top of page

Privacy Policy

This privacy policy explains how I use the personal information I collect about you as a psychological therapy client. I promise to keep any data you share with me during our sessions safe and secure. I promise not to share it with anyone unless I have a professional or legal obligation. 

​Why do I collect information about you?

There are a number of lawful reasons that I use (or 'process') your personal information. One of the lawful reasons is called 'legitimate interests'.

Broadly speaking Legitimate Interests means that I can process your personal information if I have a genuine and legitimate reason and I am not harming any of your rights and interests.

So, what does this mean?  When you provide your personal details I use your information for our legitimate business interests. Before doing this, though, I will also carefully consider and balance any potential impact on you and your rights. You have important rights detailed in UK GDPR and Data Protection Act 2018.

​What personal information do I collect?

To make sure that you are assessed and/or treated safely, I will record your personal information, such as your name, address, as well as notes about your appointments, results of assessments and letters relating to your therapy.

In addition to the personal information above, I may also collect sensitive information regarding:

  • Medical conditions (if relevant)

  • Prescribed medication

  • Psychological history and current difficulties

  • Sexuality

  • Offences (including alleged offences)

  • Financial information, including bank account details (if you are a private patient/client)

How do I store the information about you?

Under UK Data protection law,  which includes the UK GDPR, I would be “Data Controller” which means I am responsible for taking measures to ensure your data is safe and for policies on such things as how long data is kept for and who if any, I might share it with. I am therefore legally required to take reasonable steps to protect any individual identifying information that you provide.  Once I receive this information, I will make best efforts to ensure its saved safely and securely.

All personal information provided is stored in compliance with EU General Data Protection Regulations (GDPR) rules. 

How long do I  keep your information for?

We will retain your information as set out in the NHS Code of Practice for Records Management (Records Management Code of Practice for Health and Social Care 2016).

Who do I share your personal information with?

Your information is kept confidential at all times and is not shared elsewhere unless in specific circumstances which are outlined below.

I may also use your data, typically in an emergency, where this is necessary to protect your life, or someone else’s life. In a small number of cases where other lawful bases do not apply, I will process your data on this basis and in your best interest.

I do not discuss your personal information with third parties, except for the purposes of supervision. However, if my professional opinion was that there was an immediate and serious risk that you might harm yourself or someone else then I may have to share your personal information with a third party such as your GP or the emergency services without first obtaining your consent. This might be because it is not practically possible to obtain your consent or because attempting to do so might lead to a delay in accessing help and therefore endanger your life or that of another.

In situations where I did have to share your personal information with third parties to protect you or another, I will only share your personal information in so far as it is relevant and necessary to protect you or someone else. I will inform you what personal information I shared and to whom.

By contacting Dr Jo Middleton by email you can also get more details on:

  • agreements we have with other organisations for sharing information;

  • circumstances where we can pass on personal data without consent, for example, to prevent and detect crime and to produce anonymised statistics; and

  • how we check that the information we hold is accurate and up to date.

In many circumstances we will not disclose personal data without consent.

Your information may be shared with outside organisations if they are directly involved in your care/case, for instance, your insurer if they are funding your treatment, your GP, or others involved in your care.  We will discuss with you who we would discuss your care with, and what details we would share with them.


In many circumstances we will not disclose personal data without consent.  However, when we investigate a complaint we may need to share personal information with other relevant bodies.  If we do need to share your information, we will always try and ask for your permission for this.  We may not be able to ask your permission under special circumstances where we are legally required to do so.

How you can access your information and correct it, if necessary?

We try to be as open as we can be in terms of giving people access to their personal information. Individuals can find out if we hold any personal information by making a ‘subject access request’ or ‘Right of Access’ under the Data Protection Act and the General Data Protection Regulation.  We will then supply to you:

  • A description of all data we hold about you

  • Inform you how it was obtained (if not supplied by you)

  • Inform you why, what purposes, we are holding it

  • What categories of personal data is concerned

  • Inform you who it could be disclosed to

  • Inform you of the retention periods of the data

  • Inform you around any automated decision making including profiling

  • Let you have a copy of the information in an intelligible electronic form unless otherwise requested.

To make a request for any personal information we may hold you need to put the request in writing.  We want to make sure that your personal information is accurate and up to date.  You may ask us to correct or remove information you think is inaccurate.

Your rights

You have rights around your personal data and how we handle it. If at any point you believe the information we process on you is incorrect and you want it corrected, you request to see this information, you request the data to be transferred, you object to our processing your Personal Information, or you request to have it deleted, then please contact the Data Protection Officer.

Complaints or queries

I do my best to meet the highest standards when collecting and using personal information. For this reason, I take any complaints very seriously. I encourage people to bring it to my attention if they think that our collection or use of information is unfair, misleading or inappropriate. We would also welcome any suggestions for improving our procedures. If you do have a complaint, contact the Data Protection Officer who will investigate the matter on your behalf.

If you are not satisfied with the response from us or believe we are not processing your personal data in accordance with the law you have the right to raise your complaint with the Information Commissioner’s Office (ICO).

Contact information ICO:
Telephone: +44 (0) 303 123 1113

Changes to this privacy notice

We keep our privacy notice under regular review and we will place any updates on this web page. This privacy notice was last updated on 22.05.2018.

How to contact me

Dr Jo Middleton is the clinician that you are supplying your personal information to and can be contacted by email:


To enquire about appointments or for further information please contact me

Your Privacy : Text
bottom of page