Data protection
Appropriate Policy Document
Last updated: 14 June 2026
Version: 1.0
This Appropriate Policy Document explains how Step by Step Counselling processes special category personal data, and any criminal offence data, and how that processing meets the requirements of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
Some of the conditions I rely on to use this data, in particular the conditions I use when I have to share information to protect someone at risk, require me to keep an Appropriate Policy Document under Part 4 of Schedule 1 to the Data Protection Act 2018. This document meets that requirement. For completeness it also covers the special category data I process in order to provide counselling, where a policy document is not strictly required. It should be read alongside my privacy notice.
1. Who this document covers
The data controller is me personally.
Counselling necessarily involves health and other sensitive information, so almost all of the client information I hold is special category data, mainly information about a person's physical or mental health. This document explains the conditions I rely on to process it and how I keep it safe.
2. The data I process and my conditions for processing it
Special category data is data that needs extra protection under Article 9 of the UK GDPR, such as information about health. To process it lawfully I need both a lawful basis under Article 6 and a separate condition under Article 9, and for some conditions a further condition in Schedule 1 to the Data Protection Act 2018. The conditions I rely on are set out below.
Providing counselling and keeping clinical records
Lawful basis (Article 6): Article 6(1)(b), performance of the therapy contract, and Article 6(1)(f), legitimate interests, for keeping records after therapy ends.
Special category condition (Article 9): Article 9(2)(h), the provision of health or social care or treatment, given effect by paragraph 2 of Schedule 1 to the Data Protection Act 2018. This applies because the processing is carried out by me, a counsellor who is subject to the duty of confidentiality in the BACP Ethical Framework. A policy document is not strictly required for this condition, and it is included here for completeness.
Sharing information to safeguard a child or an adult at risk
Lawful basis (Article 6): Article 6(1)(c), legal obligation, or Article 6(1)(f), legitimate interests, and Article 6(1)(d), vital interests, where there is a risk to someone's life.
Special category condition (Article 9): Article 9(2)(g), substantial public interest, given effect by paragraph 18 of Schedule 1 (safeguarding of children and of individuals at risk). This is one of the conditions that requires this Appropriate Policy Document. It applies because I may have to disclose information, sometimes without consent, to protect a child or a vulnerable adult from serious harm, as my ethical framework and the law allow.
Responding to a serious and immediate risk to life
Special category condition (Article 9): Article 9(2)(c), vital interests, where someone's life is at risk and they are unable to give consent.
Meeting legal obligations and defending legal claims
Lawful basis (Article 6): Article 6(1)(c), legal obligation, for example where the law requires me to report certain very serious crimes such as terrorism or money laundering. For keeping records in order to defend a complaint or legal claim I rely on Article 9(2)(f), the establishment, exercise or defence of legal claims. Any criminal offence data is processed only where I have a lawful condition to do so, for example to comply with a legal obligation or under a Schedule 1 condition.
3. Why I do not rely on consent for this data
For my counselling records, I do not rely on a client's consent as my Article 9 condition. Records must be created and kept accurately, and held for a set period, even if a client later withdraws consent, and no one should feel that the therapy itself depends on agreeing to data processing. The health and social care condition is the appropriate basis instead.
For protective disclosures, I cannot rely on consent either, because I may need to share information to protect someone at risk even where consent has been refused or cannot safely be sought. The substantial public interest and vital interests conditions are the appropriate bases in those situations.
4. How I comply with the data protection principles
I follow the data protection principles in Article 5 of the UK GDPR in the following ways.
- Lawfulness, fairness and transparency: I have identified an Article 6 lawful basis and an Article 9 condition, with a Schedule 1 condition where one is needed, for all of this processing. My privacy notice and the therapy agreement explain in plain language what I do and why.
- Purpose limitation: I use this data only to provide counselling, to run my practice, and to meet my legal and ethical obligations. I do not use it for marketing or any unrelated purpose.
- Data minimisation: I collect only what I need. Session notes are brief and factual and are kept separately from clients' contact details.
- Accuracy: I keep records accurate and up to date, and clients can ask me to correct anything that is wrong.
- Storage limitation: I keep this data only for the periods set out in my privacy notice and in section 5 below, and then securely destroy it.
- Integrity and confidentiality: paper records are kept in a locked cabinet; contact details are kept separately from session notes; digital records are stored on encrypted, password-protected devices with automatic screen locks; I do not store card details; email is encrypted in transit and I avoid sending sensitive information by email; and I have a clinical will so that records are handled safely if I am suddenly unable to manage them.
- Accountability: I am registered with the ICO, I follow the BACP Ethical Framework, I keep this document and my privacy notice up to date, I attend regular clinical supervision and continuing professional development, and I carry out a data protection impact assessment where a type of processing is likely to be high risk.
5. How long I keep this data
I keep this data only for as long as I need it. The main periods are:
- Therapy session notes for adults: six years after the end of therapy, in line with BACP good practice and the standard limitation period.
- Therapy session notes for clients under 18: until the client reaches age 25, in line with BACP guidance.
- Contact details, kept separately from notes: six years after the end of therapy.
- Initial enquiries that do not proceed to counselling: deleted within three months of last contact, or sooner on request.
- Financial and tax records: six years after the end of the tax year, as required by HMRC.
- Text messages and emails about appointments: deleted within one month unless they contain clinically relevant information.
After the retention period the records are securely destroyed, with paper records shredded and digital records permanently deleted. The full retention schedule is set out in my privacy notice.
6. Review and retention of this document
I review this document regularly, and whenever the law or my practice changes. I keep it for as long as I carry out the processing it describes, and for at least six months after that processing stops. I make it available to the Information Commissioner's Office on request.
This document should be read alongside my privacy notice, which gives fuller detail about the information I hold, how I keep it secure, and your rights.