​

This Privacy Notice explains how I collect, use, store and protect your personal information when you enquire about or receive counselling services from me.

I am committed to protecting your privacy and processing your personal information fairly, lawfully and transparently in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

​

Sarah McMurray is the Data Controller for the personal information you provide in connection with counselling services.

​

Depending on the services you receive, I may collect:

• your name, address, telephone number and email address;

• date of birth;

• GP name and surgery details;

• emergency contact details;

• information about your reasons for seeking counselling;

• information relating to your health and wellbeing where relevant to counselling;

• appointment dates and attendance records;

• brief clinical notes relating to our counselling sessions;

• payment records and invoices.

 

I aim to collect only the information necessary to provide safe and effective counselling.  I collect information:

• directly from you when you contact me;

• through my client enquiry or registration form (Google Forms);

• during counselling sessions;

• through email, telephone or text communications;

• when you make payments for counselling.

​

I process your personal information in order to:

• provide counselling services safely and effectively;

• arrange and manage appointments;

• maintain appropriate clinical records;

• communicate with you regarding your counselling;

• manage payments and accounting records;

• fulfil my professional, ethical and legal obligations;

• protect you or others where there is a serious risk of harm.

​

Under UK GDPR, the lawful basis for processing your personal information is:

Article 6(1)(b) – Contract

Processing is necessary to provide the counselling services you have requested.

Where appropriate, I may also rely on:

Article 6(1)(f) – Legitimate Interests

To manage my counselling practice safely, securely and professionally.

Because counselling involves information about health and wellbeing, I also process special category personal data under:

Article 9(2)(h)

Processing necessary for the provision of health or social care or treatment and the management of health care services.

Where this lawful basis does not apply, I will explain any alternative lawful basis where required.

​

Everything discussed during counselling is treated confidentially.

Your information will not normally be shared with anyone else unless:

• you have given your permission;

• I am legally required to do so;

• there is a serious safeguarding concern;

• disclosure is necessary to prevent serious harm to you or another person;

• disclosure is required by a court.

As part of good professional practice, I receive regular clinical supervision. Information discussed in supervision is anonymised wherever possible and supervisors are also bound by professional standards of confidentiality.

​

I use Google Workspace services, including Gmail, Google Meet and Google Forms, for communication and administration.

While these services use industry-standard security measures, no electronic communication can be guaranteed to be completely secure. Please avoid sending highly sensitive information by email unless you understand and accept the associated risks.

Google may process or store some personal information outside the United Kingdom. Where international transfers occur, Google applies appropriate safeguards in accordance with UK data protection law.

​

I take appropriate technical and organisational measures to protect your personal information.

These include:

• password-protected electronic devices;

• secure electronic storage;

• locked storage for paper records;

• restricted access to client information;

• secure destruction of records when they are no longer required.

​

In line with professional guidance and insurance requirements, I normally retain counselling records for seven years after counselling has ended.

If counselling involves a child or young person, records may be retained until the client's twenty-fifth birthday or for seven years after therapy ends, whichever is longer.

After the relevant retention period, records are securely destroyed unless I am required by law to retain them for longer.

Financial records are retained for the period required by HM Revenue & Customs.

​

Under UK data protection law you have the right to:

• request access to the personal information I hold about you;

• request correction of inaccurate or incomplete information;

• request erasure of your personal information where applicable;

• request restriction of processing in certain circumstances;

• object to certain types of processing;

• request a copy of your information in a portable format where applicable.

These rights are not absolute. There may be circumstances where legal, professional or ethical obligations require me to retain certain records or limit the information that can be disclosed.

​

Some personal information is necessary for me to provide counselling safely and ethically. If you choose not to provide essential information, I may be unable to offer counselling services.

​

I do not use automated decision-making or profiling when processing your personal information.

​

If you have any questions about how I use your personal information, please contact me in the first instance.

If you remain dissatisfied, you have the right to complain to the Information Commissioner's Office (ICO).

Website: www.ico.org.uk

Telephone: 0303 123 1113

You may also raise concerns regarding my professional conduct with the British Association for Counselling and Psychotherapy (BACP).

​

I may update this Privacy Notice from time to time to reflect changes in legal requirements or professional practice. The most recent version will always be available on request.

Version 1.0 – June 2026