This privacy notice sets out how I collect, use, store and protect personal information in my therapy practice. It was last updated on 8th July 2026.
I am Stephen Manning, a counsellor working in person and online. I am the data controller for personal information I collect through Actuality Counselling. This means that I am responsible for deciding how personal information is used and for keeping it safe. If you have any questions about this privacy notice, or about how your information is handled, you can contact me at the e-mail address or phone number on the right. This privacy notice applies to people who contact me about therapy, current and former clients, and visitors to my website.
I am registered with the Information Commissoner's Office (ICO) and, in accordance with data protection legislation, all client data will be processed fairly, lawfully and transparently. I record only information which is required to support my client work. The work we do is confidential; any exceptions to client confidentiality are set out in the Statement of Understanding which clients are invited to sign at the start of our work.
Under data protection legislation, you have a right to access the data which I hold about you, request rectification of any inaccuracies, ask for the data to be erased or object to me holding data at all.
What data are held?
I store some or all of the following data (provided by you): your name, postal address, phone number, e-mail address, age, date of birth, GP details, employer name and employment role, current medication, who your immediate family members are, emergency contact details (when working online), your circumstances and reasons for seeking therapy, your therapeutic goals, any preferences around how you wish to be contacted, relevant health, mental health or wellbeing information, availability, session dates and brief clinical notes recording the content of each of your sessions including information about your personal history, relationships, work, identity, family, attendance and appointment information, themes discussed, relevant risk, safeguarding or clinical information, agreed actions or important decisions and administrative information and correspondence between us.
I do not keep full transcripts of sessions.
Some of this information may be classed as special category data under UK data protection law. This includes information about health, mental health, sexuality, ethnicity, religion or other sensitive areas where these are relevant to therapy. I only collect information that is necessary for providing therapy safely, ethically and professionally.
How are the data used?
I use your personal information to respond to enquiries, arrange initial calls and appointments, provide therapy, keep appropriate clinical records, manage payments, invoices and appointments, communicate with you about sessions, meet legal, professional and ethical responsibilities. manage risk, safeguarding or emergency situations. maintain insurance, tax and accounting records and to respond to data protection requests or complaints.
I do not sell your personal information.
Sharing your information
I will not share your personal information unless there is a clear reason to do so (see Confidentiality below). Depending on the circumstances, I may share limited information with the following people or organisations where this is necessary, proportionate and lawful: my clinical supervisor, professional advisers, such as an accountant, insurer or legal adviser, my professional body, if required in relation to a complaint or ethical matter, safeguarding services, emergency services or your GP (where there is serious risk or safeguarding concern), a court or legal authority (if required by law), an appointed clinical executor (if I die or am unable to contact clients myself) and trusted digital service providers who process data on my behalf.
Where I share information, I aim to share only what is relevant and necessary for that purpose. If I, or one of my providers, transfer personal information outside the UK to a separate organisation, I will only do so where the law allows it and an appropriate transfer mechanism or other safeguard is in place where required.
Lawful basis for using your information
Under data protection legislation, I need a lawful basis for using personal information. For different parts of my work, I may rely on different lawful bases under Article 6 UK GDPR. For example, I may rely on contract where processing is needed to arrange or provide therapy, legitimate interests where I need to run my practice safely and keep appropriate records, and legal obligation where I need to keep or share information to comply with the law.
Contract: where information is needed to arrange and provide therapy.
Legitimate interests: where I need to use information to run my practice safely, respond to enquiries, keep appropriate records and protect both you and me.
Legal obligation: where I need to keep or share information to comply with the law.
Where I process special category data, such as information about health or mental health, I must also identify a separate condition under Article 9 UK GDPR before I begin that processing and reflect this in my privacy information. Depending on the reason for processing, I may also need to meet additional conditions and safeguards under the Data Protection Act 2018.
Where I ask for your consent for something specific, I will explain what I am asking for and whether you can withdraw that consent. Consent is not the only lawful basis available under data protection law, and I will only rely on it where it is appropriate to do so.
How are the data stored?
The data are recorded in handwritten format and are stored securely as a paper record in a locked cabinet (your name is in a coded format to preserve confidentiality). In addition, your name, phone number and e-mail address are stored on my mobile phone and on a network-based e-mail system (GMail), both of which are password-protected. Data is backed up to the Currys Cloud Backup system. Voicemail and text messages may be stored in WhatsApp or SMS. I use appropriate technical and organisational measures to keep information secure. This may include password protection, device security, restricted access and secure storage. Where I use external providers, they may process data on my behalf. I aim to use reputable providers with appropriate data protection and security arrangements. I do not use any practice management or client record systems.
Online sessions will be conducted using Doxy.Me or, where necessary, using Microsoft Teams, WhatsApp or Facetime. If we work online, I will take reasonable steps to protect confidentiality from my side, and I ask that you also choose a private space where you cannot easily be overheard or interrupted. Online platforms may process technical information such as IP address, device information or connection data (check the privacy notice of the platform we use if you would like more detail).
Payments are made via bank transfer, Stripe and PayPal.
I do not record, transcribe or use AI tools to process therapy sessions.
How long are the data kept?
Information collected during an initial enquiry will be deleted if you do not begin therapy.
I keep information only for as long as necessary for the purpose for which it was collected. Retention periods may vary depending on the type of record, the nature of the work, legal and professional requirements, and whether the work involved a child or young person. I will delete your details from my phone when our work ends. I will store the paper records securely for seven years (in case clients return to work with me during that period) after which time they will be shredded. Any records held by my professional executor will be destroyed after she has contacted you.
Financial records will be kept for the period required for tax and accounting purposes. E-mails, messages and administrative records are reviewed periodically and deleted when no longer needed. There may be times when I need to keep records for longer, for example where there are safeguarding, legal, insurance, complaint-related or professional-body reasons. I keep my retention periods under review and aim to make sure they remain justified and proportionate.
Confidentiality
Therapy is confidential, but confidentiality is not absolute. I will not share what you tell me unless there is a lawful, ethical or safeguarding reason to do so, and where possible I will limit any sharing to the minimum information necessary.
There are some limits to confidentiality. I may need to share information if: I believe there is a serious risk of harm to you or someone else; there is a safeguarding concern involving a child, vulnerable adult or person at risk; I am required to do so by law, court order or legal process; disclosure is necessary to prevent or detect a serious crime; there is a medical emergency and information is needed to protect life; or if I need to consult my clinical supervisor (in which case I will protect your identity as far as possible).
If I need to share your information, I would, where possible and appropriate, endeavour to discuss this with you beforehand. However, I may not be able to do this if it would increase risk, prejudice safeguarding action, undermine the purpose of the disclosure, or would otherwise not be possible.
Supervision
I use clinical supervision to support safe and effective practice. In supervision, I may discuss aspects of client work to support safe and effective practice. I aim to minimise identifying detail where possible and appropriate, and my supervisor is also bound by confidentiality and professional standards.
My supervisor is my clinical executor who will be contacted if I die or become seriously incapacitated and who will contact current clients and manage records appropriately. That person would be bound by confidentiality, would only access information if necessary, and would not take on an ongoing therapeutic role unless separately agreed and appropriate.
Your rights
Under UK data protection law, you have rights over your personal information. These may include the right to be informed about how your data is used, to access a copy of your personal information, ask for inaccurate information to be corrected, ask for information to be deleted in some circumstances, restrict or object to certain processing or complain about how your information has been handled.
Some rights are not absolute and may depend on the circumstances. For example, I may need to keep some information for legal, professional, safeguarding, insurance or complaint-related reasons, and there may be limits on what can be disclosed where information includes third-party data or where a relevant exemption applies.
If you would like to exercise your rights, please contact me using the details above and I will respond within 30 days. If a request is particularly complex, or if I need to consider whether any restriction or exemption applies, I may need longer, in which case I will let you know.
Data protection concerns and complaints
If you have a concern about how I have handled your personal information, you can make a data protection complaint by contacting me using the details above. I will acknowledge your complaint within 30 days and take appropriate steps to look into it without undue delay. Please include: your name, what your concern is about, what you would like me to look into and how you would prefer me to respond. I will investigate your complaint as appropriate, keep you informed where necessary, and tell you the outcome without undue delay.
If you are not satisfied with my response, or if you would prefer to contact the UK regulator directly, you can contact the Information Commissioner's Office (website: www.ico.org.uk, telephone: 0303 123 1113).
Changes to this privacy notice
I may update this privacy notice from time to time to reflect changes in my practice, legal requirements, professional guidance or the systems I use.
Tel: +44 (0)7941 488 550
e-mail:actualitycounselling@gmail.com
The General Data Protection Regulation (GDPR), which came into effect on 25th May 2018, and the Data (Use and Access) Act which came into effect on 19th June 2026, provide a legal framework for keeping everyone's personal data safe by requiring companies to have robust processes in place for handling and storing personal information.
This legislation also designed to protect us as individuals from being contacted by organisations without our express permission.
A full guide to the GDPR can be found here.
A full guide to the Data (Use and Access) Act 2025 can be found here.
"... live as if you were living already for the second time and as if you had acted the first time as wrongly as you are about to act now!"
Victor Frankl (1905-1997)