top of page
Logo editable 1.png

How do you use my data?

GDPR & Forward Thinking

“GDPR (General Data Protection Regulation) is the most significant piece of privacy and data protection in twenty years. It took effect on 25th May 2018 and from that date we are required to ensure that we gain a new data protection and privacy consent from all clients.

We are committed to complying with GDPR and take you and your child’s personal data seriously.


The following will tell you about how we use your data, and your rights regarding your personal information:


1. What kinds of personal information about you do we process?


We process both general data and what is known as “Special category data”. Special category data is information about you / your child that GDPR states as being more sensitive, such as information about physical and mental health.

2. What is the source of your personal information?


We obtain personal information about you and your child from you, your child, and/or the person/agency who referred you.

3. What do we use your personal data for?


We only ever use your personal data and that of your child for matters relating to their care/assessment/treatment, or relating to the arranging of our appointments.  If we to ever need to use your data for any other purpose, your informed consent to share information would be sought in advance.


4. Where do you store my data?


We store your data in two places:


– Electronic records (contact details; electronic therapy notes, letters and reports) are stored within our Practice Management system (WriteUpp).  This is a secure, GDPR compliant system, used by many NHS trusts and other health organisations in the UK and worldwide. 


– Paper records (therapy notes; psychometric measures etc) are stored in a secure filing cabinet either at the one of our offices (Whitehouse; Woodmill); or your Clinical Psychologist's office (if you are seen remotely).


5. What are the legal grounds for our processing of your personal information (including when we share it with others)?

The conditions for processing Special Category Data are listed in Article 9(2) of the GDPR:. 


(a) the data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where Union or Member State law provide that the prohibition referred to in paragraph 1 may not be lifted by the data subject;


(b) processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject;


(c) processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent;


(h) processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3;


6. When do we share your personal information with other organisations?


We will only share information with other organisations, such as school; CAMHS; G.P. with your consent. Where you have been referred by an outside organisation (e.g. GP; Psychiatrist etc) we would usually share information relevant to your child’s treatment with them as this is best-practice.  We would discuss this with you in advance.

The only time we would potentially need to share personal information without consent is in the case of Safeguarding concerns, where we need to share information with another agency (e.g. Health; Social Care; the Police) in order to keep your child, or another person, safe from harm; or where we have a duty to report a crime. We would inform you if this were to happen.  This would only happen if it were absolutely necessary and would be guided by our duties under the relevant Laws, and our professional obligations as stated by the Health * Care Professions Council (HCPC).

If you have been referred to our service as part of your care from NHS CAMHS, we will need to share the information we hold about you and your child with them (CAMHS), including, but not limited to: therapy notes, appointments dates and times and psychometric data. We would also need to share information with your Child's G.P.


7. How and when can you withdraw your consent?


You can withdraw consent at any time – please inform your Psychologist if you want to do this.  Please note, we are obligated to retain some personal data for a certain time period (see below).


8. Is your personal information transferred outside the UK or the EEA?


Your personal information we hold digitally is stored on WriteUpp, who in turn store the data in the UK and within the EEA.  This includes all clinical data once your child is seen by our service.

Please note, information you provide through our website (, including contact forms, registration forms and feedback forms are processed using the 'Wix Ascend' platform.  Wix say the following about how they manage data:


"Wix has servers all over the world, including Europe and the United States, as well as backup servers in multiple locations.  If the Processing of the User Customer Data involves transfer of such data outside of the European Economic Area (EEA) and the European data protection regulations apply to the transfers of such data, these transfers will be conducted in compliance with all applicable data protection regulations".

"If you are in Europe, the U.K., or Switzerland, when we transfer your Personal Information to a location outside of Europe, We will make sure that (i) there is a level of protection deemed adequate by the European Commission or (ii) that the relevant Standard Contractual Clauses are in place (i.e., the applicable module of the Standard Contractual Clauses for the transfer of personal data to third countries pursuant to Regulation (E.U.) 2016/679 of the European Parliament and of the Council from June 4, 2021, as available here, and the ICO’s International Data Transfer Addendum to the E.U. Commission Standard Contractual Clauses version B1.0, in force from 21 March 2022, as it is revised under Section ‎‎18 of its Mandatory Clauses).

When Wix transfers E.U. Personal Information to a third country that the European Commission did not find will adequately protect your information, Wix ensures that it has taken additional measures to comply with the European data protection laws".

You can read more about how Wix manages data here:

9. What should you do if you or your child’s personal information changes?


Please inform your Psychologist or contact, and we can update the system.


10. Do you have to provide your personal information to us?


You do not have to provide personal data, however, we will be unable to provide your child with a service without relevant personal information, including (but not limited to), you and your child's names; the name and contact details of anyone else with Parental Responsibility; your child's date of birth'; the name of their school; and the name and address of their G.P.


11. Do we do any monitoring involving processing of your personal information?


No.  Your data is only used for the purposes of arranging appointments or providing your child’s care.


12. For how long is your personal information retained by us?


We are obliged to retain some data for 7 years post-discharge from our service.  As a minimum, this would include their name; date of birth; a description of the reason for referral; the services we provided (including the rationale for providing those services and any clinical decisions made); reason for discharge from our service; and outcome at discharge. 


If you have not received a service from us (but for example were on our waiting list) you can contact us to remove all of your / your child's data from our system.  If we are obliged to keep any information under these circumstances, we would discuss this with you.

13. What are your rights under data protection laws?

  1. The right to be informed

  2. The right of access

  3. The right to rectification

  4. The right to erasure

  5. The right to restrict processing

  6. The right to data portability

  7. The right to object

  8. Rights in relation to automated decision making and profiling.


14.  Accessing your data


If you want to access the data that we hold about you or your child, you can make a request in writing to your Psychologist.  They will comply with the request within 30 days.  Please note that we may have to redact some information provided by your child due to our professional code of conduct around confidentiality.  Please talk to your Psychologist if you have any concerns about this.


14. Your right to object


If you object to our storing / using you or your child’s personal information, please discuss it with your Psychologist.  You can withdraw your consent at any time, but it may mean that we cannot continue to provide a service, and we may be duty bound to hold some information we hold for a period of time.


15. Marketing?


We will never use your data for marketing purposes.  Your data will never been passed on to third parties without your knowledge and consent.

16. What happens if there is a breach of your data under Data Protection?


In the unlikely event this should happen, we would inform you as soon as possible after we have been made aware of the breach, and inform the Information Commissioner’s Office (ICO) within 72 hours.


17. Who can I talk to about Data Protection?


You can talk to your Psychologist if you have any questions.  Each Psychologist is registered with the ICO for the purposes of storing data about you and your child.  They are responsible for the storage and management of the clinical data about your child (e.g. information gathered during assessment; therapy session notes etc) . If you want to know more about our data protection policies as a Practice, you can contact Dr Xav Brooke, who is the lead for Data Protection at Forward Thinking, via our admin (

18. What can I do if I am not happy about the way my data is handled by my clinician?

Please talk to your clinician in the first instance as they are responsible for the storage of your personal data.  If you are still unhappy, you can contact Dr Xav Brooke, one of the Partners in the Practice, or make a complaint to the ICO. Having spoken with your Psychologist, please contact if you continue to feel unhappy.

bottom of page