After each therapy session I will make some basic notes in a password-protected Word document to remind me of what we discussed. My notes are “pseudonymised”, i.e. they do not mention your name and instead use a code based on your initials. After we have finished working together, I will transfer the notes off my computer and on to a password-protected memory stick. The notes and the paper form will normally be deleted 7 years after we finish working together.
Under data legislation (specifically the General Data Protection Regulation or GDPR) I am the “data controller” for this data, and the lawful basis on which I process it is that of “legitimate interests”; in other words, I have a legitimate interest in recording and keeping this data to enable me to do my job as your therapist. When we first meet I will usually also ask for your agreement to this, and so your consent is an additional lawful basis for the processing.
You have a number of rights under the GDPR, including the right to see your data and amend it if it is incorrect. You can also ask for it to be deleted before the usual 7 years have elapsed. You can read full details of your rights and other aspects of the GDPR on the website of the Information Commissioner’s Office (ICO).
I would be required to break confidentiality and contact an external authority about you in the very unlikely event that I believed that there was a risk that you would cause serious harm to yourself or to someone else, particularly a child, or that you were involved in a murder or a terrorism or money-laundering offence. In addition I could be compelled by a Court order or a police warrant to release your data (including my notes) to the authorities.
In addition I am required by my professional counselling organisations to obtain supervision for all client work, in order to ensure that I continue to offer a high standard of counselling and therapy to all my clients. So I have regular meetings with a supervisor (an experienced therapist) at which I discuss my client work, which may include my work with you. However, I do not discuss any unnecessary personal information about you with my supervisor.
In other words, we will never have access to any of your bank card details, and no such details will ever be stored on our own server.