Privacy Policy

I, Tamsin Taylor (trading as Tamsin Urquhart), am the Data Controller and Data Processor for this practice. I adhere to the ethical guidelines of the National Society of Talking Therapies (NSTT).

The lawful basis on which I hold and process personal data is Legitimate Interests. This means that the data I hold is necessary in order to fulfil our therapeutic contract (i.e. to provide psychotherapy), and that it is information you would reasonably expect me to hold and use in the context of this work.

What data I hold

The personal data I may hold includes:

  • Basic contact information such as name, email address, and telephone number
  • Information you share with me as part of our therapeutic work
  • Brief clinical notes, including records of interventions used
  • Emails, texts, or messages exchanged between us
  • Information provided by third parties where relevant (for example, a GP referral)

Some of the information you share with me may fall under special category data as defined by the UK General Data Protection Regulation (UK GDPR). The condition for processing this data is that it is necessary for the provision of health care or treatment under a contract with a health professional.

Information relating to criminal offences (including allegations, proceedings, or convictions) is subject to stricter controls. I will only hold such information with your explicit consent.

How your data is used and shared

Your data is used solely for the purpose of providing psychotherapy.

Your information is not shared with anyone, except where necessary to support your care (for example, with your GP or my clinical supervisor), or where disclosure is required by law or professional duty.

If a formal complaint were made to a professional body, I may be required to share relevant clinical records as part of an investigation.

Where and how your data is stored

Emails are stored on the servers of our respective email providers and may also be stored on my computer or secure cloud storage. While I use GDPR-compliant services, email should not be considered fully secure and is not suitable for sharing sensitive clinical information.

Any data held on my mobile phone is protected by a passcode.

Text, WhatsApp, or Messenger messages are stored on my phone, which is code protected.

Clinical notes are handwritten and stored in a locked filing cabinet. A coding system is used so that notes cannot be identified by someone outside the practice.

Credit or debit card details are securely destroyed once payment has been processed.

Accounting records are held using FreeAgent accounting software, which is GDPR compliant and password protected, and accessible only to me and my accountant.

Your data is retained for seven years, in line with the requirements of my professional insurer. After this period, paper records are securely shredded and electronic records permanently deleted.

Data security

I take the security of personal data seriously. Measures include:

  • Secure storage of all personal data
  • Password-protected devices and systems
  • Encryption of data transmissions where possible

Please note that I am not responsible for the security of information you choose to send to me via third-party platforms (for example, social media or messaging services), which may access or store data beyond my control.

Copyright notice

All images, illustrations, logos, and written content on this website are the intellectual property of Tamsin Urquhart, unless otherwise stated. They may not be reproduced, stored, or transmitted in any form without prior written permission.

Supervision and ethical practice

I work under regular clinical supervision as part of my ongoing professional practice. My work is held within the ethical guidelines of the National Society of Talking Therapies (NSTT) and informed by the principles of Internal Family Systems therapy.

Your rights

You have the right to:

  • Access the personal data I hold about you
  • Request correction of inaccurate data
  • Request erasure of your data (subject to legal and professional obligations)
  • Request restriction of processing in certain circumstances
  • Request data portability, where applicable
  • Object to processing based on legitimate interests

I will respond to requests as promptly as possible and within 30 days, unless prevented by exceptional circumstances.

If there were any breach of data security, I would notify the Information Commissioner's Office (ICO) and any affected individuals within 72 hours, and take all reasonable steps to minimise any potential impact.

Activities I do not engage in

I do not engage in:

  • Direct marketing
  • Automated decision-making or profiling
  • Processing for scientific, historical, or statistical research purposes

Final note

This privacy policy applies to current and former clients and to individuals who make contact via this website.