Data & Privacy
How I handle your information
This page explains how Susan Whitby Consulting collects, stores, and protects your personal data in line with UK GDPR and the Data (Use and Access) Act 2025.
I am ICO-registered, GDPR-compliant and DUAA 2025-compliant
Privacy Policy
Last updated: 19 June 2026
1. Who I am
This is the privacy policy of Susan Whitby, a registered psychoanalytic psychotherapist providing therapy services.
Contact email: susanvwhitby@outlook.com
ICO registration number: ZB074558
I am registered with the Information Commissioner's Office (ICO) as a data controller, which means I am responsible for deciding how your personal data is used and for keeping it safe.
2. What personal data I collect
I collect and process the following types of personal data:
Contact and identity information:
Your name, address, telephone number, and email address
Emergency contact details
Health and therapy-related information:
Presenting issues and reasons for seeking therapy
Relevant medical and mental health history
Session notes documenting our therapeutic work together
Assessment information and treatment plans
Any correspondence between us relating to your care
Important: Health and therapy-related information is classified as "special category data" under Article 9(1) of the UK GDPR. This type of data receives enhanced legal protection because of its sensitive nature. I take additional care to ensure this information is kept secure and confidential.
Enquiry information:
Details you submit via the contact form on my website, including your name, email address, and the content of your message
3. How I collect your data
I collect your personal data directly from you in the following ways:
When you first contact me to enquire about therapy
During my initial consultation and intake process
Throughout our therapy sessions together
Via email, telephone, or other direct communication
When you complete intake forms or questionnaires
When you submit an enquiry through the contact form on my website
I do not collect personal data about you from third parties unless you have given explicit consent for this, or in exceptional safeguarding circumstances.
4. Why I process your data — lawful basis
Under UK GDPR, I must have a valid legal reason (known as a "lawful basis") for processing your personal data. Because therapy involves health-related information, I rely on two separate legal bases:
Article 6 basis — for general personal data:
Article 6(1)(b) UK GDPR — processing is necessary for the performance of the therapeutic contract between us. This means I need to process your data to provide you with the therapy services you have engaged me to deliver.
Article 9 basis — for special category health data:
Article 9(2)(h) UK GDPR — processing is necessary for the provision of health or social care treatment by a health professional. This allows me, as a registered psychotherapist, to process your health information as part of your therapy.
5. Professional obligations and CPD
I am required by the United Kingdom Council for Psychotherapy (UKCP) to attend regular clinical supervision. This is an essential part of maintaining high standards of care and continuing professional development.
When I discuss therapeutic work with my supervisor:
Your name and any identifying details are NOT shared with my supervisor
I use anonymised or pseudonymised case material only
My supervisor is a qualified professional bound by the same confidentiality obligations as I am
My supervisor is bound by their own professional body's ethical framework
Supervision helps me reflect on my practice and ensures you receive the best possible care. Your privacy is fully protected throughout this process.
I am bound by the UKCP Code of Ethics
6. Clinical will — what happens to your records if I am unable to practise
I am currently putting clinical will arrangements in place. A clinical will ensures that, in the event I am suddenly unable to practise due to serious illness, incapacity, or death, your records will be handled appropriately by a designated colleague who is also bound by professional confidentiality obligations.
Once these arrangements are finalised, I will inform clients of the details. If you have any questions about this in the meantime, please contact me.
7. Who I share your data with
I treat everything you share with me in therapy as confidential. However, I use certain third-party services to operate my practice and website:
Squarespace — my website runs on Squarespace, an all-in-one content management system and website hosting provider. Squarespace may collect certain technical data about visitors, including basic analytics and certain cookies, to ensure the website is running smoothly.
Each of these services is bound by a data processing agreement. Links to their privacy policies are available on request.
I never sell your personal data.
I will not share your therapy records with anyone without your explicit consent, except in the limited circumstances described in Section 12 (Confidentiality exceptions) below.
8. International data transfers
Some of the third-party services I use may transfer personal data outside the United Kingdom:
Squarespace – data may be transferred to the USA
The USA does not currently have a UK adequacy decision. Where data is transferred to the USA, I rely on Standard Contractual Clauses (SCCs) or International Data Transfer Agreements (IDTAs) as appropriate safeguards, in accordance with UK GDPR Chapter V and the updated requirements of the Data (Use and Access) Act 2025.
You can request a copy of the relevant transfer safeguards by contacting me.
9. How long I keep your data
I retain your personal data only for as long as necessary. The retention periods are:
• Therapy records (adult clients)
Retention period: 7 years after our last session
Reason: Per British Psychological Society (BPS) guidance and professional indemnity insurance requirements
• Financial records
Retention period: 6 years
Reason: HMRC legal requirement
• Website enquiries (non-clients)
Retention period: 12 months
Reason: Legitimate business purposes
After the applicable retention period, records are securely destroyed. Paper records are shredded using a cross-cut shredder, and electronic records are permanently deleted using secure methods.