Privacy Policy
Data protection & privacy policy
This policy aims to explain, in clear, accessible English, the principles that I, Gemma Nightingale, follow to protect your data privacy.
Questions? Get in touch
Please contact me if, after reading this document, you have any questions about how I handle your data. I will respond within 7 days, to the best of my ability.
Email: gemma@nightingalecounsellingyorkshire.org
Legal and ethical parameters
I am bound by UK law, including the General Data Protection Regulation (GDPR) and the Data Protection Act 2018.
I also operate within the BACP ethical framework, and strive always to treat your data as I would want mine to be treated. In other words, I am committed to protecting and respecting your privacy.
Gemma Nightingale is registered with the ICO as data controller for Nightingale Counselling Yorkshire, registration number ZB736422.
Necessity and purpose of data collection
It is necessary for data to be collected and stored, in order for me to:
- process enquiries, assessments, and provide you with a safe and effective psychotherapy service
- communicate about and confirm bookings and payments
- manage my accounts and business records, payments in, refunds, taxes, etc.
- comply with my legal and regulatory requirements, including my ethical duty of care to maintain accurate clinical notes, including assessing risk of harm to self and others (as mentioned in the client-counsellor agreement)
- assess the progress made in therapy against standard metrics for psychotherapy (adapted from the GAD7, PHQ9 and WHO5) and against each client’s chosen aims
- analyse data that has been grouped anonymously, in order to spot trends, for example to see how different genders or ages of client progress over different periods of time.
The data I collect
I collect the following types of information:
Your identity and contact details:
- Name, address, phone number, email address, date of birth. Normally provided via my website contact form, but can also be passed to me via directory listings enquiry forms, in accordance with their privacy policy. This may also be taken verbally, in person, or over the phone, or in a referral to me by another clinician (it is their responsibility to pass me this information only if ethical and legal).
Therapeutic information:
- Any initial details you provide me with during your enquiry, via online forms, email, telephone or online video to outline why you want therapy and how you think it may help you.
- Any information sent to me by third parties, such as your GP, insurer, employer (it is their responsibility to pass me this information only if ethical and legal).
- Any and all subsequent information that you tell me during therapy sessions, regardless of the medium used, e.g. in person, online video, telephone or even email sessions. These session notes will also contain my clinical observations, reflections and assessments on your wellbeing, my progress and our relationship.
- Any and all progress metrics we mention in or between our sessions, when you answer my questions or self-score your progress against your therapeutic aims.
- Any incidental or therapeutic information that you give me between sessions, for example in emails to arrange your next session, may belong in your notes, if it is necessary, in my clinical judgement, to provide a complete picture of your situation, our logistical arrangements (bookings, timings and payments) and our relationship.
Billing information:
- Any payment information that is fed to me via my website’s booking platform when you pay. (I only use reputable web hosting services, email platforms and payment handlers. They do not share your bank or card details with me.)
- Any payment details that appear in our bank accounts of who has paid for your therapy and when. This is not linked to your therapy notes and is used to reconcile my accounts.
- Any arrangements for a third party (e.g. employer, insurance company or family member) to be invoiced or to pay for your therapy.
- Any records outlining how many sessions you have booked, paid for, attended, failed to attend. In the case of block bookings, a record of how many sessions you have left to claim.
Cookies:
- My website uses cookies to gather information about visitors in order to monitor the number of website visitors over time and their interaction with the site. This helps me improve the website to be more useful and user friendly. No information about your individual identity is gathered by cookies.
The legal basis for processing your data
- Consent: For processing sensitive health data and contacting your GP, if required or permitted.
- Contract: To provide therapeutic services as agreed.
- Legal Obligation: For compliance with legal requirements, such as tax regulations.
- Legitimate Interest: For record-keeping and practice management.
How I store and secure your data
I am committed to protecting your data.
Data from which you could be identified (such as name, address, DOB and email address) may appear in my booking systems and online calendars, and may be handled by my third-party service providers, e.g. for webhosting, website building, booking and payment systems, email services and video meetings. I have taken reasonable steps to check that all such providers are competent and trustworthy.
Identity data are kept separately to your clinical notes, which are stored against your client code.
Paper notes written during sessions are typed up within 48 hours and burned.
I do not record client sessions, nor use voice recognition software afterwards to process clinical notes, as I believe there is often some transfer of audio to the cloud for this functionality to work.
To reduce the risk of data breaches, I do not use AI or cloud-based storage for your clinical notes, benchmarking/progress measures, supervision notes, or the central session log. These are stored securely offline, on electronic memory devices that are VeraCrypt encrypted and password-protected.
Paper documentation, such as your signed client-counsellor agreement and any anonymised paper-based therapeutic forms or activities, is kept securely in a location not accessible to the public.
Keeping your data
All clinical notes and paper records are kept for a minimum of 7 years after your final session, but will then be deleted within 8 years, unless you have given permission for them to be kept longer.
Entries in the client log (anonymised) will show the dates, locations, and number of sessions that you attended and a very brief description of the broad theme of each session. This and anonymised progress metrics will be retained indefinitely for clinical effectiveness monitoring purposes.
Supervision, safeguarding, and legal requests for data
I have regular supervision, where I discuss my work, my wellbeing and my continuing professional development. This is a requirement of my membership of the BACP register, to ensure that members offer a consistently safe and high-quality service to all our clients. Supervision includes discussing some details of my client work; however, I never reveal client names to any supervisors, and I only work with supervisors who are bound by and committed to similar principles of confidentiality.
If my client work leads me to believe that anyone is at risk of significant harm, I have a duty of care to deal with the situation appropriately. Such safeguarding may include raising my concerns with the client, with my supervisor, or with the BACP. All clients are informed of this when we discuss the client-counsellor agreement, and are made aware that this may result in appropriate authorities being informed of a significant risk of harm.
I take my duty to protect the confidentiality of your sessions extremely seriously and will always seek legal advice before responding to any request by police, or by the courts, to submit any clinical notes for investigation. I would also consult with my supervisor and the BACP for ethical guidance in such an instance.
Under GDPR, you have the following rights:
- Access: Request a copy of your data, in a portable format if desired.
- Rectification: Correct inaccurate or incomplete data.
- Erasure: Request the deletion of your data (subject to legal obligations).
If a client requests any of these, I will seek advice from BACP, and from supervision, and will respond within a reasonable time. I aim to honour client instructions, but have a duty of care to balance this with my other legal and ethical obligations.
If a client is unhappy with the outcome of this process, they may then lodge a complaint directly with the Information Commissioner’s Office (ICO), quoting NCY registration ZB736422:
- Website: https://ico.org.uk
- Or Phone: 0303 123 1113
Changes to This Privacy Policy
I may update this Privacy Policy from time to time. This is the latest version, v3.
