Data Protection and Privacy Policy

Updated: 13th May 2018


This policy describes the information that I gather and how I manage that information when you contact me or attend to see me as client / supervisee. This is to maintain standards of privacy and confidentiality compliant with the General Data Protection Regulation (GDPR), Data Protection Act (1998) and the British Psychological Society Clinical Psychology and Case notes Guidance on Good Practice (DCP, 2000). The data controller responsible for this policy and the website is Dr. Nick Bell, Clinical Psychologist, based in Edinburgh, UK. If you have any questions in relation to my use of your details, contact me at

1. What personal information do I collect?

I collect information about you for the purposes described below on the basis of your consenting to this. I gather information about you in order to provide an effective clinical service. For example:

  • To know who you are so that I can communicate with you.

  • Verify your identity so that I can be sure I am dealing with right person.

  • Deliver a service to you under the terms of an agreed clinical contract.

  • Contact you, should I need to share information. I would only do this where there is a concern regarding a risk of harm to you or others or under other specific circumstances as outlined in this policy.

The information I collect broadly includes:

  • Your name, date of birth and your contact details including a postal address, telephone number(s) and electronic contact such as email address.

  • Information required to deliver a clinical service to you under the terms of an agreed clinical contract. This includes GP name and contact details, your background history and information relevant to your attendance to see me.

  • I may also collect information about you from third parties; for example, if I need to gather information from another health professional (such as your GP) to complete a clinical assessment. I would only do this with your consent.


2. How will your information be used?


I use the data collected from you in the following ways:

  • To communicate with you so that I can inform you about your appointments with me. I use your name, your contact details such as your telephone number, email address or postal address.

  • To deliver an effective service to you, I will use your name, your contact details and the details gathered at your initial assessment appointment. I use written notes taken at the end of each session to record attendance and to provide an effective service to you. This is in line with guidance from my regulatory body (HCPC) and professional organisation (BPS).


3. Where do I keep your personal information?


I keep records in electronic and paper based (file) formats:

a. Electronic person identifiable information is kept on an encrypted external data-locker secure memory device (Kingston data locker) backed up to a cloud in encrypted form.

b. Paper based recording: During therapy appointments I am required to record relevant information that you provide to me. I do this by taking handwritten notes during sessions which are stored in a physical file. I may use this information to create a report, should you or your insurance provider request it. The paper based file also includes the information sheet you complete at the assessment appointment giving personal details (eg. date of birth and GP contact details). Your psychology therapy notes/file are stored in a locked filing cabinet secured to a wall in a secure location or in a locked metal portable file case when I am travelling to and from appointments.

c. Mobile phone storage: I may keep your mobile or other contact telephone number stored in the memory of my mobile phone. This would be for contacting you at short notice should the need arise. Only your first name is stored. The mobile phone I use is 4 digit pin protected.


4. How long do I keep your personal information?


I retain your psychology file/notes for 7 years in accordance with guidance issued by our professional body, the British Psychological Society. After this time, I will shred your file/notes and delete any electronic copies of reports relating to you.


5. Who do I disclose your personal information to?


I will send psychological reports to you, or to another health professional/provider or insurance company authorised by you. In addition, I may have to share data I collect if I am required to share data with the legal authorities to fulfil my obligations under Scottish law or if there is a significant risk to you or others. Under Child Protection legislation, I may be required to contact child protection services if you disclose information that indicates that a child may be currently still at risk.


If I wish to access or share your data in any way not described in this privacy policy, I will contact you beforehand and only proceed with your explicit consent.


All reports that are sent electronically are sent as attachments that are password protected or via secure email systems such as Egress.

6. Website:


Data collected by third parties

The website is hosted by The privacy policy, which can be viewed at, applies to this site. This website has SSL certification (a Secure Sockets Layer or SSL certificate is a digital certificate that authenticates the identity of a website and encrypts information sent to the server using SSL technology). The website platform I use complies with the EU-US Privacy Shield Framework and the Swiss-US privacy shield framework. The website platform I use will therefore be compliant with GDPR from May 2018.



I use Gmail as my email client. Gmail is a secure and encrypted email service and is fully GDPR compliant.


Contact form on the website:

When submitting the contact form on my website, the submitted data is sent to me securely via, the web hosting provider. I use this data to contact you in relation to your enquiry. Access to data I collect is limited to me and other members of the Psychology and Counselling Cooperative (Encompass Edinburgh) of which I am part where we require that data to perform our duties.


Data submitted via the email contact form on the Contacts page or via email directly to will be kept for approximately 6 months and then deleted unless there is a legitimate reason to keep this longer (eg. if you become a client and this forms part of the client case record).


7. Record of payments and retention of payment information:


I keep records of invoices, payments and receipts for accounting purposes. We are required to retain this information for 6 years in line with HMRC requirements. After six years I delete and/or shred this information.


8. Your rights:

How can I see all the information you have about me?

You can make a subject access request (SAR) by contacting me. I may require additional verification that you are who you say you are to process this request. I will aim to provide you with this information within one month of your written request. I may withhold such personal information to the extent permitted by law. In practice, this means that I may not provide information if I consider that providing the information will violate your vital interests.


What if my information is incorrect?

Please contact me. I may require additional verification that you are who you say you are to process this request. If you wish to have your information corrected, you must provide me with the correct data and after I have corrected the data in our systems I will send you a copy of the updated information in the same format as the subject access request.


How can I have my information removed?

If you want to have your data removed I have to determine if I need to keep the data, for example in case HMRC wish to inspect my records. If I decide that we should delete the data, I will do so without undue delay.


How do I make a complaint?

If you wish to raise a complaint on how I have handled your data, you can contact me to have the matter investigated [].
If you are not satisfied with my response or believe I am not processing your data in accordance with the law you can complain to the Information Commissioner’s Office:


9. Changes to this privacy policy:


I may occasionally make changes to this data protection and privacy policy. Following any changes, the date at the top of the privacy policy will be updated. If any change allows for the wider access to or sharing of data, such changes will only apply to data collected after the date of the updated privacy policy.

Dr. Nick Bell, Clinical Psychologist