Dr Sarah Densham
Clinical Psychologist
Privacy Notice – Your data: Your rights.
Dr Sarah Densham, Clinical Psychologist
Last updated: 3rd November 2025
Introduction
Dr Sarah Densham (the “site”, “I”, “your psychologist” “we” “the Service”) takes the privacy of your personal data seriously. This Privacy Notice is based on the UK General Data Protection Regulations (GDPR) and the Data (Use and Access) Act (June 2025). Under UK data protection law which includes the UK GDPR, Dr Sarah Densham would be a “data controller” which means that she is responsible for taking measures to ensure your data is safe and for making decisions related to your data, such as how long data is kept and whether, and with whom, it may be shared.
This Notice aims to explain the kinds of data Dr Sarah Densham may collect about you and that are necessary for your psychologist to work effectively with you. It also explains how this data is handled and stored.
For purposes of this Privacy Notice, "you" and "your" means you as the user of the services, whether you are a client, website visitor, or another individual whose information we have collected pursuant to this Privacy Notice.
A glossary of key terms is provided at the end of this document for your reference (see appendix A). If you have any questions about this Privacy Notice, including any requests to exercise your legal rights, please contact Dr Sarah Densham: drsarahdensham@proton.me.
I will keep any information you share with me during our sessions safe and confidential. I will not share your information with anyone else unless I have a professional or legal obligation. I process information about everyone who accesses or enquires about this service in accordance with UK data protection law.
Please read this Privacy Notice carefully.
1. Changes to This Privacy Notice
This Privacy Notice may be updated from time to time, including to reflect changes to practice or for other operational, legal, or regulatory reasons. The revised Privacy Notice will be posted on the Site, the "Last updated" date will be updated, and any other steps required by applicable law will be taken. You are welcome to come back and check this notice at any time or contact me by any of the means shown below.
2. Accountability Statement
The Accountability Principle as detailed in the GDPR Article 5(2) means Dr Sarah Densham must be able to demonstrate responsibility for processing personal data in line with the UK GDPR.
• Dr Sarah Densham is the ‘accountable person’ for processing activities and is registered as the Data Controller with the Information Commissioner’s Office (ICO), the UK’s independent body that oversees data rights and privacy. The Service ICO reference number is: ZB947180
• Dr Sarah Densham regularly reviews data protection policies and procedures to ensure continued compliance with the law and to uphold the principles of fairness, necessity, and transparency in data processing activities. This includes making sure that intended data processing is clearly explained and justified.
• Where data processing is based on explicit consent, Dr Sarah Densham ensures that such consent is obtained in a lawful, informed, and unambiguous manner. In situations where other lawful bases are relied upon, such as the protection of vital interest, your psychologist carefully considers the rights and interests of the individuals concerned before proceeding.
• Dr Densham conducts risk assessments, when necessary, particularly when introducing new forms of data processing, to ensure that the Rights and Freedoms of individuals are upheld.
• She maintains records of data processing activities to support compliance monitoring. Dr Densham also actively engages with legal and professional guidance, including updates from the Information Commissioner’s Office (ICO).
• To safeguard personal data, Dr Densham regularly reviews and updates both technical and physical security measures. This includes the implementation of appropriate safeguards and undertaking relevant training to ensure continuous adherence to data protection responsibilities.
3. Legal Responsibilities
Under the UK General Data Protection Regulations (UK GDPR), Dr Sarah Densham is legally required to follow clear lawful principles when handling your personal data. She takes these responsibilities seriously and is committed to upholding them in all aspects of her practice. These principles include:
• Lawfulness, Fairness, and Transparency
Dr Sarah Densham must process your data in a lawful, fair, and transparent manner. Dr Sarah Densham will be clear about what data is being collected, why it is being collected and how it will be used.
• Purpose Limitation
Dr Sarah Densham can only collect your data for specific, explicit, and legitimate purposes. In this case, the data collected is solely for the purpose of providing psychological services.
• Data Minimisation
Dr Sarah Densham will only collect and record information that is directly relevant and necessary for the purposes of therapy. Dr Sarah Densham will not gather or retain unnecessary personal data.
• Accuracy
Dr Sarah Densham is required to take reasonable steps to ensure that your data is accurate and kept up to date. Your psychologist may occasionally ask you to confirm or update your information during the course of therapy.
• Storage Limitation
Your data will only be retained for as long as necessary for the purposes you have been informed about. Dr Sarah Densham follows strict data retention policies.
• Integrity and Confidentiality (Security)
Dr Sarah Densham is committed to ensuring that your data is kept secure. Dr Sarah Densham uses appropriate technical and organisational measures to protect your information from unauthorised access, accidental loss, or disclosure. Systems and procedures are regularly reviewed and updated to maintain high standards of security.
4. Conditions for Processing Data
Data protection law sets out several legal reasons or conditions under which an organisation or individual is allowed to collect and process your personal data. When collecting and processing your personal data, Dr Sarah Densham must identify a lawful basis and will make this clear to you. Most commonly, we process your personal data based on several lawful grounds under UK GDPR:
a. We may process your data with consent
b. We may process your data when there is a contractual obligation
c. We may process your data where there are concerns about your wellbeing or the wellbeing of somebody under your care
Dr Sarah Densham participates in clinical supervision where your personal information is discussed with her supervisor who is another psychologist or psychotherapist for the purposes of ensuring safe and effective practice, and as mandated by her professional bodies. Efforts are made to maintain your anonymity so only your first name will be used in these discussions, and no session notes are shared. Supervisors are also bound by confidentiality rules and do not share your personal information with anyone else.
If your psychologist becomes aware of specific identifying details about a perpetrator of abuse, they must assess the ongoing risk that person poses to you, others, children, or animals. If no specific identifying details are shared, your psychologist will be limited in taking any action. Please be aware that disclosing previously unreported criminal acts may legally obligate your psychologist to notify relevant authorities.
Limited personal information, such as your name, may be shared for financial or accounting purposes. No sensitive clinical details will be shared in these contexts.
If you choose to use private health insurance to fund your therapy, Dr Sarah Densham may need to share relevant clinical information with your insurer. This may include clinical summaries, the number of sessions attended, or other information required by your insurer to authorise therapy sessions, process claims, or justify payment. Only the minimum necessary information will be disclosed, and where possible, shared via encrypted email or password-protected documents. It will also be shared in line with your insurer’s data handling policies and in accordance with data protection law.
Please note that if fees are unpaid and recovery of fees is required via legal proceedings then your psychologist will need to provide basic information about you to a debt collection agency, solicitor, court, or other appropriate professionals. Basic information includes your name, address, date of birth, appointment details, and details about the amount due.
Dr Sarah Densham will inform you if data needs to be shared unless it is not possible.
d. We may have some contractual obligations
When you begin working with Dr Sarah Densham, you will be asked to agree to her terms and conditions. This agreement outlines the responsibilities of both parties, for example, Dr Densham’s commitment to provide psychological services, and your agreement to attend sessions and pay agreed fees. By agreeing to these terms, a contract is formed.
e. Vital use of data
In rare circumstances, your personal data may be used, typically in an emergency, where it is necessary to protect your life or the life of another person. This lawful basis is known as vital interests under the UK GDPR. In a small number of cases where other lawful bases do not apply, your data will be processed on this basis and in your best interests.
This may occur in situations where your psychologist believes there is a serious risk that you may harm yourself, another person or an animals. In such cases, your information may need to be shared with an appropriate third party such as your GP or the emergency services without first obtaining your consent. This would happen if it is not practical to obtain your consent in time, seeking consent could lead to a delay that increases risk, attempting to obtain consent could increase the risk of harm.
If information is shared in this way, it will be limited to what is necessary to protect safety. You will be informed of what was shared, with whom, and why, unless doing so would itself present a serious risk.
f. Legal obligations
In certain circumstances, Dr Sarah Densham may be legally required to share your personal information. This may include requests from the police, a court of law, a coroner’s office, or a professional regulatory body. In such cases, Dr Densham is obligated to comply with the law and may have no choice but to disclose relevant information.
g. Legitimate interest
In certain circumstances, Dr Sarah Densham may process personal data in a way which might be reasonably expected as a Clinical Psychologist, provided those interests are not overridden by your rights and freedoms. Any processing carried out under this basis will be limited to what is necessary and proportionate and will be conducted in a way that you would reasonably expect. Dr Densham does not rely on legitimate interests as a lawful basis for processing special category data, such as information relating to your mental health or therapy records.
5. Types of data that we process
We processes different kinds of personal data from clients, which have been grouped together as follows:
• Identity Data: Includes your first name, last name, date of birth, and title.
• Contact Data: Includes your address, email address, and telephone number(s).
• Emergency Contact data: Includes their full name, relationship to you and contact details.
• Financial Data: Includes bank account details and payment reference information (e.g., for invoicing or accounting purposes).
• Transaction Data: Includes details of payments made by you for psychology services.
• Communication Data: Includes email correspondence, telephone or video call records (where applicable), and messages sent to or from you. This may include special category data and will therefore form part of your clinical record.
• Special category data is a specific subset of personal data. This includes information such as that related to your current and previous psychological and physical health, your current and previous social, cultural and family circumstances, and any religious or philosophical beliefs. Because this type of data is more sensitive, it is given extra protection under the law. Dr Sarah Densham only collects and processes special category data when it is necessary for the provision of psychological services. There must be a clear reason for collecting, storing, and using this information. Special category data may be collected through your enquiry or referral form, during therapy appointments, and when you choose to complete relevant questionnaires. Dr Densham aims to collect and process only the information that is directly relevant to your mental health and the therapy being provided.
Personal data does not include information where the individual’s identity has been removed (i.e. anonymised data).
It is important that any personal data that we hold about your is accurate and current, so please update Dr Sarah Densham if your personal data changes during your contact.
Where we need to collect personal data either by law or under the terms of a contract we have with you (for example, to provide psychological therapy), and you do not provide that data when requested, we may not be able to begin or continue with the service. If this becomes relevant, Dr Sarah Densham will notify you at the time and explain the implications.
6. How might Dr Sarah Densham collect your data?
Dr Sarah Densham collects your data in different ways that may include, but are not limited to:
Direct interactions
• For example, when you write to Dr Sarah Densham about any subject by any means, enquire about her services but do not engage, complete a referral form, attend an appointment, complete questionnaires, give feedback about the service, or access or engage with our website.
Information received from Third Parties
Dr Sarah Densham may receive personal data about you from third parties, including:
• Healthcare data from other professionals involved in your care, such as your GP or other healthcare providers. This information will only be shared with us where you have given your explicit consent for them to do so.
7. How is your information used?
The information that Dr Sarah Densham collects is used to:
• Provide services to you
• Monitor assess and manage risks to you or others
• Process payment for such services.
8. Marketing
Generally, Dr Sarah Densham does not rely on consent as the primary legal basis for processing your personal data, as most data is processed to provide psychological services or to comply with legal obligations. However, we will seek your explicit consent before sending you any marketing communications, such as updates about services, groups, resources, or newsletters via email or text message. You have the right to withdraw your consent to receiving marketing communications at any time by contacting Dr Sarah Densham or using the unsubscribe option provided in the message.
You might also be asked for information on how you sourced Dr Sarah Densham’s services for the purpose of anonymised marketing research. You can choose not to disclose this information if you wish. At the end of therapy, Dr Sarah Densham may invite you to complete a feedback form for the purposes of evaluating and improving her services. This is voluntary and anonymous and will not impact upon any care you receive. Dr Sarah Densham may ask your consent to use the feedback you have provided as anonymous testimonials on her website.
Dr Sarah Densham will not share your personal information with third parties for marketing purposes.
Dr Sarah Densham will never sell your information to others.
9. Data Storage and Device Security
• Data collected and processed by Dr Sarah Densham is most likely in electronic format but can also be in paper form.
• Dr Sarah Densham implements appropriate technical and organisational security measures to protect your personal data, and the devices used to deliver psychological services. These measures are designed to safeguard your information against loss, misuse, unauthorised access, disclosure, alteration, or destruction, in line with data protection regulations.
10. Communication and Data Security
• Dr Sarah Densham seeks to minimise the communication of personal information via text message. Clients are also encouraged to avoid sharing sensitive data by SMS.
• Clients are reminded that the Internet cannot be guaranteed to be entirely secure, and communication via email is undertaken at the client’s own risk.
• Any documents containing personal or sensitive information sent via email will be included as password-protected attachments. Clients are encouraged to adopt similar precautions when sending sensitive data.
• Dr Sarah Densham will monitor any emails sent to drsarahdensham@proton.me, including file attachments, for viruses or malicious software. Please be aware that you have a responsibility to ensure that any email you send is within the bounds of the law.
• Sessions are conducted remotely via Zoom or WriteUpp, both of which offer a secure video conferencing platform. We do not record online sessions, and we ask that you do not record them either. Zoom/WriteUpp may collect limited metadata (such as your IP address or device type) to deliver the service.
11. You have several rights regarding your personal data
Right to Be Informed
You have the right to know how your data is used and why. This document outlines how your data is handled to aid transparency.
Right to restrict processing
You have the right to request that the processing of your personal data is limited, for example, if you contest its accuracy or object to processing.
Right of Access and Right to Rectification
You have the right to access the information Dr Sarah Densham holds about you to check whether it is accurate. You can make a ‘Subject Access Request’ either verbally or in writing via email. If you believe any of your data is incorrect or incomplete, you can request that it be corrected by submitting your request in writing, clearly identifying the inaccuracies and providing supporting evidence where possible. We aim to respond to all legitimate requests regarding your personal data within one month. If your request is particularly complex or you have submitted multiple requests, it may take longer. You will not usually have to pay a fee to access your personal data or to exercise any of your other data protection rights. However, we may charge a reasonable fee if your request is clearly unfounded, repetitive, or excessive. In some cases, we may refuse to comply with such requests. To protect your privacy and security, we may ask you to provide specific information to confirm verify your identity before fulfilling your request. This helps ensure that personal data is not disclosed to anyone without the right to receive it. We may also contact you for additional information to help us respond more quickly. If you have authorised a third party to submit a request on your behalf, we will require them to provide proof of your permission to make such a request.
Right to be forgotten
You may request the deletion of your data in certain circumstances. Please be aware that this right will be upheld unless there is a legal obligation or Dr Sarah Densham has a legitimate interest to keep your data. Therefore, your psychologist may not always be able to fulfil a request for erasure.
Right to object
You have the right to object to the processing of your personal data but there may be certain circumstances where Dr Sarah Densahm is legally required to process your data. Where you have provided consent for Dr Sarah Densham to collect and process your data, you may withdraw that consent at any time. However, due to the nature of the psychological services provided, Dr Densham may not be able to offer or continue to provide services if you choose not to provide the information requested.
Right to data portability
If we hold personal information about you and you would like us to transfer it to another organisation that provides a similar service (e.g. another psychologist or healthcare provider), you have the right to request this. If applicable, we will provide this service free of charge and will aim to do so without undue delay, and at the latest within one calendar month of receiving your request.
12. Data retention
Your data will only be retained for as long as necessary to fulfil the purposes for which it was collected, including any legal, regulatory, tax, accounting, or reporting obligations.
By law, we must keep information about our clients and records of the work together. If you become a therapy client your data will be kept for eight years following the end of therapy, in line with UK best practice for adult health and social care records (IGA, 2016). After this period, data is securely and permanently deleted at the end of each calendar year. Basic contact information stored on a mobile phone is deleted at the end of therapy. You may request deletion of your personal data in certain circumstances. Please see section 11 for further information.
If you do not become a client, any data collected via website enquiry, email, referral form, will be securely deleted after 3 - 6 months. However, if you proceed to attending a 20-minute initial consultation, your data will be kept for 1 year if you don’t proceed with therapy. This limited retention period allows time for follow-up while avoiding unnecessary storage of sensitive information.
In some situations, data may be retained for longer periods, including:
• Active or potential complaints or legal disputes
• Reasonable belief of impending litigation
• Data relevant to a criminal investigation, which may be retained indefinitely.
13. Data breach measures
Dr Sarah Densham takes the protection of your personal data seriously and has measures in place to prevent unauthorised access or disclosure. In the event of a data breach, immediate action will be taken. If the breach is assessed to be serious, it will be reported to the Information Commissioner’s Office (ICO) within 72 hours. If you suspect that a data breach has occurred, please contact Dr Sarah Densham immediately using the contact details below.
14. Change of purpose
We will only use your personal data for the purposes for which it was originally collected, unless we reasonably determine that a new purpose is compatible with the original one. If you would like an explanation of how the new processing purpose is compatible, please contact us. If we need to use your personal data for a purpose unrelated to the original one, we will notify you in advance and explain the legal basis for this new processing. Please note that, in some cases, we may process your personal data without your knowledge or consent where this is required or permitted by law and complies with the rules outlined above.
15. Contact
To make a Subject Access Request, request any data stored centrally, report an issue, or ask any questions about this privacy notice, please contact Dr Sarah Densham in the first instance.
Email: drsarahdensham@proton.me
Phone: 07394462388
If you are unhappy with how your data is processed, please raise a concern with Dr Sarah Densham in writing using the contact details provided above.
APPENDIX A: Glossary of Key Terms
To support your understanding of this document, the following definitions explain commonly used terms relating to data protection:
• Personal Data
Information that can identify you, either directly or indirectly, such as your name, contact details, home address.
• Special Category Data
A specific category of personal data that is considered more sensitive and therefore requires additional protection. This includes data about your physical or mental health, racial or ethnic origin, sexual orientation, and religious or philosophical beliefs. Psychological therapy typically involves processing special category data.
• Processing
Any action performed on your data. This includes collecting, recording, organising, storing, using, disclosing, reviewing, and deleting it.
• Data Subject
The individual whom the personal data relates to. In this context, you are the data subject.
• Data Controller
The person or organisation that determines why and how your personal data is processed. In this case, Dr Sarah Densham acts as the data controller.
• Condition for Processing Data
A lawful basis under UK GDPR that justifies why your personal data is being used. For therapy, this may include for example, your consent for Dr Sarah Denshamn to process your data to delier psychological therapies to you.