Unfortunately, we are currently full and unable to take on any new clients. Please check on here again to see updates. Many thanks. Fresh Thinking Therapy.
01695 351395 liz@freshthinkingtherapy.co.uk

Privacy Policy

Data Protection Policy 

This data protection policy is designed to ensure that the rights to privacy of individuals are protected. Fresh Thinking Therapy is committed to the principles set out in the General Data Protection Regulation (GDPR) and have reviewed the company’s personal data processing activities as a limited company providing psychological assessment, treatment and reports in compliance with the provisions of the regulation.

Assessment/Therapy Cases

    • Names, addresses, dates of birth and other personal data as provided by the client/patient or their rehabilitation company/insurer/solicitor. 
    • Health information as provided by the client/patient or their rehabilitation company/insurer/solicitor.
    • Personal data in invoices and copy receipts, accounting records, tax returns and related information.

Legal cases

    • Names, addresses, dates of birth and other personal data contained in witness statements and other evidence relevant to the legal issues;
    • Health information contained in medical records, together with information on sex, race and ethnic origin;
    • Personal data in invoices and copy receipts, accounting records, tax returns and related information.

Special category data: information revealing an individual’s racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic and biometric data, health information and data in relation to a person’ s sex or sexual orientation.

The special category personal data the company holds includes: 

    • Medical and other health records
    • Information on sex, race and ethnic origin

 Processing: covers any activity involving personal data, including holding, storage and destruction. The Information Commissioner says it is difficult to image an activity involving personal data that does not fall within the definition.

Therapists and the office manager processes personal data in order to carry out their work as a manager, provider of psychological assessments, therapy and expert witness work and when carrying out other functions necessary to my business.

 The data processing activities include: compiling and storing assessment and therapy notes and reports, compiling and storing expert reports, sending and receiving emails externally, submitting invoices and filing them with receipts, uploading documents onto the cloud, holding supervisees’ details on hard copy/electronic files, archiving and destroying information, making appointments.

 Sharing of personal data: Fresh Thinking Therapy shares personal data externally only when necessary to achieve  business purposes. In particular, data is shared with the following: 

    • Digital typing/transcription services
    • Rehabilitation companies and solicitors
    • Cloud storage providers
    • Accountants and other professional advisers
    • HMRC
    • GP’s or professionals who contribute to your care.

Special category data is encrypted before it is shared. There is no transfer of data abroad.

 Data controller: decides the why and the how of personal data processing. A controller can be a sole trader, a partnership, a private or public limited company or a large multi-national organisation. It decides why it needs to collect personal data and how to process it. As a limited company The director of Fresh Thinking Therapy is the data controller for the purposes of this policy.

Data processor: processes personal data in accordance with the written instructions of the data controller. The therapist, the Office Manager and Director are data processors.

Legitimising conditions: The processing of personal data is unlawful unless a legitimising condition, or lawful basis, applies. Fresh Thinking Therapy generally rely on the following legitimising conditions:

    • Legitimate interest as a business

When processing special category data, Fresh Thinking Therapy generally relies on one of the following additional legitimising conditions:

    • Legal claims
    • Explicit consent
    • Processing as necessary for the purposes of medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services

Fresh Thinking Therapy avoids relying on the consent basis where possible. In order to be valid, consent must be freely given and as easily withdrawn as it was to give it.

 Data protection principles: Where there is a lawful basis for processing personal data, Fresh Thinking Therapy takes proportionate steps to ensure we carry out our personal data processing activities in accordance with the various conditions or principles contained in the GDPR.

Accountability: This principle is designed to ensure that data protection is embedded in an organisation at all levels of decision making and becomes fundamental to its culture. Not only must Fresh Thinking Therapy comply with the General Data Protection Regulation but we must be able to show that we comply. It is for this reason that this policy, and the appended policies have been written. The director ensures that these policies are implemented.

Data protection by design: This is an aspect of the accountability principle. It means that data protection risks are evaluated and eradicated and reduced at the very earliest stage, whenever there is a significant change in processes or procedures which entail a risk to data subjects. Examples: a substantial upgrade to an IT system, outsourcing such as engaging a new cloud provider. Data Protection Impact Assessments are carried out by the data protection lead in these and other circumstances where there is likely to be a high risk to data subjects.

Data protection by default: minimisation: Another important principle is data minimisation. In other words, no more data should be collected, shared and stored than is strictly necessary. The retention period for the personal data we store is seven years (or seven years following your 18th birthday if you are a child), as necessary due to legal and professional requirements.

Security: This is one of the most important principles. We have taken physical, organisational and technical measures to ensure that personal data is secure. Hard copy as well as electronic data is processed in accordance with the company’s security policy.

Personal data breach: The data protection lead is responsible for responding to personal data breaches. Fresh Thinking Therapy will notify the Information Commissioner as necessary, and also data subjects where the risk to them is high.

Breaches which carry any risk to data subjects will be reported to the Information Commissioner’s Office (ICO) within 72 hours, together with a summary of the nature of the breach, the steps taken to reduce the risk to data subjects, and measures to prevent the breach from happening again. The company has a data breach policy.

Rights of data subjects: Data subjects have eight rights which include:

  • Right to be informed about what the company does with personal data;
  • Right of access to personal data by means of a subject access request;
  • Right to rectification of inaccurate data, and to add to the information the company holds about the data subject if it is incomplete;
  • Right to erasure, otherwise known as the right to be forgotten;
  • Right to restrict the processing of personal data;
  • Right to object to the processing the company carries out based on its legitimate interest.

The company must respond to requests from data subjects within one month. There is a procedure in place for responding to requests.

Data Protection Risk Register: All personal data processing activities are recorded in the data protection risk register. Personal data breaches are recorded in the risk register, whether they are reportable or not. The risk register contains a copy of all audits, risk assessments and Data Protection Impact Assessments. The data protection lead holds the risk register.

Enforcement and disciplinary action: Failure to comply with the General Data Protection Regulation is a criminal offence in many cases and can result in large fines.


Data Breach Policy

1. When there is a personal data breach, as the Information Commissioners Office (ICO) advises, Fresh Thinking Therapy will :

Tell it all. Tell it fast. Tell the truth.

  1. The designated data protection lead (Elisabeth Thompson)  is responsible for handling personal data breaches. In particular, she will evaluate what the breach is and how it occurred, and the associated risk to data subjects and the company.
  1. If there is a risk to data subjects, the breach will be reported to the ICO within 72 hours. If the report is late, an explanation will be given as to why.
  1. Where the risk to data subjects is high, the breach will be reported to them individually if at all possible. If there is a large number of data subjects at risk, it may not be logistically possible to do so, in which case a press release will be given and notification provided on the company website.
  1. Encryption of personal data will likely significantly reduce the risk to data subjects following a breach, and we encrypt all personal data such as identification records and medical and health records.
  1. The ICO will want to know how the breach occurred, what steps are being taken to reduce the risk, and how a similar breach is to be avoided in future. The initial report will contain no more than a summary of the position. The data protection lead will seek authority to obtain legal advice before submitting the initial and any subsequent reports.
  1. A thorough investigation and corrective action will be necessary so as to reduce the risks to data subjects arising out of any breach, and to make sure that something similar does not happen again in future.
  1. Where a breach of the company’s computer systems is suspected, the data protection lead will gain the support of the company’s IT provider in order to identify the nature of any breach of computer systems.
  1. The theft of data, whether as a result of shortcomings in the physical security arrangements on the premises, or the hacking and penetration of computer systems, will be reported immediately to the police.
  1. The breach, investigation and corrective actions will be documented and filed on the data protection risk register, as will the report made to the ICO.
  1. All personal data breaches, however minor, and whether reportable or not, will be recorded in the data protection risk register, held by the data protection lead. 


Data Subject Request Policy

1. The rights of data subjects include the following:

  • Right of access to personal data by means of a subject access request;
  • Right to rectification of inaccurate data;
  • Right to erasure, otherwise known as the right to be forgotten;
  • Right to object to processing;
  • Right to restriction on processing;
  1. In order to respond to requests in a timely manner Fresh Thinking Therapy recognise the importance of centralised efficient information management systems. Fresh Thinking Therapy reviews how it organises and stores data so as to enable easy and efficient retrieval.
  1. Fresh Thinking Therapy stores data in relation to each client, whether it be an organisation or individual, on electronic files and on a database dedicated to each. The files contain the information Fresh Thinking Therapy have been provided with, together with identity check documents, and invoices and receipts. Relevant emails and letters are also stored on these files.
  1. Hard copy files are stored in locked cabinets with access restricted. Identification records and special category data are encrypted on electronic files, with similarly restricted access.
  1. The data protection lead (Elisabeth Thompson) is responsible for responding to requests from data subjects and must do so within one month. The period may be extended by a further two months where that is necessary. In these circumstances the data subject must be informed within one month that more time is needed and given the reason why.
  1. Requests from data subjects need not be in writing. There is no standard wording and they may be made casually over the telephone. On receipt of a request, the data protection lead (Elisabeth Thompson) logs it in the data protection register on Write Upp
  1. The data protection lead (Elisabeth Thompson) may seek to obtain the data subject’s agreement to limiting the request to what is being sought. Otherwise, all the data subject’s personal data is covered and, in response to a subject access request for example, must be provided.
  1. On receipt of a request, the data protection lead (Elisabeth Thompson) retrieves the relevant files from Write Upp, email folders and inboxes as necessary. It is important to remember how broad the definitions of personal data and processing are, and reference should be made to the data protection policy.
  1. Where a request for a copy of personal data is made electronically, it should be provided electronically.
  1. Any request for personal data relating to a legal case should be referred to the Claimant’s instructing solicitors to deal with.
  1. If the data protection lead does not wish to accede to a request, he or she should seek legal advice.


Security Policy 

  1. This security policy is designed to ensure that Fresh Thinking Therapy complies with the security requirements of the General Data Protection Regulation, and the rights to privacy of data subjects are protected.
  1. In compliance with Article 32  Fresh Thinking Therapy have implemented appropriate physical, organisational and technical measures to ensure a level of security appropriate to the risk.
  1. Fresh Thinking Therapy is a limited company with 2 employees and associates, trainees and volunteers. There is an office but no client information is left there. All client information is based on Write Upp and on the computer which is based at the data processor’s home. 

Security measures

The following security measures have been taken: 


  • All hard copy material is stored in locked filing cabinets, with restricted access;
  • Electronic devices are arranged so they cannot be viewed by casual passersby, particularly visitors;
  • Electronic special category data is encrypted with restricted access;
  • No transportable USB memory sticks are used.
  • Electronic data is backed up off site;
  • No data is stored on laptops;
  • Computers and other electronic equipment are disposed of in a safe manner by an outsourced and certificated provider.


  • This policy is regularly reviewed and Elisabeth Thompson (Data protection lead) is committed to ensuring it is implemented;
  • Elisabeth Thompson is responsible for data protection and other data protection policies;
  • Elisabeth Thompson  has sufficient resources to carry out its role effectively as data protection lead;
  • Breach of this security policy is a disciplinary offence.


  • . Technical measures
  • Anti-virus and anti-spyware tools are installed on all computers and laptops;
  • All computers, including laptops and mobile phones, are encrypted/password protected;
  • Personal data is encrypted before it is uploaded onto the cloud;
  • Personal data shared by email are encrypted and password protected as appropriate;

Security measures are tested and evaluated once a year;

Whenever a new project, process or procedure is introduced which carries a high risk to data subjects, a Data Protection Impact Assessment is carried out, at the instigation of Elisabeth Thompson (Data Protection lead)

Latest from Twitter

Remember your mental health is always a priority ♥️

Improve your mental health and feel more positive by trying these tips from @NHSuk 👇

Read more on Twitter →

Copyright © 2020 Fresh Thinking Therapy

  • BABCP Accredited
Privacy Policy · Cookie Policy