Privacy Notice (GDPR)
1. Purpose
This Privacy Notice explains how The Dawn Lister Therapy Centre (DLTC) collects, stores, and uses personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
It applies to all clients, trainees, therapists, supervisors, room hirers, and staff who engage with DLTC services.
DLTC is committed to protecting privacy, maintaining confidentiality, and ensuring that personal information is processed lawfully, fairly, and transparently.
2. Data Controller
DLTC is the Data Controller for all personal data processed within its operations, including clinical and administrative records.
Data Controller: The Dawn Lister Therapy Centre (DLTC)
Registered Address: 3 Church Hill, Leigh-on-Sea, SS9 2DE
Email: dawnlistertc@gmail.com
ICO Registration: ZB286335
3. Types of Data Collected
- Personal identifiers (name, address, contact details, date of birth)
- Emergency contact information
- Demographic information (age, gender, ethnicity, where volunteered)
- Clinical information (session notes, assessment forms, supervision notes)
- Payment details (invoicing or receipt information)
- Professional membership and insurance details for self-employed therapists
- Training and supervision records for trainees
4. Lawful Basis for Processing
- Contract: Processing necessary to provide agreed services (e.g., therapy or supervision).
- Legal Obligation: Compliance with UK law (e.g., record-keeping, tax, safeguarding).
- Vital Interests: Where there is serious risk to life or wellbeing.
- Legitimate Interests: To manage operations efficiently and ensure safe, ethical service provision.
- Consent: Where explicit agreement has been given (e.g., to receive communications or be contacted for future opportunities).
5. How Data Is Collected
- Initial contact forms, phone calls, or email correspondence
- Assessment sessions and supervision meetings
- Invoices, payment receipts, and booking systems
- Training records and placement documentation
DLTC does not collect unnecessary or excessive personal data.
6. How Data Is Used
- Deliver therapy, supervision, and training safely and ethically
- Manage appointments, payments, and communications
- Maintain accurate and legally compliant records for supervision and quality assurance
- Respond to complaints or safeguarding concerns, following relevant DLTC policies
Data will never be used for marketing without explicit consent.
7. Data Storage and Retention
All personal data is stored securely on encrypted devices or in locked physical storage.
Retention periods:
• Clinical records – 7 years after the last contact
• Placement or trainee records – 7 years after completion
• Administrative or financial records – 6 years (HMRC requirement)
After this time, data is securely deleted or destroyed.
8. Sharing Data
Personal data is shared only where:
- It is required by law (e.g., safeguarding, court order, or legal duty)
- There is a risk of serious harm to self or others
- It is necessary for supervision, training, or quality assurance, in which case it is shared in anonymised form
- Explicit client or staff consent has been given for a stated purpose
DLTC does not share personal data with third parties for marketing or external analytics.
9. Individual Rights
Individuals have the right to:
- Be informed about data collection and use.
- Access their personal data.
- Request correction of inaccurate information.
- Request deletion ('right to be forgotten') where lawful.
- Restrict or object to processing.
- Data portability (to another provider, where applicable).
- Withdraw consent at any time (where consent is the lawful basis).
Requests should be made in writing to the DLTC Directors at dawnlistertc@gmail.com. DLTC will respond within 30 calendar days.
10. Confidentiality and Security
DLTC takes all reasonable steps to prevent data loss, misuse, or unauthorised access.
All staff, trainees, and contractors receive GDPR and confidentiality training.
Any personal data breach that is likely to result in a risk to individuals will be reported to the Information Commissioner's Office (ICO) within 72 hours of DLTC becoming aware of it, and affected individuals will be informed without undue delay where the breach is likely to result in a high risk to them, in line with the DLTC Data Breach Policy.
11. Related Policies
- Complaints Policy and Procedure
- Safeguarding Policy (v3)
- Clinical Responsibility Policy
- Health and Safety Policy
12. Review and Version Control
This policy will be reviewed annually or sooner if legislation changes.
v7.11.25 – Revised for consistency with DLTC Complaints and Safeguarding policies; clarified lawful basis
Review Due: November 2026
1. Introduction
Under Articles 33 and 34 of the General Data Protection Regulation (GDPR), it is necessary to have a clear procedure which a business may follow when personal data stored or processed by the business is subject to a breach.
This policy must not be used in isolation, it must be read and be followed alongside the Dawn Lister Therapy Centre ‘Privacy Notice’.
2. What constitutes a personal data breach?
A personal data breach under the GDPR is defined as "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed by the company".
3. What is the breach notification regime?
The breach notification regime under the GDPR will apply as follows:
i) Obligation for data controllers to notify the supervisory authority (Information Commissioner's Office)
Timing: Without undue delay and, where feasible, not later than 72 hours after becoming aware of it.
Exemption: No reporting if the breach is unlikely to result in a risk to the rights and freedoms of natural persons.
ii) Obligation for data controller to communicate a personal data breach to data subjects
Timing: Without undue delay: the need to mitigate an immediate risk of damage would call for a prompt communication with data subjects whereas the need to implement appropriate measures against continuing or similar data breaches may justify more time for communication.
Exemption: No reporting if –
- The breach is unlikely to result in a high risk for the rights and freedoms of data subjects
- Appropriate technical and organisational protection measures were in place at the time of the incident (e.g. the affected data was encrypted and the key was not compromised)
4. Documentation requirements
i) Internal breach register
Obligation for the data controller to document each incident “comprising the facts relating to the personal data breach, its effects and the remedial action taken”.
ii) Communication with supervisory authority
There is a need to describe the nature of the personal data breach, including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of data records concerned.
iii) Communication to affected individuals.
Describe in clear and plain language the nature of the personal data breach and provide at least the following information:
a) The name and contact details of the Data Protection Officer or other contact point where more information can be obtained.
b) The likely consequences of the personal data breach.
c) The measures taken or proposed to be taken by the data controller to address the personal data breach, including, where appropriate, to mitigate its possible adverse effects.
Version 2
Reviewed: 1.11.25
Date for review: November 2027
1. The purpose of this policy
According to GDPR “a data subject should have the right of access to personal data which have been collected concerning him or her, and to exercise that right easily and at reasonable intervals, in order to be aware of, and verify, the lawfulness of the processing.” This policy sets out the procedure following a Subject Access Request (SAR).
This policy must not be used in isolation, it must be read and be followed alongside the Dawn Lister Therapy Centre ‘Privacy Notice’.
2. The rights of Data Subjects
Data subjects have the legal right to know whether the DLTC is processing any personal data about them as an individual and, if so, to be given:
- the purposes for which the DLTC is processing their data
- the categories of personal data concerned, personal or special category (sensitive)
- the recipients to whom the personal data have been or will be disclosed, in particular, recipients in third countries or international organisations
- where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period
- the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject, or to object to such processing
- the right to lodge a complaint with a supervisory authority
- any available information as to the source of the data if the DLTC was not the originating data collector
- the existence of automated decision-making, including profiling, with detail of what technologies are used and what effect this has on the data subject and their data
The response to the data subject must be made within one month of first receipt of the SAR.
3. The Procedure
The DLTC will follow the procedure set out below and use the forms detailed within the steps when processing Subject Access Requests:
4. Responding to a SAR
The Data Controller is responsible for reviewing all provided documents to identify whether any third parties are identified in it and for either omitting or redacting identifying third party information from the documentation or obtaining written consent from the third party for their identity to be revealed.
If the requested data falls under one of the following exemptions, it does not have to be provided:
- Crime prevention and detection
- Negotiations with the requester
- Information used for research, historical or statistical purposes
- Information covered by legal professional privilege
The information will be provided to the data subject in electronic format unless otherwise requested and all the items provided are listed on a schedule that shows the data subject’s name and the date on which the information is delivered.
In all cases care should be taken to redact all personal data or confidential information that the data subject should not see.
Version 2 /8.11.2025
Date for review: November 2026
Subject Access Request (SAR) form
SECTION 1: Details of the person completing the SAR
| Name | |
| Address | |
| Contact phone number | |
| E-mail address | |
| Signature | |
SECTION 2: Is this SAR about you?
☐ YES: I am the data subject for this SAR and I have provided my identification (see below). Please go to section 4.
☐ NO: I am acting on behalf of the data subject. I have enclosed the identification for myself and the data subject (see below). Please go to section 3.
Accepted identification is anything that is issued by the government that contains a photograph, such as a passport or driving licence.
SECTION 3: Details of the data subject
| Name | |
| Address | |
| Contact phone number | |
| Email address | |
| Signature | |
SECTION 4: SAR information
Please supply the detail behind the SAR and what it is you need:
Please return this form with the identification required to Dr Eleanor Sorrell or Dr Marta Karczewska or Ms Dawn Lister
*The information within this form will be used exclusively for the purposes of this SAR. Once the SAR has been completed your personal data will be deleted. However, we will maintain your name in our SAR register for audit purposes.
1. Introduction
Under Article 17 of the General Data Protection Regulation (GDPR) individuals have the right to have personal data erased. This is also known as the ‘right to be forgotten’.
The right is not absolute and only applies in certain circumstances.
This procedure must not be used in isolation, it must be read and be followed alongside the Dawn Lister Therapy Centre ‘Privacy Notice’.
2. Circumstances in which the right to erasure applies
All people connected with our operations, that is, anyone who attends, uses, works from or hires rooms at the Centre (clients, patients, supervisees, self-employed therapists, counselling trainees, room hirers and those accompanying clients to the Centre), have the right to have the personal data the DLTC collects about them erased if:
- the personal data is no longer necessary for the purpose which we originally collected or processed it for;
- we are relying on consent as our lawful basis for holding the data, and the individual withdraws their consent;
- we are relying on legitimate interests as our basis for processing, the individual objects to the processing of their data, and there is no overriding legitimate interest to continue this processing;
- we have processed the personal data unlawfully (i.e. in breach of the lawfulness requirement of the first principle);
- we have to do it to comply with a legal obligation; or
- we have processed the personal data to offer information society services to a child
Additionally, the DLTC does not process data for direct marketing purposes unless the person has given explicit permission (e.g. by joining a mailing list); if a client then objects to that processing, the right to erasure also applies.
3. Data collected from children
Within the GDPR there is an emphasis on the right to have personal data erased if the request relates to data collected from children. Collecting personal data from children will not be a common practice for the DLTC, however if we process data collected from children, we will give particular weight to any request for erasure if the processing of the data is based upon consent given by a child – especially any processing of their personal data on the internet.
4. Circumstances in which we would tell other organisations about the erasure of personal data
The GDPR specifies two circumstances where we need to tell other organisations about the erasure of personal data:
- the personal data has been disclosed to others; or
- the personal data has been made public in an online environment (for example on social networks, forums or websites).
The DLTC does not intend to share personal data with others. However, should such circumstances arise, we would contact each recipient and inform them of the erasure.
5. Circumstances in which the right to erasure does not apply
In line with the GDPR regulations, at the DLTC the right to erasure does not apply if processing is necessary for one of the following reasons:
- to exercise the right of freedom of expression and information;
- to comply with a legal obligation;
- for the performance of a task carried out in the public interest or in the exercise of official authority;
- for archiving purposes in the public interest, scientific research, historical research or statistical purposes, where erasure is likely to render impossible or seriously impair the achievement of that processing; or
- for the establishment, exercise or defence of legal claims.
GDPR also specifies two circumstances where the right to erasure will not apply to special category data, and the DLTC follows these guidelines:
- if the processing is necessary for public health purposes in the public interest (e.g. protecting against serious cross-border threats to health, or ensuring high standards of quality and safety of health care and of medicinal products or medical devices); or
- if the processing is necessary for the purposes of preventative or occupational medicine (e.g. where the processing is necessary for the working capacity of an employee; for medical diagnosis; for the provision of health or social care; or for the management of health or social care systems or services). This only applies where the data is being processed by or under the responsibility of a professional subject to a legal obligation of professional secrecy (e.g. a health professional).
6. Refusal to comply with a request for other reasons
In some well justified circumstances, the DLTC reserves a right to refuse to comply with a request for erasure, particularly if it is manifestly unfounded or excessive.
In these cases, we may occasionally:
- request a "reasonable fee" to deal with the request; or
- refuse to deal with the request.
If we refuse to comply with a request for erasure we would inform the Client / Patient / Supervisee / Self-employed therapist / Counselling Trainee / Room Hirer / Person accompanying a client to the Centre without undue delay and within one month of receipt of the request, providing the details of:
- the reasons we are not taking action;
- their right to make a complaint to the ICO or another supervisory authority; and
- their ability to seek to enforce this right through a judicial remedy.
We should also provide this information if we request a reasonable fee or need additional information to identify the individual.
7. Procedure of recognising a request
The GDPR does not specify how to make a valid request, and therefore at the DLTC we recognise that clients can make a request for erasure verbally or in writing. We also understand that a request does not have to include the phrase 'request for erasure' or 'Article 17 of the GDPR', as long as one of the conditions listed above applies.
At the DLTC we intend to check with the requester that we have understood their request, as this can help avoid later disputes about how we have interpreted it. We also keep a log of verbal requests (please see Appendix A), in which we record details of the requests we receive, particularly those made by telephone or in person.
8. Compliance Timeframe
At the DLTC we will act upon the request without undue delay and at the latest within one month of receipt. We calculate the time limit from the day after we receive the request (whether the day after is a working day or not) until the corresponding calendar date in the next month.
If the request is complex, or we have received a number of requests from the same individual, we may extend the time to respond by a further two months. In this case we will let the individual know without undue delay and within one month of receiving their request, and explain why the extension is necessary.
9. ID Checks
In line with the GDPR, if we have doubts about the identity of the person making the request we can ask for more information. We would only request information that is necessary to confirm who the requester is, taking into account what data we hold, the nature of that data, and what we use it for.
The DLTC would let the individual know without undue delay and within one month that we need more information from them to confirm their identity. In these cases the DLTC will not comply with the request until we have received the additional information.
10. Procedures of information erasure
a) Electronic files kept locally
The DLTC follows the guidelines of the International Data Sanitization Consortium (IDSC) in order to erase electronic data. The IDSC suggest that the best practice methods for the permanent erasure of personal data records are:
- Crypto erasure - with the use of encryption software that erases the key needed to decrypt personal data.
- Data erasure - with the use of software that securely overwrites data on a storage device, rendering it unrecoverable.
The electronic deletion will be documented, with a certificate generated by the software to prove erasure. This record will be available should regulators wish to audit our data records to confirm legal compliance with 'right to be forgotten' requests.
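The crypto-erasure method described under a) above, shown as an added example. This is hypothetical demonstration code written for this page, not DLTC's own tooling: the subject references, record contents and the in-memory key store are assumptions. Each data subject's records are encrypted under a per-subject data-encryption key (DEK); erasure destroys that DEK, so any ciphertext still present on disk or in backups becomes permanently unreadable, and the audit entry records what was destroyed without itself holding personal data.

```python
"""Crypto-erasure ("crypto-shredding") of one data subject's records.

Hypothetical example for this page, not DLTC's tooling. The cipher is an
encrypt-then-MAC construction built from HMAC-SHA256 (a PRF in counter mode
for the keystream, a second HMAC for integrity) so the script runs with the
standard library alone; a production system would use an AEAD such as
AES-GCM and hold DEKs in a KMS/HSM rather than in a dict.
"""
import hashlib
import hmac
import json
import secrets
import time

NONCE_LEN, TAG_LEN = 16, 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF in counter mode: HMAC(key, nonce || counter) for successive counters."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag (encrypt-then-MAC)."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; a wrong key or a tampered blob raises ValueError."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or corrupted record")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


class RecordStore:
    """Ciphertext lives on 'disk' (and realistically in backups); DEKs live separately."""

    def __init__(self) -> None:
        self.deks: dict[str, bytes] = {}            # subject ref -> DEK (KMS/HSM in practice)
        self.records: dict[str, list[bytes]] = {}   # subject ref -> ciphertext blobs
        self.erasure_log: list[dict] = []           # audit trail; holds no personal data

    def store(self, subject_ref: str, record: dict) -> None:
        dek = self.deks.setdefault(subject_ref, secrets.token_bytes(32))
        blob = encrypt(dek, json.dumps(record).encode("utf-8"))
        self.records.setdefault(subject_ref, []).append(blob)

    def read(self, subject_ref: str) -> list[dict]:
        dek = self.deks[subject_ref]  # KeyError once the subject has been erased
        return [json.loads(decrypt(dek, blob)) for blob in self.records.get(subject_ref, [])]

    def erase(self, subject_ref: str, reason: str) -> dict:
        """Crypto-erasure: destroy the DEK and log a description that names no personal data."""
        had_key = self.deks.pop(subject_ref, None) is not None
        entry = {
            "when": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
            "subject_ref": subject_ref,             # pseudonymous reference, not a name
            "method": "crypto-erasure (DEK destroyed)",
            "records_rendered_unreadable": len(self.records.get(subject_ref, [])),
            "key_was_present": had_key,             # False means it was already erased
            "reason": reason,
        }
        self.erasure_log.append(entry)
        return entry

    def is_readable(self, subject_ref: str) -> bool:
        """True only while a DEK exists and every stored blob authenticates under it."""
        try:
            self.read(subject_ref)
            return True
        except (KeyError, ValueError):
            return False


if __name__ == "__main__":
    store = RecordStore()
    # constructed sample record, not real client data
    store.store("C-1042", {"name": "A. Example", "note": "session 1: initial assessment"})
    print("before erasure readable:", store.is_readable("C-1042"))
    print(store.erase("C-1042", reason="Article 17 request, consent withdrawn"))
    print("ciphertext blobs still on disk:", len(store.records["C-1042"]))
    print("after erasure readable:", store.is_readable("C-1042"))
```

The point of the design is that the ciphertext is never touched: only the key is destroyed, so copies the organisation cannot reach (backups, a cloud provider's replicas, SSD blocks that wear-levelling has moved out of reach of an overwrite) are neutralised along with the live copy. Two caveats follow from it: the key store must itself be wiped or its storage rotated when a DEK is deleted, and the erasure log must be worded so that it is not a new personal data record about the subject.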
b) Electronic files kept on the encrypted cloud storage
The DLTC follows the guidelines of the International Data Sanitization Consortium (IDSC) in order to erase electronic data kept in encrypted cloud storage. The DLTC keeps data with cloud storage hosts that are certified as compliant with GDPR and with widely accepted security and privacy standards such as ISO 27001/27002, ISO 27017/27018 and SOC 2. Data kept in cloud storage will be erased in line with the cloud provider's erasure policy and procedures. A log containing a general description of what information has been destroyed will be kept.
c) Physical data
Physical data will be destroyed by placing it in a paper shredder and disposing of the shredded material through an appropriate confidential waste system. A log containing a general description of what information has been destroyed will be kept.
Version 5 /8.11.2025
Date for review: November 2026
Appendix A - Log of verbal data erasure requests
| Date | Name of the requester | Request details | How has the request been made? | Action taken by the Dawn Lister Therapy Centre |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |