Privacy Policy 

This Privacy Policy is intended to clarify under the General Data Protection Regulation (GDPR) all aspects regarding the collection, protection and retention of all data provided by you as client at my private practice. I am regarded as both a Data Controller and Data Processor as I gather, store and process data in my work as counsellor and psychotherapist. 

1. Data Held

At commencement of a therapy agreement (contract), new clients will be asked for relevant personal data including name, address, contact phone number, contact email address, GP and emergency contact names and phone numbers, and any current medications. This data will be held by me in paper form in a locked filing cabinet in my home.

Personal data also includes anonymized session notes which I will maintain separately to the above, in a locked filing cabinet at my home. These brief notes are for the express purpose of reflecting on and developing the therapeutic process and to serve as a memory aid of the themes that are important and recurring.
This data will not be shared with any other party without explicit consent, unless there is a legal requirement or court order to do so (e.g. information concerning child sexual abuse), or where there is immediate risk of substantial harm to the client or to others.
I do not store, or have access to, any client’s debit or credit card details. 
Clients who avail of optional card payment facilities consent to the privacy policy of the third-party card payment company which is publicly available at (see Appendix 1).

2. Data Retention

All personal data will be held by me for a period of 7 years from the date of cessation of therapy / counselling, in line with legal requirements and the professional guidelines of the Irish Association for Counselling and Psychotherapy (IACP). They will then be securely shredded. Data will be held for longer if necessary if there is an ongoing or pending court case or complaint.

3. Electronic Data Records

Any emails or text messages received by me (either through my email account or through a website owned and managed by me, or through other websites on which I am listed (including will be deleted as soon as they have been responded to, or at maximum within a period of one month thereafter. In the event of these communications being relevant to therapy, they will be printed off and stored with session notes, with any identifiable names, address, or contact details being redacted. Names and phone numbers will be stored in the contact section of my smartphone but will not identify the individuals in any other way. The smartphone will be secured and password protected.

4. Access to Personal Data

Clients have the right to access their data records via a Subject Access Request (SAR). This access will be arranged within 30 days. Clients may request the updating or correction of data held. Clients may request the return, a hard copy or deletion of their data.  This is subject to legal requirements that I must hold data for a minimum of 7 years.

5. Data Breaches

I will notify any affected party of any serious breach of any identifiable data. This would include incidents such as theft, loss, fire, or unauthorized access by another person. The Office of the Data Protection Commissioner will be notified of any serious breach of data.

6. Client Consent Forms in Contract

All clients will be asked to sign a consent to my holding of relevant personal data as part of our therapy agreement (contract) for working together. This signed agreement will be held in a locked file at my home and a copy will be given to the client.


Appendix 1
Debit and Credit Card Payments

For those availing of optional debit and/or credit card payment facility, please note that I use the SumUp card payment service. I do not collect or store any debit or credit card numbers or other card details. Clients may pay by cash if they prefer not to use card payment facilities.

By choosing to avail of the optional card payment facility, clients consent to the SumUp privacy policy which is publicly available at

Extracts from privacy policy of SumUp card payment service (correct as at 19/05/2018):

“Cardholder Data Security

6.1.  SumUp is responsible for the security of cardholder data which is processed, transmitted and stored within our systems. To this end, SumUp is certified as compliant under the Payment Card Industry Data Security Standard (PCI-DSS). SumUp applies best industry practice to safeguard this sensitive data and to ensure that it operates in line with these requirements, and to this end SumUp undergoes annual audits to ensure that we continue to meet this high standard.

6.2   SumUp is required to maintain all Transactional Data for AML purposes for a minimum period of 5 years after the relationship with you, our Customer, ends. We maintain your Cardholder customers information, in some instances name, email or telephone number which is used for receipt issuing purposes, in line with this legal requirement.”

Copyright Andrew McLellan