1. Who I am and how to contact me
I am John Barber, a UKCP-registered psychotherapist. I am the data controller for the personal information I collect and hold in connection with my practice.
Contact: contact@johnbarber.org
ICO Registration Number: ZC139528
2. What this notice covers
This privacy notice explains what personal information I collect, why I collect it, how I use and protect it, and what your rights are. It applies to anyone who contacts me, enquires about therapy, or works with me as a client.
I am committed to handling your information with care, discretion, and in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
3. What personal information I collect
I may collect and hold the following information:
Your name, email address, and telephone number
Emergency contact details
Relevant background information you share with me, including personal, relational, and medical history
Clinical records made in the course of our work together, including session notes, attendance records, and correspondence
Payment and invoicing records (I do not store card or bank details)
The information I hold about you will be limited to what is necessary for the safe and effective provision of psychotherapy services.
4. Why I collect this information and my lawful basis for doing so
Under UK GDPR, I must have a lawful basis for processing your personal data. Because psychotherapy involves health information, I must also meet an additional condition for processing special category data.
I process your personal information for the following purposes:
To provide psychotherapy services to you
To maintain appropriate clinical records as part of safe and ethical professional practice
To communicate with you regarding appointments and enquiries
To meet my professional, legal, and regulatory responsibilities
To maintain financial and accounting records where required
The lawful bases I rely on are:
Performance of a contract — our therapeutic agreement
Legitimate interests — maintaining appropriate professional records and administering my practice
Compliance with a legal obligation — where applicable, including financial and tax record-keeping requirements
Provision of health care — for special category (health) data under Article 9(2)(h) UK GDPR and Schedule 1, Part 1 of the Data Protection Act 2018
5. How long I keep your information
Clinical records are generally retained for seven years after the end of therapy, in line with professional guidance and insurance requirements.
Where a client was under 18 at any point during therapy, records may be retained until the client’s 25th birthday, or for seven years after the end of therapy, whichever is longer.
Financial records may be retained for longer where required for tax, accounting, or legal purposes.
After the applicable retention period has passed, paper records are securely shredded and digital records are permanently deleted.
6. How I store and protect your information
Your personal information is held securely and is accessible only to me. I take reasonable technical and organisational steps to protect the confidentiality and security of your information, including the following:
Paper notes and records are stored in a locked and secure location
Digital records are stored using Google Drive, provided by Google LLC
Access to digital records and accounts is protected by strong, unique passwords
Devices used to access client information are password protected
Video therapy sessions are conducted via a secure platform
Google LLC may process data outside the UK. Google states that it uses appropriate safeguards for international data transfers in accordance with UK GDPR requirements.
Please be aware that standard email is not generally considered a fully secure form of communication. While I take reasonable steps to protect personal information sent electronically, email should not be regarded as completely secure.
7. Who I share your information with
Your information is treated as strictly confidential. I do not share your personal data with third parties except in the following circumstances:
Clinical supervision — As required by UKCP, I discuss my clinical work with a qualified supervisor. Identifying details are minimised wherever possible, and my supervisor is bound by professional confidentiality obligations.
Risk of serious harm — If I believe there is a serious risk to your safety or the safety of another person, I may need to share information with appropriate services or professionals. Wherever possible, I would aim to discuss this with you first.
Legal requirement — If I am required to disclose information by a court order or other legal obligation.
Safeguarding — If information comes to light suggesting a risk to a child or vulnerable adult, I may need to share information with appropriate safeguarding authorities.
Health insurers — If therapy is funded through a health insurer (such as AXA Health or Aviva), limited information may need to be shared for billing or authorisation purposes.
Other health professionals — Information would only be shared with your GP or other professionals with your explicit consent, except in exceptional circumstances relating to serious risk or safeguarding.
I will never sell, rent, or share your personal data for marketing or commercial purposes.
8. Your rights
Under UK GDPR you have the following rights in relation to the personal data I hold about you:
Right of access — you can request a copy of the information I hold about you
Right to rectification — you can ask me to correct inaccurate information
Right to erasure — you can request deletion of your data, subject to my professional and legal record-keeping obligations
Right to restriction — you can ask me to restrict how I use your data in certain circumstances
Right to object — you can object to certain types of processing
Right to data portability — where applicable, you can request your data in a portable format
Some of these rights are subject to legal and professional exemptions. For example, I may be required to retain certain records even if you request their deletion.
To exercise any of these rights, please contact me at johnbarbertherapy@gmail.com. I will normally respond within one calendar month.
9. Confidentiality and its limits
Confidentiality is a central part of psychotherapy, and I take appropriate steps to protect the privacy of our work together.
However, there are a small number of circumstances in which confidentiality may need to be broken, including:
If I believe you or another person is at serious risk of harm
If disclosure is required by a court of law
If safeguarding concerns arise relating to a child or vulnerable adult
Where appropriate and safe to do so, I would usually aim to discuss this with you before sharing information.
10. This website and cookies
This website is hosted by Squarespace. Squarespace may use cookies and collect limited technical information — such as IP address, browser type, and pages visited — for website functionality, security, and basic analytics.
Any information collected through the operation of the website is subject to Squarespace’s own privacy practices. Their privacy policy can be found at Squarespace Privacy Policy.
I do not use additional advertising or marketing tracking tools on this website.
11. Data breaches
I take reasonable steps to reduce the risk of unauthorised access, loss, or misuse of personal information.
In the unlikely event of a personal data breach that is likely to result in a risk to your rights and freedoms, I will comply with my obligations under UK GDPR, including notifying the Information Commissioner’s Office (ICO) where required.
12. Complaints
If you have concerns about how I handle your personal information, please contact me in the first instance at johnbarbertherapy@gmail.com.
If you remain dissatisfied, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO).
Telephone: 0303 123 1113 Post: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
13. Changes to this notice
I may update this privacy notice from time to time, for example if my practice changes or if there are changes in relevant law or guidance.
The most current version will always be available on this website.
Last updated: 12 May 2026
Privacy Notice