Data protection policy and processes

Data Protection information (Update 27.04.2023)

We keep the minimum possible information on our clients and colleagues. Since the pandemic (COVID) our systems have radically changed to digital, because COVID hygiene rules meant going “paper-free”. Increased data protection legislation has also meant an increased emphasis on only keeping information for as long as needed, and justifying that need. This also means ONLY keeping the information that is needed on a client, and securely deleting other information such as basic contracting information.

Scotlandtherapy Partners is a registered sole trader partnership, and in 2023 a second related but separate entity will be formed and registered for non-clinical training and psycho-education. The same strict policies will be applied to both. We will take advice from the ICO on whether the new company will need separate registration. Scotlandtherapy is ICO registered.

  1. Email software may store contact details and emails until deleted; this is basic correspondence to enable clinical service. We need this to arrange support.
  2. Data is only shared for emergency support, in cases of extreme risk to public or personal safety, or if clinical data is needed for safe referral. This is guided by Safeguarding Policies and legal requirements.
  3. As a result of the COVID crisis we are keeping COVID consent forms in order to be able to ensure compliance with safety requirements, and in order to be able to cooperate with Government Track and Trace systems.
  4. Initial assessment forms and other assessment forms will be kept in hard copy format in a locked filing cabinet. Clients may refuse to complete these but this may prevent service. As of April 2023 we have now securely shredded the majority of hard copy contracting forms, since for several years new clients have been using digital forms instead. The handful of existing hard copies that need to be kept will be digitized or replaced with new forms during 2023 and then also shredded. For the last decade ongoing notes have been stored securely and digitally and these are kept longer (see paragraph 9).
  5. Assessment and other data is held in password-protected email accounts with an extra level of access required via a security application. All emails are encrypted by default (TLS). Some data and ongoing safety notes are held in the Powerdiary clinic system, which is ISO 27001 compliant for Healthcare Data security (2023).
  6. All out of date or non-essential data will be deleted (digital) and/or shredded (hard copy). We use encryption built into Gmail, encrypted deletion, extra security password protection and a full software suite of firewall and security protection on all computer and smartphone equipment.
  7. Virtual sessions are carried out with Doxy, a specialised healthcare platform with added security and encryption. Google meetings is used as a backup system only. Both have encryption compliance. As of April 2023 we are considering using Powerdiary virtual meetings once they have completed Beta testing, as part of their ISO 27001 compliant system.
  8. Our legal basis for holding data is: clinical care, regulatory requirement and insurance coverage requirements in case of a complaint.
  9. At present the CNHC regulator's requirement for data holding is 8 years. The insurance requirement is less unless the person is of vulnerable mental state, in which case it is 5 years after that state ends. (Contracting forms are not required as such; this is about client clinical data or “notes”. Non-essential data is securely deleted / shredded and only the required data is kept.)
  10. You may withdraw consent to collect and store data at any time, but this may make provision of the service impossible because of the need to collect data for your treatment and safety.

Nominated person

The person responsible for data security is Stuart Morgan-Ayrs, Senior Partner. Stuart is also the lead Safeguarding Officer with responsibility for safeguarding information sharing decisions.

Age verification

Persons under adult age are not normally clients of our company, and then only if data is secured and signed by an adult and guardian.


Initial assessment forms set out how we handle and store data. Clients are informed of the use, handling and reason for that data. Clients are signposted to this resource in information files and emails.


The only information held about the client (apart from correspondence with the client) is the assessment forms, already seen by the client. Emergency data from crisis situations is stored digitally and is available within the 30 day limit. It is stored in a secured and encrypted manner (see above) for the clinical safety and care of the client. Thus the client naturally has sight of all materials about them. The held material can be retrieved within the 30 day limit. Complex data may take longer, up to the 3 months permitted by the ICO.


You may complain to the ICO if you think we are not handling your data appropriately.

During the COVID crisis attendance data and contact data may be shared with Track and Trace if required for health and safety reasons.

Scotlandtherapy Partners are ISO registered.

Contact via the contact us page HERE