PRIVACY NOTICE & DATA PROTECTION POLICY
Compliant with UK GDPR, HCPC, and UKCP Ethical Standards
Data Controller: The Shifting Self Ltd (Company no: 17167710)
ICO Registration Number: ZC134831
Professional Body Memberships: UKCP 2011192458
1. Introduction
This notice outlines how The Shifting Self Ltd collects, uses, and protects your personal data. As a practitioner registered with UKCP, I am committed to maintaining the highest standards of clinical confidentiality and data security.
2. Lawful Basis for Processing
Under the UK GDPR, we process your data under the following legal bases:
- Contractual Necessity (Article 6.1b): To provide the psychological therapy you have requested.
- Legal Obligation (Article 6.1c): To maintain financial records for HMRC.
- Provision of Health or Social Care (Article 9.2h): This allows the processing of “Special Category” (sensitive) clinical data by a health professional bound by professional secrecy.
3. Professional Accountability & Supervision
In accordance with UKCP ethical requirements, I participate in regular professional supervision.
- Case Consultation: I may discuss our work with a qualified supervisor to ensure the quality and safety of your therapy.
- Anonymisation: During supervision, your identity is protected. Your full name and identifying details are not shared; only clinical themes are discussed.
- Confidentiality: My supervisor is also a registered professional bound by strict confidentiality and UK GDPR.
4. Continuity of Care: The Professional Will
The UKCP requires practitioners to have arrangements in place for “continuity of care” should the practitioner become suddenly unavailable.
- Clinical Trustee: I have appointed a Clinical Trustee (a qualified therapist) who is authorised to access your contact details only in the event of my death or permanent incapacity.
- Purpose: They will contact you to inform you of the situation and, if you wish, assist you in finding alternative support. They do not have automatic access to your full clinical notes unless vital for your immediate safety.
5. Third-Party Data Processors
To provide an efficient and secure service, I use the following “Data Processors.” Each has been vetted for UK GDPR compliance and, where applicable, we have a Data Processing Agreement (DPA) in place:
- WriteUpp: A secure, ISO 27001-certified practice management system where clinical notes and contact details are encrypted and stored.
- Google Workspace (Business): Used for secure professional email communication and encrypted cloud storage for administrative (non-clinical) files.
- Zoom (Healthcare/Pro): Used for secure video consultations. Zoom uses end-to-end encryption to ensure the privacy of our sessions.
- Xero: Used for business accounting and HMRC compliance.
- Stripe: A PCI-compliant payment gateway for secure card processing. I do not see or store your full credit/debit card details.
6. Data Retention & Your Rights
- Retention: Clinical records are retained for 7 years following the end of therapy (or until age 25/26 for minors) to meet insurance and legal requirements. After this, they are securely destroyed.
- Access: You have the right to request a copy of your records (Subject Access Request).
- Correction: You may request that factual inaccuracies in your personal data be corrected.
- Erasure: You may request the deletion of your contact data. However, we cannot delete clinical notes before the 7-year retention period ends, as they are required for the “establishment, exercise, or defence of legal claims” (UK GDPR Article 17.3e).
7. Digital Boundaries & Social Media
To maintain professional boundaries as per UKCP guidelines:
- I do not engage with clients via social media (LinkedIn, Facebook, etc.).
- I do not use WhatsApp or SMS for clinical discussions. Please use my secure email: ilia@theshiftingself.com.
8. Concerns and Complaints
If you have a concern about how your data is handled, please contact me directly. You also have the right to lodge a complaint with:
1. The Information Commissioner’s Office (ICO): ico.org.uk
2. The UKCP: Regarding any ethical breach of confidentiality or professional conduct.
9. International Data Transfers
If you are located outside the United Kingdom or the European Economic Area (EEA), the personal data we collect from you will be transferred to, and stored in, the UK.
1. Adequacy: The UK has robust data protection laws. By engaging in therapy with The Shifting Self Ltd, you provide your explicit consent for your data to be transferred to the UK for the purposes of providing your care.
2. Safeguards: We use secure, UK-based or GDPR-compliant processors (such as WriteUpp and Google Workspace) to ensure your data is handled with the same level of protection regardless of your location.
3. Cross-Border Rights: While you may have specific rights under your local data protection laws, this practice operates primarily under the jurisdiction of the Information Commissioner’s Office (ICO) in the UK.