Privacy Policy
Dr Rhona Howitt Psychology, trading as Attuned Therapy London Limited, respects your privacy and is committed to protecting your personal data.
This policy explains how your personal information is collected, used, stored, and protected in accordance with the General Data Protection Regulation (GDPR) (EU) 2016/679 and the subsequent UK Data Protection Bill, May 2018.
Dr Howitt is registered with the Information Commissioner’s Office (ICO) and acts as the Data Controller, meaning she is legally responsible for ensuring that your data is processed lawfully, fairly, and securely.
If you have any questions about this policy, please contact Dr Howitt. If you are not satisfied with the response, you have the right to contact the Information Commissioner’s Office (ICO).
What Information Is Collected?
The following categories of personal data may be processed:
Personal data
Name, address, and date of birth
Email address and telephone number
GP contact details
Next of kin name and contact details
Special category (sensitive) data
Signed therapy or service agreements
Clinical records, including therapy notes, correspondence, reports, and outcome measures
Special category health data is processed in accordance with Article 9(2)(h) UK GDPR, for the purpose of providing health and psychological care.
Website enquiries
If you contact Dr Howitt via a website form, the personal information you provide and your IP address will be collected. This information is automatically supplied by the Squarespace platform. All web services used by Dr Howitt are GDPR compliant.
Insurance referrals
If therapy is funded by a health insurance provider, personal data supplied by that organisation may be processed, including referral details, policy number, and authorisation for psychological treatment.
Why Is Your Data Collected?
Dr Howitt has a legitimate interest in collecting and using your personal data. This is necessary in order to:
Provide psychological therapy, consultancy, and supervision services
Communicate with you and manage appointments
Process payments and meet legal, regulatory, and professional obligations
Your information is never sold and is not shared without your consent, except where there is a legal or professional duty to do so.
How Is Your Data Used?
Your personal data is used only for the purposes of providing appropriate psychological services and managing the practice. Where essential personal information is not provided, it may not be possible to offer treatment or related services.
How Long Is Your Data Kept?
Basic contact information held on mobile devices is deleted at the end of therapy.
Clinical records are retained for 7 years after the end of therapy, in line with BPS and HCPC guidance.
Financial and transaction records are retained for 7 years to meet HMRC requirements.
After the relevant retention period, data is securely deleted. In some circumstances, anonymised data may be retained indefinitely for research or statistical purposes, as it can no longer be linked to you.
Who Might Your Information Be Shared With?
Your information is held in confidence and is not routinely shared. Exceptions include:
Health insurance providers: appointment schedules and treatment updates required for billing and authorisation
Referrers (such as a GP or psychiatrist): reports and brief treatment progress updates, where appropriate
Legal services: where therapy has been instructed by a solicitor and with your written consent
In exceptional circumstances, information may be shared without consent where:
There is a serious risk of harm to you or others
Disclosure is required by law or court order
There are safeguarding concerns
Any decision to disclose information is carefully considered, proportionate, and recorded in clinical records, including the rationale for disclosure. Where possible, disclosures will be discussed with you unless this would increase risk.
Your personal information is never shared for marketing purposes.
How Is Your Data Stored?
Your data is stored securely using GDPR-compliant systems, including encrypted cloud storage, secure email, and password-protected devices. Software used to support the practice (including OneDrive, Xero, Zoom, and Egress) is GDPR compliant.
Paper records are stored in locked filing systems and securely shredded when no longer required. All computing devices are protected with up-to-date antivirus and anti-malware software.
Your Rights Under Data Protection Law
You have the right to:
Access your personal data
Request correction of inaccurate information
Make a Subject Access Request (SAR)
SARs are normally responded to within 30 days. A fee will not normally be charged, unless a request is manifestly unfounded or excessive, as permitted by law. Identity verification may be required.
In some circumstances, access to information may be restricted where disclosure could cause serious harm or would not be in your vital interests.
Clinical records cannot usually be deleted on request, as Dr Howitt is required to retain them to meet legal, regulatory, and professional obligations in accordance with BPS and HCPC guidance.
If you believe your data is being handled unlawfully, you have the right to complain to the Information Commissioner’s Office (ICO).
Professional Guidance Referenced
British Psychological Society (2013). Electronic Records Guidance
British Psychological Society (2017). Practice Guidelines
Health and Care Professions Council (2017). Confidentiality: Guidance for Registrants