Data Protection & GDPR Policy

National Alliance of Counsellors and Psychotherapists (NACP)
Effective: January 2025

1. Purpose

This policy sets out the data protection responsibilities of NACP members in line with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. It ensures client data is handled lawfully, fairly, transparently, and securely, and helps members manage records in a professional, ethical, and compliant way.

2. Scope

This policy applies to all NACP members who handle personal data, including:

  • Client records (paper or electronic)
  • Emails and messages containing personal information
  • Invoices, supervision notes, and appointment logs
  • Contact details, consent forms, and assessments

It also applies to personal data held about supervisees, colleagues, and referrers.

3. Key Principles of Data Protection

Under UK GDPR, members must ensure that personal data is:

  1. Processed lawfully, fairly and transparently
  2. Collected for specified, explicit and legitimate purposes
  3. Adequate, relevant and limited to what is necessary
  4. Accurate and kept up to date
  5. Stored no longer than necessary
  6. Handled securely using appropriate technical and organisational measures
  7. Accountable — able to demonstrate compliance

4. Lawful Basis for Processing Client Data

Most members will rely on the following lawful bases for processing personal data:

  • Contract – to deliver the therapy service agreed with the client
  • Legitimate interest – to keep records that support safe, effective practice
  • Legal obligation – to comply with laws such as safeguarding or court orders
  • Consent – for specific actions, such as sharing information with third parties

Members must clearly explain the basis they rely on in their privacy notice or initial contract. Note that therapy notes and assessments are health data, which UK GDPR treats as special category data: in addition to one of the lawful bases above, processing them requires a separate condition under Article 9 (for example explicit consent, or the provision of health care by a professional bound by a duty of confidentiality), and the privacy notice should state which condition applies.

5. Your Responsibilities as a Data Controller

As a private practitioner or small business, most members are independent data controllers. This means you are responsible for:

  • Registering with the Information Commissioner’s Office (ICO) if required
  • Creating a Privacy Notice for clients, outlining how their data is handled
  • Keeping data secure, including session notes, emails, and devices
  • Responding to Subject Access Requests (SARs) without undue delay and within one calendar month of receipt (extendable by up to two further months for complex or numerous requests, provided the client is told within the first month)
  • Reporting personal data breaches to the ICO within 72 hours of becoming aware of them, unless the breach is unlikely to result in a risk to individuals

NACP encourages all members to seek supervision or legal advice if unsure.

6. Secure Data Storage

Members must ensure that client data is:

  • Stored securely using encrypted digital systems or locked physical storage
  • Protected by a strong password or passcode, with device encryption enabled, on all devices used to access or process client information
  • Not shared via unsecured channels (e.g. personal email or public Wi-Fi)
  • Backed up safely and securely where needed

7. Retention of Records

Members must:

  • Retain client records for a reasonable period (commonly 5–7 years) unless legal or contractual obligations require otherwise
  • State clearly in their contract how long data will be stored
  • Securely delete or destroy data when no longer needed, using appropriate methods (e.g. shredding, digital wiping)

8. Working with Third Parties

If you use third-party services (e.g. practice management software, cloud storage, virtual assistants), you must:

  • Check that they comply with UK GDPR, including where client data is stored and whether it is transferred outside the UK
  • Ensure data processing agreements are in place
  • Only share the minimum necessary data, for legitimate purposes

9. Breaches of Data Protection

A personal data breach includes:

  • Loss or theft of client records
  • Unauthorised access or sharing of data
  • Accidental deletion or alteration of personal information
  • Sending sensitive data to the wrong person

If a breach occurs, you must:

  • Record the incident and any corrective actions taken
  • Notify the ICO within 72 hours of becoming aware of the breach, unless it is unlikely to result in a risk to individuals
  • Inform affected individuals without undue delay where the breach is likely to result in a high risk to them
  • Seek supervision or legal advice as needed

10. NACP’s Role and Member Accountability

While NACP provides guidance, individual members are responsible for their own data practices. Members may be asked to:

  • Confirm they are registered with the ICO (where applicable)
  • Provide a copy of their privacy notice upon request
  • Demonstrate secure storage and documentation practices
  • Participate in audits or spot checks as part of membership compliance

11. Policy Review

This policy is reviewed annually or in response to changes in legislation, ICO guidance, or NACP governance requirements.

📩 Support and Resources

For questions or concerns about GDPR and data protection:
📧 info@nacp.co.uk
🔗 www.nacp.co.uk
📄 ICO Guidance: www.ico.org.uk