
Privacy Policy

Dr Fiona Marfleet: Privacy Policy


If you are considering entering into a period of therapy, you will want the assurance of knowing that any personal information you provide will remain private. This privacy policy is intended to give you that peace of mind by describing how I will keep your personal information safe and secure, and to assure you that it will only be used for the purpose for which it was given to me.

Within this privacy notice, I will provide details of what I will do with your personal information, from the initial point of contact through to after your therapy has ended, including:

  • Why I am able to process your information and what purpose I am processing it for

  • Whether you have to provide it to me

  • How long I store it for

  • Whether there are other recipients of your personal information

  • Whether I intend to transfer it to another country

  • Whether I do automated decision-making or profiling, and

  • Your data protection rights.

If you have any questions about this data protection policy you can contact me via email on

The term ‘Data Controller’ is used in this notice. This term describes the person or organisation that collects and stores and has responsibility for people’s personal data. I am a sole trader and the Data Controller.

I am registered with the Information Commissioner’s Office ZB598212.


Contact details 

Name: Dr Fiona Marfleet

Address: New Inn House, 7 Wotton Road, Kingswood, Gloucestershire GL12 8RA

Phone Number: 07551 957922




Lawful Basis for processing of personal data

GDPR requires a ‘lawful basis’ for the processing of personal data. The lawful bases I rely on are as follows:

  • When enquiring about starting therapy with me: Legitimate interest

  • While having therapy with me: Contract

  • After having/completing therapy with me:  Legitimate interest

During therapy, you may disclose sensitive personal information. Within GDPR, this information is referred to as ‘special category personal information’. This could be data revealing or concerning racial or ethnic origin; political opinions; religious or philosophical beliefs; trade union membership; genetic data; biometric data; data concerning health; data concerning sex life; and data concerning sexual orientation.

The lawful basis for my processing any such data is that it is for provision of health treatment and necessary for a contract with a health professional (i.e. a contract between you and me).


How I will use your information

Initial contact

I will require your contact details and will use your contact information for contact purposes only. I will not pass your information to any third party nor remove or transfer your data to another country.
Information shared within the initial appointment will be used to form the aims and goals of the therapy and will be kept with the notes of your following sessions. Should you decide not to proceed, this data will be kept under the retention schedule (see below) and then destroyed.

While you are accessing therapy

Therapy works through open communication and the sharing of thoughts, feelings, beliefs and experiences. These inform the therapeutic process; however, you have a choice regarding how much you wish to share. Brief notes of the sessions will be kept on paper in a locked cabinet with a coded identification. Your contact details will be kept on my password-protected PC and my PIN-protected mobile phone (kept and used for business only).

When you have finished your therapy

The notes will be kept in line with the retention schedule (see below) and then destroyed. Your contact details will be kept in line with the retention schedule and then deleted from the PC and mobile phone.

Data processing

Consent in relation to communication: the individual has given clear consent for their data to be processed for the specific purposes of contact between therapist and client.

Consent in relation to records: the individual has given clear consent for records of their sessions, including initial assessment, to be processed in order to enable the provision of therapy.

I do not use your data for any automated decision-making or profiling purposes.

The type of personal information I collect 

I currently collect and process the following information:

  • Personal details

  • Contact details (email and phone)

  • Emergency contact details (should you become ill during a session)

  • Family, lifestyle and social circumstances

  • Employment and education details

I may also process sensitive classes of information that may include:

  • Physical or mental health details

  • Racial or ethnic origins

  • Religious or other beliefs of a similar nature

  • Offences and alleged offences


Your data protection rights

Under data protection law, you have rights including:

  • Your right of access - You have the right to ask me for copies of your personal information. 

  • Your right to rectification - You have the right to ask me to rectify personal information you think is inaccurate. You also have the right to ask me to complete information you think is incomplete. 

  • Your right to erasure - You have the right to ask me to erase your personal information in certain circumstances. 

  • Your right to restriction of processing - You have the right to ask me to restrict the processing of your personal information in certain circumstances. 

  • Your right to object to processing - You have the right to object to the processing of your personal information in certain circumstances.

  • Your right to data portability - You have the right to ask that I transfer the personal information you gave me to another organisation, or to you, in certain circumstances.

You are not required to pay any charge for exercising your rights.

Please contact me if you wish to make a request (see contact details above and information regarding Subject Access Requests below).


How to complain

Your privacy is important to me. I endeavour to meet the highest quality standards when processing your personal and sensitive data. Complaints and concerns can help identify areas for improvement and I welcome you raising any issues you have with me. 
If you do have any concerns about my use of your personal information, you can raise this informally or make a complaint to me (see contact details above). 

You can also complain to the ICO if you are unhappy with how I have used your data.

The ICO’s address:           

Information Commissioner’s Office

Wycliffe House

Water Lane





Helpline number: 0303 123 1113

ICO website:


Data retention schedule

  • Emails: reviewed every year at the end of March. Deleted on deletion of session notes (see below)

  • Contact details: Deleted on deletion of session notes (see below).

  • Paper diary: Destroyed 3 months following end of use.

  • Client records/session notes: Retained for 8 years after final treatment session.

  • Waiting list: Reviewed every year at the end of March. Old list destroyed and new list created, including transferring relevant data from the old list.

  • Continuing Professional Data record: Retained and updated on an ongoing basis.

  • Supervision record: Retained for 8 years.

  • Insurance policies: 40 years from date policy ended.

  • Complaints: 2 years from complaint being resolved.

  • Right to erasure request: 8 years from request being submitted and completed.

  • Subject Access Request: 8 years, alongside session notes, or 2 years from case closure if request is made after 6 years of storing data.


Data breach

All personal data is kept securely, either in paper form in a locked cabinet in a secure location or on my password-protected PC and mobile.

In the case of a data breach, I will comply with the regulations set out by the Information Commissioner’s Office under article 33 of the GDPR:

  1. In the case of a personal data breach, the data controller shall, without undue delay, and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the ICO, unless the personal data breach is unlikely to result in risk to the rights and freedoms of the individual/s. Where the notification to the ICO is not made within 72 hours, it shall be accompanied by reasons for the delay.

  2. The notification referred to in paragraph 1 shall at least:

    1. Describe the nature of the personal data breach including where possible, the approximate number of data subjects concerned and the categories (e.g. session notes, phone numbers) and approximate number of personal data records concerned;

    2. Communicate the name and contact details of the data controller where more information can be obtained;

    3. Describe the likely consequences of the personal data breach;

    4. Describe the measures taken, or proposed to be taken, by the controller to address the personal data breach, including where appropriate, measures to mitigate its possible adverse effects.

  3. Where, and in so far as, it is not possible to provide the information at the same time, the information may be provided in phases, without undue further delay.

  4. The controller shall document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken. That documentation shall enable the supervisory authority to verify compliance with this Article.

  5. In the event that a data breach will likely cause a risk to the rights and freedoms of client data, the data controller must communicate the nature of the breach in clear, concise and plain language, to the client/s involved, without delay.

  6. If a breach occurs but the data controller has gone to appropriate lengths to protect the data held on the client (e.g. password encryption of electronic files), or if the data controller has taken subsequent action to prevent the risk (e.g. immediately blocking a mobile device) then notifying the client will not be required.


Subject Access Requests 

A Subject Access Request (SAR) permits individuals to request a copy of their personal information.

A SAR must be acted upon within one calendar month in most instances. Where the request is complex, an extra two months can be taken; however, the requester must be informed of the delay.

There are no fees unless there is a disproportionate fee to the organisation for sending out the information. Application for SAR should be held alongside session records, unless application was made after 6 years of the end of treatment, in which case the SAR will be held for a further 2 years after closure of SAR.

A SAR will include information I hold about you. I will:

  • Give you a description of it;

  • Tell you why I am holding it;

  • Tell you who it could be disclosed to; and

  • Let you have a copy of the information in an intelligible form.

SARs should be put in writing to me (see contact details above). A response may be provided informally over the phone, with your agreement, or formally, by letter or email. If any information held is noted to be incorrect, an individual can request that a correction be made to their own personal information. This request should be made in writing to me.

Further information on SAR, including making a SAR, can be found here:
