s file and central system database as soon as possible.

Clients will be encouraged to update the personal information Compassionate Change holds about them. Please contact the Data Protection Officer. We may require additional verification that you are who you say you are to process this request.

Data Retention and Disposal:

Compassionate Change recognises that the secure disposal of redundant data is an integral element to compliance with legal requirements and an area of increased risk.

All data, paper or electronically held, will be securely destroyed or eradicated after a period of 7 (seven) years (or the age of majority plus 7 years, if the client was a minor when treatment ended), as per the requirements of our professional bodies regarding the management of client data.



Policy prepared by:                      Dr Shelley Kerr, Clinical Psychologist

Approved by management on:     August 24th 2021

Policy operational on:                  August 24th 2021

Policy review date:                      August 24th 2023

Scroll to Top