Updated April 2021

This statement helps you understand what data I hold about you and what I do with it.  You can find much more information about what my legal obligations are to you on-line (go to

The type of data I collect about you

Generally, I will have your full name, your contact details and some details for an ‘emergency contact’ person, and a brief outline of what brings you to therapy.  I will let you know what information I need that is optional, and what is necessary for us to work together.

All of these details you will supply at the beginning of our work together, either in person, electronically or where you have put information on the ‘Contact me’ page of my web site.  Periodically I will check that this data is correct/ has not changed if our work is medium to long term.

I only collect what information is necessary to keep me safe as a lone worker, and to make sure I can contact you.  Information on what brings you to therapy will only be written in brief notes which are anonymised as this may include medical and other sensitive information about you.  This information is only collected to ensue that I am best qualified to be able to help you.

I do not make any ‘automated decisions’ on the data I hold about you.

How the data is stored

I keep short, written notes on sessions we have together.  These are stored in a locked cabinet and are stored under a client code (no names are used in these notes). 

I also use a password protected spreadsheet with personal details (such as your name, contact details and client code, etc), securely held.  I also have your email address stored electronically and all relevant emails will be kept electronically for the duration of our work together.

How long data is stored for

All records will be stored securely for the length of our work together and thereafter kept for 5 years in a secure location.  It is good practice and an industry standard to keep client notes and relevant emails for this long.  Incidental emails may be deleted.

NHS Covid-19 app

If we work together in person I will may you to ‘check in’ using the NHS app by scanning the QR code for each session. For more about this please see

How to get access to your information

Please ask me if you would like to know what information I hold about you or would like to update or correct any of your information.  You can do this at any time, even after we have stopped working together.  My contact details are at the bottom of this statement.

ICO Registration

I am registered with the Information Commissioners Office (ICO).  My trading name is ‘Anna Halls Counselling’ and my reference number is ZA571517.  If you wish to complain to the ICO about me or any way in which I handle your data, then you can do so via the ICO web site (

Third Parties

I regularly use DocuSign to allow you to sign documents electronically, and Zoom when working online, and am not responsible for their policies or data usage. If you are concerned about how these companies use your data then you can read more about them by clicking these links:

I also use Google Mail, and the NHS trace and test app, and as above I have no control over their data policies and usage.

If you would like to avoid using these sites for data protection or safety reasons, then please talk to me and we will find a solution.

Your rights

Below is a brief summary of your rights regarding data I hold about you.  You can request to see any data I hold about you at any time.

For further information

Please talk with me if you have any concerns or questions about your data.



Data subject rights

The GDPR gives individuals eight data subject rights, which are listed below:

  • Right to be informed: organisations must tell individuals what data is being collected, how it’s being used, how long it will be kept and whether it will be shared with any third parties.
  • Right of access: individuals have the right to request a copy of the information that an organisation holds on them.
  • Right of rectification: individuals have the right to correct data that is inaccurate or incomplete.
  • Right to be forgotten: in certain circumstances, individuals can ask for the data an organisation holds on them to be erased from their records.
  • Right of portability: individuals can request that organisation transfer any data that it holds on them to another company.
  • Right to restrict processing: individuals can request that an organisation limits the way it uses personal data.
  • Right to object: individuals have the right to challenge certain types of processing, such as direct marketing.
  • Right related to automated decision-making including profiling: individuals are free to request a review of automated processing if they believe the rules aren’t being followed.

The General Data Protection Regulation 2018