Privacy Notice: Data Protection


Why do we need to process information about you?

In providing you with our services, Compassionate Change will need to handle your personal information. Personal information is details about you from which you can be identified, such as your name and contact details. Depending on what services you receive from us, we may process additional sensitive data such as information about your health. This information is essential to inform, facilitate and provide assessment and therapeutic services which are appropriate to your individual needs.

Under the requirements of the Health Care Professions Council (HCPC), Compassionate Change are obliged, according to the legitimate interests of provision of our services, to keep documentation of your personal data to allow us to provide assessment and therapy services to you.

Lawful basis for processing your information

The lawful basis for my holding and using your information is in relation to the delivery of a contract to you as an accredited health care professional.

What information will you hold?

Information about you will be held in the form of written notes, emails, questionnaires, and letters, in addition to our practice management records and invoices. This information could be collected at any point during your contact with us and/or during your receipt of services from us.

We take hand written notes when we meet you. This will often include personal and sensitive information you have shared about your life. Your therapist may also record their professional impression at times. These notes may be used to create a report on the services that we provide to you, to you or to an approved third party (i.e. your insurer). Mostly, however, our written notes serve simply as an aide memoire for your therapist to ensure continuity of treatment over time.

Your information will be collected, managed and stored solely for the purposes of us providing you with psychological services or training.

How do we use the information that we collect?

We use the information we collect:

  • To communicate with you so that we can inform you about your appointments

with us, we use your name, your contact details such as your telephone

number, email address or postal address;

  • To deliver the correct service to you, we use your name, your contact details

and the details about your purchases;

  • To create your invoice using our accounting package, we use your name, and may use your email address, address, date of birth, and insurance details;
  • To provide you with psychological services and maintain a record of your care, we use information about your health and life.
  • To optimise our website so that users can find the information they need.

Where do we keep the information?

We keep your information in the stores described below.

On our company computers

We use personal computers that are located on our business premises. The computers are password protected and the hard drives are encrypted. Passwords are changed regularly and are not shared beyond those who need access to a given computer.

Where cloud services are used, these meet GDPR requirements and all data is securely encrypted when stored there.

Electronic notes and emails are also accessed via mobile devices; these devices are password protected and not shared.

Your client record

Notes are routinely taken during and/ or after sessions as a record of care. These notes are predominantly made on paper and stored in your file in a locked filing cabinet in our secure office.

We also record some aspects of our interaction with you in Microsoft Excel Spreadsheets, Word Documents, and save these on a computer in our office.

Occasionally we will transfer summaries of care or reports with yourself or third parties (e.g. your GP, your insurer) via email. These reports are either password protected word documents or pdf files.

In our practice management

We occasionally need to transfer our accounts Excel Spreadsheet to our (UK-based) accountant. This is done using encrypted transfer and our accountant has stated that their company’s processes are GDPR compliant.

How long will you store my information for?

We will hold information about you for as long as you receive services from us and for seven (7) years following the date of our last contact with you. If our identified client is a minor, we will hold information about the services that we have provided to them for seven years past the age of majority.

Paper-based information will be electronically scanned and stored after the point your case file is closed to the service (usually defined as your last appointment).

Once scanned, paper-based information will be shredded and disposed of in confidential waste. Electronically held files will be securely and deleted after seven years (or if a minor, when they reach the age of majority plus seven years).

You also have the right to ask for your information we hold on you to be erased prior to this time by contacting our Data Protection Officer, Dr Shelley Kerr at our main office (Unity Street, Bristol, BS1 5HH), or via email to

However, if you want to have your data removed, we do have to determine if we need to keep the data. For example, if there is an on-going legal matter related to your case or if your request falls within the timeframe that our governing practice body has a requirement that we hold data for (around seven years). In this instance, we may not be able to erase your data before that time has passed or any court action is ended.

How can I access the information you hold?

You can ask to access the information we hold by writing to our Data Protection Officer, Dr Shelley Kerr at our main office (7 Unity Street, Bristol, BS1 5HH), or via email to, to make a Subject Access Request (SAR). You can also ask for your information to be transferred to another provider of psychological services. We will respond to your request within 30 days.

Verification of the identity of anyone making such a request will be required before information can be shared.

What if I believe the information you hold about me is incorrect?

Whilst you are receiving services from Compassionate Change, we will aim to keep the information we hold about you up-to-date. We would encourage you to tell us as soon as possible if your personal data changes so that we can update our records.

You can also let us know if you believe the information we hold about you is inaccurate, needs amending or updating, by contacting our Data Protection Officer, Dr Shelley Kerr. We will aim to update your information within 72 hours.

How can I have my information removed?

If you want to have your data removed we have to determine if we need to keep the data, for example in case HMRC wish to inspect our records or if in doing so we would breach our professional organisations data retention requirements (see above). If we decide that we should delete the data, we will do so without undue delay.

Protecting your Information

Compassionate Change is committed to keeping the information we hold about you secure. To protect your personal data, we follow the guidelines and recommendations in line with our professional bodies (The Health Care Professionals Council, Association of Clinical Psychologists UK) and regulatory bodies such as the Information Commissioners Office. More detailed information can be found in our Data Protection Policy, which complies with the requirements detailed in the Data Protection Act (1998) and the General Data Protection Regulations (2018). This document is available on request.

We have physical, electronic, and operational procedures in place to protect your data. In the unlikely event of our security processes being compromised leading to a significant breach of your information, we will endeavour to inform you within 72 hours.


The confidentiality of your personal information is very important to Compassionate Change. All our services are confidential, and we will not share your information unless we judge that there is a serious risk of harm to yourself or others, or with your written consent, or when we are legally obliged to do so. Confidential information is restricted only to those who have a reasonable need to access it.

Who can I contact if I have concerns about my data management?

Should you have any concerns about the management of your data by Compassionate Change, please contact our Data Protection Officer, Dr Kerr, in the first instance. If we are unable to resolve your concerns, you have a right to complain to the Information Commissioner’s Office: concerns/


Policy prepared by:  Dr Shelley Kerr, Clinical Psychologist

Approved by management on:     August 24th 2021

Policy operational on:                  August 24th 2021

Policy review date:                      August 24th 2023

Scroll to Top