top of page

Privacy Policy

Please ensure you read our privacy policy below concerning our assessment and therapy services. If you have any questions or would like to discuss anything further, please email us at info@unlockpsychology.co.uk and we will be happy to discuss.

Who we are and what service we are providing

Unlock Psychology Ltd is a registered company in England and Wales. It consists of Clinical Psychologists registered with the Health and Care Professions Council (HCPC). We provide psychological assessments and therapy online and face to face in clinic spaces, as well as therapy group programmes, training and consultancy for businesses.
‘We’ refers to Unlock Psychology Ltd and the clinicians that work within it. All individual clinicians therefore follow the below policy.

 

Data Protection & Privacy

We are registered with the Information Commissioners Office (ICO), under registration number ZB284682, the UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals. As a member of the public, you can complain to the ICO if you are unhappy with how an organisation has handled your information. For example, if your information is wrong, lost or has been disclosed to someone else, or if you have not been given access to your personal data.

We respect and comply with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Data (Use and Access) Act 2025. This document outlines how we comply with these regulations.

​

 Legal Basis for Processing Your Data

We process your personal data under the following legal bases:

  • Special Category Data (health information): We process your health data based on your explicit consent and where necessary for the provision of health or social care under Article 9(2)(h) UK GDPR, in accordance with our obligations as registered health professionals.

  • Contact and administrative data: We process this data based on our legitimate interests in providing you with effective therapeutic services and maintaining accurate records, and where necessary for the performance of our contract with you.

  • Informant/third-party data: Where we collect information from family members, caregivers, or other informants as part of your assessment or treatment, we do so with your explicit consent and/or the informant's consent, and on the basis that it is necessary for the provision of health care.

​

How you can consent to us storing your data

In order to gain your consent, we will explain what you are consenting to and ask that you explicitly consent to contact from us. When you provide us with personal information we ask you to explicitly consent to us collecting it and using it for that specific reason only. If we ask for your personal information for a secondary reason, like marketing, we will either ask you directly for your expressed consent, or provide you with an opportunity to say no. If after you opt-in, you change your mind, you may withdraw your consent for us to contact you, for the continued collection, use or disclosure of your information, at any time, by contacting us at info@unlockpsychology.co.uk
 

Why we need your personal data

As health professionals we are required to keep records of the work we do. We only collect and store information which is relevant to our therapeutic or assessment work together, and which will enhance your care. We are permitted to collect and keep this information by law. We routinely audit the effectiveness of the service we offer and for this reason retain information about the outcomes of therapy such as scores on any questionnaires we ask you to complete, or the number of therapy sessions you have. If you do not wish us to include your anonymised data in this way, please let us know.

 

What information we will store

Information Collected from Clients

When you agree to participate in assessment or therapy sessions with us, we will ask you to complete a personal information form. This includes details such as name, age, contact details, next of kin and GP. This is the only document where your full name and contact will appear. In all subsequent documentation your initials and/or a unique number ID will be used.

At assessment and during subsequent sessions you will be sharing information with us about your life experiences, thoughts and feelings. This information constitutes special category data under UK GDPR, specifically mental health information. We collect and process this data for the purposes of carrying out psychological assessments and providing therapy, in accordance with our legal basis outlined above (Article 9(2)(h) UK GDPR and your explicit consent).

These will be recorded in note form and any reference to you is made by using your initials. These records will also include our shared understanding of your difficulties (a formulation) and our plans for treatment. We implement appropriate technical and organisational measures, in an effective way in order to meet regulation requirements and protect your rights. We hold and process only the data that’s absolutely necessary for the completion of our duties (data minimisation). In general, any third-party providers used by us will only collect, use and disclose your information to the extent necessary to allow them to perform the services they provide to you. We are not responsible for the privacy practices of other sites and encourage you to read their privacy statements.
 

Information Collected from Informants and Third Parties

In some cases, as part of a comprehensive psychological assessment or treatment, we may ask for information from people who know you well, such as family members, caregivers, partners, or other professionals involved in your care. We refer to these individuals as "informants."

What informant data we collect: Informants may be asked to complete questionnaires or provide observations about your functioning, behaviour, symptoms, or history. This information typically includes:

  • Their observations of your mood, behaviour, or functioning

  • Historical information about your development or symptoms

  • Responses to standardised questionnaires or rating scales

  • Their relationship to you

​

Legal basis for processing informant data: We collect informant data only with your explicit consent as part of your care, and with the informant's consent to provide that information. Informants will be directed to this privacy policy before providing any information and will be asked to consent to us using their data for the specific purpose of your assessment or treatment.

How informant data is stored: Informant questionnaires and information are stored in the same secure manner as your own data - typically as password-protected documents or in secure Google Forms/Drive folders. Informant data is treated as part of your clinical record and is subject to the same retention periods and confidentiality protections.

Informant rights: Informants have the same data subject rights as outlined in this policy, including the right to access, rectify, or request deletion of their personal information, subject to our professional obligations to maintain your complete clinical record.

 

How we will use your data within our practice

We use the data we hold about you for the following purposes:

  • To contact you about appointments and administrative matters

  • To take notes about our therapeutic work together and maintain continuity of care

  • To prepare psychological assessments, formulations, and treatment plans

  • To process payments and maintain financial records

  • To comply with our professional and legal obligations to maintain accurate clinical records

  • To conduct clinical supervision in accordance with professional guidelines

  • To conduct service audits and quality improvement (using anonymised data)

  • To respond to legitimate requests from other healthcare providers (with your consent)

  • With your explicit consent, for training or research purposes

We will not use your data for any purpose beyond those outlined without obtaining your explicit consent.

 

How we will store and protect your data within our practice

Although no method of transmission over the Internet or electronic storage is 100% secure, in order to protect your personal information we take reasonable precautions and follow industry best practices to make sure it is not inappropriately lost, misused, accessed, disclosed, altered or destroyed.

​

Your data is stored in the following ways:

• Electronic storage of client material: All electronic records that contain personal information are individually password protected and stored on a password protected computer, so that they can only be opened and amended by your clinician. Other clinical materials, such as questionnaires, will be stored in a Google Drive folder that only you and we have access to.

• Storage of paper notes: Paper notes taken during sessions will not contain any identifiable personal information. These notes will be stored in a locked filing system which only we have access to and which is stored at a private residence.

• Questionnaires: We may agree to use questionnaires as outcome measures during treatment. We will ask that you do not add personal information to these documents. These will be stored as password protected documents on a password protected computer, so they can only be accessed by your clinician.  

• Video calls: We use a variety of video conferencing software such as Zoom and Google Meet to conduct our therapy or supervision sessions online. All calls are encrypted.

• Emails: All our email contact will be via our publicly advertised email address info@unlockpsychology.co.uk or by the personal email account of your assigned clinician.

• Appointment scheduling: Initial appointments will be arranged via the email address you provided us when you first got in contact or via telephone.

​

Audio and Video Recordings

We may, with your explicit prior consent, make audio or video recordings of therapy or assessment sessions for the following purposes:

  • Clinical supervision: To enable detailed review of therapeutic techniques and ensure the highest quality of care

  • Training purposes: Only with your separate explicit consent, recordings may be used for training other clinicians (all identifying information would be removed or obscured)

  • Your personal use: If you request a recording for your own therapeutic purposes

How recordings are stored: Any audio or video recordings are stored as password-protected files on encrypted, password-protected devices. Access is strictly limited to your clinician and, where relevant for supervision purposes only, to our clinical supervisor(s).

Retention period: Recordings for clinical supervision purposes are retained only as long as necessary for that supervision session and are typically deleted within 30 days unless there is a specific clinical reason to retain them as part of your record. Any recordings retained as part of your clinical record are subject to the same 8-year retention period as other clinical materials.

Your rights: You may withdraw consent for recording at any time, and may request that existing recordings be deleted. You have the right to request a copy of any recording we hold of you.

We will never make a recording without your explicit prior consent, which will be documented.

 

Third-Party Platforms and Service Providers

To provide our services effectively, we use the following third-party platforms and service providers. Each has been selected based on their security standards and GDPR compliance.  All third-party providers are required to implement appropriate technical and organisational security measures and process your data only on our instructions and for the specific purposes outlined. We have Data Processing Agreements in place with all third-party processors to ensure compliance with UK GDPR requirements.

Google Workspace (including Google Forms and Google Drive): We use Google Workspace to store clinical documents and questionnaires in secure, password-protected folders, administer psychometric measures via Google Forms, and share documents with you securely.

Wix: We use Wix to host our website and manage appointment bookings. When you book an appointment through our website, Wix processes your name, email address, and appointment preferences.

Xero: We use Xero accounting software to manage invoicing and financial records, storing your name, contact details, and payment information for accounting and invoicing purposes.

Starling Bank: Payment processing is handled through Starling Bank in accordance with banking regulations and PCI-DSS standards. We do not store your full banking or card details.

Virtual Assistant Services: We work with a virtual assistant to support administrative functions including appointment scheduling, general correspondence, and administrative tasks. Our virtual assistant may have access to some of your personal and health information where necessary to perform these functions, such as your name, contact details, appointment dates, and limited clinical information needed for scheduling or administrative purposes. The virtual assistant is bound by a strict confidentiality agreement and data processing obligations, has received training on handling sensitive health data securely, and accesses information only through secure, password-protected systems. If you have concerns about information being shared with our virtual assistant, please discuss this with us.

We are not responsible for the privacy practices of these third-party platforms once data leaves our direct control, though we ensure they meet GDPR standards. We encourage you to review their respective privacy policies.

 

Who else can see your information

We must treat all your information as confidential. We can only disclose confidential information if:

- We have your permission

- The law allows it

- It is in your best interests, such as preventing you from seriously harming yourself.

- It is in the public interest, such as if it is necessary to protect public safety or prevent harm to other people.

This means that we cannot share your information unless there is a specific and valid reason for doing so. In all the above scenario’s we would endeavour to notify you and discuss this with you first. However, there may be instances where this is not possible or practical to do so.

As clinical psychologists and therapists we participate in supervision, which involves discussion of clinical cases with another practitioner. This is to ensure we are continuing to practice to the best of our abilities and in accordance with professional guidelines. It means that there is somebody who has an awareness of our practice and can raise any concerns if necessary, to us but also with the regulating organisation (HCPC). During supervision, we will use your first name only to describe clinical involvement and treatment plans in your case. This information will be verbally exchanged. Our supervisor(s) will not hold any clinical notes containing your personal details and will not be provided with access to the clinical records that we hold about you. Our supervisor(s) are also bound by the same rules of confidentiality and information sharing. If you object to us using your first name for this purpose then please discuss this with your clinician.

​

Website Use, Cookies, and Analytics

Our website (hosted on Wix) may use cookies and similar technologies to:

  • Remember your preferences

  • Understand how visitors use our website

  • Improve website functionality and user experience

Types of cookies we use:

  • Essential cookies: Necessary for the website to function, including appointment booking functionality

  • Analytics cookies: Help us understand how visitors interact with our website through aggregated, anonymized data

You can control cookie preferences through your browser settings. Please note that disabling certain cookies may affect website functionality, including the ability to book appointments online.

Website analytics: We may use analytics tools (provided through Wix) to collect anonymized information about website visits, including pages viewed, time spent on site, and referral sources. This data is aggregated and does not identify you personally.

 

How long your information is stored for

In addition to the ICO rules, we are also bound by the professional guidelines of the Health and Care Professions Council (HCPC) and by The British Psychological Society (BPS). These guidelines state that we must keep full, clear and accurate records for everyone that we care for,  treat, or provide services to. As these records form part of your medical history and may be required by you, your doctor(s) or health care team in the future we will keep all patient electronic records for a full 8 years after your treatment has ended.
 

How you can modify the data we hold about you

You have the right to make amendments to the data we hold for you where necessary. You may withdraw your permission for us to hold your personal data at any time. However this must be done in a written format. We routinely share with our clients any letters or reports before they are finalised. There is an opportunity to request amendments at that point.
 

Your Data Subject Rights

Under UK GDPR, you have the following rights regarding your personal data:

Right of Access: You have the right to request copies of the data we hold about you, including how it is being processed, where, and for what purpose. We will respond to your request within 30 days in most cases. For complex requests, we may extend this by a further 60 days and will notify you of the extension.

Right to Rectification: You have the right to request correction of inaccurate or incomplete personal data.

Right to Erasure ('Right to be Forgotten'): You have the right to request deletion of your personal data in certain circumstances. However, this right may be limited by our professional obligation to retain clinical records for 8 years, and by legal requirements to maintain records.

Right to Restriction of Processing: You have the right to request that we restrict how we use your data in certain circumstances, for example if you contest the accuracy of the data or object to processing.

Right to Data Portability: You have the right to receive your personal data in a commonly used and machine-readable format (such as PDF or CSV) and to transmit it to another service provider. We will provide this free of charge.

Right to Object: You have the right to object to processing based on legitimate interests or for direct marketing purposes. Upon receiving an objection, we will cease processing unless we can demonstrate compelling legitimate grounds that override your interests.

Rights Related to Automated Decision Making: We do not use automated decision-making or profiling in our services.

How to exercise your rights: To exercise any of these rights, please contact us at info@unlockpsychology.co.uk. We will respond within 30 days for straightforward requests. We do not charge a fee for most requests, though we reserve the right to charge a reasonable administrative fee for manifestly unfounded, excessive, or repeat requests, or to provide additional copies of data already supplied.

Verification: To protect your privacy, we may need to verify your identity before responding to a data subject rights request.

 

How you can retract consent to hold and process your records

We retain your personal information and health record for 8 years and thereafter they are destroyed. This is in line with UK best practice for adult health and social care records (IGA, 2016). You have a right to retract consent to hold and process your records before that time if you wish. Please let us know if you wish to do so.

 

What happens if there is a breach of security

If for any reason, there is a breach in the way your information is stored or shared then we must take immediate corrective action and also inform the ICO of this breach within 72hours. We would also inform you that a breach has taken place, how that breach occurred, what information was mistakenly disclosed and the steps made to rectify the situation. If you believe we have breached data security in any way, then please notify us immediately via email.

The most frequent type of data breach occurs when an email is sent to somebody else by mistake. In order to reduce the likelihood of this happening we ensure we check each email address before sending an email or where practical reply to an email that you have already sent. Generally, we will only use email to correspond about appointment times or to send widely available information sheets that may be useful to you. It is not usual for sensitive personal information to be contained in any emails. An exception to this may be prior arrangement to use email to provide additional personal information within letters or reports. Any reports or letters containing personal information will be sent from a secure email address or password protected, or you will be a sent a link to a secure Google Drive folder which will only be accessible via your email address.

In the unlikely event that we send an email to the wrong email address we will:

- Email the recipient as soon as possible and ask them to delete the email

- Refer to ICO within 72hours and follow their guidance

- Notify the intended recipient of the breach as soon as possible and within 72hours

 

Changes to this privacy policy

We reserve the right to modify this privacy policy at any time and changes and clarifications will take effect immediately. If we make material changes to this policy, we will notify you via email that it has been updated, so that you are aware of what information we collect, how we use it, and under what circumstances, if any, we use and/or disclose it.

 

How you can raise a complaint

Please note that the work being undertaken is in accordance with the law of England and Wales and any disputes will be subject to it. If you are concerned about the care we have provided to you, we encourage you to speak to us immediately. If you feel we have done something harmful or unethical and you do not feel comfortable discussing it with us, please contact the Health & Care Professions Council https://www.hcpc- uk.org/public/what-should-i-do-if-i-am-unhappy-with-an-hcpc-registered-professional

Complaints relating to the holding of your personal data should also be directed to us in the first instance as the Compliance Officer, via email info@unlockpsychology.co.uk We aim to respond to all complaints within 30 days. To make a complaint directly to the ICO please see https://ico.org.uk/make-a-complaint/

 

Questions and contact information

If you would like to: access, correct, amend or delete any personal information we have about you or simply want more information contact us by email: info@unlockpsychology.co.uk

bottom of page