How we handle your data

This Privacy Notice explains what personal information What Works Psychology collects about you, why, how it is stored, who it is shared with, and the rights you have under the UK GDPR and the Data Protection Act 2018.

What Works Psychology offers two distinct services: 1:1 clinical psychology assessment and therapy, and workshops and training programmes. The information collected differs between these, and this Notice covers both.

1. Who we are

What Works Psychology is the trading name of Dr Henry Briscoe, an HCPC-registered Practitioner Psychologist operating as a sole trader. Dr Briscoe is the data controller for all personal data described in this Notice and is registered with the Information Commissioner's Office (ICO).

2. What information we collect

2.1 General enquiries (via the website form)

When you submit an enquiry through the website, we collect:

• Your name
• Your email address
• Your phone number (optional)
• Your preferred callback time (optional)

The enquiry form is intended only to arrange a follow-up call. You are asked not to share clinical or sensitive information through the form. Anything sensitive is discussed once a private, secure conversation has been arranged.

2.2 Clinical psychology services (1:1 therapy)

If you become a client of the clinical practice, we collect and process:

• Identifying and contact information (name, address, phone, email, date of birth)
• Emergency contact details and, where you provide them, GP details
• Clinical information you share during assessment and therapy (presenting concerns, history, formulation, session notes, correspondence)
• Any reports, assessments, or letters generated as part of your care
• Records of appointments, attendance, and payment

Clinical information is special category personal data (data concerning health) under Article 9 of the UK GDPR and is afforded additional protection.

2.3 Workshop bookings

If you book a workshop or training programme, we collect:

• Your name and email address
• Booking and attendance records
• Payment confirmation details (we never see or store your card details — these are handled by Stripe)
• Any feedback you choose to provide following the workshop

2.4 Newsletter subscribers

If you sign up to the newsletter, we collect your name and email address.

2.5 Information collected automatically

When you visit the website, our hosting provider may automatically log your IP address, browser type, and pages visited. This is used only to maintain and secure the website and is not used to identify individuals.

3. Why we use your data, and our legal basis

We process your data only where we have a lawful basis under UK GDPR. The basis depends on the type of data and service:

• To respond to enquiries — legitimate interest (Art 6(1)(f)): operating a professional practice and replying to people who contact us.
• To deliver clinical psychology services — performance of a contract (Art 6(1)(b)) for non-clinical data, and the provision of health care (Art 9(2)(h)) for clinical (special category) data. This is the standard lawful basis used by HCPC-registered healthcare professionals in private practice.
• To deliver and administer workshops — performance of a contract (Art 6(1)(b)).
• To send the newsletter or marketing emails — your consent (Art 6(1)(a)), which you can withdraw at any time.
• To meet legal and regulatory obligations — including HCPC standards of record-keeping, professional indemnity requirements, tax and accounting law (Art 6(1)(c)).

We do not use your data for automated decision-making or profiling.

4. Confidentiality and its limits

For clients of the clinical practice, sessions and records are treated as confidential. There are limited circumstances in which confidentiality may be broken:

• Where there is a serious risk of harm to you or another person, including a child or vulnerable adult (safeguarding obligations)
• Where required by a court order or other legal process
• Where you give explicit consent for information to be shared (e.g. with your GP, another professional, or a family member)
• Anonymised case material may be discussed in clinical supervision, which is a professional requirement of HCPC registration. Supervisors are themselves bound by confidentiality.

Where it is safe and appropriate to do so, we will discuss with you before sharing information.

5. Who we share your data with

We do not sell or rent your personal data. We share data only with the following service providers (data processors), each of which is contractually required to protect your data:

• WriteUpp — UK-based clinical practice management software used to store clinical records, session notes, appointments, and correspondence. Used only for clinical clients.
• Microsoft (Teams) — used to host video sessions for remote clinical appointments.
• Google (Workspace, Sheets, Apps Script) — used to receive and store enquiry-form submissions and newsletter signups.
• Stripe — PCI-DSS compliant payment processor, used to take card payments for workshop bookings. Card details are handled entirely by Stripe and are never seen or stored by us.
• DreamHost — website hosting provider.

For BACS bank transfers (used for clinical session fees and as an alternative for workshops), only the bank account details necessary to receive payment are used; these are not stored beyond what is necessary for accounting.

We may also disclose your information where required by law, regulation, or a competent authority, including where this is necessary to meet our HCPC professional obligations or to comply with safeguarding duties.

6. International transfers

Some of the providers above (notably Microsoft and Google) are international companies that may process data outside the United Kingdom, including in the European Economic Area and the United States. Where this occurs, transfers are protected by appropriate safeguards — either an adequacy decision under UK GDPR or Standard Contractual Clauses combined with additional safeguards — to ensure your data is protected to UK standards.

7. How long we keep your data

• Clinical records — retained for seven years from the date of your final session, in line with HCPC and BPS guidance for adult clinical records, after which they are securely destroyed. Records of clients who were under 18 at the time of treatment are retained until the client's 25th birthday, or longer where required.
• Enquiry data (where you do not become a client) — retained for up to 12 months, then deleted.
• Workshop booking records — retained for up to 2 years following your last interaction with us, then deleted. Financial records (e.g. invoices, payment confirmations) are retained for 7 years to meet UK tax law.
• Newsletter subscribers — retained until you unsubscribe or request deletion.

8. How we store and protect your data

Clinical records are stored in WriteUpp, which is hosted on UK-based encrypted servers and accessed only by Dr Briscoe via secure login with two-factor authentication. Other data (enquiries, newsletter, workshops) is stored in encrypted cloud accounts with strong, unique passwords and two-factor authentication. Devices used to access this data are encrypted and password-protected.

We take reasonable technical and organisational measures to protect your data against unauthorised access, loss, alteration, or disclosure. No system is perfectly secure, but we keep our practices under regular review.

9. Your rights under UK GDPR

You have the right to:

• Be informed about what data we hold and how it is used (this Notice)
• Access a copy of the personal data we hold about you
• Rectification — request correction of inaccurate or incomplete data
• Erasure — request deletion of your data, subject to legal and professional record-keeping obligations (clinical records cannot generally be deleted before the retention period ends)
• Restriction of processing in certain circumstances
• Object to certain types of processing, including direct marketing
• Data portability — receive a copy of certain data in a structured, machine-readable format
• Withdraw consent at any time, where processing is based on consent

To exercise any of these rights, please contact contact@whatworkspsychology.co.uk. We will respond within one calendar month.

10. Cookies

The website uses only essential cookies for security and basic functionality. These do not collect personally identifiable information. You can manage cookie preferences through your browser settings.

11. How to raise a concern

If you have any concerns about how we handle your personal data, please contact us first at contact@whatworkspsychology.co.uk so we have an opportunity to put things right.

If you remain dissatisfied, you have the right to complain to the Information Commissioner's Office:

Concerns about clinical conduct can additionally be raised with the Health and Care Professions Council (HCPC) at www.hcpc-uk.org.

12. Updates to this Notice

We may update this Privacy Notice from time to time to reflect changes in our services, our data processors, or applicable law. The current version is always published on our website with a revised effective date. Substantive changes will be communicated to active clients directly.

Last updated: 28 April 2026