Privacy Policy

Privacy Notice for Dr Anna Colton


Data Controller

I am registered with the Information Commissioner’s Office (ICO) as a Data Controller for the personal data that I hold and process as a chartered clinical psychologist. My registration number is ZA113915.


Data Collection

All of the personal data that I hold is provided to or gathered by me in the course of my work as a chartered clinical psychologist, or connected activities.


My legal basis for processing personal data

The General Data Protection Regulation (GDPR) requires all organisations that process personal data to have a legal basis for doing so. The legal bases identified in the GDPR, and which provide my legal bases for processing personal data, are:

·       Consent of the individual concerned (or, where the person is under the age of 13, a person having parental responsibility for them)
·       Performance of a contract with the individual concerned or in preparing to enter into a contract with them
·       Compliance with a legal obligation
·       Performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
·       My own legitimate interests, or those of someone else, unless such interests are overridden by the interests, rights or freedoms of the individual concerned.

The legitimate interests for which I process personal data are to supply psychology services.

I use personal data to:

  • Prepare to provide, and provide, clinical psychology services (including treatment, coaching, mentoring, and training) to individuals and organisations
  • Liaise with other health professionals in respect of my clients
  • Render invoices and collect sums owed
  • Investigate and address complaints of my clients and others
  • Comply with my legal and regulatory obligations (including, if so ordered, providing information for court proceedings)
  • Make statutory returns as required by HMRC

I do not use automated decision-making in the processing of personal data.

I collect and process both personal data and sensitive personal data as defined in the GDPR. This may include any category of data which may be provided to me by my clients or other health professionals, including physical or mental health details; racial or ethnic origin; political opinion; religious or other belief; trade union membership; sexual life; and civil and criminal allegations, proceedings and outcomes.

I may share personal data with:

  • My staff who provide administrative services
  • Other health professionals who are treating the individual concerned
  • My regulator or legal advisors in the event of a dispute or other legal matter
  • Law enforcement officials, government authorities, or other third parties to meet my legal obligations
  • Any other party where I ask the individual concerned (or a person having parental responsibility for them), and that person consents to the sharing.

Transfers to third countries and international organisations

I will only transfer an individual’s personal data outside the European Economic Area if:

  • It is one of the countries which the European Commission has decided provides an adequate level of protections; or
  • It is made with the informed consent of the individual (or a person having parental responsibility for them); or
  • It is necessary for the performance of a contract between me and the individual or for pre-contractual steps taken at the individual’s request; or
  • It is necessary for the performance of a contract made in the interests of the individual between me and another person; or
  • It is necessary for important reasons of public interest; or
  • It is necessary for the establishment, pursuit or defence of legal claims.

Retention of personal data

I will retain personal data for so long as it relates to an ongoing clinical and/or commercial relationship. Thereafter, I will retain personal data for so long as is necessary for the purposes of:

  • Ensuring that if the client seeks further services, I am able to assist my client;
  • Defending myself against any allegations of negligence or professional misconduct; and/or
  • Complying with my legal and regulatory obligations.

I will delete or anonymise personal data at the request of an individual concerned unless:

  • There is an unresolved issue, such as claim or dispute;
  • I am legally or professionally required to retain it; or
  • There are overriding legitimate business interests.

Individuals’ Rights

The General Data Protection Regulation gives individuals specific rights concerning their personal data. Individuals can find out more information from the ICO’s website this is the organisation that individuals can complain to if they are unhappy with how I deal with them.


Accessing and Correcting Personal Data

An individual may request access to, correction of, or a copy of their personal data by contacting me at

I will occasionally update my Privacy Notice.When I make significant changes, I will publish the updated Notice on my website profile page.