Sample: How we use your personal data and consent form 


This leaflet aims to provide details about what information >>Insert Organisation<< collects about our clients and how we use it.

>>Insert Organisation<< need to use personal information so that we can make sure our clients receive the care, information, advice, treatment and support that is right for them. We only collect information that is vital to ensuring the best possible service to our clients and the efficient operation of >>Insert Organisation<<.

To be compliant with General Data Protection Regulations, we are required to gain explicit consent from our clients to collect and use their data in the ways described below. Client consent is sought and recorded once the client has had an opportunity to consider this information and ask any questions. (See appendix 1-  consent form).  

Client Rights under General Data Protection Regulations and the Data Protection Act (2018).

>>Insert Organisation<< clients have the following data subject rights with regard to their personal data:

  • The right to be informed about the collection and use of personal information as described in this leaflet.
  • The right to access recorded data by making a Data Subject Access Request (See instructions below).  
  • The right to rectification. Where a client believes that any information recorded about them is not accurate, they can contact >>Insert Organisation<< to request that this information is rectified (See instructions below).  
  • The right to erasure. Clients can make a request at any time for data to be erased. (See instructions below).  
  • The right data portability. Clients can make a request to receive their personal data in a transportable format. Once received the client is responsible for the confidentiality of their own data (See instructions below).  
  • >>Insert Organisation<< clients have the right to object to any personal data being collected, however if this is the case, therapeutic work may be limited and, in some situations, unable to commence or continue. This is because >>Insert Organisation<< are required to keep appropriate records to comply with the requirements of our insurance provider, professional ethical body and for legal and safeguarding purposes.

Requests to access, rectify, erase or receive personal data can be made verbally to your counsellor or therapist or in writing to XXXXXXX XXXXXXXXXX or via email at [email protected]<<Insert Organisation<<.org Requests are normally responded to within 3 working days and processed within 1 month.

The types of Information we collect and how we use it

Type: Personal Data

  • Personal Contact information
  • GP Contact Information
  • Assessment Information
  • Clinical Contact information including clinical notes, risk assessment, dates of appointments and data collected at sessions.
  • Discharge information 
  • This information is highly protected and only accessible by those with involvement in the service users treatment pathway.


>>Insert Organisation<< staff may, on a need-to-know basis, access these details to

·   Manage/reschedule or cancel client bookings

·   Contact the client

·   Manage client requests

·   Improve client experience

·   Use anonymised data for other purposes, such as data analysis, identifying usage trends, determining the effectiveness of our promotional campaigns and to evaluate and improve our services and access to our services.

Type: Therapeutic data

When clients choose to participate in receiving a service from >>Insert Organisation<< a record of the progress of each session will be recorded. Counselling and therapeutic work is a highly collaborative endeavour and clients are encouraged to participate in agreeing what information from the session is pertinent for the record. It is likely to include some of the following.

·   The information shared by the client (previous experience, feelings, tendencies, counselling and psychological wellbeing history etc.)

·   Any activity practised under guidance

·   Session progress

·   Plans agreed in the session

·   Any relevant medical information

·   Overall progress using a range of outcome measures

Use: We may use or process this data for the following purposes:

·   To manage the performance and progress of the session.

·   To build an accurate picture and understanding, so that the service can be tailored to meet the client’s needs and contribute to maintaining safety.

·   Access to client data is limited to those involved in providing the service to the client.

·   Where appropriate >>Insert Organisation<< shares information about clients with other organisations involved in their care or treatment. This is usually done in consultation and agreement with the client, or a guardian or a relative where appropriate.

·   In certain circumstances >>Insert Organisation<< are required by law to report information to appropriate authorities, for example where there are issues of safety to the public.

>>Insert Organisation<< has a legal duty to maintain full and accurate records of the care they give. It is vital that >>Insert Organisation<< obtains accurate information from our clients. Accurate and up-to-date information ensures appropriate care is provided to the correct client and our resources are adequately managed. For this reason, we ask that our clients let us know any changes to their personal details as soon as possible.

Information will be gathered and may be shared in line with the General Data Protection Regulation (GDPR) as it applies in the UK, tailored by the Data Protection Act 2018 to facilitate collaborative working with our partners in Healthcare and to deliver safe and effective client care.

Other uses of patient information

To investigate complaints, legal claims or untoward incidents In order to deal with issues raised or to process a client complaint or legal claim, staff within >>Insert Organisation<< will access their medical records and may share information with staff within >>Insert Organisation<<, as well as, external third parties where applicable.

>>Insert Organisation<< takes client safety very seriously. If an incident occurs which was not expected >>Insert Organisation<< will investigate and the staff involved in a clients care, with support from >>Insert Organisation<< may require access to health care records. When reporting an incident staff have access to basic client information.

Ethnicity information

We ask for our patient ethnicity information so that we can understand the needs of clients from different groups and provide better and more appropriate services. We want everyone, no matter what their ethnic group, religion or culture, to be able to use our services easily and effectively. Ethnic group data can help staff ensure that you access appropriate services and can help us understand an individual’s needs.

Religion and Beliefs

Our clients are at the heart of everything we do. >>Insert Organisation<< understands in order to provide the best customer care, we must treat each other and our clients with dignity and respect. As part of this >>Insert Organisation<< collects information on clients’ religion, this enables us to make arrangements designed to support individual client’s spiritual needs and preferences whilst they are in our care.

Quality Improvement and Audit

The quality of care and the treatment our clients receive is sometimes reviewed through the process of quality improvement and clinical audit. This may involve the reviewing of client records. Any information collected from this review is anonymised so that individual clients cannot be identified. Anonymous statistical information may also be passed to organisations or individuals with legitimate interest, including universities, professional bodies and research institutions. Where it is not possible to use anonymised information, personal identifiable information may be used for essential healthcare purposes. This will only happen with client consent or under other special circumstances.


Some research will require clients direct involvement in which case the circumstances of information to be shared will be fully explained to the client and express consent is required. If a client does not consent they will not be included in the trial. Sometimes, researchers need access to individual medical files. The researchers must present their case to check that their research is appropriate and worthwhile prior to starting clinical trials, which is when your consent would be asked for. Sometimes it may be impractical (or even impossible) to contact individuals for their consent, in which case the researchers must be able to show that there is enough benefit to the public at large to justify accessing information without consent.

Access to records Under the General Data Protection Regulation (GDPR) as it applies in the UK, tailored by the Data Protection Act 2018  

Clients and staff are entitled to find out what information we hold about them. This is known as a “right of subject access” and it applies to all records, including health records. Although individuals are entitled to receive a copy of their records a charge may be made to cover administration costs.

Keeping information secure

Information about our clients may be processed electronically in our client management system, on paper or a mixture of both, and a combination of working practices and technology are used to ensure that client information is kept confidential and secure. Access to personal information is limited by permissions to only those staff who are involved in the delivery of the service to the client. All >>Insert Organisation<< staff have received training in information governance and data protection.

>>Insert Organisation<< takes the security of personal information very seriously. Everyone working for >>Insert Organisation<< has a legal duty to keep information about clients confidential. >>Insert Organisation<< abides by Information Rights Legislation and good practice guidance regarding the personal information. Any breaches of security or incidents relating to Information Governance are investigated, actioned and reported to >>Insert Organisation<< Board of Directors.

In order to support our staff in ensuring personal information is kept securely >>Insert Organisation<< has a number of policies which set out the requirements staff must fulfil when accessing or sharing personal information.

Furthermore, all staff receive Information Governance Training every year which includes topics such as information security, confidentiality and data protection.

How long we keep your data

We are required to keep client records for a period of XXX Years.

Compliments, comments and complaints

 We are committed to ensuring our clients receive the very best care; when issues are drawn to our attention, we make every effort to restore our high standards immediately.

For compliments, comments informal/formal complaints, please contact: >>Insert Organisation<< Admin Team, Tel: XXXXXXXXXXXX  Email: [email protected]>>Insert Organisation<<.org

Further information If you would like to know more about how we use personal information or if, for any reason, you do not wish to have your information used in any of the ways described in this leaflet, please speak to the practitioner handling your care.

You can also contact our Information Governance Lead, XXXXXXX on XXXXX XXXXXXX, email: [email protected]>>Insert Organisation<<.org

Personal Data Processing Consent form (circle answers)

I have had an opportunity to read and discuss the ‘How we use your personal data leaflet’. Yes/No*

I am aware of the type of personal information that will be collected and used by <<Insert Organisation>> Yes/No*

I understand why the information is recorded, how it is used, how it is protected and for how long it is stored. Yes/No*

I understand my rights under the General Data Protection Regulations Yes/No*

I give my consent to the following:

To participate in Counselling or Therapy   Yes/No*   

Recording of session records in the client information system  Yes/No*

To be contacted by the service Yes/No*

Sharing of information with other involved agencies Yes/No* 

Sharing info with NOK  Yes/No*