Data Protection Policy
The 2016 General Data Protection Regulations classify me as a data controller and require me to tell you how I protect your data. In the process of undertaking psychotherapy sessions, some of your personal data will be stored and processed. This document is provided in order to make as transparent as possible how I use it, where I keep it and what I do with it. For more information please refer to the EU GDPR website: https://www.eugdpr.org/
Personal Data Processed and Stored
- In my role as a psychotherapist in private practice I collect the following information which could identify you: your name, phone number, email address, and if appropriate your address and GP details. This is so that I have methods of contacting you. In case of my ill health this information can be accessed by an executor (named in my professional will) who would need this information in order to contact you. This contact information is stored electronically on a password protected file.
- I also keep professional notes of each psychotherapy session, identified by your initials and the date of the session. I use this to keep a record of our work as it progresses. This information is stored electronically and again is password protected. Only myself and my executor have access to this password.
- Your contract documents are stored on paper in a secure locked filing cabinet.
- Your phone number is stored by initials on my phone which has a lock-screen.
- You may make a Subject Access Request to access your personal data, which I would need to respond to within 30 days.
Data Retention / Deletion - I delete ‘administrative’ type texts or emails that you send me once they have been acted upon, e.g. arranging sessions. If I receive a more in-depth email relating to session content then I will store this electronically and password protect the document.
- As advised by my professional insurance the professional session notes will be kept securely in case of them being required for legal claims.
Data Sharing - As stated in my contract there are limited situations where I may share your information, such as if I believe you or someone else is at risk of significant harm. I would always inform you first that I need to share my concerns with another professional (e.g. GP or Care Coordinator).
- In rare cases I my be obliged by law to share the content of our sessions – this would be if you disclosed matters relating to terrorism or money laundering. In this unlikely event I would always inform you before doing so.
Updated June 2026
Data Protection Complaints Policy
This policy outlines how Dave Wakeham handles complaints from clients regarding the processing of their personal data, special category data (such as health and therapy notes), and the exercise of their data protection rights. This practice is committed to managing all data protection queries and complaints transparently, securely, and in accordance with the Data (Use and Access) Act 2025 (DUAA) and the UK GDPR.
1. How to Make a Complaint
If you believe your personal data has been mishandled, or if you are unhappy with how a data protection right (such as a Subject Access Request) has been handled, you can lodge a complaint directly with this practice.
To ensure your complaint is routed correctly, please use one of the following methods:
- Electronic Form: Complete the secure contact form accessed by clicking on the link on the Practice Website Side Bar.
- Email: Send an email directly to dave@westberkshirepsychotherapy.co.uk with the subject line "Data Protection Complaint".
- Post: Write to Dave Wakeham c/o Bramham Therapy, 47 Cheap Street, Newbury, Berkshire RG 14 5BX
Information Required
To protect your privacy and clinical confidentiality, we must verify your identity before investigating the complaint. Please provide:
- Your full name and contact details.
- A clear description of your data protection concern (e.g., specific records, a suspected data breach, or automated processing concerns).
- Any relevant dates or context regarding the issue.
2. Handling Process and Timelines
As a sole data controller, I personally oversee all data complaints to maintain strict therapeutic boundaries and medical confidentiality.
The handling process follows these strict statutory phases:
- Acknowledgment (Within 30 Days): We will formally acknowledge receipt of your complaint via your preferred communication method within 30 calendar days of receiving it.
- Investigation (Without Undue Delay): We will review our data systems, clinical logs, and security protocols to objectively assess the issue.
- Updates: If an investigation is complex and requires more time, we will contact you to provide an interim update and an expected resolution timeframe.
- Final Outcome: We aim to conclude investigations and issue a formal, written outcome within three months from receipt, in line with ICO Draft Guidance.
3. Resolving Outcomes
The written outcome will clearly explain our findings and any remedial actions taken. If a mistake has occurred, remedies may include:
- Correcting or deleting inaccurate data entries.
- Restricting specific data processing activities.
- Updating physical or digital security measures for clinical notes.
- Providing a formal explanation or apology.
4. Escalation to the Information Commissioner's Office (ICO)
Under the DUAA 2025, you are generally required to raise your data protection complaint directly with this practice first. However, if you remain unsatisfied with our final response, or if we fail to respond to you within the statutory timeframes, you retain the legal right to escalate the matter to the regulator:
- Website: https://ico.org.uk/make-a-complaint/
- Telephone: 0303 123 1113
5. Record Keeping
To comply with our statutory audit duties under the DUAA, this practice maintains an internal, confidential log of all data protection complaints. This log records the nature of the complaint, the dates received and acknowledged, actions taken, and the final outcome. In line with industry standards and legal accountability, these administrative logs are securely stored for six years.
Updated June 2026
Digital Policy
Keeping Boundaries:
The nature of an online presence can blur interpersonal boundaries: it is important to me to be as clear as possible about how boundaries may be challenged in an online environment. As a general rule, I like to keep clinical work in the consultation room as much as possible. However, the nature of the digital world can sometimes stretch these boundaries, so I offer the best clarity I can below. If you have any questions or suggestions arising from this they are most welcome to be brought for discussion in the therapy room.
Email:
I do not currently use an email encryption programme, so any emails we exchange may be vulnerable to viruses or human error. For this reason, I recommend you are thoughtful about what you include in emails to me, and which email addresses you choose to use with me, and that you rely on email only for non-confidential information such as setting up appointment times. Where possible it is best to keep confidential material for discussion between us in the therapy room.
Please be aware that all emails are retained in the logs of Internet Service Providers, which means that whilst it is extremely unlikely to happen, their contents are potentially accessible by system administrators. In addition there is always the risk of vulnerability to viruses and unintended forwarding or replication.
If you are very concerned about the confidentiality of your emails, you may wish to contact me by telephone instead.
Invoicing:
I usually send invoices as attachments to emails. If you would prefer not to receive invoices by email, please let me know and I can bring you a printed copy at the end of each calendar month.
Text Messages:
Text messaging can be very convenient for informing me about running late for a session or other similar reasons. For anything more involved or complex text messaging struggles to convey context, so in these cases I would advise bringing the issue to our session, or if this is not possible then phoning me and leaving a message. As above please be mindful of what material you send which you may wish not to be recorded.
Telephone and On-line Video Messaging:
At present I do offer remote sessions via encrypted video conferencing software such as Zoom, where it is not possible to meet face to face. I would want to discuss any such sessions with you in advance. This may involve you downloading particular software or logging into a web-based application. When engaging via video conferencing, we both agree not to record sessions. It is also crucial that you’re sure that the environment from which you are conferencing with me is safe, secure, and private.
I do not normally provide telephone sessions, although there are potential situations where we may need to make contact over the phone. Where possible this will be discussed in advance during our sessions together.
Facebook & Linked In:
I maintain a business Facebook page and Linked-In account for professional reasons. Although I have an online presence in this way, I would prefer that our relationship remains as much as possible between us in the therapy room. Whilst it is your choice, for reasons of confidentiality and preserving our therapeutic relationship I would advise not 'liking' my Facebook page.
I also have a private Facebook account kept for my personal life. I aim to keep this as private as possible. It would not be appropriate for me to be Facebook ‘friends’ with former or current clients. Potentially there is the possibility of an unexpected overlap between social networks. If this is the case then it would be something we would need to discuss in our sessions together.
Google:
I am aware that you will likely have ‘googled’ me before we make contact. If you have any questions or queries arising from such searches then I suggest we talk about this together as soon as possible. As a general rule I do not ‘google’ clients as I believe information about you is best communicated directly from you.
Updated June 2026
