21st March 2019 

Data protection


This is a privacy notice in accordance with the General Data Protection Regulation 2016/679 (GDPR), which is an EU regulation on data protection and privacy applicable to all individuals within the European Union and the European Economic Area.

Jonathan Dyson Therapy is the business name of sole trader Jonathan Dyson. I, Jonathan Dyson, am the data controller and processor for Jonathan Dyson Therapy.

The security of your data is of the upmost importance to me. Confidentiality and respect for privacy are fundamental to my therapeutic ethos and business practice.

The basis on which I store client data is that of “legitimate interests”. This means that the data is necessary for me to fulfil the terms of the therapeutic contract between us (ie to provide therapy) and it is data that you would reasonably expect me to hold and use.

For those who enquire about therapy, the data that I hold includes any information that you have communicated to me by email/text message/answerphone message/video-platform message.

For those who book and attend at least one session, the data I hold includes:

  • Basic information such as name, email address, phone number, video-platform contact information
  • Information that you supply to me as part of the work that we do together
  • Notes and records of our therapeutic work together
  • Emails, texts and video-platform messages sent between us
  • Information supplied by relevant third parties such as GPs, insurance companies, Employment Assistance Programmes (EAPs)
  • Information related to your online booking such as date and time

  • Health data is regarded as a special category of data by the GDPR. The condition for processing this special data is that it is necessary for medical diagnosis and the provision of healthcare or treatment “pursuant to contract with a health professional”.

    Data is not shared with anyone, except with your permission or under rare circumstances without your permission when there is a serious and immediate risk of harm to you or someone else, in accordance with the ethical code of the British Association for Counselling & Psychotherapy (BACP).

    The data that I hold is primarily used to enable me to provide therapy.


    Details of where data is held:

    In terms of communications, I use a secure web-based email client, Gmail, to send and receive emails, access to which is password-protected. Any emails sent between us are accessed from and stored on my computer and phone devices, which are passcode-protected. Email communications may also be securely archived to my Dropbox and iCloud accounts, which are password-protected. Any text messages sent between us remain on my iPhone, which is passcode-protected. Messages exchanged within video platforms Skype and FaceTime are stored on the video platforms, which are password-protected. Please refer to the relevant privacy statement for information on how each of these companies/applications holds and processes your data. Answerphone messages are deleted immediately. Other relevant information is stored on my computer and phone devices and may be archived to Dropbox and iCloud.

    My website is hosted by WebHealer. Website traffic is monitored by Google Analytics. Please refer to the relevant privacy statement for information on how these companies hold and process your data.

    Session notes are written by hand. They are not stored on any computer or phone or other electronic device. The notes are anonymised, meaning that you are identified in them only by an alpha-numeric code, which is unintelligible to anyone other than myself. The notes are securely stored in a locked filing cabinet. I do not audio-record or video-record therapy sessions.

    Certain information relating to your online booking is held securely by BookingBug and by PayPal, which processes payments. I do not have access to any personal financial information such as your card payment details. For the purposes of accounting I access certain aggregated information from PayPal but it does not contain personal client data or personal financial information. Please refer to the relevant privacy statement for information on how each of these companies holds and processes your data.

    If you access my services via a health insurance company, EAP or via a therapist directory you should refer to the relevant privacy statement for information on how these companies/organisations hold and process your data and what data they may request of me.

    Your data is kept for seven years, in accordance with professional and business requirements. After this time any paper records are shredded and computer records deleted. Anonymised session notes may be retained for longer than this for the purposes of scientific/historical research.

    If there is any breach of data security I will aim to give full details to the Information Commissioners Office and to any person affected within 72 hours of the breach and do everything within my power to minimise any potential impact.


    You have certain rights with regards to the data held:

    The right of access. I will provide you with all data I hold on you as soon as practicable following a request and ideally within 30 days, unless this is impossible due to holidays or illness.

    The right to rectification. If any data I hold on you is incorrect, please let me know and I will delete any computer records and shred any paper records as soon as I can following a request and ideally within 30 days, unless this is impossible due to holidays or illness.

    The right to erasure. If you wish me to erase your data please let me know and I will delete any computer records and shred any paper records as soon as I can following a request and ideally within 30 days, unless this is impossible due to holidays or illness. However, please note that data may be retained for scientific research, historical research or statistical purposes but this would never include session notes or personal identifying data such as your email address or phone number.

    The right to restrict processing. This would usually be a stop-gap measure before correction of any errors or before erasure.

    The right to data portability. This might apply if you want your notes sent to another therapist, for example, but this is also covered in effect by the right of access, ie I can send your data to you so that you can share it with someone else.

    The right to object to:
  • processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling). I do not engage in such activities.
  • direct marketing. I do not engage in direct marketing.
  • processing for the purposes of scientific/historical research and statistics. For this, you must provide grounds for your objection.
  • automated decision-making and profiling. I do not engage in automated decision-making or profiling.


  • This privacy statement is intended to be comprehensive and accurate under the terms of the GDPR. If you feel that this is not the case, please contact me.

    Jonathan Dyson
    10 Almeida Street
    London N1 1TA
    United Kingdom

    +44 (0)7502 992898

    [email protected]
    www.jonathandysontherapy.com