Privacy & Practice Policies

(Counselling — UK GDPR, DPA 2018, DPDI Act 2026)

1. Who I Am

I am Leonie Holmes, a UK‑based counsellor, registered with the BACP and working in line with its Ethical Framework.

Data Controller: Melanie Edmunds

Email: leonieholmescounselling@outlook.com

Website: leonieholmescounselling.com

Location: Essex, UK

I am responsible for how your personal information is collected, used, and stored.

2. Information I Collect

2.1 Contact Information

  • Name

  • Email address

  • Phone number

  • Emergency contact (optional)

2.2 Administrative Information

  • Appointment history

  • Invoices and payment records

  • Email correspondence

2.3 Clinical Information (Special Category Data)

  • Risk or safeguarding concerns

  • Protected characteristics (e.g., ethnicity, sexuality, gender identity)

All sensitive data is handled with the highest level of confidentiality.

3. Lawful Bases for Processing

I process personal data under the following lawful bases:

  • Contract — to provide counselling and psychotherapy

  • Legitimate Interests — responding to enquiries, managing appointments, maintaining records

  • Legal Obligation — safeguarding, court orders, HMRC requirements

  • Vital Interests — serious risk of harm

  • Special Category Data — Article 9(2)(h) (healthcare) and Article 9(2)(a) (explicit consent where required)

4. How Your Information Is Used

Your information is used to:

  • Provide counselling

  • Maintain clinical and administrative records

  • Communicate about appointments

  • Manage payments

  • Meet ethical, legal, and safeguarding obligations

  • Discuss anonymised material in supervision

I do not use your data for marketing.

5. Storage of Notes & Data Security

Your data is stored securely using:

  • Encrypted devices

  • Password‑protected systems

  • Secure Outlook email

  • Encrypted OneDrive cloud storage

  • Locked physical storage (if used)

Only I have access to your identifiable information.

6. Retention Periods

  • Adult counselling notes: 7 years after final session

  • Supervision notes: 7 years

  • Financial records: 6 years (HMRC requirement)

  • Enquiry emails: 12 months

  • Safeguarding records: retained per statutory guidance

7. Sharing Your Information

I will only share information when:

7.1 Required by Law

  • Serious risk of harm

  • Safeguarding concerns

  • Court orders

7.2 With Your Explicit Consent

  • GP involvement

  • Multi‑agency work

  • Professional referrals

I do not sell or trade your data.

8. Your Rights

You may request to:

  • Access your data

  • Correct inaccuracies

  • Request deletion (where appropriate)

  • Restrict or object to processing

  • Request data portability

  • Withdraw consent (where consent is the basis)

9. Website Data & Website Analytics

Your browser may automatically share:

  • IP address

  • Browser type

  • Basic usage data

No advertising or tracking cookies are used.

10. Data Breach Procedure

If a data breach occurs that risks your rights or freedoms, I will:

  • Notify you without undue delay

  • Notify the ICO within 72 hours (if required)

I will secure systems, assess impact, document the breach, and take steps to prevent recurrence.

11. Online Counselling & Supervision Policy

  • Sessions take place via WhatsApp Video using a private, password‑protected account

  • Sessions are not recorded

  • Clients must ensure privacy at their location

  • If connection drops, I will attempt reconnection for 10 minutes, then continue by phone or reschedule

  • Clients confirm their location and provide an emergency contact at each session

  • Online work may not be suitable for everyone; alternatives may be discussed

12. Diversity & Inclusion Statement

I welcome clients and supervisees of all identities, including diversity in:

  • race and ethnicity

  • gender identity and expression

  • sexual orientation

  • disability and neurodivergence

  • age

  • religion or belief

  • relationship style or family structure

  • socioeconomic background

My practice is guided by the BACP Ethical Framework, ongoing CPD, and a commitment to challenging discrimination and inequality.

13. Processor Agreements

Microsoft Outlook (Email)

Microsoft acts as a data processor, providing encrypted email services compliant with GDPR and the Microsoft Data Protection Addendum.

Microsoft OneDrive (Cloud Storage)

Microsoft acts as a data processor, providing encrypted cloud storage with secure access controls and multi‑factor authentication.

I remain the data controller.

14. Safeguarding Statement

I follow UK safeguarding legislation and the BACP Ethical Framework. I may share information if I become aware of:

  • risk of harm to you or others

  • child or vulnerable adult safeguarding concerns

  • serious crime

  • legal requirements

Where possible, I will discuss this with you first. I share only the minimum necessary information.

15. Complaints Procedure

If you have concerns about how your information is handled, please contact me at leonieholmescounselling@gmail.com. I aim to respond within 30 days.

If unresolved, you may contact:

  • Information Commissioner’s Office (ICO) — data protection concerns

  • British Association for Counselling and Psychotherapy (BACP) — ethical or professional concerns

You have the right to make a complaint at any time.

16. How to Raise Concerns

If you have concerns about our work together, you are welcome to raise them in session or by email. I will respond thoughtfully and within a reasonable timeframe. If you feel unable to speak with me directly, or the issue remains unresolved, you may contact the BACP or ICO.

18. Updates to This Policy

This policy reflects the DPDI Act changes effective 19 June 2026. Future updates will be posted on this website.