
Data Protection and Privacy Policy
This policy explains the processes that I, Dr Nicola Rance, have in place to protect your personal data when you get in touch (by phone, email or via the contact form on my website) or work with me. It has been written in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 (DPA 2018), and the codes of practice set out by the British Psychological Society (BPS) and the Health and Care Professions Council (HCPC). If you have any questions about my policies please do not hesitate to email me at nic@drnicrance.com, or call me on 07364 135952.
Who keeps and processes your data?
I, Dr Nicola Rance, am the data controller responsible for this Data Protection and Privacy Policy, the website, and for making sure that your personal information is held and processed in line with the law.
What personal data is processed?
The information I may hold about you falls into two categories: personal data and special category data. ‘Personal data’ is information relating to a person who can be directly identified from that information, or who can be indirectly identified from that information if it is combined with other information. ‘Special category data’ is personal data that requires more protection because UK GDPR has identified it as likely to be more sensitive (e.g., data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership; genetic and biometric data; and data concerning health or a person’s sex life or sexual orientation).
The personal data I hold includes:
- Basic contact information such as your name, address, email address, telephone number, and your emergency contact/next of kin’s name and telephone number.
- General information such as your date of birth, a record of session dates, and general and administrative correspondence.
- Online identifiers such as your IP address may also be collected, along with any information you provide, if you complete the web-based enquiry form. The IP address is supplied automatically by the website software used to create the form. The web services I use self-certify as GDPR compliant.
- Financial records such as invoices (if you require them), payments received and refunds (e.g., if you overpay) must also be kept for accounting purposes and to comply with HMRC requirements.
The special category data I hold includes:
- Your reason(s) for contacting me and the service I provide.
- Your GP’s name and contact details; the name and contact details of any other healthcare professionals involved in your case (if any).
- Any relevant physical and mental health details, including medications (if any).
- Therapy records (e.g., session notes, consent forms, assessments, questionnaires, communications from or to you about your case, outcome measures (if used), letters or reports from or to other healthcare professionals (if any)).
How do I obtain this data?
This data is either provided by you (e.g., when you contact me about my services, fill in a form or questionnaire, or work with me), or it is data I create in order to offer my services ethically and comply with the legal and regulatory rules of the BPS, HCPC and HMRC.
My lawful basis for processing personal data
In order to process personal data it is necessary to have what is known as a ‘lawful basis’ for doing so. The six lawful bases are set out in Article 6 of UK GDPR, and the one I rely on is ‘legitimate interests’, as I need to collect and use personal data in order to deliver my services. Additionally, as I also process special category data, I need what is called a ‘special category condition’ for doing so. The ten special category conditions are set out in Article 9(2) of UK GDPR, and the one I meet is ‘health or social care’, as I have to process special category data in order to provide health care or treatment.
Why do I keep this data and how do I use it?
I keep personal data in order to communicate with you, provide you with my services, send invoices (if requested), help prevent serious harm, and meet legal and regulatory requirements. Unfortunately, if you do not provide me with personal data I cannot provide you with my services. Equally, if I did not keep appropriate notes and records I would be neither meeting legal and regulatory requirements nor providing you with the best possible service.
How long is your personal data stored?
I only store personal data for as long as it is needed. In accordance with BPS guidelines and requirements I store special category data relating to our work together for seven years. I also keep financial records of invoices, income and payments for six years from the end of our work together in order to meet HMRC requirements. Once these periods have elapsed I securely delete or shred the data. If you email me, or fill in the contact form on my website, to enquire about my services I will keep your data (your name, email address and anything you choose to write in your email or on the form) for as long as we remain in contact. If we do not remain in contact I will delete it.
Will your personal data be shared with anyone?
I will never share your personal data with third parties for marketing purposes, and I will only ever share it with legitimate people or organisations if there is an exceptional reason for me to do so. In particular, I might have to share personal data:
- When doing so would be in the public interest (e.g., to prevent a miscarriage of justice or a serious crime such as terrorism or fraud).
- When I am legally required to do so (e.g., to comply with a court order, a subpoena or the instructions of a government authority).
- When the information concerns a risk to yourself or to another adult or a child.
- When I have need-to-know information that another health provider (e.g., your GP) should have.
I will always endeavour to discuss any potential disclosures with you unless doing so would increase the risk of harm to yourself or to others. Additionally, if I ever needed or wanted to share your data in a way not described in this policy I would contact you beforehand, and I would only proceed with your permission.
Finally, as part of my commitment to working ethically, I have regular professional supervision sessions. During these sessions I maintain client anonymity by omitting identifying details. Furthermore, my supervisor is a qualified, accredited psychologist with many years’ experience and is bound by the same confidentiality rules as I am.
Where is your personal data stored and how is it kept safe?
Your data is primarily stored in three places: Writeupp (a practice management software system), my mobile phone, and my email system. If necessary I may very occasionally store data on my laptop or in paper records, though this is unusual and not something I do regularly.
Your data is kept safe in the following ways:
- Writeupp (the practice management software I use) is ISO 27001 certified and GDPR ready, requires two-factor authentication to log in, and encrypts data in transit and at rest.
- My mobile phone is a dedicated work phone with PIN protection. Additionally, I only store your phone number, first name and the first letter of your surname in my contact list.
- My email account uses TLS (Transport Layer Security, the successor to SSL) encryption, which protects emails from being read if intercepted as they travel between my device and the mail server. This protects a message in transit to the mail server, not after it leaves that server, which is why any sensitive data sent digitally goes in a password-protected file rather than in the body of an email.
- My laptop is password protected and has anti-virus and web protection.
- If I ever hold paper records they are stored in a locked filing cabinet.
- If sensitive data is ever sent in a digital format, the file containing it is password protected and the password is sent in a separate message, preferably by a different method of communication. The file is sent over a secure internet connection.
- If sensitive data is ever sent in hardcopy format the envelope is clearly marked ‘Private and Confidential’.
- In all instances I minimise the use of personal data wherever possible and would encourage you to do the same when contacting me.
- The drnicrance.com website has a TLS certificate (often still called an SSL certificate), which means that the connection between it and your web browser is encrypted. You can check this by looking for the padlock symbol and an address beginning https in your browser’s address bar. The padlock confirms only that the connection is encrypted and that the address shown belongs to the site you are connected to, so also check that the address really is drnicrance.com.
What are your rights in relation to your personal data?
You have a number of rights under data protection law. These include:
- The right to access – you have the right to access information that is held about you. If you wish to access the information I hold about you please make a request to me in writing. In order to protect your privacy I may need to ask for evidence to confirm your identity before complying with any such request.
- The right to rectification – you have the right to ask for your personal data to be corrected if it is inaccurate or incomplete. If you believe the information I hold about you is incorrect please contact me so that I can amend or update it. Similarly, if any of your personal data (e.g., contact details) change while we are working together please let me know as soon as possible.
- The right to erasure – you have the right to be removed from any marketing lists you are on (I do not currently keep marketing lists, and if I decide to do so they will be ‘opt in’ rather than ‘opt out’, so it would be up to you to decide whether you wanted to be on them). Although you also have the right to request that data I hold about you be erased, this is not an absolute right, as I must keep special category data relating to our work together for seven years in accordance with BPS guidelines and requirements. As such, I must reserve the right to refuse any request to erase such data.
- The right to restrict processing – you have the right to ask me to restrict the processing of your data in certain circumstances. If you do this I may continue to store your data but cannot otherwise process it: I cannot add to it, erase it, or use it in any way. Therefore, if you made such a request I would be unable to continue working with you, as I am obliged to keep records of all my work.
- The right to object – you have the right to object to the processing of your data in certain circumstances.
I will endeavour to respond to any request you make under the above rights within 30 days, and you will not be charged a fee for making one.
How can you make a complaint?
If you have any concerns about the way in which I am processing your data you can make a complaint to me by emailing me at nic@drnicrance.com or calling 07364 135952.
Alternatively, you can make a complaint to the Information Commissioner’s Office (ICO, the UK’s independent authority set up to uphold information rights in the public interest) by calling 0303 123 1113 or visiting their website at https://ico.org.uk/make-a-complaint/
Changes to this privacy policy
If any of my procedures or the laws relating to data protection change I will update this privacy policy accordingly.
October 2025