
Privacy & Data Policy

1. Who I Am

I am Emma Toms, an Integrated Wellness Coach and practitioner working with individuals and in partnership with charitable organisations. For the purposes of data protection law, I act as a Data Controller for work delivered through my own practice and website. When working on behalf of charities, I also act as a Data Processor, handling information under their policies and instructions.

 

2. My Commitment to Your Privacy

I am committed to handling personal information with care, respect, and integrity.

I follow:

  • UK General Data Protection Regulation (UK GDPR)

  • Data Protection Act 2018

  • ICO guidance

  • Trauma-informed and safeguarding-led practice

I only collect what is necessary, store it securely, and never sell personal data.

 

3. What Information I Collect

Depending on the service you engage in, I may collect:

Personal information

  • Name

  • Email address

  • Phone number

Special category information (health & wellbeing)

 

Because of the nature of my work, this may include:

  • Physical or mental health information

  • Emotional wellbeing information

  • Session notes

  • Safeguarding disclosures

 

This information is treated with additional protection, as required by law.

Website information

  • Contact form submissions

  • Mailing list sign-ups

  • Basic website analytics (no profiling or tracking for advertising)

 

4. Why I Collect Your Information

I process data under the following lawful bases:

Personal data

  • Consent – when you choose to contact me or sign up

  • Contract – to deliver agreed services

  • Legal obligation – safeguarding or regulatory requirements

  • Legitimate interests – necessary administration

Special category data

Processed only where:

  • You give explicit consent, and/or

  • It is necessary for wellbeing support, and/or

  • There is a safeguarding or legal obligation

You may withdraw consent at any time unless another lawful basis applies.

 

5. Confidentiality & Safeguarding

All personal information is treated as confidential.

Information will only be shared without consent where:

  • there is a safeguarding concern and disclosure is necessary to protect someone from serious harm, and it is in the vital interests of the individual, or

  • disclosure is required by law or regulatory obligation

 

Only the minimum necessary information will be shared with appropriate authorities or professionals.

Safeguarding responsibilities override confidentiality where there is a risk of significant harm.

When working with partner charities, safeguarding and confidentiality are managed in line with their published policies, available on their respective websites.

 

6. How Your Data Is Stored & Protected

I use appropriate security measures, including:

  • Password-protected devices

  • Secure digital storage

  • Limited access to sensitive data

  • Secure disposal of records

If a data breach is suspected, it is managed promptly and in line with GDPR and ICO requirements.

 

7. Working With Charities

When I work with:

I may handle client information on their behalf.

In these situations:

  • The charity remains the Data Controller

  • I act as a Data Processor

  • Data is handled under their privacy, confidentiality, safeguarding, and breach policies

  • Any data subject requests are directed to the charity

This ensures continuity, safety, and legal compliance across services.

 

8. How Long I Keep Your Information

I retain personal data only for as long as necessary, based on:

  • Legal and insurance requirements

  • Safeguarding considerations

  • Professional standards

When information is no longer required, it is securely deleted or destroyed.

 

9. Your Rights

You have the right to:

  • Access your personal data

  • Correct inaccurate information

  • Request erasure (where legally possible)

  • Restrict or object to processing

  • Withdraw consent

Requests can be made by contacting me directly.

You also have the right to raise concerns with the Information Commissioner’s Office (ICO).

 

10. Record Keeping & Retention (Clinical & Session Notes)

Why Records Matter

Accurate records protect both clients and the practitioner.

They provide evidence that:

  • appropriate assessment took place

  • informed consent was obtained

  • decisions were made thoughtfully and safely

  • advice and aftercare were given

  • reasonable care was exercised

In the event of a complaint, safeguarding concern, or insurance claim, treatment notes may form a key part of the evidence.

 

What Is Recorded

The information recorded will depend on the nature of the service provided and follows training, professional standards, and insurer requirements.

Records may include:

Before a session

  • Presenting issue or reason for engagement

  • Relevant medical conditions, medications, allergies, or contraindications

  • Suitability assessment

  • Confirmation of informed consent and how it was obtained

During planning

  • Treatment or session plan

  • Techniques or approaches used

  • Any modifications or adjustments made for safety or suitability

  • Rationale for key decisions

During / after sessions

  • Date and duration of session

  • Client responses and outcomes

  • Any adverse events or concerns

  • Aftercare advice or signposting provided

Where applicable

  • Safeguarding concerns or actions taken

  • Group attendance records (date, time, facilitator)

  • Risk assessments or screening information

Records are factual, respectful, and proportionate. They are not speculative or judgmental.

How Records Are Stored

Records are kept in a durable and secure format, which may include:

  • Password-protected digital systems

  • Secure physical storage where applicable

Access is restricted to authorised individuals only. Records must remain accessible in the event of a complaint, claim, or safeguarding investigation.

How Long Records Are Kept

In line with professional insurance requirements and legal guidance, records are retained as follows:

  • Adults: a minimum of 7 years from the date of last contact

  • Vulnerable adults: records may be retained beyond 7 years where appropriate, as limitation periods may be extended

These timeframes are consistent with GDPR, which permits retention where necessary for the establishment, exercise, or defence of legal claims. Records are reviewed periodically and securely deleted or destroyed when no longer required.

 

Ownership & Access to Records

In most professional settings, treatment records are the responsibility of the practitioner.

Clients have rights to access their personal data under data protection law. Requests are handled in line with UK GDPR and within statutory timeframes.

When working on behalf of charities or partner organisations, records are managed in accordance with the relevant organisation’s data protection and confidentiality policies.

 

11. Contact

For privacy or data protection queries, contact:

Emma Toms
Email: emma@emmatoms.com
Last updated: 23/2/2026
