Last Updated: 19th February 2026.
Client Privacy Notice
I take the privacy, including the security, of the Personal Information I hold about you seriously. This privacy notice tells you how I collect Personal Information about you and how I hold, use, and protect that Personal Information in compliance with the UK GDPR and Data Protection Act 2018. You should read this privacy notice carefully so that you know and can understand why and how I use the Personal Information I collect and hold about you.
It is important that you keep your Personal Information up to date. If any of your Personal Information changes, please contact me as soon as possible to let me know. If you do not contact me to keep your information updated, it may prevent me from providing the services you have requested.
I am Keith Johnston, a counsellor based in Coleraine, Northern Ireland. I am the Data Controller of the personal information I collect, hold and use about you, as explained in this notice.
As the Data Controller, I am registered with the Information Commissioner’s Office (ICO), the UK’s independent body set up to uphold information rights (Registration reference: ZB928100). This registration is a legal requirement for individuals or organisations that process personal data. My registration with the ICO signifies my commitment to handling your personal information responsibly and in accordance with UK data protection law, including the UK GDPR. It provides an extra layer of assurance that I am accountable for the data I hold and process.
If you have any questions about how I handle your personal information, or if you wish to exercise any rights under data protection law, please contact me at:
Key Definitions
The key terms used in this privacy notice are defined below, for ease:
- Data Controller: the organisation or person responsible for deciding how Personal Information is collected, stored, and used.
- Data Processor: a Data Controller may appoint another organisation or person to carry out certain tasks on its behalf in relation to the Personal Information.
- Personal Information / Data: any information from which a living individual can be identified. It does not apply to information that has been anonymised.
- Special Category Data: certain very sensitive Personal Information requires extra protection under data protection law. Sensitive data includes information relating to health, racial and ethnic origin, political opinions, religious and similar beliefs, trade union membership, sex life, and sexual orientation. It also includes genetic information and biometric information.
I collect personal information directly from you, typically via a client details form, and through subsequent assessment, communication or counselling sessions. The information I collect can include:
- Personal Details: Full name, address, date of birth/age, telephone number, email address, gender, pronouns, NHS number and client code (an internal identifier assigned to you).
- Emergency Contact Details: GP contact information. Details of an emergency contact and their relationship to you. Information on your emergency contact’s awareness of your counselling.
- Consent to Contact: Whether I have permission to leave voicemails, send text messages, or send emails to you. Whether you give explicit consent to contact your GP or emergency contact in an emergency.
- Medical Conditions and Current Medication: Any medical conditions and details of medications you are taking.
- Mental Health and Well-being:
  - Current mental health concerns, presenting challenges, issues, or ongoing stressors.
  - Current mood and emotional state, including responses and scores from standardised assessments.
  - Relevant family history (e.g., family of origin structure, family history of mental health conditions, suicide, self-harm, or alcohol/drug misuse).
  - Any risks or safety concerns (including self-harm, risk of suicide, risk of harm to others, or behaviours that could put you or others at risk).
  - Previous counselling experiences, and any other healthcare professionals currently supporting you.
  - Responses and scores from standardised assessments.
- Physical Health and Lifestyle Details: Your sleep patterns, appetite, eating habits and use of substances. Your daily routines or activities including work, education, caring responsibilities, hobbies or interests, that inform your well-being.
- Social & Family Context: Information about your living arrangements, personal relationships and support networks.
- Session Records: Brief notes recorded after each session to capture key topics, observations, mental or emotional states, and any risk-related concerns you share. Worksheets, images, or additional notes created or used during sessions to facilitate therapeutic work.
- Communications: Any written or digital communications exchanged between us, including letters, emails, text messages, or call logs.
- Scheduling & Attendance Records: Times and dates of booked appointments, any cancellations or rescheduling, and related attendance information.
- Relevant Court or Legal Proceedings: Family court, criminal justice or other legal matters you are involved in or that are impacting your well-being.
- Session Preferences and Accommodation Needs: Preferences for session format, pace or communication style. Sensory, communication or accessibility accommodations required to ensure your comfort or safety.
- Additional Information: Topics or issues you’d like to address in counselling, your goals or expectations for counselling, other details that may affect your well-being.
Special Category Data
Some of the information I collect is considered special category data under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. I collect and hold the following types of special category data about you:
- Health: Your medical conditions, medication, and mental and physical well-being. This includes current mental health concerns and emotional state; relevant family history (mental health, risk factors); disclosed risks (to self/others); past therapy and current support from other healthcare professionals; responses to well-being assessments; and details on sleep, appetite, eating habits, and substance use.
I may hold the following special category data if provided by you:
- Race
- Politics
- Sex life
- Ethnic origin
- Religion
- Sexual orientation
- Gender identity
In addition to the Article 6 lawful bases described below, processing special category data requires a separate condition under Article 9 of UK GDPR. I rely on the following conditions:
- Provision of Health or Social Care, in accordance with Article 9(2)(h) (read together with the Data Protection Act 2018, Schedule 1, Part 1, Paragraph 2): This is the primary condition under which I process your health and well-being data. The counselling I provide constitutes a health service delivered by a professional subject to a duty of confidentiality under the BACP Ethical Framework.
- Vital Interests, in accordance with Article 9(2)(c): In rare emergency circumstances, to protect your life or someone else’s where there is a serious, imminent risk to safety and you are unable to give consent.
- Legal Claims, in accordance with Article 9(2)(f): Where processing is necessary for the establishment, exercise or defence of legal claims, for example in response to a court order or professional complaint.
I do not routinely ask for information about criminal convictions or offences. However, if you disclose information about involvement in legal proceedings (which may include criminal proceedings) this may be noted. Such information, if it pertains to criminal convictions or offences, would be processed with utmost care to provide more informed, relevant, safe, and ethical counselling to you.
Why I Collect Your Personal Data
Purpose of Collection
- Provide Appropriate Counselling Services: To tailor our sessions and interventions to your specific needs, considering personal and family history, mental health status, information from standardised assessments and any relevant social or lifestyle factors that may influence your well-being.
- Manage Communication & Administration: To schedule appointments, confirm attendance, handle cancellations, and maintain clear channels of communication (e.g., via email or text messages).
- Keep Accurate Session Records: To document the key themes, observations, risks, and notable changes from each counselling session (e.g., keeping brief notes, worksheets, images). These notes help me deliver effective support, to ensure continuity of care and to adhere to professional standards and insurance obligations.
- Assess Risk & Ensure Safety: To identify and respond to potential risks affecting your welfare or the welfare of others (e.g., self-harm, suicidal ideation, or risk of harm to others). In urgent situations, I may contact your GP, emergency contact, or emergency services if necessary for your safety or the safety of others.
- Accommodate Individual Needs: To consider a range of personal circumstances or differences that may affect how you process, communicate, or engage with therapy, and to make adjustments that ensure sessions remain accessible, supportive, and beneficial to you.
Lawful Bases for Processing
Under UK GDPR, I must have a lawful basis for processing your personal data. I rely on the following lawful bases:
- Contract, in accordance with Article 6(1)(b): This is the primary basis for processing your personal data. It covers the provision of counselling services you have requested, including scheduling and managing your appointments, conducting counselling sessions, maintaining session records, and communicating essential session details.
- Legal Obligation, in accordance with Article 6(1)(c): To comply with legal obligations that apply to my counselling practice. This includes disclosing information when required by law, such as court orders or statutory duties related to safeguarding and the prevention of harm.
- Vital Interests, in accordance with Article 6(1)(d): In rare circumstances, to protect your life or someone else’s if there is a serious, imminent risk to safety.
- Legitimate Interests, in accordance with Article 6(1)(f): For essential practice operations supporting the provision of services, such as retaining records after counselling ends (for professional, insurance and legal purposes), maintaining clinical will arrangements for continuity of care, protecting IT systems, and ensuring the overall efficiency of the counselling service. These interests do not override your fundamental rights or freedoms.
For some of the purposes described in this notice, I may rely on more than one lawful basis, because the appropriate basis may differ depending on the circumstances.
Where I process special category data (such as health information), I do so primarily under Article 9(2)(h) of UK GDPR, as described in the Special Category Data section above. This requires both an Article 6 lawful basis and a separate Article 9 condition to be met.
- Counselling Sessions: Your data helps me tailor my therapeutic approach to support your emotional well-being and mental health.
- Session Records: I keep brief session notes and other relevant information to deliver effective support and ensure continuity of care.
- Safety & Emergencies: If I have serious concerns about your safety or someone else’s, I may use your emergency contact or GP details to seek extra support.
- Communication: I use your contact details to schedule appointments, provide updates, or respond to your queries.
- Professional Supervision: As is standard in counselling practice, in my professional supervision I may discuss clinical material in an anonymised manner to ensure effective and ethical practice. No personally identifiable data is shared.
- Healthcare Professionals, Emergency Services or Emergency Contact: If needed to protect your vital interests (e.g., imminent risk of harm), I may share limited information with your GP, your emergency contact, a hospital, or the emergency services. While I routinely collect Emergency Contact information as a precautionary measure, I only use or share this information in actual emergencies.
- Professional or Legal Requirements: Confidential information may be disclosed when required by law (e.g., a court order), or relevant professional membership bodies, including situations where it is necessary to respond to formal inquiries or legal claims.
- Third-Party Services and Data Processors: See the Third-Party Services and Data Protection section for information on how your data is processed and stored by trusted third parties.
- Clinical Will: In the unforeseen event that I become seriously incapacitated or die, I have appointed a trusted professional colleague as my Clinical Executor. This colleague is a qualified practitioner bound by the same ethical and legal standards of confidentiality and data protection under the GDPR. The Clinical Executor will have limited access to your contact information solely for the purpose of informing you of the situation and discussing suitable arrangements for your continued care, such as referrals to another qualified therapist. No therapeutic content or sensitive personal data will be disclosed. The lawful basis for this limited sharing is Legitimate Interests (Article 6(1)(f)), reflecting our mutual interest in ensuring appropriate continuity of care.
I do not sell or trade your personal data to any third parties.
Data Retention
I retain your personal data for 7 years following the end of our counselling relationship. This period reflects the 6-year limitation period for civil claims (Limitation Act 1980) plus a 1-year buffer, and also accounts for professional body complaints procedures (BACP allows complaints up to 3 years after events), professional indemnity insurance requirements, and legal considerations. After that period, I will securely destroy or permanently anonymise your data.
Your Rights
Under UK GDPR, you have the following rights regarding your personal data:
- Right to Be Informed: You have the right to clear, transparent, and easily understandable information about how I use your data (this Privacy Notice fulfils that right).
- Right to Request Access: Also known as “subject access”. You can request a copy of the personal data I hold about you and information on how I process it.
- Right to Correction: You have the right to request that any incorrect personal data is corrected, and that any incomplete personal data is completed.
- Right to Erasure (Where Applicable): In some circumstances, you may be entitled to have your data erased. However, because your health and well-being data is processed under Article 9(2)(h) for the provision of health or social care, the right to erasure does not apply to that data while it is held for this purpose (Article 17(3)(c) of UK GDPR). I may also need to retain certain records to meet professional standards, insurance requirements, or legal obligations. If you request erasure, I will consider your request carefully and explain any reasons why data must be retained.
- Right to Restrict Processing: In certain circumstances, you can ask me to limit how your data is used.
- Right to Data Portability: Where processing is based on contract, you may request that I transfer your personal data in a structured, commonly used format to you or to another provider.
- Right to Object: You may object to processing that relies on Legitimate Interests. If I can demonstrate compelling grounds for processing or if processing is otherwise required by law, your objection may not override these grounds.
To exercise any of these rights, please contact me using the contact details in the Data Controller Contact Information section. I will respond as quickly and comprehensively as possible, in accordance with my professional and legal obligations.
I may need certain information from you so that I can verify your identity. I do not charge a fee for exercising your rights unless your request is unfounded or excessive. If your request is unfounded or excessive, then I may refuse to deal with your request.
Data Storage, Security Measures and Encryption
I take reasonable and appropriate steps to protect your data against unauthorised access, loss, or misuse. Accordingly, I use multiple layers of protection to safeguard your information.
I use Jotform’s Encrypted Forms to collect new client details via end-to-end encryption (E2EE). This means form data is encrypted on the client’s device and remains encrypted in transit to Jotform and while stored by Jotform at rest. The data can only be decrypted (unlocked) by me with my access code.
As a result of this end-to-end encryption (E2EE), no one, including Jotform, can view your personal data without possessing my account password and access code.
Once received from Jotform, I move your data into a secure, local password-protected system.
Local Data Storage & Encryption
- Encrypted Local Data Storage: All local data, except for data stored on a mobile phone, is securely stored using AES-256 encryption, a widely recognised industry standard. The data remains encrypted when not in active use, ensuring it cannot be accessed without a valid encryption key.
- Data Stored on Mobile Phone: To facilitate communication between us, your initials, phone number, appointment times, our call logs, and text messages may be stored on a mobile phone without additional encryption. Access to the mobile phone is secured with biometric authentication (fingerprint recognition) or a strong passcode to prevent unauthorised access.
- Emails on Mobile Phone: Emails you send to me may also be stored on my mobile phone. These emails are stored in an encrypted format managed by the Email Service Provider’s app (see the Email, Secure Email & Calendar section). The app can only be accessed and the data decrypted using biometric authentication or a strong passcode on the device.
Secure Cloud Backup
I maintain offsite encrypted backups using a cloud backup service, ensuring that no single event (e.g., hardware failure, local disaster) will cause the permanent loss of your data.
The data is end-to-end encrypted (E2EE), ensuring that your data remains protected. The data is encrypted before it ever leaves my local system, is encrypted during transfer and remains encrypted on the cloud backup storage.
The encryption key is never shared with the cloud storage provider, which means they have absolutely no access to the data. Only I can decrypt and view the information.
Physical Notes
In the rare event I keep physical notes or printed records, these documents are stored in locked cabinets or drawers. Access is strictly limited to me.
With these measures in place, no third party can access your decrypted data. I regularly review these security practices to ensure they meet or exceed data protection requirements.
Third-Party Services and Data Protection
I use trusted third-party data processors to facilitate my services. When these services involve processing your Personal Data, I ensure that appropriate legal and security arrangements are in place to protect your information, in line with UK GDPR.
- Where a third party acts as a Data Processor on my behalf, I will have a formal Data Processing Agreement (DPA) in place. This contract outlines their responsibilities and obligations, including in respect of the security of Personal Information.
- Where a third-party service provider acts as a Data Controller for the services they provide, I undertake due diligence to ensure they have robust data protection measures, meet their own legal obligations under data protection law, and have appropriate safeguards (such as adequacy decisions, the UK-US Data Bridge, or the UK Addendum to EU Standard Contractual Clauses for international transfers, where applicable) before I use their services.
The specific role of each third party (as Data Processor or Data Controller) and the nature of my arrangement with them are further clarified below. Third parties include but are not limited to:
Jotform Ltd. (UK/EU) & Jotform Inc. (US)
Address: Jotform Ltd., 25 Cabot Square, London E14 4QZ · Jotform Inc., 4 Embarcadero Center, Suite 780, San Francisco CA 94111
Use: To collect form submissions and electronic signatures.
Role: Data Processor – storing this data and only processing it in ways I instruct.
Security: Form submissions are end-to-end encrypted (E2EE), meaning your form data is encrypted at every stage. Neither Jotform nor any third party can decrypt your submissions unless they have my private access code. For eSignatures, your name, email address and IP address are processed by Jotform.
Compliance: GDPR compliant, Data Processing Addendum (DPA) in place.
International Data Transfers: Jotform offers EU-based server storage (Frankfurt, Germany), which is covered by the UK adequacy regulations for the EEA. Where data is processed on US-based servers, Jotform relies on the UK Addendum to EU Standard Contractual Clauses to ensure your data remains protected.
Policies: Privacy Policy · GDPR Compliance
Secure Cloud Backup
Dropbox, Inc.
Address: Dropbox, Inc., 1800 Owens Street, San Francisco, CA 94158, USA.
Use: Offsite backup of locally encrypted data, ensuring that no single event (such as hardware failure or local disaster) causes permanent loss of your records.
Role: All data is encrypted locally on my system before upload. I hold the only decryption key. Dropbox stores encrypted files it cannot decrypt, access, or read. Because Dropbox cannot identify any personal data within the encrypted files, it is not acting as a data processor of your personal data. Dropbox does process limited account-level information (my account credentials and file metadata such as file sizes and timestamps) under its own privacy policy.
Security: Data is encrypted on my device using AES-256 before upload. Encrypted files are transferred to Dropbox over SSL/TLS and stored on Dropbox servers with their own server-side encryption. The combination means your data is protected both in transit and at rest, but the critical safeguard is the local encryption, which ensures that only I can access the content.
International Data Transfers: Dropbox, Inc. is certified under the UK Extension to the EU-US Data Privacy Framework (the UK-US Data Bridge). However, because the data stored by Dropbox is encrypted and unreadable without my decryption key, the international transfer risk to your personal data is effectively mitigated regardless of server location.
Policies: Privacy Policy · GDPR Compliance
Email, Secure Email & Calendar
Proton AG / Proton Europe sàrl (ProtonMail)
Address: Proton AG, Route de la Galaise 32, 1228 Plan-les-Ouates, Switzerland · Proton Europe sàrl, rue de Grünewald 94, L-1912 Luxembourg.
Use: Sending and receiving standard and secure emails and managing a secure calendar.
Role: GDPR Compliant. Under GDPR, ProtonMail primarily acts as a Data Controller for its service operation and infrastructure. However, I remain responsible for any personal data I store or transmit via ProtonMail in the course of my counselling practice.
Security: ProtonMail employs zero-access end-to-end encryption (E2EE) where possible. Messages sent between ProtonMail accounts are encrypted automatically. Emails to non-ProtonMail addresses are secured via SSL/TLS in transit but may not be fully encrypted on the recipient side. ProtonMail also offers a Secure Email service, where the email is encrypted on their servers and the recipient receives a link to view the secure email, which can only be decrypted with the correct password. To operate all email services, ProtonMail must have access to sender and recipient email addresses, the IP address incoming messages originated from, attachment names, message subjects, and message sent and received times. They do not have access to secure email message content. Calendar events are similarly protected by Proton encryption protocols, though metadata (e.g., organisers’ names, times) may be processed by Proton’s servers. I ensure strong passwords and carefully manage device and account access.
Compliance: ProtonMail operates under Swiss and GDPR-aligned privacy regulations. They have robust technical and organisational measures in place. ProtonMail is not engaged strictly as a Data Processor on my behalf. Nonetheless, I remain compliant by having technical safeguards and ensuring data subject rights and data protection principles are upheld.
International Data Transfers: ProtonMail’s servers are located in Switzerland, which holds a UK adequacy decision. This means personal data can be transferred to Switzerland without additional safeguards. Encrypted data may traverse other networks in transit, but remains protected by end-to-end encryption throughout.
Policies: Privacy Policy · GDPR Overview
Updates to This Privacy Notice
I may periodically update this Privacy Notice to reflect any changes in my practice or in professional or legal obligations.
Data processors may be added or changed but will always ensure equivalent or stronger protections are in place. For an up-to-date list of processors, please check this Privacy Notice periodically.
When I make significant updates that materially affect your privacy rights or how your data is processed, I will notify current clients directly (e.g., by email or during a session) and provide the revised notice. Previous clients may find revised notices online at www.counsellingwithkeith.com/privacy.
Questions or Concerns?
If you have any questions about this Privacy Notice or how I handle your data, please contact me at:
You can view The UK General Data Protection Regulation (UK GDPR) at: www.legislation.gov.uk/eur/2016/679/contents
You can view The Data Protection Act 2018 at: www.legislation.gov.uk/ukpga/2018/12/contents
You can view The Data (Use and Access) Act 2025 at: www.legislation.gov.uk/ukpga/2025/25/contents
For further details on data protection and your rights, you may also consult the Information Commissioner’s Office (ICO) at ico.org.uk or by calling 0303 123 1113.
For the latest version of this privacy notice or alternative formats, please visit: www.counsellingwithkeith.com/privacy