Ethics & Policies


“True refuge is not found in freedom from the storm, but in the clarity and ethical integrity that allows us to face it.” Tara Brach

I am a full member of UKCP (2011165308)

I follow their code of professional ethics and the UKCP client protection processes:

Complaints policy

https://www.psychotherapy.org.uk/ukcp-members/complaints/

Privacy Notice & Data Protection Policy for Sonja Hookway Psychotherapy Ltd

1. Data Controller
The data controller is Sonja Hookway, a UKCP accredited psychotherapist. I am registered with the Information Commissioner’s Office (ICO). My registration number is ZB157173.

You can contact me at:
Email: sonjahookway@yahoo.co.uk
Phone: 07745490781
Address: 18, Hareslade, Bishopston, Swansea, Wales SA33DU.

2. The Purpose and Lawful Basis for Processing Your Data
I collect and process your personal data for the sole purpose of providing safe, effective, and ethical psychotherapy. My lawful bases for processing under UK GDPR are:

  • Contract: Processing is necessary for the contract (the therapeutic agreement) between us.
  • Legitimate Interests: Processing is necessary for my legitimate interests as a psychotherapist in delivering and managing your care (e.g., keeping session notes for continuity).
  • Legal Obligation: Processing is necessary for compliance with a legal obligation (e.g., my obligation to keep financial records for HMRC).
  • Vital Interests: In very rare circumstances, processing may be necessary to protect someone’s life.
  • Explicit Consent: For any processing outside the core therapeutic contract (e.g., sending you optional articles), I will seek your explicit, written consent separately.

3. What Data I Collect

  • Contact Details: Name, address, telephone number(s), email address, emergency contact details.
  • Personal Details: Date of birth, gender (if relevant), GP details, and relevant medical/psychiatric history.
  • Sensitive Data: Information about your life, relationships, mental and physical health, sexuality, and beliefs. This is classified as “Special Category Data” under UK GDPR, which I process under Article 9(2)(h) – for the provision of healthcare.
  • Session Notes: Brief, anonymised notes of our sessions, focussing on themes, interventions, and your wellbeing. These do not contain verbatim statements or unnecessary personal details.
  • Financial Data: Records of payments, invoices, and bank details (if you pay by bank transfer).

4. How I Store and Protect Your Data

  • Paper Records: Any handwritten notes are kept in a locked filing cabinet in a secure location.
  • Digital Records: All digital data (e.g., emails, contact forms, encrypted notes) is stored on password-protected devices. Where possible, data is encrypted.
  • Phone: My work phone is passcode-protected. Voicemail messages are deleted after being actioned.
  • Email: While I use a professional email account, for maximum security, please avoid sending highly sensitive personal information via email. I will do the same.
  • Data Minimisation: I only collect and retain data that is absolutely necessary for your treatment.

5. Data Retention
I will retain your data for no longer than is necessary.

  • Clinical Records: In line with UKCP guidance and professional insurance requirements, I retain adult client records for 7 years after the end of our work together. For clients under 18, records are kept until their 25th birthday (or 26th if they were 17 when therapy ended).
  • Financial Records: Invoices and payment details are kept for 7 years as required by HMRC.
  • After this period, all your data (paper and digital) will be securely and permanently destroyed.

6. Your Data Rights
Under UK GDPR, you have the right to:

  • Be informed about how I use your data (this notice).
  • Access your personal data (submit a Subject Access Request).
  • Rectify inaccurate or incomplete data.
  • Erasure (“right to be forgotten”) in certain circumstances.
  • Restrict processing in certain circumstances.
  • Data portability (to receive your data in a common, machine-readable format).
  • Object to processing in certain circumstances.
  • Not be subject to automated decision-making.

To exercise any of these rights, please contact me using the details in Section 1. I will respond within one calendar month. Please note that in a therapeutic context, some rights (like erasure) may be limited by my legal and professional obligations to keep accurate records.

7. Data Sharing and Third Parties
Confidentiality is fundamental. I will not share your personal data with any third party without your explicit consent, except in the following specific circumstances:

  • Where there is a serious risk of harm to you or others.
  • Where there is a legal obligation (e.g., a court order, or disclosure related to money laundering or terrorism).
  • In line with my professional will, to ensure client care in the event of my sudden illness or death. My executor (a qualified therapist) would contact you.
  • For professional supervision. I discuss my work anonymously with a qualified clinical supervisor to ensure best practice. Your identity is protected.
  • My accountant may see anonymised financial records for tax purposes.

8. Cookies and Website Data
My professional website [Your Website URL] may use essential cookies for basic functionality. I do not use analytics or tracking cookies for marketing purposes. See my separate Website Privacy Policy for more detail.

9. Complaints
If you have a concern about how I handle your data, please discuss it with me first. You also have the right to complain directly to the UK supervisory authority:
The Information Commissioner’s Office (ICO)
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Helpline: 0303 123 1113
Website: https://ico.org.uk/concerns

10. Policy Review
This policy is reviewed annually and was last updated on 30/12/2025.


Therapeutic Agreement
This Privacy Notice forms part of our therapeutic agreement. We will discuss it in our first session, and I will ask for your signed consent to hold and process your data as outlined above.

Digital and Social Media Policy

This policy explains how I use digital communication and social media to protect your confidentiality and maintain professional boundaries.

I do not accept friend or contact requests from current or former clients on personal social media accounts (such as Facebook, Instagram, or LinkedIn). This protects your privacy and the therapeutic relationship. You are welcome to view or follow any professional or public pages I may have, but I cannot engage in therapy-related communication through social media.

I do not provide therapy, counselling, crisis support, or clinical advice via social media, comments, or direct messages. Please use the agreed professional contact methods (such as email, phone, or booking systems) for practical matters like appointments or fees. Electronic communication is not fully secure and confidentiality cannot be guaranteed outside sessions.

I will not identify clients, confirm whether someone is a client, or discuss therapy-related matters online. If you interact with public posts connected to my work, please be aware this may affect your own confidentiality.

Any online content I share is for general information only and is not a substitute for psychotherapy or professional mental health care.

I do not routinely search for information about clients online unless there is a clear ethical or safety reason, handled in line with professional responsibilities.

I do not request testimonials or online reviews. If you choose to leave a review independently, please consider your own privacy.

I take reasonable steps to protect personal data in line with UK GDPR and professional requirements. See my Privacy Policy for details. This policy may be updated as guidance and technology change.


Full professional insurance
Theravada 5 precepts

1. Panatipata veramani sikkhapadam samadiyami
I undertake the precept to refrain from destroying living creatures.

2. Adinnadana veramani sikkhapadam samadiyami
I undertake the precept to refrain from taking that which is not given.

3. Kamesu micchacara veramani sikkhapadam samadiyami
I undertake the precept to refrain from sexual misconduct.

4. Musavada veramani sikkhapadam samadiyami
I undertake the precept to refrain from incorrect speech.

5. Suramerayamajja pamadatthana veramani sikkhapadam samadiyami
I undertake the precept to refrain from intoxicating drinks and drugs which lead to carelessness.