Privacy Policy

The Edinburgh Practice is committed to the protection of client data. We are registered with the ICO and all handling of client’s personal data is done so in line with the terms of the General Data Protection Regulation, known as GDPR. This recently revised Privacy Policy aims to give you more information on the data we hold on you, what we do with that data, whom we share your data with and your rights under GDPR.

The Edinburgh Practice uses the information we collect in accordance with all laws concerning the protection of personal data, including the Data Protection Act 1998 and the GDPR 2018. As per these laws, The Edinburgh Practice is the data controller; if another party has access to your data, we will tell you if they are acting as a data controller or a data processor, who they are, what they are doing with your data and why we need to provide them with the information.


The Edinburgh Practice needs to gather and use certain information about clients and prospective clients in line with the information contained in our referral forms. This policy describes how this personal data is collected, handled and stored to meet the company’s data protection standards – and to comply with the law.

What data we gather

We may collect the following information to enable us to work with you safely and effectively, and to enable the efficient dissemination of appointment reminders and invoicing:

  • Name and address (postal and email)
  • Date of birth
  • Phone number
  • Email correspondence
  • GP details
  • Details of private health insurance policies (where relevant)
  • Bank details

During the course of initial contact and then subsequent treatment and therapy, we will inevitably also collect a significant amount of other personal data relevant to assessing and treating your presenting psychological and psychiatric difficulties. This is to enable us to offer you the service you have sought from us.

How we use this data

Collecting this data helps us:

  • Contact you to set up assessment and therapy appointments
  • Link you up with an appropriate clinician
  • Conduct a thorough psychological or psychiatric assessment
  • Devise and implement an effective treatment plan (therapy)
  • Invoice for the services rendered
  • Communicate (when necessary and agreed with you) with relevant third parties to support your treatment and manage risks

Controlling information about you

Any personal information we hold about you is stored and processed under our data protection policy, in line with The Data Protection Act 1998 (in force on the date this statement became operational) and the General Data Protection Regulation (Regulation (EU) 2016/679) adopted on 27th April 2016 and enforceable from the 25th May 2018.

Your data will be kept for the lifetime of your status as a client with us. When you cease to be a client with us, your data will be kept for a minimum period of seven years, and a maximum period of ten years in accordance with General Medical Council guidelines. If you are a child, your data will be retained until 7 years after your 18th birthday.

You have the right to ask for your data to be deleted but The Edinburgh Practice does not have to comply with this request if there is a legitimate reason for continuing to retain this data, for example possible future legal requests.

The Edinburgh Practice has the right to retain your data for the minimum seven-year period so that it can respond effectively to any questions or complaints that may later be raised by you and/or your representatives. This is in line with best practice guidance.

The Edinburgh Practice keep electronic invoices for seven years as this is the required length to comply with HMRC requirements. After seven years we delete the invoices. Our accountant is based in the UK and all their computer systems are in the UK.


We will always hold your information securely:

  • All client files and therapy notes are uploaded and kept securely in our practice management software systems.
  • Access to your personal information is restricted on a ‘need-to-know’ basis only i.e. for those concerned directly with your care and with your account. A non-disclosure agreement is in place with our accountants who have access to The Clarify Group Ltd
  • Bank Statements and therefore bank account details and personally identifiable information.
  • Data is backed up daily
  • We use personal computers that are located on our business premises. The computers are password protected and the hard drives are encrypted. Passwords are changed every 90 days and it is company policy that passwords are not shared.
  • To prevent unauthorised disclosure or access to your information, we have implemented strong physical and electronic security safeguards. In the unlikely event of a data protection breach we will notify the Information Commissioner’s Office (ICO) so that their procedures can be followed. We will also notify all individuals whose data may have been accessed to alert them to the breach and any potential risks.

Data accuracy

Should, during the course of your contact with us, any personal data be subject to change for example if you move, change GP practice, change your name, we would be grateful if you could notify us at the earliest opportunity so we can ensure our records are up to date.

Please contact our Data Protection Officer, Dr Fiona Wilson, if you wish to update the accuracy of the personal data we hold about you. We may require additional verification that you are who you say you are to process this request. If you wish to have your information corrected, you must provide us with the correct data and after we have corrected the data in our systems we will send you a copy of the updated information.

Subject access requests

All individuals who are the subject of personal data held by The Edinburgh Practice are entitled to:

  • Ask what information the company holds about them and why.
  • Ask how to gain access to it.
  • Be informed of how to keep their data up to date.
  • Be informed of how the company is meeting its data protection obligations.

If you would like to request a copy of the data we hold about you, this is called a subject access request. Subject access requests should be made in writing or email to the Data Protection Lead, Dr Fiona Wilson. We will aim to provide the relevant data within 30 days. We will always verify the identity of anyone making a subject access request before handing over any information. We may withhold such personal information to the extent permitted by law. In practice, this means that we may not provide information if we consider that providing the information will violate your vital interests.

Disclosing data for other reasons

In certain circumstances the Data Protection Act allows The Edinburgh Practice to disclose data (including sensitive data) without the data subject’s consent.

These circumstances include:

  • Carrying out a legal duty
  • Protecting vital interests (for example safety) of a Data Subject or other person
  • If the data subject has already made the information public
  • Conducting any legal proceedings, obtaining legal advice or defending any legal rights
  • Providing a confidential service where the data subject’s consent cannot be obtained or where it is reasonable to proceed without consent: e.g. where we would wish to avoid forcing stressed or ill data subjects to provide consent signatures.

Under these circumstances, The Edinburgh Practice will disclose relevant data. However, we will take all reasonable steps to notify the individual whose data is being disclosed about the disclosure. We will also ensure that any such data request is legitimate, reasonable and necessary.

Risk Issues

Anything discussed during a consultation is strictly confidential and will not be passed on to third parties without the explicit permission of the client. Please note that due to the nature of psychological and psychiatric assessment, therapy, and treatment, there are two exceptions to this rule: (1) under the professional’s Duty of Care we are obliged to contact the relevant services if we believe that the client is an immediate danger of harming themselves or others (the clinician will aim to inform the client of this prior to the disclosure); (2) mental health professionals are required by their accrediting bodies to undertake regular professional supervision. This involves the discussion of the professional’s caseload with a supervisor and ensures standards and best practice are being met.

Receiving communications from The Edinburgh Practice

The Edinburgh Practice will not send you any marketing emails. We will only contact you for administrative or clinical reasons relating to the care which you are receiving or have received at the practice.

When submitting your completed referral form to access our services, you will be asked on the form to indicate your preference for contact which will be duly noted and you have the opportunity when completing this form to opt in to receive appointment reminders via email.

Inbound related Correspondence

The Edinburgh Practice has a strict policy of maintaining confidentiality for all inbound information received via email, telephone or writing from third parties. Communication between The Edinburgh Practice employees or self-employed clinicians to third parties is held in accordance with GDPR guidelines. More information on how we hold this information can be found here.

For Further Information

If your questions are not fully answered by this policy, please contact our Data Protection Officer (Dr Fiona Wilson). If you are not satisfied with the answers from the Data Protection Officer, you can contact the Information Commissioner’s Office (ICO)

This statement is updated annually and was last updated on the 6th of December 2021.

If you have any questions about this policy, please email