top of page

Privacy Notice

 

Talking Works

Chris Colcomb | Psychotherapist

Last updated: June 2026

 

1. Introduction

Your privacy matters deeply to me. This Privacy Notice explains how I, Chris Colcomb of Talking Works, collect, use, store, and protect your personal information in connection with your psychotherapy. Please read this notice carefully before we begin working together. If you have any questions, do not hesitate to raise them at any point.

This practice operates in compliance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Data (Use and Access) Act 2026. The Data (Use and Access) Act 2026 builds upon the existing UK GDPR framework, introducing updated provisions around transparency, legitimate interests, and data intermediaries. This notice reflects those requirements.

 

2. Data Controller

I, Chris Colcomb (trading as Talking Works), am the data controller responsible for your personal information. If you have any questions or wish to exercise your data rights, please contact me:

 

Email: chris@talkingworks.uk  or  chris@chriscolcomb.co.uk

 

I am a registered member of the UK Council for Psychotherapy (UKCP) and the National Counselling and Psychotherapy Society (NCPS), and adhere to their respective ethical frameworks and professional standards.

 

3. What Information I Collect

Before we begin working together, I ask all clients to complete a Client Details Form. This form helps me to understand your background, ensure your safety, and provide appropriate care. The form collects information including:

  • Your name and contact details, including phone number and email address

  • Emergency contact details

  • Relevant personal and medical history

  • Any allergies or physical health conditions relevant to your care

  • GP or other medical professional details

  • Other health or background information relevant to your therapeutic needs

 

In addition to the Client Details Form, I may also hold the following over the course of our work together:

  • Session notes and records of your therapeutic progress

  • Financial records, such as records of payments made for sessions

 

Please note: client records and session notes are stored using your first name and a reference identifier only. Your surname is not recorded within any client notes, case record, or case management system. This is a deliberate privacy measure to reduce the identifiability of your records. The Client Details Form, which does contain your full name and contact details, is stored separately and securely.

 

4. How You May Contact Me and How I Communicate With You

I may receive initial enquiries or ongoing communications through a number of channels. Each is handled with care:

  • Email (chris@talkingworks.uk or chris@chriscolcomb.co.uk): Emails to and from clients are stored on Google's Gmail servers. Gmail provides industry-standard encryption in transit. My email account is secured with a strong password known only to me, and is protected by two-factor authentication (2FA).

  • Wix website contact form: Enquiries submitted via the contact form on my Talking Works website are processed through Wix's platform. Wix's own privacy and data policies apply to submissions made via their forms.

  • Counselling Directory: Enquiries made through Counselling Directory are processed via their platform, subject to their own privacy policy.

  • Psychology Today Directory: Enquiries made through the Psychology Today therapist directory are subject to Psychology Today's own data handling and privacy policies.

  • UKCP Directory: Enquiries made through the UKCP therapist directory are subject to UKCP's data handling policies.

  • NCPS Directory: Enquiries made through the NCPS directory are subject to NCPS's data handling policies.

  • Social media (Facebook, LinkedIn, Threads, Instagram): I maintain a professional presence on these platforms. If you contact me via a direct message or comment on any of these platforms, please be aware that those platforms have their own privacy policies and data processing practices, over which I have no control. I would encourage you not to share sensitive personal or clinical information via social media channels. Any such contact will be acknowledged, and I will ask that we move to a more secure and private channel — such as email or telephone — before discussing anything of a personal nature.

  • WhatsApp: I am happy to communicate via WhatsApp for practical matters such as appointment booking and rescheduling. WhatsApp messages are end-to-end encrypted. Please be aware that WhatsApp is owned by Meta and is subject to Meta's data policies regarding metadata and platform usage information. I would ask that sensitive clinical content is kept to session time rather than shared over messaging.

  • Apple iMessage and SMS: I am happy to communicate via iMessage or standard SMS text for practical matters. iMessage is end-to-end encrypted between Apple devices; standard SMS is not encrypted. For sensitive matters, please use email, WhatsApp, or telephone where possible.

  • Telephone: Calls may be received on my personal or business mobile number. I do not routinely record calls.

 

Please be aware that no digital communication channel is entirely without risk. Where possible, I recommend using email or telephone for anything of a sensitive nature, rather than social media platforms.

 

5. How Your Information Is Stored

I take the security of your personal information seriously. The following protective measures are in place:

  • All electronic records and files relating to your therapy are password protected.

  • Client information is not stored in any system or application that contains your surname. A first name and reference code are used instead.

  • Paper notes are kept in a locked filing cabinet within my premises. I am the only person with a key to that cabinet.

  • No personal client information is processed by, shared with, or stored within any Artificial Intelligence (AI) tool or platform. I do not use AI systems to assist with session notes, case records, correspondence, or any other aspect of your personal information.

  • My email account is secured with two-factor authentication (2FA) and a password known only to me.

 

6. Smart Speakers in the Therapy Room

The therapy room contains smart speaker devices — specifically Amazon Echo (Alexa) and Apple HomePod (Siri) devices. I want to be transparent about what this means for your privacy:

  • Smart speakers are designed to listen passively for a wake word, which means their microphones are active by default. There is a small but real possibility that a spoken word during a session could inadvertently trigger a device and result in a short audio clip being transmitted to and stored on the manufacturer's servers (Amazon or Apple).

  • Smart speakers are not muted as a matter of default practice. By confirming that you have read this privacy notice (as required in the therapy contract), you are acknowledging that smart speaker devices are present and may be active during sessions.

  • If you would prefer the smart speakers to be muted during your session, you are welcome to request this at any time — before or during a session — and I will do so promptly. There is no need to explain your reasons.

  • I would encourage you to raise any concerns about smart speakers with me at any point. Your comfort and confidence in the privacy of the therapy space is important.

 

The manufacturers of smart speakers (Amazon, Google, and others) have their own privacy policies governing how voice data is processed and stored. Even with muting in place, these devices remain connected to the internet and subject to those policies when not in use.

 

7. Financial Records, Accountancy, and HMRC

As a self-employed practitioner, I am required by law to maintain accurate financial records and to comply with HMRC requirements. Please be aware of the following:

  • Bank account statements relating to my business may include your name where a bank transfer payment was made by you. This information may be visible on statements shared with my accountant or submitted to HMRC as part of my tax obligations.

  • Where I use an accountant or bookkeeper to assist with my financial records, they will be bound by professional confidentiality obligations and their own data protection responsibilities.

  • Financial records are retained for a minimum of six years in accordance with HMRC requirements.

  • The legal basis for processing financial data for tax and accounting purposes is compliance with a legal obligation under Article 6(1)(c) of the UK GDPR.

 

I take care to keep financial records separate from clinical records. Where a name appears on a bank statement, no clinical information is attached to or associated with it in any shared financial documents.

 

8. Home Premises and Security

Face-to-face sessions take place at my home address. Please be aware of the following:

  • A Ring video doorbell is installed at the entrance to the premises. This records activity at the front door and is operated jointly with my partner, who may have access to footage captured by the device via the Ring application. This means your arrival and departure from sessions may be visible to my partner.

  • The Ring doorbell operates in accordance with Ring's (Amazon's) own privacy and data retention policies.

  • If you have any concerns about the doorbell or about being seen arriving or leaving, please speak with me and we can discuss practical arrangements to address this.

  • No camera or recording equipment is used within the therapy room itself.

 

9. Online Sessions via Zoom

Where therapy takes place online, I use Zoom as a secure platform for video sessions:

  • Zoom sessions are conducted using a professional account, which supports end-to-end encryption for meetings.

  • Sessions are never recorded without your explicit prior consent.

  • You are responsible for ensuring your own environment is sufficiently private and confidential during online sessions.

  • Zoom's own privacy policy governs how data is processed through their platform. I encourage you to review Zoom's documentation if you have specific concerns.

 

10. Confidentiality

Everything you share in therapy is treated with the strictest confidence. I will not disclose information about you to anyone outside of our therapeutic relationship without your consent, except in the following circumstances:

  • Risk of serious harm to yourself: If I have significant concern that you are at serious and imminent risk of harming yourself and are unable to keep yourself safe, I may need to contact your GP or emergency services.

  • Risk of serious harm to others: If you disclose information indicating that another person — including a child or vulnerable adult — is at serious risk of harm, I have a professional and legal duty to act to protect them. This may include making a referral to appropriate safeguarding authorities.

  • Legal obligation: I may be required by a court order or other legal requirement to disclose information.

  • Terrorism and serious crime: Under the Terrorism Act 2000 and other relevant legislation, I am required to disclose certain information relating to acts of terrorism or serious organised crime.

 

Wherever possible, I will discuss these situations with you before taking action, unless doing so would place you or another person at greater risk. I work within the ethical frameworks of both UKCP and NCPS and adhere to their respective guidelines on confidentiality and safeguarding.

 

11. Clinical Supervision

As part of my professional practice and in line with the requirements of UKCP and NCPS, I attend regular clinical supervision — both individual (one-to-one) supervision and group supervision. Your case may be discussed in either setting in order to ensure you receive the highest standard of care and to support my professional development.

All supervisors and group supervision members are themselves trained therapists bound by professional confidentiality obligations and their own ethical codes. Where your case is discussed, identifying details — including your surname — will not be shared. Only the minimum information necessary for reflective practice will be used.

 

12. Third-Party Platforms and Data Processors

I use a number of third-party platforms and services in the running of this practice. Each acts as a data processor, handling data on my behalf but under my instruction or within the scope of normal use. These include:

  • Google (Gmail): Email communications are stored on Gmail servers, subject to Google's privacy and data processing policies.

  • Zoom: Used for online therapy sessions, subject to Zoom's own privacy policy.

  • Wix: Hosts my practice website and processes enquiries submitted via contact forms.

  • Counselling Directory, Psychology Today, UKCP Directory, and NCPS Directory: Used for professional listings and client enquiry routing, each subject to their own privacy policies.

  • Meta (Facebook, Instagram, Threads): Used for professional social media presence. Meta processes data in accordance with its own policies.

  • LinkedIn: Used for professional networking and visibility, subject to LinkedIn's own privacy policy.

  • Meta (WhatsApp): Used for practical client communications. End-to-end encrypted for message content, but metadata is processed by Meta under its own policies.

  • Apple (iMessage): Used for practical client communications. End-to-end encrypted between Apple devices.

  • Ring (Amazon): Operates the video doorbell at my premises, subject to Ring/Amazon's own privacy and data retention policies.

  • Amazon (Alexa/Echo) and Apple (HomePod/Siri): Smart speaker devices present in the therapy room are subject to the privacy policies of Amazon and Apple respectively. These devices may be active during sessions; clients may request that they are muted at any time.

 

Where I engage third-party platforms, I take reasonable steps to ensure they operate to an appropriate standard of data protection. However, their own privacy policies govern how they process data within their systems.

 

13. Legal Basis for Processing

Under UK GDPR and the Data (Use and Access) Act 2026, I must have a lawful basis for processing your personal information. The bases I rely on are:

  • Contract: Processing is necessary to deliver the therapeutic service you have engaged me for.

  • Legal obligation: Processing is required to comply with my legal duties, including financial record-keeping for HMRC.

  • Legitimate interests: In certain limited circumstances, such as maintaining supervision records or operating a professional social media presence, I may process data where it is in my legitimate professional interests, provided those interests do not override your rights.

  • Vital interests: In an emergency where your life or another person's life is at risk.

  • Special category data: Therapy involves the processing of special category data (health and mental health information) under Article 9 UK GDPR. The additional legal basis I rely on is Article 9(2)(h) — processing necessary for the provision of health or social care treatment — and/or your explicit consent.

 

14. Your Rights

Under UK GDPR and the Data (Use and Access) Act 2026, you have the following rights:

  • Right of access: You may request a copy of the information I hold about you.

  • Right to rectification: You may ask me to correct inaccurate or incomplete information.

  • Right to erasure: In certain circumstances, you may ask me to delete your records.

  • Right to restrict processing: You may ask me to limit how I use your information.

  • Right to object: You may object to certain types of processing, including processing based on legitimate interests.

  • Right to data portability: You may request your data in a portable, machine-readable format where applicable.

  • Rights related to automated decision-making: You have the right not to be subject to decisions made solely by automated processing. I do not use automated decision-making in this practice.

 

Please note that some rights may be limited where I have an overriding legal, ethical, or safeguarding obligation to retain records. I will always explain my reasons if I am unable to comply with a request.

To exercise any of your rights, please contact me at chris@talkingworks.uk or chris@chriscolcomb.co.uk. I will respond within one calendar month, as required by law.

 

15. How Long I Keep Your Information

I retain client records for a minimum of seven years following the conclusion of therapy. This retention period is required by my professional indemnity insurance provider, and is consistent with the guidance of UKCP and NCPS, and with standard practice in the event of any future complaint or legal proceedings.

Records relating to children or young people are retained until they reach the age of 25, or for seven years after the end of therapy — whichever is later.

Financial and accounting records are retained for a minimum of six years in line with HMRC requirements.

After the relevant retention period has elapsed, records are securely and permanently destroyed.

 

16. Clinical Will and Unexpected Endings

I am in the process of developing a clinical will. A clinical will is a document that sets out what will happen to my practice, and to my clients, in the event of my death, serious illness, or any other circumstance that means I am unexpectedly unable to continue practising.

As part of this process, I will appoint a clinical executor — a trusted fellow therapist — whose role will be to contact current and recent clients in the event of my death or incapacitation. The purpose of this contact would be to inform you, to ensure you are not left without explanation or support, and to provide signposting to other therapeutic services if you wish to continue your work.

This means that a limited amount of your contact information — sufficient to reach you in such circumstances — will be known to or accessible by my clinical executor. This information will be held securely and will only be used in the event that it is needed for this purpose.

Once my clinical will is formally in place, I will update this privacy notice to provide further details about the arrangements, including the identity of my clinical executor. In the meantime, if you have any questions or concerns about this, please do raise them with me directly.

 

17. Concerns and Complaints

If you have any concerns about how your information is being handled, please contact me in the first instance at chris@talkingworks.uk or chris@chriscolcomb.co.uk. I will take all concerns seriously and aim to respond promptly.

 

If you remain dissatisfied, you have the right to complain to the Information Commissioner's Office (ICO), the UK's independent supervisory authority for data protection:

  • Website: www.ico.org.uk

  • Telephone: 0303 123 1113

  • Post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

 

This notice may be updated from time to time. The current version will always be available at www.talkingworks.uk.

Talking Works
bottom of page