This privacy statement describes how Dr Mandy & Associates protects and makes use of the information you give us. If you provide, or are asked to provide, information when contacting us, it will only be used in the ways described in this privacy statement.


Dr Mandy & Associates are a group of qualified psychologists who provide psychological assessment and therapy to children, adolescents and adults.  This privacy policy explains how we use any personal information we collect about you.

Dr Mandy & Associates needs to gather and use certain information about clients and prospective clients in line with the information contained within our Terms and Conditions document. This policy describes how this personal data is collected, handled and stored to meet the company’s data protection standards – and to comply with the law.

Dr Mandy Smiton is the data controller for Dr Mandy & Associates.  Associate psychologists taking on referrals with Dr Mandy & Associates will be additional data controllers for the clients they work with directly and may have access to more data than Dr Smiton due to the confidential nature of their therapy work with a specific client.  In such cases, associates will be the primary data controller for those clients.

What information do we collect about you?

Dr Mandy & Associates collects and processes the following personal data from therapy clients:

  • Personal data: Basic contact information: name, address, date of birth, email, contact number, GP contact details, name of educational establishment (where relevant) and details of health insurance policies (where relevant).
  • Sensitive personal data: Signed Registration Form, therapy records (therapist notes, letters, reports and/ or questionnaire measures).  This information is necessary to enable us to offer the service you have sought from us.
  • We collect information about you when you complete the contact form on our web page.  The contact form asks for your name, telephone number, email address and the reason for your enquiry.  We need this information in order to respond appropriately to your enquiry.  If you contact our psychologists via telephone or direct email, a record will be kept of that correspondence or conversation. 

How will we use the information about you?

We will only use your personal information to provide the services you have requested from us.  Collecting this data helps us to:

  • Contact you to set up assessment and therapy
  • Link you up with an appropriate psychologist
  • Conduct a thorough psychological assessment
  • Devise and implement an effective treatment plan (therapy)
  • Invoice for the services rendered
  • Communicate (when necessary and agreed with you) with relevant third parties to support your treatment and manage risk


Who we might share personal information with?

We hold information about each of our clients and the therapy they receive in confidence.  This means that we will not normally share your personal information with anyone else.  However, there are exceptions to this when there may be a need for liaison with other parties:

  • If you are referred by your health insurance provider, or are otherwise claiming through a health insurance policy to fund therapy, then we will share appointment schedules with that organisation fo the purposes of billing.  We may also share information with that organisation to provide treatment updates.

In exceptional circumstances we might need to share personal information with relevant authorities:

  • When there is need-to-know information for another health provider, such as your GP.  Any information sharing will be discussed with you and agreed in advance.
  • When the disclosure is in the public interest, to prevent a miscarriage of justice or where there is a legal duty, for example a Court Order.
  • When the information concerns risk of harm to the client, or risk of harm to another child or adult.  We will discuss such a proposed disclosure with you unless we believe that to do so could increase the level of risk to you or someone else.

We will not share your personal information with third-parties for marketing purposes.

Controlling information about you

Any personal information we hold about you is stored and processed under our data protection policy, in line with The Data Protection Act 1998 (in force on the date this statement became operational) and the General Data Protection Regulation (Regulation (EU) 2016/679) adopted on 27th April 2016 and enforceable from 25th May 2018.

Information is retained in line with Department of Health recommendations.  Information on a child will be kept until their 25th birthday or 26th if the young person was 17 at the conclusion of treatment, or 8 years after death.  Therapy records of adult clients are retained for a period of seven years in accordance with the guidelines and requirements for record keeping by The British Psychological Society (2000) and The Health Care Professions Council (2017).  An annual check is made and clients data deleted once the time has lapsed.


How we ensure the security of personal information

We will always hold your information securely:

  • All paper-based client files and therapy notes are kept secure in a locked filing cabinet.
  • Client information is stored in Cliniko, a secure password-protected database, which is compliant with General Data Protection Regulations
  • Any information you send us on email is uploaded onto Cliniko, following which the email is destroyed.
  • Access to your personal information is restricted on a ‘need-to-know’ basis only i.e. for those concerned directly with your care and with your account
  • Sensitive personal information will be sent to clients in an email attachment that is password protected. Any computers or mobile devices containing personal information are password protected or protected with a passcode/thumbprint scanner.
  • Data is backed up regularly
  • When clients have been discharged from our service, any paper records are scanned on to a secure, password protected database which is compliant with General Data Protection Regulations.  All paper documents are shredded.

If you contact us via the website contact form or directly by phone or email, we will keep the information in an online filing system which is compliant with General Data Protection Regulations.  If you do not become a client within six months of initial contact, we will delete all of your information.

Any clients who request to be on our waiting list will have their basic personal information stored in Cliniko.  If you do not see one of our psychologists after being offered an appointment, the information will be deleted.

To prevent unauthorised disclosure or access to your information, we have implemented strong physical and electronic security safeguards. In the unlikely event of a data protection breach we will notify the Information Commissioner’s Office (ICO) so that their procedures can be followed. We will also notify all individuals whose data may have been accessed to alert them to the breach and any potential risks.

Data accuracy

Should, during the course of your contact with us, any personal data be subject to change e.g. if you move, change GPs, change your name etc., we would be grateful if you could notify us at the earliest opportunity so we can ensure our records are up to date.


Subject access requests

All individuals who are the subject of personal data held by Dr Mandy & Associates are entitled to:

  • Ask what information the company holds about them and why.
  • Ask how to gain access to it.
  • Be informed how to keep it up to date.
  • Be informed how the company is meeting its data protection obligations.

If you would like to request a copy of the data we hold about you, this is called a subject access request. Subject access requests should be made in writing on email to the Data Protection Lead ( We will aim to provide the relevant data within 30 days. We will always verify the identity of anyone making a subject access request before handing over any information.  There may be an admin fee for supplying the information to you.

If you think that we have not complied with data protection laws, you have the right to lodge a complaint with the Information Commissioner’s Office.


Other websites

Our website may contain links to other websites.  This privacy policy only applies to our website so when you link to other websites you should read their own privacy policies.


Changes to our privacy policy

We keep our privacy policy under regular review and we will place any updates on our website.  This privacy policy was last updated on 23rd May 2018.


How to contact us

Please contact us if you have any questions about the privacy policy or information we hold about you:

By email via the contact form on our website or directly to:

Or write to us at: Data Protection Lead, Dr Mandy & Associates, The Lodge, 51a High Street, Wallingford, Oxfordshire, OX10 0DB






Dr Mandy Smiton
Clinical Psychologist
CPsychol, AFBPsS

British Psychological Society no. 82247

Health and Care Professionals Council no. PYL19659