Privacy notice

I take your privacy seriously. Your personal information will be kept secure and only used for the purpose you provided it. I am committed to being transparent about how your information is handled and protected.

In this Privacy Notice, I will explain how I use your data from the initial point of contact through to after your therapy has ended.

I adhere to current data protection legislation, including the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Privacy and Electronic Communications (EC Directive) Regulations 2003.

The “data controller” is the person responsible for your personal data. In this case, that is me. I am registered with the Information Commissioner’s Office (ICO), and my registration number is ZB681467.

I am happy to chat through any questions you might have about my data protection policy, and you can contact me via email.

My email address is: tarek@tarekmalouf.com

View my Privacy Notice in PDF format

  • I collect and use the following personal information to provide health treatment (in this case counselling or therapy sessions), and to ensure your safety and well-being:

    • Name: Required to accurately identify you in my records and for all documentation related to your care.

    • Telephone number and/or email address: Used to communicate with you regarding session scheduling, appointment changes, and other relevant matters related to providing my service to you. I will not use text or email to provide you with therapy/counselling.

    • Home address: Required for billing purposes and, in rare cases, to contact you by mail if there are outstanding invoices or urgent issues that cannot be addressed electronically or by telephone.

    • Gender: Collected to help me better understand you and your circumstances, and to ensure inclusive and respectful practice during our sessions.

    • Pronouns: Collected so I can address you respectfully, using the pronouns you identify with.

    • Date of birth: Used to confirm your age, which can be relevant for understanding your circumstances and, if necessary, for contacting your GP in situations where there may be a risk of self-harm.

    • Emergency contact details: Needed in the event that you become unwell or distressed during a session and require assistance getting home.

    • GP details: Required solely in situations where there is a significant risk of harm to yourself. I will not contact your GP without your consent unless it is necessary due to immediate safety concerns, and you will be informed in advance whenever possible. This is discussed in detail in my Confidentiality Policy.

    I also collect certain “special category information” to provide health treatment (in this case counselling or therapy sessions), in accordance with Article 9 of UK GDPR. This information receives additional protection due to its sensitive nature:

    • Relevant health information: This may include any diagnosed mental health conditions, prescribed medications relating to mental health conditions, or other medical treatments related to your mental wellbeing, as well as any additional medical details that may help inform my understanding of your experiences. This information allows me to provide support that is tailored to your needs. For instance, it would be important for me to know if you were diagnosed with depression, or if a chronic illness was affecting your mental health. All information you share will remain confidential and will be used exclusively to support your care.

    • Sexual orientation: This information helps me better understand your circumstances and enables me to provide inclusive and anti-oppressive support.

    Some of the information I collect is for safeguarding or public protection reasons. These reasons would include me needing to communicate with your GP if I believed you were at imminent risk of harming yourself. Or if you disclosed to me that you were harming a child or vulnerable adult. Your information may also be necessary in case of a mental health crisis or emergency (for example if the crisis team requires your address). Please see my Confidentiality Policy for more details. Information collected or used for safeguarding or public protection reasons is as follows:

    • Name, address, and contact details

    • Emergency contact details

    • Relevant health information

    I collect or use personal information to comply with legal requirements. These requirements include complying with a court order to disclose any information I am required to by law.

    • Name and contact information

    • Any other personal information required to comply with legal obligations

    • Safeguarding information

  • I do not keep notes on individual sessions. However, recording important factual events, such as bereavements, breakups, suicidal thoughts or actions, and other significant incidents that may affect counselling/therapy is sometimes necessary. This type of note would never include any opinion, interpretation, or impression – and would only contain facts as stated to me by you.

    This information would be pseudonymised on a password-protected electronic document. Please see below for details on how this is stored.

    I store factual client notes on the following lawful bases under UK GDPR:

    • Performance of a contract: To provide you with appropriate health care as part of our counselling or therapy agreement.

    • Legal obligation: To comply with any requirements set out by law, such as a court order to disclose specific information.

    • Legitimate interests: To protect my interests, for example if information is needed by my insurer in the event of a complaint.

  • It is a requirement of my ongoing advanced psychotherapy training to record client sessions after obtaining your full informed written consent. The recordings are for the sole purpose of my professional development.

    Your name or any other identifying details, or the identifying details of other people about whom you might talk during therapy/counselling, will never be disclosed or revealed.

    The lawful basis under which I collect and store the recordings is:

    • Consent - I have permission from you after I gave you all the relevant information. All of your data protection rights may apply. To be clear, you do have the right to withdraw your consent at any time.

    The recordings may be used only for clinical supervision or examination purposes. They may be heard by my supervisor, tutor, peers, and examiners. They will not be heard by anyone not bound by a professional code of ethics and confidentiality.

    See below for details on how and when I collect and store the recordings, and how long they will be stored for.

  • Initial Contact:

    When you contact me directly with an enquiry about my counselling/therapy services, I will collect some information to help me satisfy your enquiry. This will include:

    • Name and email address: when you email me to initiate contact, I will receive your name and email address. I will never ask you to give me any further information via email. Instead, I will give you my mobile number for you to call me when we arrange our initial telephone consultation.

    If you are referred by a GP, other healthcare provider, charity, or other voluntary sector organisation, they may send me your contact details so that we can make contact with each other directly. I will not request any other information from third parties myself.

    While you are accessing counselling/therapy:

    I will email you an intake form that requests the additional information I have outlined above. We can discuss your preferred secure method for returning the completed form—such as a password-protected PDF or encrypted email—during our initial phone call or via email before you send it. You are welcome to return a hard copy of the form in person at your first session, or to use the secure method we agree upon. If you choose to submit your form by email, I will print out your form and immediately delete the email and attachment to protect your privacy.

    I record sessions using a password-protected digital recorder. This requires a password to use and nobody has the password except for me.

  • Under UK data protection law, I must have a “lawful basis” for collecting and using your personal information. There is a list of possible lawful bases in the UK GDPR. You can find out more about lawful bases on the ICO’s website.

    I will explain which lawful basis I use to collect your data in the next section.

    Which lawful basis I rely on may affect your data protection rights which are set out in brief below. You can find out more about your data protection rights and the exemptions which may apply on the ICO’s website:

    If you make a request, I must respond to you without undue delay and will do so within 28 days.

    To make a data protection rights request, please contact me at tarek@tarekmalouf.com.

  • Most of the information I collect from you is necessary to provide my service to you. Because of this, I am unable to offer consent as my lawful basis (except for session recordings). I have therefore opted for the bases below to use your personal data.

    • Contract: If you are currently having therapy or if you are in contact with me to consider therapy, I will process your personal data where it is necessary for the performance of our contract. This means that the data I process ensures that I can provide an ethical, inclusive, and professional service to you. All of your data protection rights may apply except the right to object, as without the personal information I request, I am unable to provide counselling/therapy sessions to you.

    • Legal obligation: I may have to use your information so I can comply with any legal requirements and for safeguarding obligations. All of your data protection rights may apply, except the right to erasure, the right to object, and the right to data portability.

    • Legitimate Interest: If you have had therapy with me and it has now ended, I will use legitimate interest as my lawful basis for holding and using your personal information. This is so I can run my practice effectively, ethically, and lawfully. Without retaining certain personal data up to 7 years I cannot conform to the requirements of my ethical bodies, HMRC, and my insurance provider.

    The UK GDPR also makes sure that I look after any sensitive personal information that you may disclose to me appropriately. This type of information is called ‘special category personal information’. The lawful basis for me processing any special categories of personal information is that it is for provision of health treatment (in this case counselling/therapy) and necessary for a contract with a health professional (in this case, a contract between me and you) under Article 9 of the UK GDPR.

  • Yes. Where I need to collect personal data under the terms of our contract (and for all the reasons listed above) and you do not provide them when requested, or do not wish to, then I am unable to provide you with counselling/therapy sessions.

    This does not include recording sessions, however, as you are able to decline or withdraw consent for that at any time without your therapy/counselling being affected.

  • Your contract and intake form containing all the information I have outlined above will be stored in hard copy only in a locked cabinet. Nobody else will have access to this cabinet besides me.

    I will assign you a client number, which will only be noted on the hard copy of your intake form, kept in a locked cabinet.

    Your client number will be used on any factual client notes, which will be stored in a password-protected electronic document. These electronic notes will not contain any personally identifying information and will only reference your client number to maintain your privacy. The notes may include brief factual details relevant to your sessions but will exclude names, addresses, or other information that could directly identify you.

    Recordings are done using a standalone password-protected digital recorder. A password is needed each time it is switched on or before it can be used. I transfer and store the recordings on a password-protected and encrypted USB storage device that is not connected to the internet or wifi. The recording is pseudonymised by using your client number. The USB storage device is also kept in a locked cabinet.

    While you are accessing therapy/counselling with me, I will store your name and mobile number onto my business smartphone which is protected by a passcode and facial recognition. I only use this device for my work.

  • To ensure transparency and clarity about how long I retain your information, here is a breakdown by data type:

    • Name, contact details, and attendance records: Retained for 7 years after your sessions end. This is required by my professional insurance provider and HMRC, the UK tax authority. These organisations require me to keep certain records in case of legal claims or tax audits.

    • Factual client notes: Retained for 7 years after your sessions end. These notes contain brief factual details relevant to your sessions, referenced only by client number (not by name or other identifiers), to protect your privacy. This retention is in accordance with professional and ethical guidelines for therapists and in case of legal or ethical claims against me.

    • Sensitive or special category data: Retained for 7 years after our sessions end. This includes information related to your health or therapy, processed for the purpose of providing counselling/therapy as required by contract and law. This retention is in accordance with professional and ethical guidelines for therapists and in case of legal or ethical claims against me.

    • Invoicing records: Retained for 7 years after our sessions end, in line with HMRC requirements, to demonstrate compliance with tax regulations in case I am tax audited.

    • Client recordings: all recordings will be erased and destroyed after completion of my training course at the latest. This is likely to be in late 2027. However, normally I delete all recordings after our sessions have completed, unless a recording is being used for examination purposes.

    I will delete your name and mobile number from my business smartphone as soon as we end our work together.

    If you decide not to proceed with sessions after initial contact, your name and email will be deleted within 28 days.

    If you would like more detail about these retention periods or the criteria used to determine them, please contact me at tarek@tarekmalouf.com.

  • For the purposes of this statement, "personal data" includes your client notes and any identifying details. I will never share your personal data with third parties for marketing or promotional purposes, nor will I use your personal data for my own marketing or promotional activities.

    Your personal data will only be disclosed if required by law, or if you initiate an ethical or legal complaint against me that necessitates sharing relevant information with the appropriate authorities. For example, disclosure may occur if ordered by a court or regulatory body, or if an official complaint requires review by professional or governing organizations.

    If you pay your fee via online banking your name will appear in my business bank account. In the event of an HMRC audit (for tax purposes), I may be required to provide bank statements. In this instance, your name would be disclosed to HMRC as it appears on the bank statement; no other personal data will be provided to them about you.

    As stated above, and as described in greater detail in the Audio Recording Consent Form, any recordings will only ever be shared with individuals directly involved in supporting my clinical practice. These individuals—my clinical supervisor (who oversees and guides my therapeutic work to ensure best practice), peers (for collaborative learning and feedback in a supervised setting), tutor (for educational guidance and professional development), or examiners (for formal assessment purposes)—may access recordings strictly for professional and educational reasons. All of these people are bound by robust professional codes of ethics and confidentiality, such as those set by the UK Council for Psychotherapy (UKCP), the British Association for Counselling and Psychotherapy (BACP) or equivalent professional bodies, ensuring your privacy is protected at all times. Recordings will never be shared with anyone who is not covered by such ethical standards.

    I have a professional executor in place. This simply means that if something unexpected were to happen to me (due to serious illness, death, or other unforeseen circumstances) and I could no longer continue in practice, a trusted colleague would step in to make sure you are contacted and supported. In that situation, only your name and contact details would be passed on so that my executor can get in touch with you — nothing about what we’ve talked about in sessions or any notes I may hold would ever be shared. Everything would still be handled in line with UK GDPR and data protection law. This arrangement is there to safeguard your confidentiality and to make sure you are not left without support.

  • You have the right to request the deletion of your personal information. Please send your written request by email to tarek@tarekmalouf.com. Any request for deletion will be considered in line with GDPR and the lawful basis on which I collect and use your personal information.

    In some cases, I may have a lawful basis to retain your information in order to provide you with counselling sessions or to comply with legal obligations. If I am unable to delete your data after receiving your request, I will write to you. I will explain the lawful basis on which I am retaining your details.

    If your request for removal of personal data is accepted, I would no longer be able to provide you with counselling. This does not include any request for deleting recordings of your sessions.

  • If you have any concerns about my use of your personal data, you can contact me by emailing me at tarek@tarekmalouf.com.

    If you remain unhappy with how I’ve used your data after raising a complaint with me, you can also complain to the ICO.

    The ICO’s address is:

    Information Commissioner’s Office
    Wycliffe House
    Water Lane
    Wilmslow
    Cheshire
    SK9 5AF

    Helpline number: 0303 123 1113

    Website: https://www.ico.org.uk/make-a-complaint