Privacy Policy

Privacy Notice – Moving Towards

 

I Ronda Embick, operating as Moving Towards , the data controller, collect and store the information needed to provide safe, private psychology services. I am registered with the Information Commissioner’s Office (ICO). I keep records securely, only share information when necessary or lawful, and you can ask to see, correct or delete the data I hold about you. Contact ronda@movingtowards.co.uk or 07345 127438 for any data queries. 

 

This notice explains in more detail how I collect, use, and protect your personal information when you work with me. If you would like this privacy notice in an Easy Read format, large print, or another accessible format please contact me.

 

Information I Collect

I collect information directly from you, and sometimes from referrers, family members, or insurance companies. This may include, but is not limited to:

  • Name, contact details, date of birth, emergency contact
  • Health information relevant to therapy (history, medication, presenting issues)
  • Session notes and correspondence
  • Payment and insurance details

Sensitive information (e.g. health details, religious beliefs, sexual orientation) may be recorded if relevant to your care.

This includes “special category data” under UK GDPR, processed under Article 9(2)(h) for the provision of health care.

 

Lawful Bases

 

You can always choose whether to give consent for optional activities (for example, non‑essential communications). For core therapy tasks (such as keeping clinical records, scheduling, or complying with safeguarding law) I rely on other lawful bases so that your care is not disrupted if consent is withdrawn.

 

I process your information under UK GDPR using:

  • Contract – to provide therapy services you have requested, including maintaining clinical records and managing appointments.
  • Legal obligation – to comply with tax law, safeguarding duties, and professional regulatory requirements.
  • Legitimate interests – to administer my practice efficiently (e.g., appointment confirmations and reminders, secure communications, audit logs) and ensure safe and effective service delivery. I assess necessity and balance this against your rights and freedoms. You have the right to object to processing based on legitimate interests at any time. Please tell me in session, by phone, or by email and I will update your preferences.
  • Vital interests – if urgent risks to health or safety require disclosure.
  • Consent – for optional purposes such as sharing information with family members or insurers when not legally required, or for non‑essential communications.

Sources of Information

  • Directly from you
  • With your consent: from family members/carers, healthcare professionals making referrals, or insurance companies (for referrals or invoicing)
  • Without consent, where required by law or in safeguarding situations: from local authorities, safeguarding organisations, or emergency services, if necessary to protect you or others from serious harm

Data Storage and Security

 

Your records are stored securely in encrypted systems. Access to clinical records is restricted to me and managed through secure log‑in via a system called Konfidens (UK‑based). I use IONOS (EU‑based) platform for my webpage, contact form, and email. Both of these meet recognised security standards. I do not keep paper records of your information.  Clinical records refer to therapy notes, assessments, formulations and correspondence.  I have a Data Processing Agreement with Konfidens and IONOS which sets out their obligations in relation to security, breach notification and assistance with data subject rights. A copy of these DPAs are available on request.

 

Breach Notification

I maintain security measures and an incident response plan to reduce the risk of personal data breaches. If a breach is likely to result in a high risk to individuals’ rights and freedoms, I will notify the Information Commissioner’s Office without undue delay and normally within 72 hours of becoming aware. I will inform affected clients where required and explain the nature of the breach, the likely consequences, the steps taken to reduce harm and what you can do to protect yourself. I will keep a record of all breaches and the actions taken. If you have questions about a breach, please contact me at ronda@movingtowards.co.uk or 07345 127438.

 

Online Sessions

 

Online sessions are conducted using Konfidens. Konfidens processes audio, video, chat messages and connection metadata as a data processor on my behalf. I have a written data processing agreement with Konfidens and have assessed its security and data‑storage practices. I do not record sessions unless we agree in advance. If recording is required, I will explain why, how the recording will be stored, and obtain your explicit consent. If you have concerns about using Konfidens, please tell me and we will discuss alternatives.

 

Retention

 

Record keeping and retention periods are set in line with HCPC/BPS guidance, recommendations and legal requirements.

  • Therapy records: 7 years after therapy ends or last contact
  • Safeguarding records: minimum 7 years (longer if required) after therapy ends or last contact
  • Financial/tax records: I retain financial and tax records for 6 years after the end of the tax year to support accounting and any potential HMRC enquiries.
  • I keep your contact details in your clinical record to support care and to verify identity for information requests.

Sharing

 

I only share information when necessary and lawful:

  • Data processors:
    • Konfidens – provides the client portal and practice management system, used to securely store therapy records, appointments, and payments.
    • IONOS – provides website hosting, email services, and website analytics.
    • I have written data processing agreements for both of these in place to protect your information.
  • Other healthcare professionals involved in your care
  • Insurance companies (for referrals or invoicing)
  • Professional advisors (e.g. supervisors, accountants)
  • HMRC, safeguarding authorities, or other organisations legally entitled to relevant information
  • Emergency services or local authorities if urgent risks are identified

I do not share your information for marketing or with unrelated third parties.

 

I carry out a Data Protection Impact Assessment for any new systems.

 

Automated Decisions

I do not use automated decision making or profiling to provide therapy or make clinical decisions. If this changes I will update this notice and explain the implications.

 

Subject Access Requests

You can request a copy of the personal information I hold about you by emailing ronda@movingtowards.co.uk or calling 07345 127438. I may ask for proof of identity before releasing information. I will acknowledge your request promptly and respond within one calendar month; in complex cases I may extend this by up to two further months and will tell you if I do so. I will provide a copy of the data I hold about you, an explanation of how it is processed, and details of any recipients where applicable. To help me process your request quickly, please include your full name, date of birth, contact details, and a description of the records you want. If you are requesting on someone else’s behalf, please include proof of your authority to act. I keep a record of Subject Access Requests, identity checks, consents and any decisions to redact or refuse, together with the legal basis for those decisions.

 

Deletion

You can ask me to delete your data; I will assess whether any legal or clinical reasons require retention (for example, safeguarding, HMRC, or ongoing complaints). If I cannot delete some or all data I will explain why and tell you how to request an internal review or complain to the ICO. If deletion is assessed to be appropriate to do so, I will contact Konfidens who will delete all copies of controller data and provide written certification that deletion has been completed within 20 business days of the cessation date. I will provide you with confirmation when deletion is completed and store a copy of this in the subject access requests log.
 

Refusal and Redaction 

In limited circumstances I may redact or withhold information (for example, where disclosure would identify another person, is subject to legal privilege, or the request is manifestly unfounded or excessive). I will only withhold what is necessary, will document the legal reason, and will explain to you which exemption I relied on and why. You may ask for an internal review or complain to the ICO if you disagree with the decision.

 

Supervision

As part of good professional practice, I access supervision to support safe and effective therapy. When I discuss my work in supervision, I take care to anonymise or limit identifying details wherever possible. Supervisors are bound by the same professional and confidentiality standards.

 

In the unlikely event that I am unable to continue practising due to illness, incapacity, or death, Konfidens provides a professional will feature. This allows my nominated supervisor limited access to your contact details (name, email, and phone number) solely for the purpose of informing you and supporting continuity of care. Supervisors do not have access to clinical records and are bound by the same professional and confidentiality standards. This arrangement is considered good practice within psychology. 

 

Confidentiality

I am bound by a professional duty of confidentiality. Information you share in therapy is private and will only be disclosed with your consent, or when required by law or to protect you or others from serious harm.

 

I do not currently provide services to clients under 18. If I do in future I will obtain appropriate parental or guardian consent where required and update this notice with the safeguards and consent arrangements I will use.

 

Cookies

My website uses cookies to improve functionality and understand how visitors use the site.

  • Essential cookies are required for the site and client portal to function securely.
  • Analytics cookies (IONOS WebAnalytics) collect information such as pages visited, referrer, browser type, and time spent on the site. These cookies help me understand how my website is used and improve its performance.

Analytics cookies are only set if you give consent through the cookie banner. You can withdraw consent at any time by adjusting your browser settings or cookie preferences.

 

International Data Transfers

  • Konfidens UK based, data stored in the UK
  • IONOS: Germany based, data stored in the EU. The UK recognises the EU/EEA as providing adequate protection.

Your Rights

You have rights under UK data protection law, including:

  • Access, correction, deletion
  • Restriction or objection to processing
  • Data portability
  • Withdrawal of consent (where consent is the lawful basis)
  • To lodge a complaint with the Information Commissioner’s Office (contact details below)

Complaints

If you have any concerns about our use of your personal data, you can make a complaint to me using the contact details below:

  • Telephone: 07345 127438
  • Email: ronda@movingtowards.co.uk

If you remain unhappy with how I've used your data after raising a complaint with me, you can also complain to the ICO:

 

Information Commissioner’s Office 
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

 

Helpline number: 0303 123 1113
Website: https://www.ico.org.uk/make-a-complaint

 

Last updated 01.12.2025 · Version 1.0.

This notice and my data arrangements are reviewed at least annually and updated when processes or processors change. The latest version will always be available on my website.

 

We need your consent to load the translations

We use a third-party service to translate the website content that may collect data about your activity. Please review the details in the privacy policy and accept the service to view the translations.