Keeping your data safe, secure and confidential.


Graeme Webster (also referred to as "Graeme", "he", "his") works as a sole trader (trading as Plymouth CBT) providing Psychotherapy and Clinical Supervision Services to individuals and groups both face-to-face and online. Graeme's practice runs from Ridgeway Clinic, 157 Ridgeway, Plympton, Plymouth, PL7 2HJ, UK.

Graeme registered with the UK Information Commissioner, registration number ZA319802.


This Notice is designed to help you understand what kind of information Graeme collects in connection with his services and how he will process and use this information in line with the General Data Protection Regulations (GDPR). In the course of providing you with services Graeme will collect and process information that is commonly known as personal data.

This Notice describes how Graeme collects, uses, shares, retains and safeguards personal data.

This Notice sets out your individual rights. These are explained later in the Notice, but in summary these rights include your right to know what data is held about you, how this data is processed and how you can place restrictions on the use of your data.


Personal data is information relating to an identified or identifiable person. Examples include an individual’s name, age, address, date of birth, gender and contact details.

Personal data may contain information which is known as special categories of personal data. This may be information relating to, but not limited to, an individual’s health, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic and biometric data, or data relating to sexual orientation.

Personal data may also contain data relating to criminal convictions and offences.

For the purposes of safeguarding and processing criminal conviction and offence data responsibly, this data is treated in the same manner as special categories of personal data, where Graeme is legally required to comply with specific data processing requirements.


In order to provide psychotherapy or clinical supervision services for you, Graeme will collect and process personal data about you. He may also need to collect personal data relating to others in order to provide an effective service. In most circumstances, you will provide Graeme with this information. No names or other specific identifiable information will be recorded.

You may provide Graeme with personal data when completing online contact forms, or when you contact him via the telephone, when emailing him directly or where he provides you with paper based forms for completion or he completes a form in conjunction with you. Graeme may record your communications with him when contacting him. 

In normal circumstances, Graeme will not share your personal data with others without your explicit consent.  Graeme will share personal data with authorised third parties where you have given explicit signed consent or where he has a legal obligation to do so. Some examples follow:

  • Insurance companies (eg. Bupa)

  • Rehabilitation Companies who have referred you for therapy and require reports.

  • Statutory Agencies where there is a legal duty to share data.

  • Clinical Supervisors (no names or other directly identifiable data will be shared)

Graeme's website host, Squarespace, will collect your personal data on Graeme's behalf when you visit the website, where your unique online electronic identifier (commonly known as an IP address) is collected.

Squarespace will also collect electronic personal data when you first visit this website where a small text file that is commonly known as a cookie is automatically placed on your computer. Cookies are used to identify visitors, to simplify accessibility, to monitor visitor behaviour when viewing website content and navigating the website, and when using features or downloading files. You can choose not to allow cookies when visiting the website.

Where Graeme collects data directly from you, he is considered to be the data controller. Where third parties are used to process your data, these parties are known as processors of your personal data.  A data ‘controller’ means the individual or organisation which, alone or jointly with others, determines the purposes and means of the processing of personal data. A data ‘processor’ means the individual or organisation which processes personal data on behalf of the controller.

As a psychotherapist and clinical supervisor, Graeme will handle the following categories of data:

  • Personal data such as an individual’s name, address, date of birth, gender, contact details.

  • Details of current physical and psychological health, social circumstances, employment, relationships, etc.

  • Data relating to potential risk issues.

  • Data relating to criminal convictions and offences.

If you object to the collection, sharing and use of your personal data Graeme may be unable to provide you with a service. For the purposes of meeting the GDPR territorial scope requirements, the United Kingdom is identified as the named territory where the processing of personal data takes place.

If you require more information about how Graeme collects and processes personal data, please get in touch.


Graeme will use your personal data for the performance of his contract with you (in other words, he needs to keep accurate records to provide you with psychotherapy or clinical supervision) and to share information with other agencies (ie. those who you have given consent to talk to or those with whom Graeme has a legal duty to share information). Graeme also needs to retain data to enable him to process any complaints. 

If you contact Graeme to inquire about availability, to make a referral or request details on the services he provides, then he considers himself as having a legitimate business interest to provide you with further information about his services.  You may request to be withdrawn from all such marketing activities at any time.

Where Graeme requires consent, your rights and what you are consenting to will be clearly communicated to you in writing and your signature or expressed agreement in writing will be obtained. Where you provide consent, you can withdraw this at any time. This may mean that Graeme will be unable to offer you any further service and clinical data collected up until that point will be retained.


For all psychotherapy and clinical supervision activities Graeme will retain your personal data at the end of any contractual agreement for a period of 7 years.  This data will be retained to allow defence against litigation should an incident give rise to a claim. Graeme may need to retain your data for longer, for example if defending a legal dispute or as required by law or where evidence exists that a future claim may occur.  Should you make a complaint against Graeme, he will retain the data for 10 years. 

Where you or law enforcement agencies inform Graeme about any active investigation or potential criminal prosecution, he will comply with legal requirements when retaining this data.

The retaining of data is necessary where required for contractual, legal or regulatory purposes or for legitimate business interests for statistical analysis and service development and marketing purposes.

Please get in touch if you object to the use of, or you have any questions relating to the use of, or the retention of your personal data.


Your data is encrypted and stored securely by third party Data Processors. All of these are within the boundaries of the EU and comply with GDPR.


Individuals are provided with legal rights governing the use of their personal data. These grant individuals the right to understand what personal data relating to them is held, for what purpose, how it is collected and used, with whom it is shared, where it is located, to object to its processing, to have the data corrected if inaccurate, to take copies of the data and to place restrictions on its processing.  Individuals can also request the deletion of their personal data.

These rights are known as Individual Rights under the General Data Protection Regulations (2018). The following list details these rights:

  • The right to be informed about the personal data being processed.

  • The right of access to your personal data.

  • The right to object to the processing of your personal data.

  • The right to restrict the processing of your personal data.

  • The right to rectification of your personal data.

  • The right to erasure of your personal data.

  • The right to data portability (to receive an electronic copy of your personal data).

  • Rights relating to automated decision making including profiling.

Individuals can exercise their Individual Rights at any time. As mandated by law, Graeme will not charge a fee to process these requests; however, if your request is considered to be repetitive, wholly unfounded and/or excessive, Graeme is entitled to charge a reasonable administration fee.

In exercising your Individual Rights, you should understand that in some situations Graeme may be unable to fully meet your request, for example if you make a request for him to delete all of your personal data. A clear example of this is the erasure of clinical records as Graeme is required under the terms of his professional indemnity insurance to retain clinical records for a period of 7 years after the completion of contracted work (ie. an episode of therapy).

You should understand that when exercising your rights, a substantial public or vital interest may take precedence over any request you make. In addition, where these interests apply, Graeme is required by law to grant access to this data for law enforcement, legal and/or health related matters.

If you require further information on your Individual Rights or you wish to exercise your Individual Rights, please get in touch.


Graeme will take all appropriate technical and organisational steps to protect the confidentiality, integrity, availability and authenticity of your data, including when sharing your data with authorised third parties. Graeme's full Confidentiality and Data Protection Policy is available on request.


If you are dissatisfied with any aspect of the way in which Graeme processes your personal data please get in touch.  You also have the right to complain to the UK’s data protection supervisory authority, the Information Commissioner’s Office (ICO).  The ICO may be contacted via its website which is, by live chat or by calling their helpline on 0303 123 1113.


Version: May 2018