
1. Purpose
This policy explains how Prior Mindset collects, stores, processes, and protects personal information. It ensures that all client data are handled lawfully, fairly, and securely, in line with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and relevant NHS information governance standards.
2. Scope
This policy applies to:
All staff, practitioners, associates, and contractors at Prior Mindset.
All client information, whether held digitally or physically.
All communication channels (online sessions, telephone, email, WriteUpp, paper records).
3. Policy Statement
Prior Mindset is committed to protecting client confidentiality and privacy.
Information will only be used for purposes directly related to the provision of care, therapy, or coaching.
Data will be stored securely and retained only for as long as legally required.
Clients’ rights over their personal data will be respected and upheld.
4. Collection of Data
Prior Mindset collects personal information directly from clients at registration and during sessions, including:
Identity details (name, date of birth, address, contact information).
Health and wellbeing information relevant to therapy/coaching.
Emergency contact details.
Session notes, assessments, and treatment records.
Payment and administrative details (where applicable).
Consent for data collection is obtained through WriteUpp, the secure patient documentation system.
5. Storage and Security
All clinical records are stored in WriteUpp, which complies with NHS data security standards.
Records are encrypted and protected with role-based access.
Paper records (if any) are kept in locked storage.
Personal devices must never be used to store client data.
Data breaches or suspected breaches must be reported immediately to the Data Protection Officer (DPO).
6. Use of Data
Client information will be used only for:
Delivering therapy, coaching, or wellbeing services.
Administrative functions such as appointment scheduling and billing.
Compliance with safeguarding duties or legal requirements.
Service monitoring, audit, and quality improvement (in anonymised form where possible).
Information will never be sold, shared for marketing without consent, or disclosed to unauthorised third parties.
7. Confidentiality and Exceptions
All information shared by clients is treated as confidential. Exceptions apply where:
There is a risk of serious harm to the client or others.
There are safeguarding concerns involving a child or vulnerable adult.
Disclosure is required by law (e.g. court order, terrorism offences, money laundering).
In such cases, only the minimum necessary information will be shared, and the client will be informed where possible.
8. Retention of Records
Records will be retained in line with the NHS Records Management Code of Practice:
Adults: 8 years after the end of service.
Children/Young People: until age 25 (or 26 if treated at 17) plus 7 years.
Records will be securely destroyed once the retention period ends.
9. Client Rights
Under UK GDPR, clients have the right to:
Access their records (via a Subject Access Request).
Request correction of inaccurate or incomplete data.
Request erasure of data, where legally permissible.
Restrict or object to processing in certain circumstances.
Data portability, where applicable.
Requests will be responded to within 30 calendar days.
10. Responsibilities
All Staff
Maintain confidentiality at all times.
Only access client records on a “need to know” basis.
Report breaches or concerns immediately.
Management / DPO
Ensure compliance with UK GDPR and NHS information governance standards.
Provide staff training in confidentiality and data protection at induction and annually.
Maintain the data breach log and notify the ICO within 72 hours if required.
11. Monitoring and Review
Compliance with this policy will be reviewed annually.
Audits of WriteUpp usage and data access logs will be carried out regularly.
The policy will be updated if legislation or guidance changes.
12. Policy Ownership
Owned by: Data Protection Officer (DPO) / Senior Management Team
Applies across all Prior Mindset services and platforms.
