Your privacy is very important to me, and you can be confident that your personal information will be kept safe and secure, and used only for the purposes it was provided for. I comply with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations (PECR).
This notice explains what happens to your personal information, from your first point of contact with me through to after our work together has ended, including:
why I'm able to process your information, and for what purpose
whether you have to provide it to me
how long I keep it for
whether anyone else receives it, including anywhere outside the UK
whether I carry out any automated decision-making or profiling
your data protection rights
I'm happy to talk through any questions about this notice — you can reach me by email at ilbarrand@outlook.com.
The "data controller" is the person responsible for deciding how and why your personal information is processed. In this case, that's me, Isabella Barrand, trading as Isabella Barrand Counselling & Clinical Supervision. I am registered with the Information Commissioner's Office (registration number ZB671878).
UK GDPR requires me to have a lawful basis for processing your personal data, and this differs depending on the stage of our contact:
Initial enquiry: when you first get in touch, I process your details on the basis of legitimate interest — to respond to your enquiry and work out whether I can help.
While we are working together: I process your personal data because it's necessary for the performance of our contract for counselling services.
Special category data: anything sensitive you share with me in session (for example, about your mental health, or any other special category information that comes up) is processed on the basis of your explicit consent, given at the outset of our work together.
After our work together ends: I retain your records on the basis of legitimate interest, and where special category data is involved, the lawful basis for retaining it is the establishment, exercise, or defence of potential legal claims, in line with my professional indemnity insurer's requirements.
When you contact me with an enquiry, I'll collect information to help respond to it. This might come directly from you, via a referral from a GP or other health professional, or from a trusted person making an enquiry on your behalf.
If you decide not to go ahead, I will delete your personal data within six months. If you'd like it deleted sooner, just let me know.
Everything you share with me is confidential. The only routine exception is that I discuss my work anonymously with my clinical supervisor, as all counsellors are required to have regular supervision to keep their work safe, ethical, and effective. My supervisor is bound by the same confidentiality requirements as I am, and by BACP's ethical framework.
Confidentiality will only be broken without your knowledge if I believe there's an immediate risk to your safety or someone else's, or where I'm required to by law (i.e., in relation to terrorism, drug trafficking and money laundering). Wherever possible, I will talk to you about this first.
I keep a record of your personal details and written notes from each session, stored securely on Google Workspace. I don't retain text messages or emails for long after they're received — anything relevant is transferred into this system and the original message is then deleted.
As required of all counsellors, I hold a Clinical Will, setting out what should happen to my client records, and how clients should be informed, if something happened to me and I were unable to tell you myself. My supervisor (or a nominated fellow counsellor if they're unavailable) is the executor of this, and would, in that situation only, have access to your contact details in order to inform you.
Records may include your contact details, contracts, session notes, and relevant correspondence. These are kept for 7 years from the end of our work together, and then securely destroyed.
Financial records, such as invoices issued, payment records and receipts, are retained for 5 years following the 31 January submission deadline of the relevant tax year, in line with HMRC's record-keeping requirements for sole traders. The lawful basis for retaining these specific records is legal obligation.
If you'd like your information deleted sooner than this, let me know and I will action this unless I'm required to retain it for legal reasons.
Where I use a service to support a session, take a payment, or manage a booking, that service will process some of your personal data on my behalf. Currently these include:
Microsoft Outlook for appointment booking
Starling Bank for processing session fees
Google Meet or Microsoft Teams for online sessions
None of these providers use your data for their own marketing purposes, and none of your information is sold to anyone.
Some of the providers listed above may store or process data outside the UK (for example, in the US). Where this happens, I only use providers that offer a safeguard recognised under UK GDPR, such as the UK extension to the EU–US Data Privacy Framework or standard contractual clauses. You can ask me for more detail about a specific provider's safeguards at any time.
I do not use any automated decision-making or profiling in relation to your personal data.
I take the security of your information seriously. This includes keeping records on platforms that use encryption and multi-factor authentication, restricting day-to-day access to your information to myself only, and reviewing my security practices regularly.
You have the right to:
ask for a copy of the information I hold about you
ask me to correct anything that's inaccurate
ask me to delete your information
ask me to restrict how I use it, or object to its use
ask for it in a portable format, where relevant
To make a request, please email ilbarrand@outlook.com. I won't charge for this unless the request is excessive, and I will ask you to verify your identity first. You can read more about your rights at ico.org.uk/your-data-matters.
If you're unhappy with how I've handled your personal data, please contact me directly at ilbarrand@outlook.com in the first instance. I will acknowledge your complaint in writing within 30 days and respond without undue delay.
If you remain unhappy with my response, you also have the right to complain to the Information Commissioner's Office: ico.org.uk/make-a-complaint, or by post to Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.
This notice was last reviewed on 18th June 2026. I will update it if my practices change.
© 2022-2026 Isabella Barrand (Isabella Barrand Counselling & Clinical Supervision)