top of page

Unlock Psychology Ltd Privacy Notice

Please ensure you read our privacy policy below concerning our clinical, training and academic services. If you have any questions or would like to discuss anything further, please email us at info@unlockpsychology.co.uk and we will be happy to discuss.

​

Who we are and what service we are providing

Unlock Psychology Ltd is a registered company in England and Wales. It consists of Clinical Psychologists registered with the Health and Care Professions Council (HCPC), as well as qualified educators and researchers. We provide psychological assessments and therapy online and face to face in clinic spaces, training, research services and consultancy for businesses.
‘We’ refers to Unlock Psychology Ltd and the staff that work within it. All individual staff members therefore follow the below policy.

 

Data Protection & Privacy

We are registered with the Information Commissioners Office (ICO), under registration number ZB284682, the UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals. As a member of the public, you can complain to the ICO if you are unhappy with how an organisation has handled your information. For example, if your information is wrong, lost or has been disclosed to someone else, or if you have not been given access to your personal data.

Our Data Protection Officer is Dr Alastair Pipkin. You can contact the Data Protection Officer with any queries relating to data protection or this Privacy Policy at info@unlockpsychology.co.uk.

We respect and comply with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Data (Use and Access) Act 2025. This document outlines how we comply with these regulations.

​

 Legal Basis for Processing Your Data

We process your personal data under the following legal bases:

  • Special Category Data (health information): We process your health data based on your explicit consent and where necessary for the provision of health or social care under Article 9(2)(h) UK GDPR, in accordance with our obligations as registered health professionals.

  • Contact and administrative data: We process this data based on our legitimate interests in providing you with effective therapeutic, training, academic and research services and maintaining accurate records, and where necessary for the performance of our contract with you.

  • Informant/third-party data: Where we collect information from family members, caregivers, or other informants as part of your assessment or treatment, we do so with your explicit consent and/or the informant's consent, and on the basis that it is necessary for the provision of health care. We also collect third party information for our research services, including details of any supervisors or team members involved in your research project, on the basis that this is necessary to enable a full assessment of the conduct of your research for ethical review and/or in order to provide effective supervision/consultancy services.

​

How you can consent to us storing your data

In order to gain your consent, we will explain what you are consenting to and ask that you explicitly consent to contact from us. When you provide us with personal information we ask you to explicitly consent to us collecting it and using it for that specific reason only. If we ask for your personal information for a secondary reason, like marketing, we will either ask you directly for your expressed consent, or provide you with an opportunity to say no. If after you opt-in, you change your mind, you may withdraw your consent for us to contact you, for the continued collection, use or disclosure of your information, at any time, by contacting us at info@unlockpsychology.co.uk
 

Why we need your personal data

As health and academic professionals we are required to keep records of the work we do. We only collect and store information which is relevant to our therapeutic or assessment, training or research work together, and which will enhance your care and the services we offer. We are permitted to collect and keep this information by law. We routinely audit the effectiveness of the service we offer and for this reason retain information about the outcomes of therapy such as scores on any questionnaires we ask you to complete, or the number of therapy sessions you have. If you do not wish us to include your anonymised data in this way, please let us know.

 

What information we will store

Information Collected from Clients

When you agree to participate in assessment or therapy sessions with us, we will ask you to complete a personal information form. This includes details such as name, age, contact details, next of kin and GP. This is the only document where your full name and contact will appear. In all subsequent documentation your initials and/or a unique number ID will be used.

At assessment and during subsequent sessions you will be sharing information with us about your life experiences, thoughts and feelings. This information constitutes special category data under UK GDPR, specifically mental health information. We collect and process this data for the purposes of carrying out psychological assessments and providing therapy, in accordance with our legal basis outlined above (Article 9(2)(h) UK GDPR and your explicit consent).

These will be recorded in note form and any reference to you is made by using your initials. These records will also include our shared understanding of your difficulties (a formulation) and our plans for treatment. We implement appropriate technical and organisational measures, in an effective way in order to meet regulation requirements and protect your rights. We hold and process only the data that’s absolutely necessary for the completion of our duties (data minimisation). In general, any third-party providers used by us will only collect, use and disclose your information to the extent necessary to allow them to perform the services they provide to you. We are not responsible for the privacy practices of other sites and encourage you to read their privacy statements.
 

Information Collected from Informants and Third Parties

In some cases, as part of a comprehensive psychological assessment or treatment, we may ask for information from people who know you well, such as family members, caregivers, partners, or other professionals involved in your care. We refer to these individuals as "informants." In other cases, for reviewing ethics applications and in providing supervision/consultancy for research projects, we collect information on who else is involved in the research project in order to fully assess the team’s capabilities and to avoid overlap with others’ roles in the case of supervision and consultancy. We refer to these individuals as “supervisors or research team members.”

What informant data we collect: Informants may be asked to complete questionnaires or provide observations about your functioning, behaviour, symptoms, or history. This information typically includes:

  • Their observations of your mood, behaviour, or functioning

  • Historical information about your development or symptoms

  • Responses to standardised questionnaires or rating scales

  • Their relationship to you

We will collect supervisor’s or research team member’s name, job title, affiliation and email address, in order to enable consideration of them in providing our own research services for you.

 

Legal basis for processing informant data: We collect informant data only with your explicit consent as part of your care and services, and with the informant's consent to provide that information. Informants will be directed to this privacy policy before providing any information and will be asked to consent to us using their data for the specific purpose of your assessment or treatment. The same applies to research team members and supervisors, we will confirm that you have made them aware of our privacy notice and your application to us for research services given their involvement in your research project.

How informant data is stored: Informant questionnaires and information are stored in the same secure manner as your own data - typically as password-protected documents or in secure Google Forms/Drive folders. Informant data is treated as part of your clinical record and is subject to the same retention periods and confidentiality protections. Research team member and supervisor data is processed in the same manner as the rest of your research data.

Informant rights: Informants have the same data subject rights as outlined in this policy, including the right to access, rectify, or request deletion of their personal information, subject to our professional obligations to maintain your complete clinical/services record.

​

Information from Students

We operate as an Approved Centre for the CPCAB Level 2 Award in Effective Listening Skills (ELSK-L2), as well as providing continuing professional development courses, online self-help courses and training and workshops for organisations. For these services, we collect and process personal data relating to enrolled and prospective students. We will collect your name, contact details including email, information required for enrolment (such as a personal/academic reference for ELSK-L2, or professional qualification or employment details for certain CPD courses to ascertain eligibility), and payment information. A separate Privacy Notice will be provided prior to formal enrolment for each course. If you have any questions about our training programmes’ data processing, please email us at training@unlockpsychology.co.uk.

 

Information from Students - CBT-L5 Training Programme

We operate as an Approved Centre for the CPCAB Level 5 Diploma in Cognitive Behavioural Therapeutic Skills and Theory (CBT-L5). In connection with this programme, we collect and process personal data relating to enrolled and prospective students, their clinical supervisors, and (in anonymised or pseudonymous form) the clients seen by students during their clinical placements. This processing is distinct from, and additional to, the clinical and therapeutic processing described elsewhere in this policy.  A separate Privacy Notice covering all CBT-L5-related data processing in full is provided to students at the point of enrolment. If you are a student on, or applicant to, the CBT-L5 programme and have not yet received that notice, or have any questions about it, please contact us at training@unlockpsychology.co.uk.

 

Information for Research Services

We provide a range of research and consultancy services, including an independent research ethics committee, supervision and consultation. For the purposes of each, we will process your personal information, including your name, email address, phone number, affiliation and payment information. For each specific service, we will process details of your research projects, our own notes (including those of our ethics panel members or the supervisor in reviewing your project(s)), correspondence, the final approved protocols of studies we consult on and the project’s outcomes. A separate privacy notice is provided for all of our research services and you can contact us at info@unlockpsychology.co.uk with any questions.

 

How we will use your data within our practice

We use the data we hold about you for the following purposes:

  • To contact you about appointments and administrative matters

  • To take notes about our therapeutic work together and maintain continuity of care

  • To prepare psychological assessments, formulations, and treatment plans

  • To enrol you on our training programmes (e.g. ELSK-L2 or CBT-L5, or CPD or online courses)

  • To complete our agreed research services for you, such as consultancy or ethical review

  • To process payments and maintain financial records

  • To comply with our professional and legal obligations to maintain accurate clinical records

  • To conduct clinical supervision in accordance with professional guidelines-

  • To conduct service audits and quality improvement (using anonymised data)

  • To respond to legitimate requests from other healthcare providers (with your consent)

  • With your explicit consent, for training or research purposes

We will not use your data for any purpose beyond those outlined without obtaining your explicit consent.

 

How we will store and protect your data within our practice

Although no method of transmission over the Internet or electronic storage is 100% secure, in order to protect your personal information we take reasonable precautions and follow industry best practices to make sure it is not inappropriately lost, misused, accessed, disclosed, altered or destroyed.

​

Your data is stored in the following ways:

Electronic storage of client material: All electronic records that contain personal information are individually password protected and stored on a password protected computer, so that they can only be opened and amended by your clinician. Other clinical materials, such as questionnaires, will be stored in a Google Drive folder that only you and we have access to.

Storage of paper notes: Paper notes taken during sessions will not contain any identifiable personal information. These notes will be stored in a locked filing system which only we have access to and which is stored at a private residence.

Questionnaires: We may agree to use questionnaires as outcome measures during treatment. We will ask that you do not add personal information to these documents. These will be stored as password protected documents on a password protected computer, so they can only be accessed by your clinician.  

Video calls: We use a variety of video conferencing software such as Zoom and Google Meet to conduct our therapy or supervision sessions online. All calls are encrypted.

Emails: All our email contact will be via our publicly advertised email address info@unlockpsychology.co.uk or by the personal email account of your assigned clinician.

Appointment scheduling: Initial appointments will be arranged via the email address you provided us when you first got in contact or via telephone.

​

Audio and Video Recordings

We may, with your explicit prior consent, make audio or video recordings of therapy or assessment sessions for the following purposes:

  • Clinical supervision: To enable detailed review of therapeutic techniques and ensure the highest quality of care

  • Training purposes: Only with your separate explicit consent, recordings may be used for training other clinicians (all identifying information would be removed or obscured)

  • Your personal use: If you request a recording for your own therapeutic purposes

​

How recordings are stored: Any audio or video recordings are stored as password-protected files on encrypted, password-protected devices. Access is strictly limited to your clinician and, where relevant for supervision purposes only, to our clinical supervisor(s).

Retention period: Recordings for clinical supervision purposes are retained only as long as necessary for that supervision session and are typically deleted within 30 days unless there is a specific clinical reason to retain them as part of your record. Any recordings retained as part of your clinical record are subject to the same 8-year retention period as other clinical materials. For the CBT-L5 training programme, recordings of training sessions are retained for a maximum of 12 months from the end of the relevant course, after which they are securely and permanently deleted.

Your rights: You may withdraw consent for recording at any time, and may request that existing recordings be deleted. You have the right to request a copy of any recording we hold of you.

We will never make a recording without your explicit prior consent, which will be documented.

 

Third-Party Platforms and Service Providers

To provide our services effectively, we use the following third-party platforms and service providers. Each has been selected based on their security standards and GDPR compliance.  All third-party providers are required to implement appropriate technical and organisational security measures and process your data only on our instructions and for the specific purposes outlined. We have Data Processing Agreements in place with all third-party processors to ensure compliance with UK GDPR requirements.

Google Workspace (including Google Forms and Google Drive): We use Google Workspace to store clinical documents and questionnaires in secure, password-protected folders, administer psychometric measures via Google Forms, and share documents with you securely.

Wix: We use Wix to host our website and manage appointment bookings. When you book an appointment through our website, Wix processes your name, email address, and appointment preferences.

Xero: We use Xero accounting software to manage invoicing and financial records, storing your name, contact details, and payment information for accounting and invoicing purposes.

Starling Bank: Payment processing is handled through Starling Bank in accordance with banking regulations and PCI-DSS standards. We do not store your full banking or card details.

Virtual Assistant Services: We work with a virtual assistant to support administrative functions including appointment scheduling, general correspondence, and administrative tasks. Our virtual assistant may have access to some of your personal and health information where necessary to perform these functions, such as your name, contact details, appointment dates, and limited clinical information needed for scheduling or administrative purposes. The virtual assistant is bound by a strict confidentiality agreement and data processing obligations, has received training on handling sensitive health data securely, and accesses information only through secure, password-protected systems. If you have concerns about information being shared with our virtual assistant, please discuss this with us.

MoodleCloud: We use MoodleCloud as our learning management system to administer our training programmes. MoodleCloud stores learner information relating to students on the programme, including enrolment records, assessment submissions, progress and achievement records, attendance, and tutorial information. Access is restricted to authorised staff and the enrolled student.

We are not responsible for the privacy practices of these third-party platforms once data leaves our direct control, though we ensure they meet GDPR standards. We encourage you to review their respective privacy policies.

​

International Data Transfers: Some of the third-party platforms we use, including Google Workspace and Zoom, may transfer or store your personal data outside the United Kingdom. Where such transfers occur, we ensure that appropriate safeguards are in place in accordance with UK GDPR, including reliance on adequacy regulations or the use of the International Data Transfer Agreement (IDTA) or equivalent standard contractual clauses approved by the ICO. Further information about the specific safeguards in place for any particular transfer is available on request by contacting us at info@unlockpsychology.co.uk.

 

Who else can see your information

We must treat all your information as confidential. We can only disclose confidential information if:

- We have your permission

- The law allows it

- It is in your best interests, such as preventing you from seriously harming yourself.

- It is in the public interest, such as if it is necessary to protect public safety or prevent harm to other people.

This means that we cannot share your information unless there is a specific and valid reason for doing so. In all the above scenario’s we would endeavour to notify you and discuss this with you first. However, there may be instances where this is not possible or practical to do so.

​

As clinical psychologists and therapists we participate in supervision, which involves discussion of clinical cases with another practitioner. This is to ensure we are continuing to practice to the best of our abilities and in accordance with professional guidelines. It means that there is somebody who has an awareness of our practice and can raise any concerns if necessary, to us but also with the regulating organisation (HCPC). During supervision, we will use your first name only to describe clinical involvement and treatment plans in your case. This information will be verbally exchanged. Our supervisor(s) will not hold any clinical notes containing your personal details and will not be provided with access to the clinical records that we hold about you. Our supervisor(s) are also bound by the same rules of confidentiality and information sharing. If you object to us using your first name for this purpose then please discuss this with your clinician.

​

Website Use, Cookies, and Analytics

Our website (hosted on Wix) may use cookies and similar technologies to:

  • Remember your preferences

  • Understand how visitors use our website

  • Improve website functionality and user experience

Types of cookies we use:

  • Essential cookies: Necessary for the website to function, including appointment booking functionality

  • Analytics cookies: Help us understand how visitors interact with our website through aggregated, anonymized data

You can control cookie preferences through your browser settings. Please note that disabling certain cookies may affect website functionality, including the ability to book appointments online.

Website analytics: We may use analytics tools (provided through Wix) to collect anonymized information about website visits, including pages viewed, time spent on site, and referral sources. This data is aggregated and does not identify you personally.

 

How long your information is stored for

In addition to the ICO rules, we are also bound by the professional guidelines of the Health and Care Professions Council (HCPC) and by The British Psychological Society (BPS). These guidelines state that we must keep full, clear and accurate records for everyone that we care for, treat, or provide services to. As these records form part of your medical history and may be required by you, your doctor(s) or health care team in the future we will keep all patient electronic records for a full 8 years after your treatment has ended.

For data relating to our regulated qualifications (including our ELSK-L2 and CBT-L5 training programmes), separate retention periods apply in accordance with the requirements of our Awarding Organisation (CPCAB) and our Data Retention and Secure Storage Policy: learner registration, completion, and assessment records are retained for 7 years; internal quality assurance records are retained for 3 years. These periods run from the date of the relevant qualification achievement or, where no qualification is achieved, from the date of withdrawal or completion of the programme.

​

For data relating to our research services (including ethics approval applications), see our separate Data Retention and Secure Storage Policy.  

​

How you can modify the data we hold about you

You have the right to make amendments to the data we hold for you where necessary. You may withdraw your permission for us to hold your personal data at any time. However this must be done in a written format. We routinely share with our clients any letters or reports before they are finalised. There is an opportunity to request amendments at that point.
 

Your Data Subject Rights

Under UK GDPR, you have the following rights regarding your personal data:

Right of Access: You have the right to request copies of the data we hold about you, including how it is being processed, where, and for what purpose. We will respond to your request within 30 days in most cases. For complex requests, we may extend this by a further 60 days and will notify you of the extension.

Right to Rectification: You have the right to request correction of inaccurate or incomplete personal data.

Right to Erasure ('Right to be Forgotten'): You have the right to request deletion of your personal data in certain circumstances. However, this right may be limited by our professional obligation to retain clinical records for 8 years, and by legal requirements to maintain records.

Right to Restriction of Processing: You have the right to request that we restrict how we use your data in certain circumstances, for example if you contest the accuracy of the data or object to processing.

Right to Data Portability: You have the right to receive your personal data in a commonly used and machine-readable format (such as PDF or CSV) and to transmit it to another service provider. We will provide this free of charge.

Right to Object: You have the right to object to processing based on legitimate interests or for direct marketing purposes. Upon receiving an objection, we will cease processing unless we can demonstrate compelling legitimate grounds that override your interests.

Rights Related to Automated Decision Making: We use automated processing in limited circumstances in connection with our training programmes, specifically for the calculation of study hours, test scores and results, and qualification achievement. This processing does not produce legal or similarly significant effects on you; it is used solely to support administrative and qualification management functions. In all other respects, and in particular in relation to the provision of our clinical and therapeutic services, we do not use automated decision-making or profiling.

How to exercise your rights: To exercise any of these rights, please contact us at info@unlockpsychology.co.uk. We will respond within 30 days for straightforward requests. We do not charge a fee for most requests, though we reserve the right to charge a reasonable administrative fee for manifestly unfounded, excessive, or repeat requests, or to provide additional copies of data already supplied.

Verification: To protect your privacy, we may need to verify your identity before responding to a data subject rights request.

 

How you can retract consent to hold and process your records

We retain your personal information and health record for 8 years and thereafter they are destroyed. This is in line with UK best practice for adult health and social care records (IGA, 2016). You have a right to retract consent to hold and process your records before that time if you wish. Please let us know if you wish to do so.

 

What happens if there is a breach of security

If for any reason, there is a breach in the way your information is stored or shared then we must take immediate corrective action and also inform the ICO of this breach within 72hours. We would also inform you that a breach has taken place, how that breach occurred, what information was mistakenly disclosed and the steps made to rectify the situation. If you believe we have breached data security in any way, then please notify us immediately via email.

​

The most frequent type of data breach occurs when an email is sent to somebody else by mistake. In order to reduce the likelihood of this happening we ensure we check each email address before sending an email or where practical reply to an email that you have already sent. Generally, we will only use email to correspond about appointment times or to send widely available information sheets that may be useful to you. It is not usual for sensitive personal information to be contained in any emails. An exception to this may be prior arrangement to use email to provide additional personal information within letters or reports. Any reports or letters containing personal information will be sent from a secure email address or password protected, or you will be a sent a link to a secure Google Drive folder which will only be accessible via your email address.

​

In the unlikely event that we send an email to the wrong email address we will:

- Email the recipient as soon as possible and ask them to delete the email

- Refer to ICO within 72hours and follow their guidance

- Notify the intended recipient of the breach as soon as possible and within 72hours

 

Changes to this privacy policy

We reserve the right to modify this privacy policy at any time and changes and clarifications will take effect immediately. If we make material changes to this policy, we will notify you via email that it has been updated, so that you are aware of what information we collect, how we use it, and under what circumstances, if any, we use and/or disclose it.

 

How you can raise a complaint

Please note that the work being undertaken is in accordance with the law of England and Wales and any disputes will be subject to it. If you are concerned about the care we have provided to you, we encourage you to speak to us immediately. If you feel we have done something harmful or unethical and you do not feel comfortable discussing it with us, please contact the Health & Care Professions Council https://www.hcpc- uk.org/public/what-should-i-do-if-i-am-unhappy-with-an-hcpc-registered-professional

Complaints relating to the holding of your personal data should also be directed to us in the first instance as the Compliance Officer, via email info@unlockpsychology.co.uk We aim to respond to all complaints within 30 days. To make a complaint directly to the ICO please see https://ico.org.uk/make-a-complaint/

 

Questions and contact information

If you would like to access, correct, amend or delete any personal information we have about you, or simply want more information, contact us by email: info@unlockpsychology.co.uk. If you are a student on, or applicant to, any of our training programmes, such as CBT-L5, and have queries relating to your personal data, please contact us at training@unlockpsychology.co.uk.

bottom of page