1. Who I am and how to contact me

I am John Barber, a UKCP-registered psychotherapist. I am the data controller for the personal information I collect and hold in connection with my practice.

Contact: contact@johnbarber.org

ICO Registration Number: ZC139528

2. What this notice covers

This privacy notice explains what personal information I collect, why I collect it, how I use and protect it, and what your rights are. It applies to anyone who contacts me, enquires about therapy, or works with me as a client.

I am committed to handling your information with care, discretion, and in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

3. What personal information I collect

I may collect and hold the following information:

  • Your name, email address, and telephone number

  • Emergency contact details

  • Relevant background information you share with me, including personal, relational, and medical history

  • Clinical records made in the course of our work together, including session notes, attendance records, and correspondence

  • Payment and invoicing records (I do not store card or bank details)

The information I hold about you will be limited to what is necessary for the safe and effective provision of psychotherapy services.

4. Why I collect this information and my lawful basis for doing so

Under UK GDPR, I must have a lawful basis for processing your personal data. Because psychotherapy involves health information, I must also meet an additional condition for processing special category data.

I process your personal information for the following purposes:

  • To provide psychotherapy services to you

  • To maintain appropriate clinical records as part of safe and ethical professional practice

  • To communicate with you regarding appointments and enquiries

  • To meet my professional, legal, and regulatory responsibilities

  • To maintain financial and accounting records where required

The lawful bases I rely on are:

  • Performance of a contract — our therapeutic agreement

  • Legitimate interests — maintaining appropriate professional records and administering my practice

  • Compliance with a legal obligation — where applicable, including financial and tax record-keeping requirements

  • Provision of health care — for special category (health) data under Article 9(2)(h) UK GDPR and Schedule 1, Part 1 of the Data Protection Act 2018

5. How long I keep your information

Clinical records are generally retained for seven years after the end of therapy, in line with professional guidance and insurance requirements.

Where a client was under 18 at any point during therapy, records may be retained until the client’s 25th birthday, or for seven years after the end of therapy, whichever is longer.

Financial records may be retained for longer where required for tax, accounting, or legal purposes.

After the applicable retention period has passed, paper records are securely shredded and digital records are permanently deleted.

6. How I store and protect your information

Your personal information is held securely and is accessible only to me. I take reasonable technical and organisational steps to protect the confidentiality and security of your information, including the following:

  • Paper notes and records are stored in a locked and secure location

  • Digital records are stored using Google Drive, provided by Google LLC

  • Access to digital records and accounts is protected by strong, unique passwords

  • Devices used to access client information are password protected

  • Video therapy sessions are conducted via a secure platform

Google LLC may process data outside the UK. Google states that it uses appropriate safeguards for international data transfers in accordance with UK GDPR requirements.

Please be aware that standard email is not generally considered a fully secure form of communication. While I take reasonable steps to protect personal information sent electronically, email should not be regarded as completely secure.

7. Who I share your information with

Your information is treated as strictly confidential. I do not share your personal data with third parties except in the following circumstances:

  • Clinical supervision — As required by UKCP, I discuss my clinical work with a qualified supervisor. Identifying details are minimised wherever possible, and my supervisor is bound by professional confidentiality obligations.

  • Risk of serious harm — If I believe there is a serious risk to your safety or the safety of another person, I may need to share information with appropriate services or professionals. Wherever possible, I would aim to discuss this with you first.

  • Legal requirement — If I am required to disclose information by a court order or other legal obligation.

  • Safeguarding — If information comes to light suggesting a risk to a child or vulnerable adult, I may need to share information with appropriate safeguarding authorities.

  • Health insurers — If therapy is funded through a health insurer (such as AXA Health or Aviva), limited information may need to be shared for billing or authorisation purposes.

  • Other health professionals — Information would only be shared with your GP or other professionals with your explicit consent, except in exceptional circumstances relating to serious risk or safeguarding.

I will never sell, rent, or share your personal data for marketing or commercial purposes.

8. Your rights

Under UK GDPR you have the following rights in relation to the personal data I hold about you:

  • Right of access — you can request a copy of the information I hold about you

  • Right to rectification — you can ask me to correct inaccurate information

  • Right to erasure — you can request deletion of your data, subject to my professional and legal record-keeping obligations

  • Right to restriction — you can ask me to restrict how I use your data in certain circumstances

  • Right to object — you can object to certain types of processing

  • Right to data portability — where applicable, you can request your data in a portable format

Some of these rights are subject to legal and professional exemptions. For example, I may be required to retain certain records even if you request their deletion.

To exercise any of these rights, please contact me at johnbarbertherapy@gmail.com. I will normally respond within one calendar month.

9. Confidentiality and its limits

Confidentiality is a central part of psychotherapy, and I take appropriate steps to protect the privacy of our work together.

However, there are a small number of circumstances in which confidentiality may need to be broken, including:

  • If I believe you or another person is at serious risk of harm

  • If disclosure is required by a court of law

  • If safeguarding concerns arise relating to a child or vulnerable adult

Where appropriate and safe to do so, I would usually aim to discuss this with you before sharing information.

10. This website and cookies

This website is hosted by Squarespace. Squarespace may use cookies and collect limited technical information — such as IP address, browser type, and pages visited — for website functionality, security, and basic analytics.

Any information collected through the operation of the website is subject to Squarespace’s own privacy practices. Their privacy policy can be found at Squarespace Privacy Policy.

I do not use additional advertising or marketing tracking tools on this website.

11. Data breaches

I take reasonable steps to reduce the risk of unauthorised access, loss, or misuse of personal information.

In the unlikely event of a personal data breach that is likely to result in a risk to your rights and freedoms, I will comply with my obligations under UK GDPR, including notifying the Information Commissioner’s Office (ICO) where required.

12. Complaints

If you have concerns about how I handle your personal information, please contact me in the first instance at johnbarbertherapy@gmail.com.

If you remain dissatisfied, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO).

Telephone: 0303 123 1113

Post: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF

13. Changes to this notice

I may update this privacy notice from time to time, for example if my practice changes or if there are changes in relevant law or guidance.

The most current version will always be available on this website.

Last updated: 12 May 2026

Privacy Notice
