Calm Breathing Therapies – Appropriate Policy Document
This Appropriate Policy Document explains our procedures and policies for processing special‑category personal data for the purposes of health or social care. It is written in accordance with Schedule 1, Part 4 of the Data Protection Act 2018.
1. Purpose of Processing
We process special‑category personal data (information relating to mental health, therapy notes and assessments) for the purpose of providing CBT and related services to our clients. This includes assessing suitability, formulating treatment plans, monitoring progress, and fulfilling our legal and professional duties.
2. Lawful Basis and Conditions
Our lawful basis for processing is Article 6(1)(b) of the UK GDPR (performance of a contract) and Article 9(2)(h) (providing health or social care). We meet the condition under Schedule 1, Part 1 (paragraph 2) of the Data Protection Act 2018 for health or social care purposes.
3. Procedures for Ensuring Compliance
• Data minimisation – we only collect data necessary for providing therapy and managing our practice.
• Accuracy – we keep your data accurate and up to date; clients can correct inaccuracies at any time.
• Retention – records are kept for the minimum periods specified in our Privacy Notice and deleted or anonymised when no longer required.
• Security – we implement appropriate technical and organisational measures, including password protection, encryption, two‑factor authentication and secure storage, to protect data against unauthorised access, loss or damage.
• Staff training – we maintain professional registration and CPD to ensure awareness of data protection obligations. Any contracted staff or supervisors comply with this policy.
• Access controls – only authorised persons (practitioner and supervisor) have access to client records. Access is logged and monitored.
• Data protection impact assessments – when introducing new systems or processes involving personal data, we assess potential risks and implement controls.
• Contracts with processors – we ensure written agreements are in place with any third‑party processors and that they provide adequate safeguards.
4. Retention and Review
Retention periods are detailed in our Privacy Notice. We review this APD annually or sooner if there are changes in our processing activities or legal requirements.
5. Accountability
The practitioner is responsible for ensuring compliance with data protection legislation and this APD. We document processing activities and maintain records of processing in accordance with Article 30 of the UK GDPR.