As required by the EU General Data Protection Regulation, this page specifies what personal data I store and describes how I store, process and delete your personal data.

Data storage and security

All clients

Your appointment times are stored with your first and last name in a private google calendar. Only I (Dan Williams) have access to the Google calendar. The calendar is locked away from public viewing using Google's security settings. Appointments are retained permanently unless you request in writing or via email that they are deleted.

After you have contacted me, I may store your name, email address(es), phone number(s) and any electronic correspondence and attached media files we may share via any medium including but not limited to WhatsApp, SMS or email.

From time to time I make notes about our psychotherapy work together pertaining to individual sessions or our ongoing work in general. Such notes are stored on my BlackBerry Android handset locally and occasionally backed up to my computer hard drive. My BlackBerry Android handset is secured by finger print and backup password using BlackBerry propriety security software. BlackBerry's software is more secure than standard Android security. My computer is secured using Microsoft Windows 10 password protection and a firewall and the physical security of my home office.

Your email address and our correspondence are also stored securely on my email host's servers and while our work is in progress or if you request that I retain your contact in case of future work together, the data and correspondence are archived annually to a hard drive in my secure home office and deleted from the servers during the archival. 

Data sharing

All Clients

Except in the case of clients attending psychotherapy via Employee Assistance programs (outlined below), I will not explicitly share any information about the clinical personal content of your psychotherapy sessions with any third party without your consent unless I am required to do so by law as demanded by high court order or request from the coroner's office. If I am required by law to share clinical information, where possible I will inform you of which information will be shared and who it will be shared with.

Administrative information about our psychotherapy sessions and your contact details may be shared explicitly or implicitly from time to time as outlined in the paragraphs and sections below.

Where we communicate electronically data is implicitly shared with the electronic communication providers namely Vodafone UK Ltd (all mobile phone and unsecured internet communication), Paragon Internet Group t/a Tsohost (all email correspondence), Squarespace, Inc., 225 Varick Street, 12th Floor, New York, NY 10014, USA (enquiries you make via my website), WhatsApp Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (any communication using the WhatsApp smart phone app). Underlying physical network providers whose hardware the information travels through also implicitly receive the data. Before using each of these companies I ensure there is no risk of breach of confidentiality by reviewing and accepting their data protection policies.

Canary Wharf clients

Clients attending psychotherapy or supervision sessions at my Canary Wharf practice will require temporary access to the building for each visit. To enable the temporary access, sufficient name details will be shared with the Canary Wharf pass office and Regus PLC (1 Canada Square, London E14 5AA) so that the client's name can be matched with ID they carry when they are collecting their temporary pass to attend the session. Usually a first and surname is sufficient.

Aldgate / Liverpool street clients

I will share the first and last name and mobile phone number of clients attending psychotherapy or supervision sessions at my Aldgate / Liverpool street practice will have their first and last name. These details will be stored in the Koan practice's client database and appointment system and used in emergencies to identify people present in the practice in the case of a physical emergency (fire, flood, earthquake etc). The Koan practice's data polices can be viewed at

Employee Assistance Program clients

If you have been referred to me via an employee assistance program and not flagged as a risk client, the following information will be shared between the employee assistance provider and me for the purposes of case management and anonymous data analysis for the purposes of the employee assistance program's internal performance monitoring: your name, your contact details, your ethnicity, your age, your scheduled, attended and unattended / missed session dates and times, your employer's company name, the results of any online or paper questionnaires you complete pertaining to the employee assistance provider funded psychotherapy sessions and requested by the employee assistance provider. 

If you have been flagged at risk of harm to yourself or others by the employee assistance provider, I may verbally share details of our sessions with the case consultants employed by the employee assistance provider; these details may be recorded during phone calls by the employee assistance provider. All other data is kept as per Private clients (outlined above).

Data retention and deletion and your right to be forgotten

I retain any records of invoices, receipts issued and financial transactions between us permanently for my own tax purposes. These may contain your contact address and the dates, times and locations of supervision or psychotherapy sessions you attend with me. Bank and PayPal transactions will be shard with my tax agent. If I am audited by HMRC, invoices may also be shared with HMRC as part of the audit process. Otherwise I will never share these details with any third party.

Your name, contact details and any clinical notes I keep about our work together is retained for the duration of your supervision or psychotherapy with me and once supervision or psychotherapy has ended (meaning no further sessions are planned or scheduled and you have let me know verbally or otherwise that you have decided to finish attending supervision or psychotherapy), it will be retained until the next time I delete data for clients who have ended.

I periodically manually delete data for clients who have ended supervision or psychotherapy and not requested that I retain their contact details in case of future psychotherapy sessions. This data deletion happens approximately every three months. This means once you have finished psychotherapy your data may be deleted immediately or it may be kept for up to three months.

If you request that I delete your data immediately via SMS, email or in writing, I will make best endeavours to do so at the earliest opportunity. This will normally be up to a calendar fortnight from the date you make the request. If I am staying away from my home for any reason (for example illness, holiday, training, family emergency), I may take longer to delete your data. So that I can inform you that your data has been deleted, I will retain a contact mobile number or email address and delete this after informing you via SMS or email that you personal data has been deleted.

Your personal data is deleted by manually removing your contact details and notes from my phone, manually deleting our email correspondence and your contact details from my computer's email software address book.

Requesting copies of your data

You can request copies of your personal data from me in writing, via royal mail, SMS, WhatsApp or email or through any other electronic medium we have established and maintained contact through apart from voice or video calls. I need a written record of the request. Once I have received your request, I will send any personal data of yours that I control to you via email to the email address you nominate usually within one calendar fortnight. If I am staying away from my home for any reason (for example illness, holiday, training, family emergency), I may take longer to send you your data.

To ensure your request for personal data is genuine and not a phishing scam, before I send you your personal data, I may need to contact you or speak with you to verify your identity, that you have made the request for your personal data and additional confirmation of the email address you have asked for your data to be sent to. For the protection of your personal data, if I am unable to contact you to verify your identity and the validity of your request for personal data, I may withhold your personal data until I can validate your request.