top of page

Last updated: 26/02/2026
 

I, Dr Kristy Potter, am committed to keeping any personal data you share with me during our work together safe and secure. I will not share your information with anyone unless I have a professional or legal obligation, or you have asked me to do so. This Privacy Notice explains how I collect, use, store, and protect your personal data in the course of providing psychological services, online programmes, and digital resources.

Introduction 
 

I am responsible for protecting your privacy and any personal information you may share with me when we work together. For this purpose, under the UK General Data Protection Regulation (UK GDPR) and the Data Protection (Bailiwick of Guernsey) Law, 2017, I am a “data controller”. This means I am responsible for taking measures to ensure your data is safe, and for deciding how long data is kept and who, if anyone, it may be shared with.

This Notice explains the kinds of personal data I may collect about you and that are necessary for us to work effectively together. It also explains how I store and handle the data and how I keep it safe. 

First of all, it’s important to understand a few terms. “Personal data” is information that identifies you. This may include information about your therapy, your use of online programmes, your communications with me, and any records I hold in connection with services you access.

“Processing” your data includes various activities using your data. These may include collecting, recording, organising, using, disclosing, storing and deleting it. 

A “Condition for processing data” is essentially my justification for processing the information. In most circumstances, I process your personal data because it is necessary for the provision of psychological care and to meet my professional and legal obligations. In some situations, I will also rely on your explicit consent (for example, if you ask me to contact another professional on your behalf)

The law requires me: 

  • To process your data in a lawful, fair and transparent way- I promise to always be clear about what data I am processing and why; 

  • To only collect your data for explicit and legitimate purposes – I will only collect data that is relevant to the services you access, including therapy and online programmes. 

  • To only collect data that is relevant, and limited to the purpose(s) I have told you about- I won’t record any data that isn’t directly relevant to your conditions; 

  • To ensure that your data is accurate and up to date – I am required to ensure data is up to date, I may check with you from time to time to make sure of this; 

  • To ensure that your data is only kept as long as necessary for the purpose(s) I have told you about – I have strict policies on how long I will keep your information after which it will be securely destroyed; 

  • To ensure that appropriate security measures are used to protect your data – I am very careful about my security arrangements and constantly update my systems and procedures. 

The following sections should answer any questions you have but if not, please let me know. It is likely that I will need to update this Privacy Notice from time to time, and you are welcome to come back and check this at any time or contact me by any of the means shown below. 

Conditions for processing your data. 

The law on data protection sets out a number of different conditions or justifications if you like for which an organisation or individual may collect and process your personal data. When collecting your personal data, I will always make all of this very clear to you. Most commonly, I will process your data on the following lawful grounds: 

1.Your Explicit Consent 

In most situations, I collect and process your data because it is necessary for the provision of psychological care and to meet my professional obligations. In some circumstances, I will also rely on your explicit consent (for example, if you ask me to contact another professional on your behalf). I discuss aspects of my clinical work in supervision with my supervisor (another psychologist or psychotherapist) to ensure that my practice is safe and effective, and as required by my professional standards. I do not reveal your identity when I share information in supervision, and my supervisor does not share your personal information with anyone else. If applicable, I may contact a referrer or another professional to discuss your referral, provide a summary of your treatment and progress, or request further sessions. I will discuss this with you in advance and, where appropriate, obtain your consent.

If you do not engage in therapy for a prolonged period, your record will be retained and then securely deleted in line with the retention period set out in this notice (currently six years after our work ends, unless a longer period is required by law).

  1. Contractual obligations

When we begin working together, I will ask you to agree to my therapy contract. This is normal practice and lays out what we expect of one another. For example, I promise to give you the support you asked for, in return you promise to promptly pay your fees. By entering into these terms, we enter into a contract together. Where you purchase an online programme or digital content, processing your personal data is also necessary to fulfil that purchase contract.

 

  1. Vital use of data 

I may also use your data, typically in an emergency, where this is necessary to protect your life, or someone else’s life. In a small number of cases where other lawful bases do not apply, I will process your data on this basis and in your best interest. 

I do not discuss your personal information with third parties, except for the purposes of supervision. However, if my professional opinion was that there was an immediate and serious risk that you might harm yourself or someone else then I may have to share your personal information with a third party such as your GP or the emergency services without first obtaining your consent. This might be because it is not practically possible to obtain your consent or because attempting to do so might lead to a delay in accessing help and therefore endanger your life or that of another. 

In situations where I did have to share your personal information with third parties to protect you or another, I will only share your personal information so far as it is relevant and necessary to protect you or someone else. I will inform you what personal information I shared and to whom. 

  1. Legal Obligation. 

It is possible that your personal information may be requested by the Police, a Court of Law, Coroners Office or Professional Body in which circumstances I would have no option but to comply with the law. 

  1. Legitimate interest 

In certain circumstances, I may require your data to pursue my legitimate interest in a way which might reasonably be expected as a Clinical Psychologist. When I process data in this way, I will make sure there isn’t a chance of any impact upon your rights, freedom or interests. I will never use my Legitimate Interest to process your sensitive data such as your case notes relating to your mental health. 

Special category data. 

I collect information about your current and previous psychological and physical health, and where relevant sexual health, and your current and previous social and family circumstances during your appointments. I will also collect information about you when you voluntarily complete questionnaires. This sensitive personal information is defined as “Special Category Data” and I collect it because I am providing psychological assessment or treatment to you. "Special categories" of particularly sensitive personal data require higher levels of protection. I need to have clear justification for collecting, storing and using this type of personal data. I aim to collect and process only the special category data relevant to your mental health. 

How I might collect your data: 

I collect your data in different ways that may include, but are not limited to: 

  • When you write to me about any subject by any means; 

  • When you enquire about my services but do not engage; 

  • When you attend an appointment; 

  • When you complete questionnaires;

  • When you access or engage with our website.

  • When you purchase or access online programmes, digital courses, or downloadable materials;

  • When you create an account to access members-only or digital content;

  • When you subscribe to receive free resources, newsletters, or programme updates.

I collect personal data in order to deliver my services. The data collected is most likely in electronic format but can also be in paper form 

For your security, I use appropriate organisational and technical security controls to safeguard your data (for example, strong passwords, access controls, device security and, where appropriate, encryption).

Use of data processors

I use trusted third-party service providers (“data processors”) to support the delivery of my services. This may include secure practice management software, encrypted email, video-conferencing platforms, and secure cloud storage. All processors are selected carefully and are required to meet appropriate data protection and security standards. I remain responsible as the data controller for your personal data. Payment information for online purchases is processed securely via third-party payment providers (such as Wix Payments, Stripe or equivalent secure providers). I do not store full card details on my own systems. These providers process personal data in accordance with their own privacy policies and applicable data protection law.

 

In the unlikely event of a personal data breach that is likely to result in a high risk to your rights and freedoms, I will inform you without undue delay and take appropriate steps in line with data protection law.

Online Programmes and Digital Content

In addition to providing psychological therapy, I also offer online educational programmes and digital resources. When you purchase or access digital content, I may collect and process:

• Your name

• Email address

• Billing information

• Account login credentials

• Records of programme access

 

This information is processed for the purposes of:

• Providing access to purchased content

• Administering your account

• Managing payments

• Meeting contractual and legal obligations

 

Participation in online programmes does not constitute psychological therapy and does not create a clinical relationship.

Email Communications and Marketing

 

If you subscribe to receive updates, free resources, newsletters, or information about online programmes, I will process your email address for this purpose.

 

You may unsubscribe from marketing communications at any time using the link provided in emails or by contacting me directly.

 

Marketing communications are sent via secure email marketing platforms, which act as data processors and comply with relevant data protection regulations.

 

I will not sell or share your personal data for unrelated third-party marketing purposes.

 

Marketing emails are only sent where you have opted in or where there is another lawful basis to do so.

 

Children and young people

When I work with children or young people, personal data may be shared with those who have parental responsibility, in line with legal and professional guidance. As children mature, their right to confidentiality will be balanced carefully with parental involvement. This will be discussed clearly at the outset of therapy.

I am committed to your data protection rights. 

You have important rights under the UK GDPR and the Data Protection (Bailiwick of Guernsey) Law, 2017. Here’s a brief explanation of them.

Right to Object 

You have the right to object to my processing or use of your personal information. But remember in some cases I am bound by law to process your data. Where I rely on your consent to process your personal data (for example, to share information with another professional), you have the right to withdraw that consent at any time. However, please remember that if you withdraw your consent, because of the nature of my services, I will not be able to continue supporting you. 

Right to a copy of your information and a chance to correct inaccuracies. 

You have the right to request a copy of any information about you that I may hold at any time to check whether it is accurate. To ask for that information, please contact me in the normal way. To protect the confidentiality of your information and the interests I will ask you to verify your identity before proceeding with any request for information. If you have authorised a third party to submit a request on your behalf, I will ask them to prove they have your permission to request such information. 

Right to be Forgotten 

You have the right to ask me to forget you from my records. I will uphold this right unless there is a legal obligation such as a contractual agreement or it is in my legitimate interest to keep your data. 

Right to be informed 

You have a right to be informed, to know what I am doing with your data and why. I promise to publish privacy notices wherever they may be required to clearly explain our reasons. 

Right to Restriction 

You have the right to ask me to stop processing your data for a number of difference reasons. For example, it might be because you think the data I hold about you is incorrect. Or maybe you think I am doing something wrong. Please contact me for further details. 

Your right of portability. 

If I hold information about you and you want me to ‘port’ it or send it to another organisation that does similar work to me or provides a similar service, you can ask me to do this. This service will be free of charge and I will endeavour to provide this service without undue delay. 

Data retention and how long I may keep information

Whenever I collect or process your personal data, I will only keep it for as long as is necessary for the purpose for which it was collected. For therapy clients, I retain personal information and clinical records for six years after our work ends, unless a longer period is required by law. For purchasers of online programmes or digital content, personal data and transaction records are retained for as long as necessary to fulfil contractual, accounting and legal obligations. Marketing subscription data is retained until you unsubscribe or request deletion. At the end of the relevant retention period, records are securely deleted or destroyed.

How to complain about our processing of your data 

If you feel that your data has been handled incorrectly, or you are unhappy with the way I have dealt with your query regarding the way I use your personal data, you have the right to complain to the Office of the Data Protection Authority (ODPA), Guernsey, which regulates data protection in the Bailiwick of Guernsey.

ODPA Guernsey: https://www.odpa.gg  |  Tel: +44 (0)1481 742074  |  Email: enquiries@odpa.gg

If you are based in the UK, you may also complain to the Information Commissioner’s Office (ICO): https://ico.org.uk/make-a-complaint/

If you would like to discuss any aspect of this policy or the way we process your information, please contact me; 

Email: admin@drpotterpsychology.co.uk

bottom of page