Confidentiality Policy
Effective Date: 13th of October 2024
Contact Information: Dr Tiffany Leung – Chartered Counselling Psychologist
Email: admin@tiffany-leung.com
Last update: 25th of October 2025
1. Purpose of the Policy
This policy explains how I, Dr Tiffany Leung, Chartered Counselling Psychologist (HCPC Registered, BPS Chartered), handle all personal and sensitive information shared during therapy, supervision, or coaching.
It outlines how confidentiality is maintained, the legal limits to confidentiality, and your rights under the Data Protection Act 2018 and UK General Data Protection Regulation (UK GDPR).
 
Confidentiality and privacy are central to my professional and ethical practice. This policy supports compliance with the HCPC Standards of Conduct, Performance and Ethics (particularly Standards 5, 6, 10) and the BPS Code of Ethics and Conduct (Principle 4: Integrity, Confidentiality and Trust). This policy also upholds the BPS Code of Ethics and Conduct (Principle 3: Responsibility), which emphasises accountability, ethical awareness, and professional integrity in safeguarding client welfare.
2. Confidentiality Commitment
I am committed to treating all information you share with me in strict confidence. This includes:
- Personal details (e.g., name, contact information, demographic data)
- Medical and psychological history
- Session notes, observations, and treatment records
- Information disclosed in supervision, therapy, or correspondence
- Audio/video content where consented for clinical use

Confidentiality applies to all forms of data: written, electronic, or verbal, and to all forms of communication, including email, online platforms, and telehealth sessions.
Key points from this policy are summarised in the Therapy Agreement Summary provided before the first session.
3. Data Collection and Usage
I collect and process personal information only for the purpose of providing psychological services. This includes:
- Conducting assessments and therapy sessions
- Managing appointments, billing, and administration
- Liaising (with your consent) with other professionals when necessary
- Complying with legal, ethical, and regulatory obligations (e.g., clinical supervision, safeguarding, record keeping)

Information is processed under the lawful bases of Contract, Legal Obligation, and Legitimate Interest (as defined under UK GDPR).
Where special category data (e.g., health information) is processed, it is done under explicit consent (Article 9(2)(a)) and within professional ethical boundaries.
4. Limits of Confidentiality
While everything you share is confidential, there are exceptions where I am legally or ethically required to share information:
- Risk of Harm: If there is a serious and imminent risk of harm to yourself or others, I have a duty of care to take appropriate steps to prevent harm, which may include contacting emergency or safeguarding services.
- Legal Obligations: If ordered by a court or required by law (e.g., under the Terrorism Act 2000 or Child Protection legislation), I may need to disclose relevant information without your consent.
- Safeguarding Duties: If I believe a child or vulnerable adult is at risk of neglect, exploitation, or abuse, I have a statutory obligation to share information with safeguarding authorities.
- Professional Supervision: As part of my ethical commitment to safe practice, I receive regular clinical supervision with qualified professionals who are bound by the same confidentiality and data protection obligations.

In all cases, I will aim to discuss the need for any disclosure with you beforehand, unless doing so would increase risk of harm or contravene a legal directive.
5. Secure Storage and Data Protection
All personal and clinical data are stored in line with UK GDPR and professional confidentiality standards.
- Digital Records: Stored on encrypted, password-protected systems (e.g., Wix, Google Workspace, or Healthcode).
- Paper Records (if any): Locked in secure physical storage.
- Telehealth Platforms: Sessions conducted via Zoom (password-protected, encrypted connection).
- Messaging: Administrative communication via email, SMS, WhatsApp, or WeChat is minimised, used only for scheduling or brief logistical updates, and deleted after transfer to the secure record. Therapeutic or clinical material is never shared via messaging apps (e.g., WhatsApp, WeChat, SMS).

Records are accessible only by me, and security procedures are reviewed annually or upon the introduction of new technology.
In the event of a data breach, affected clients will be notified immediately and the Information Commissioner’s Office (ICO) informed within 72 hours, as required by law.
6. Sharing Information with Third Parties
I will not share your information with any third party without your explicit, informed consent.
Exceptions apply only under Section 4 (risk, legal, safeguarding).
If you consent, I may liaise with other professionals (e.g., your GP, psychiatrist, or employer) to support continuity of care.
You will be informed of what information is shared and with whom.
All third parties are expected to handle information securely and in line with professional confidentiality and GDPR standards.
7. Cross-Border and Digital Communications
For clients based outside the UK (e.g., Hong Kong, Mainland China, EU countries):
- Sessions are conducted via secure, encrypted platforms.
- Any use of WeChat is strictly for administrative communication and covered under a separate WeChat Data Protection Impact Assessment (DPIA) and consent notice.
- Clients are informed of any limitations to data protection outside the UK jurisdiction before communication begins.

8. Client Rights and Access to Records
You have the right to:
- Request access to the personal data I hold about you.
- Request correction of inaccurate information.
- Request deletion of records where legally permissible.
- Withdraw consent for data processing (where consent is the lawful basis).

Requests should be made in writing to admin@tiffany-leung.com, and I will respond within 30 calendar days as required under GDPR.
9. Retention and Disposal of Records
- Clinical records are retained for seven (7) years after the conclusion of therapy, or until the client reaches age 25 if under 18 at the time of treatment.
- Supervision and consultation notes are retained for the same period.
- Records are securely deleted or destroyed at the end of the retention period using approved methods.

If you wish your records to be deleted sooner and no legal obligation prevents this, I will accommodate your request where feasible.
10. Complaints and Concerns
I take confidentiality and data protection very seriously.
If you have concerns about how your information is handled, please contact me directly at admin@tiffany-leung.com.
If your concern cannot be resolved, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO):
https://ico.org.uk
You may also raise ethical concerns with:
- Health and Care Professions Council (HCPC) – www.hcpc-uk.org
- British Psychological Society (BPS) – www.bps.org.uk

11. Policy Review
This policy will be reviewed annually or whenever significant changes occur in law, technology, or professional guidance.
Any updates will be published on my website and communicated to clients.
Signed: Dr Tiffany Leung
Date: 13th October 2024
Contact Email: admin@tiffany-leung.com
