Legal & Privacy Policy

Privacy Policy

Relating to:
Andrew Harvey Psychotherapy
C/o Health Dynamics Associates
4, Staple Inn
High Holborn
07403 171499

I am a registered psychotherapist working independently in private practice. I practise mainly at: Staple Inn, High Holborn, London, WC1V 7QH. I may also work at other locations and, from time to time, online. All working arrangements will be confirmed in your ‘Contract for Therapy’. I am registered with the Information Commissioner’s Office.


Your privacy is very important to me and you can be confident that your personal information will be kept safe and secure and will only be used for the purpose it was given to me. I adhere to current data protection legislation, including the UK General Data Protection Regulation (EU/2016/679) (the UK GDPR), the Data Protection Act 2018 and the Privacy and Electronic Communications (EC Directive) Regulations 2003.

The UK General Data Protection Regulation (UK GDPR) requires me to inform you of your rights and my obligations to you with regard to the processing and control of your personal data. This Privacy Notice explains why I collect personal information, how I use it and how I keep it secure. If you have any questions about this notice, please raise them in our next session as a first step.

My lawful basis for holding and using your personal information

The UK GDPR states that I must have a lawful basis for processing your personal data at each stage in the process. I have explained these below:

  • If you have had therapy with me and it has now ended, I will use legitimate interest as my lawful basis for holding and using your personal information.
  • If you are currently having therapy or if you are in contact with me to consider therapy, I will process your personal data where it is necessary for the performance of our contract.
  • The UK GDPR also makes sure that I look after any sensitive personal information that you may disclose to me appropriately. This type of information is called ‘special category personal information’. The lawful basis for me processing any special categories of personal information is that it is for provision of health treatment (in this case counselling/psychotherapy) and necessary for a contract with a health professional (in this case, a contract between me and you).

How I use your information

First contact.

When you contact me with an enquiry about my services, I will need to collect information to help me satisfy your enquiry. This will include: name, date of birth, occupation, living arrangements and an outline of the reason why you are seeking counselling/psychotherapy. Alternatively, your General Practitioner (GP) or other health professional may send me your details when making a referral or a trusted individual may give me your details when making an enquiry on your behalf. If you decide not to proceed, I will ensure that all your personal data is deleted once you inform me of your decision.

While you are accessing counselling/psychotherapy.

I will give you a ‘Contract for Therapy’ outlining my working methods and my terms of service. I will also request your explicit consent for holding your special category data. This will be a request for the details of your GP and other relevant healthcare practitioners involved in your care. It may also include a request for the details of any relevant medication that you might be taking. This is ‘special category’ information.

I will keep a record of your personal details to help the efficient running of the counselling/psychotherapy services that I provide. These details include:

  • Personal and contact details which may include your first and last name, home address, e-mail address and telephone numbers.
  • Outcome questionnaire scores (PHQ 9 / GAD 7)
  • Brief session notes, where appropriate.
  • Financial information regarding sessions attended and paid. Depositor names may appear on my bank statements where electronic payments have been made.
  • A record of any letters, e-mails and other communications between us. For security reasons I do not retain e-mail for more than one month. If there is relevant information contained in an e-mail that needs to be retained for therapeutic or safeguarding reasons, I will scan it into the secure bacpac system and then delete the original e-mail.
  • Please note that I cannot guarantee the security of e-mail communications. Please do not use e-mail for any confidential communication.

Notes held by me for the purposes of our work together do not constitute part of your official medical record.


Rest assured that everything you discuss with me is confidential. That confidentiality will only be broken if I have reason to be concerned about the possibility of harm being caused to yourself or another or if I have concerns about the safeguarding of a child or vulnerable adult. I will always try to speak to you about this first, unless there are risk and safeguarding issues that prevent this.

How I protect your personal data.

I treat your data with the utmost care and have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. Access to your personal data is restricted so that it can only be retrieved by me.

Wherever possible all records are kept electronically. All electronic records are two-level password-protected and are stored using a cloud-based system called bacpac which is encrypted to NHS standards and approved by the British Association for Counselling and Psychotherapy (BACP). Any temporary physical records are anonymised and are kept in a locked storage unit only for as long as is necessary and then immediately shredded. All website interaction is secured using ‘https’ technology. In the unlikely event of a breach, I will notify you and any applicable regulator, where I am legally required to do so.

How long will I keep your personal data?

I keep personal and special category data for the duration of our work together and thereafter as required by statutory, legal, regulatory, government (e.g. HMRC), contractual (e.g. insurance) and governing professional bodies (e.g. BACP). I do not retain personal data for longer than is necessary. Electronic records are archived and then deleted as soon as possible. Any physical records are scanned into the bacpac system and then shredded immediately.

With whom will I share your personal data?


I will not share, transfer or sell your personal data to any third parties for marketing purposes.

Professional third parties

I may need to communicate your personal data to a health professional, for example, your GP. However, I will not disclose personal data about you without your agreement except in situations where there is a significant concern about harm to yourself or to others. Where possible, I will discuss this with you first.


Under certain circumstances I am legally obliged to share personal data (e.g. a court order).

Clinical Supervision

I am required by my Codes of Ethical Practice (BACP, UKCP, FPC) to consult on casework with senior colleagues from time to time in order to ensure that I am working to the high professional standards that are expected of me and for my continuing professional development. In all such cases, any identifying details will be disguised, anonymised or withheld. My professional colleagues are all bound by the same ethical responsibilities as I am to ensure your privacy and confidentiality.

Professional Executors

If I become unexpectedly unable to practise and unable to contact you, I have nominated two colleagues as my ‘Professional Executors’ who would contact you to let you know and to enquire about your wish for further therapy. Please note that these colleagues will have access to your contact details only and this is only in the event of my sudden incapacitation. This is a requirement of my Codes of Professional Practice (BACP, UKCP, FPC).

Your rights

The UK GDPR gives you certain rights in relation to the data I hold about you. If you wish to exercise these rights, please let me know in the session or contact me as indicated above. Under the UK GDPR you can:

  • Find out what information I hold about you
  • Access a copy of the information I hold about you
  • Rectify inaccurate or incomplete personal data
  • Object to me processing your personal information
  • Ask me to delete or restrict how I use your personal information
  • Have your personal data sent to another data controller
  • Complain to a regulator if you think I have not complied with data protection laws. You can lodge a complaint with the Information Commissioner’s Office at

Review of this Privacy Notice

I keep this Privacy Notice under regular review. It was last updated in January 2024.

Visitors to my website

When someone visits my website, I use a third-party service, Google Analytics, to collect standard internet log information and details of visitor behaviour patterns. I do this to find out things such as the number of visitors to the various parts of the site. This information is only processed in a way that does not identify anyone. I do not make, and do not allow Google Analytics to make, any attempt to find out the identities of those visiting my website.

I use legitimate interests as my lawful basis for holding and using your personal information in this way when you visit my website.

I use Google so that I can continually improve my service to you. You can read Google’s privacy notice here.

I use WordPress as the content management system for our website – find out about WordPress and data protection.

Like most websites we use cookies to help the site work more efficiently – find out about our use of cookies.

No user-specific data is collected by me or any third party. If you fill in a form on my website, that data will be temporarily stored on the web host before being sent to me.


Images courtesy of Unsplash.