Change Begins Today CBT Ltd
Change Begins Today CBT Ltd
Change Begins Today CBT Ltd
Change Begins Today CBT Ltd 

Privacy Policy

My name is Sharon Brennan and I am a cognitive-behavioural psychotherapist and manager/director of my own CBT practice, Change Begins Today CBT Ltd. For all intents and purposes, I also hold the role of data controller and data processor for my own clients.  For my own clients, I decide how your personal data is to be processed and shared.  I take your privacy seriously and am committed to ensuring that your privacy is protected.  Recent legislation from the Information Commissioners Office called the GDPR requires anyone handling personal data to make sure they have certain practices in place.  This Privacy Policy sets out how we do this.

For more information, please visit the ICO website or click the link


The changes require that anyone using our service gives active consent to the policy.  When you come to us for therapy, you will be provided with a copy of this policy, and be asked to sign it by your therapist to say you have read and understood its content.


Associate therapists have a legal contract that stipulates that they take this role for the clients they see under the legal title of sole trader although their clinical practice is supervised by me.  This should not impact on the service you receive, it simply clarifies that the therapist you see holds responsibility for data control and data processing for you.  This means you know exactly who to ask if you wish to access your data.  If you would like support, as with any query, you are welcome to contact me direct, and I will support the process

This privacy policy sets out how I use and protect any information that you give me when you visit my website, and when you use my CBT services.

Any information collected by me, by which you can be identified when using this website, will only be used in accordance with this privacy statement.

I will never share your information with a third party for marketing purposes.

If you have any questions or concerns about how your data is processed or shared, you can contact me on 07896 577130 or by email at

Change Begins Today CBT Limited is registered in the United Kingdom, Company number 9515934.  Our registration for data handling with the Information Commissioners Office (ICO) is Z1996296.

What is the ‘lawful basis’ for processing data?

A lawful basis for processing data is how I justify the processing of your personal data.  I process your personal data in line with GDPR legislation (General Data Protection Regulation) (EU) 2016/679.  This is being implemented from 25 May 2018 in accordance with (and in some aspects replacing) the earlier Data Protection Act.  It is designed to ensure that when other people handle or have access to your personal data, they take all steps possible to protect and look after that data.


My lawful basis for processing your data is called legitimate interest.

In order for me to fulfill my role as a CBT therapist, I take notes in each session and store these notes in your file. My notes allow me to reflect on our sessions, and make good clinical judgment about your treatment and care, including developing a treatment plan and adhering to the treatment plan throughout the duration of your psychotherapy journey. I only use your data in ways you would reasonably expect, and which have a minimal privacy impact.


How do I collect data about you?

Online:  My website does not use cookies.  This means that no information is collected about you when you browse the website.  I do not record statistical data or IP addresses.  My website may include quotes from feedback provided by previous clients, but this is anonymised using false names.  You will be asked for consent to include this during the therapy process and your comments will only be included if you provide that consent.  You are able to withdraw consent at any time, and if your comments have been included they will be removed.  I will cover the issue of consent later in this document.

If you contact me using the contact form on the website, your enquiry comes to me via email.  Your details are not stored by the website.  I do not sell or share the information you give.  You information will only be used to contact you to follow up your enquiry.  If you decide not to pursue therapy, your email will be deleted within 3 months of your enquiry being made.


Email:  When you enquire about my services via email and I reply to you via email, I cannot guarantee that your email, or my reply is 100% secure. It is important that you understand that no data transmission over the Internet can be guaranteed to be 100% secure. If you wish to send me any documents via email and have any concerns about confidentiality and the data contained within your documents, I am happy for you to password protect your documents before sending them to me. You can either provide me with your password in a separate email, or phone me and provide me with your password over the phone.


Phone: If you choose to make contact with me over the phone, I may collect information from you as a prerequisite for inviting you in for an assessment (see below “What type of information is collected from you”?  The mobile number you will be provided is my contact number and will not be picked up by anyone else.  Likewise, the voicemail box is only answered by myself (see extraordinary circumstances).  My phone is either carried by me or stored in secure circumstances (see secure storage).  Your name and number will not be stored in my phone to protect your confidentiality.


Face to Face:  When you attend for CBT sessions, I collect and record data from you in order to get to know you, understand you, and help you overcome your difficulties.  This will only be taken in paper format.


Completing forms:  When you to attend an assessment session, I will ask you for information to complete a Client Details form.  This form will ask you to provide me with personal information, including your name, date of birth and address.


Third parties:  I may receive information about you from third parties I work closely with, including other health professionals, your employer, your solicitor and your health insurance company.  If they may write a referral letter, it may contain both personal and sensitive information. If you have any concerns about whether the third parties are GDPR compliant, please contact them directly. I will never knowingly obtain data about you from any third party without your knowledge or consent.


What type of data is collected?

Personal information:  I may collect some or all of the following personal information from you, either at the pre-assessment stage (on the phone/via email/via my website), or face to face, throughout the course of therapy:

  • •    Name
  • •    Contact details including email address
  • •    Gender
  • •    Date of birth
  • •    Insurance Details (if you are paying through your health insurance policy)
  • •    GP name and contact details
  • •    Employment
  • •    Emergency contact


Special Category Data (sensitive data):  Given the nature of healthcare related data, some of the information I may collect from you will be classified as ‘sensitive’, either at the pre-assessment stage (on the phone/via email/via my website), or face to face, throughout the course of therapy:

  • •    Ethnic background
  • •    Sexual orientation
  • •    Sexual behaviour and history
  • •    Relationship history
  • •    Religion
  • •    Physical and mental health history (including history of alcohol consumption, drug use and any medication previously prescribed)
  • •    Current physical and mental health symptoms including suicide risk, alcohol and drug use, and any medication you are currently taking
  • •    Offences and alleged offences
  • •    Questionnaire scores (questionnaires that assess the severity of your symptoms)

I collect the above personal and sensitive data from you to ensure that the service I provide to you is adequate, and for therapy monitoring and evaluation purposes.


What is my information used for?

Personal information is collected to ensure you are provided with effective, individualized cognitive-behavioural therapy, which may include:

  • •    making appropriate referrals
  • •    coordinating your care when working with other health professionals who may be involved in your care
  • •    communicating with you regarding your treatment/ appointments
  • •    account for my clinical decisions and/or respond to complaints
  • •    clinical supervision as part of my own professional development.  I am required to attend clinical supervision as part of my professional practice to discuss the clients I see with my supervisor. My supervisor is bound by the same ethical guidelines regarding confidentiality as I am. I never disclose full names when discussing my clients with my supervisor.  As part of this process, I may occasionally ask for your consent to record sessions.  Therapy is not dependent on consent for this and you have the right to give consent or not.  You can withdraw this consent at any time.  You can request a copy of any recording made.  Any recording made will be deleted after it has been assessed by my supervisor.

I will never sell or provide your details to any third party for marketing purposes.


Who is my information shared with?

On your request

There may be occasions where you wish me to share certain information for a specific purpose.  Examples of this may be in education to support mitigating circumstances around exams or your employer to support a request for ‘reasonable adjustment’.  On these occasions, you will be provided with a report or letter that you can then share with whomever is appropriate.  This ensures you stay in control of your data and the sharing of it.

Third parties

There may be occasions when I need to share the personal information I process about you with third parties, specifically, your insurance company, or other health professionals involved in your care (see below). When I do so, I comply with all aspects of the Data Protection Act 1998 (DPA).

Your insurance company

If you are claiming the cost of your sessions through your insurance company, your insurance company may request details of your treatment and progress from me in order to authorize further funding for your treatment. Under these circumstances, I will share the minimum amount of information necessary with your insurance company.

Your employer

If you have been referred by your employer, they may request brief information about the proposed treatment, duration and outcomes to enable them to audit the provision of service and its cost-effectiveness.  Under these circumstances, only the minimum amount of information necessary will be shared.  You will be invited to view a copy of this information prior to it being submitted, and will be offered a copy.  

Your referring psychiatrist

When you are referred to me by a consultant psychiatrist, I normally write to them at the beginning and end of treatment as part of good practice.

Your GP

I will not contact your GP as a matter of course unless you request it, although you are welcome to let them know of our contact.  If you are not already registered with a GP, you will need to do so before I agree to take you on as a client/patient. I do not provide an out of hours emergency service, and if you needed support out of hours, your GP is normally the person to contact. Also, if I am ever concerned about your mental state, and I haven’t heard from you in a while, it is your GP who I would contact to see that you are OK. Ultimately, your GP is responsible for your care.



There are three situations where I would share your information with third parties, without your consent:

Court Order

If I am required to disclose data about you under a Court Order

Child Protection

If I am concerned about the welfare of a child, i.e., where there are child protection issues

Risk to self or others

Where there is an imminent risk of harm to yourself or others, i.e., you have expressed an intent to kill yourself, or to kill someone else, imminently.

As per the BABCP Code of Ethical Practice and NMC practice guidelines, I must take appropriate action to protect the rights of children and vulnerable adults if I believe they are at risk, including following national and local policies.


How long is my data stored?

My retention period is seven years, or until the client is 25 years of age for young people.  I use two main criteria for determining my retention period.

Criteria 1: According to the Limitation Act 1980, you, as my client, have six years within which to bring against me a complaint of breach of contract, breach of trust or a claim in relation to negligence. It is therefore in both our interests that I store your data for this period of time.  For young people, this time period commences from when they turn 18 years of age.

Criteria 2: The second criteria that I use in deciding how long to store your data is the likelihood of you returning to me for further therapy at some point in the future. In my experience if a client returns to me for further therapy in future, they normally do so within seven years. 


Secure Storage

Whilst you are in therapy, your notes are stored in a locked, fire retardant storage.  The phone is carried whilst in use, or locked in the same facility when not in use.  The laptop used is stored in the same facility when not in use.  Once you are discharged from my service, your file is stored securely in a locked, fire retardant secure storage off site for seven years, after which your file is shredded or burned.


What about information online?

I process your personal data in line with GDPR legislation (EU) 2016/679, and take all appropriate measures to keep it secure. 

I make every effort to ensure that your personal information is held securely and to safeguard against unauthorised access to your personal information. Unfortunately, no data transmission over the Internet can be guaranteed to be 100% secure.

I strive to protect your personal information after I have received it, however:

1. You acknowledge that the privacy of your communications and personal information can never be completely guaranteed when it is being transmitted over the internet.

2. You acknowledge and agree that you share and transmit the information at your own risk.


Is my data moved?

Your clinical notes may be moved from site to site, or from storage to the venue where you receive your therapy and back.  This is to facilitate the effective delivery of therapy.  If your file is moved, it will be transported via our tracking policy, and in accordance with GDPR legislation.  Please let me know if you wish to see this policy.


Your Rights:

You have a number of rights (including Right to be informed, Right to access, and Right to lodge a formal complaint) when it comes to your personal data. Please refer to the ICO’s website for full details.

Right of Access

You may request details of personal information that we hold about you under the Data Protection Act 1998 and in line with GDPR legislation (EU) 2016/679. Depending on the volume of information requested and the administrative costs involved in providing you with this information, there may be a charge for this information. You will be informed of the costs at the time the request is made. Requests for information must be put in writing. If you would like to request access to the information held on you, please contact me via email.

Requests that are considered excessive or unreasonable may be refused. In the event your request to obtain details of information held about you is refused, you will be provided with an explanation as to why that is.

Right to rectification

If you believe that any information I am holding on you is incorrect or incomplete, please contact me via email with details and I will promptly correct any information found to be incorrect.

Right to lodge a formal complaint with a supervisory authority

If you believe that your rights under the GDPR regulation have been infringed, or that the processing of personal data relating to you does not comply with this Regulation, you can inform the ICO (Information Commissioner’s Office) via their website or by phoning their helpline on 0303 123 1113.

Right to Erasure

You have the right to request the erasure of your information.  However, under the GDPR, there are circumstances where this right does not apply.  You can view more information about this on the ICO website.


Extraordinary circumstances

In the unlikely event of me being taken unwell and unable to make contact with you via any means, or in the event of a sudden, unexpected permanent termination of contact, I have allocated my clinical supervisor authority to contact all clients to advise them of the circumstances and manage the transfer and disposal of data in accordance with this guidelines laid out later in this privacy policy.  My clinical supervisor is an equally qualified and experienced therapist who is bound by the same confidentiality agreement as myself.




Print | Sitemap
Change Begins Today CBT Ltd