Data protection policy and processes

Data Protection information (Update 18th July re COVID)

We keep minimal possible information on our clients and colleagues.

  • Email software may store contact details and emails until deleted, this is basic correspondence to enable clinical service. We need this to arrange support.
  • Data is only shared for emergency support, in cases of extreme risk to public or personal safety, or if clinical data is needed for safe referral.
  • As a result of the COVID crisis we are keeping COVID consent forms in order to be able to ensure compliance with safety requirements, and in order to be able to cooperate with Government Track and Trace systems.
  • Initial assessment forms and other assessment forms will be kept in hard copy format in a locked filing cabinet. Clients may refuse to complete these but this may prevent service.
  • Assessment and other data is held in passworded email accounts with an extra level of access required via security application. All emails are encrypted by default (TLS).
  • All out of date or non essential data will be deleted (digital) and or shredded (hard copy). we use encryption built into Gmail, encrypted deletion, extra security password protection and a full software suite of firewall and security protection on all computer and smartphone equipment.
  • Virtual sessions are carried out with Google Meetings.  Zoom is used as a back up system only. Both have encryption compliance.
  • Our legal basis for holding data is: clinical care, regulatory requirement and insurance coverage requirements in case of a complaint.
  • At present regulator requirement for data holding is 8 years. Insurance requirement is less unless the person is of vulnerable mental state, in which case it is 5 years after that state ends.
  • You may withdraw consent to collect and store data at any time, but this may make provision of the service impossible because of the need to collect data for your treatment and safety.

Nominated person

Person responsible for data security is Stuart Morgan-Ayrs, Senior Partner

Age verification

Under adult age persons are not normally clients of our company, and then only if data is secured and signed by an adult and guardian.


Initial assessment forms set out how we handle and store data. Clients are informed as to use, handling and reason for that data. Clients are signposted to this resource in information files and emails.


The only information held (apart from correspondence with the client) about the client are the assessment forms, already seen by the client. Emergency data from crisis situations is stored digitally and is available within 30 day limit. it is stored in secured and encrypted manner (see above) for the clinical safety and care of the client. Thus the client has sight of all materials about them naturally. The held material can be retrieved within the 30 day limit. Complex data may take longer, up to the 3 months permitted by the ICO


You may complain to the ICO if you think we are not handling your data appropriately.

During the COVID crisis attendance data and contact data may be shared with Track and Trace if required for health and safety reasons.

Scotlandtherapy Partners are ISO registered. Initial assessment and agreement forms updated in line with revised standards 03.10.2017

Contact via the contact us page HERE