UK GDPR & Data Protection Policy

The Mindful People Group Ltd

1. Purpose of This Policy
‍
This policy explains how The Mindful People Group Ltd (“we”, “us”, “the organisation”) collects, uses, stores, and protects personal information relating to clients, trainee counsellors, therapists, and staff. It sets out our commitment to confidentiality and privacy in accordance with the UK GDPR and the Data Protection Act 2018.

This policy ensures that individuals understand:

• What information we collect,
• Why we collect it,
• How it is used and protected, and
• What rights they have regarding their personal data.

2. Data Controller Details

The Mindful People Group Ltd is the Data Controller for all personal data processed.

Company: The Mindful People Group Ltd
Registered Address: 32 Southern Avenue, London, SE25 4BS
Email for Data Protection Queries: privacy@mindfulpeople.co.uk
Data Protection Lead: The Director of The Mindful People Group Ltd

3. Commitment to Confidentiality

Confidentiality is central to therapeutic work. We treat all information shared with us with respect, care, and discretion.

All therapists, trainees, supervisors, and staff are required to uphold strict confidentiality in line with:

• Professional ethical standards,
• Legal requirements, and
• Organisational policies.

Clients are informed about confidentiality and its limits during their initial assessment.

4. Limits to Confidentiality

Confidentiality may need to be broken without consent in the following circumstances:

• If there is a serious and immediate risk of harm to the client or another person.
• If a child or vulnerable adult is at risk.
• If required by law (e.g., acts of terrorism, money laundering, serious criminal activity).
• If ordered by a court.

Where appropriate and safe, the client will be informed before information is shared.

5. Information We Collect

We collect only the information necessary for the safe and effective provision of therapy and training services.

This may include:

• Personal identifiers (name, age, contact details)
• Assessment notes
• Therapy notes (if applicable)
• Risk information
• Communication records
• Information required for trainee counsellors, supervision, or training attendance
• Payment information (where relevant)

We do not collect more information than is needed for legitimate service provision.

6. Legal Basis for Processing Personal Data

Under UK GDPR, we process data under the following lawful bases:
‍

Standard Personal Data (Article 6)

• Article 6(1)(b) – processing necessary for the performance of a contract (providing counselling services).
• Article 6(1)(f) – legitimate interests (safe, ethical, and professional practice, administration, and supervision).
• Article 6(1)(c) – compliance with legal obligations (e.g., safeguarding duties).

Special Category Data (Article 9 - Required for therapy services)

We process special category data (including mental health information) under:

• Article 9(2)(h) – necessary for the provision of health or social care.
• Article 9(2)(a) – explicit consent, when required for specific non-essential processing.

7. How Your Information is Stored

We take all reasonable steps to protect personal information.

Electronic Data

• Kept on encrypted, password-protected systems.
• Only authorised staff and trainees have access.
• Access is restricted on a need-to-know basis.

Paper Records

• Stored in secure, locked storage.
• Never taken off-site without authorisation.

No information is stored on personal devices or unapproved systems.

8. Data Retention

• Clinical session notes:
  We do not retain clinical session notes.
• Assessment information: Retained for up to 7 years to comply with legal and professional requirements.
• Trainee counsellor records: Retained for up to 7 years, depending on organisational needs.
• Administrative records: Retained as required for tax, safeguarding, or regulatory compliance.

After the retention period, all information is securely destroyed or permanently deleted.

9. Your Rights Under UK GDPR

Individuals have the legal right to:

• Access the personal data we hold
• Request correction of inaccurate information
• Request deletion of information (where legally applicable)
• Request restriction of processing
• Object to certain types of processing
• Withdraw consent where consent is the lawful basis
• Lodge a complaint with the ICO (see below)

Requests will be carefully considered, although some information may need to be retained to meet legal, ethical, or professional obligations.

10. Sharing of Information

We only share information when necessary, appropriate, and lawful.

This may include sharing with:

• Supervisors supporting trainee counsellors
• Safeguarding services (children/adults)
• Emergency services (when urgent risk is present)
• A client’s GP (where necessary for risk management and, where possible, with client consent)

We never share information for:

• Marketing,
• Sales, or
• Commercial gain.

Where third-party systems (e.g., email providers, booking systems, secure video platforms) process personal data, they do so under contract and in compliance with GDPR.

11. Data Breaches

All staff, trainees, and therapists must report any actual or suspected data breach immediately to the Data Protection Lead.

We will:

1. Investigate the breach
2. Take appropriate remedial action
3. Notify affected individuals if necessary
4. Report the breach to the ICO within 72 hours if legally required
5. Review practices to prevent future breaches

All breaches are documented.

12. Complaints to the ICO

If you have concerns about how your data has been handled, you may contact the:

Information Commissioner’s Office (ICO)
Website: www.ico.org.uk
Phone: 0303 123 1113

You are encouraged to contact us first so we can address any issues promptly.

13. Review of this Policy

This policy is reviewed annually or sooner if:

• Legal or regulatory changes occur, or
• Issues arise that require updates.

Any revisions will be communicated to staff, trainees, and relevant stakeholders.