

Data Protection | Data Protection Policy.



Policy and Key Information

Atrium Data Protection Policy for Clients



a. The Atrium Clinic and Therapy Centre (Atrium) takes the security and privacy of your data seriously. We need to gather and use information or ‘data’ about you as part of our business and to manage our relationship with you. To comply with the law, data must be collected and used appropriately, stored securely and not disclosed to any unauthorised person. We will comply with our legal obligations under the Data Protection Act 2018 (the ‘2018 Act’) and the EU General Data Protection Regulation (‘GDPR’) in respect of data privacy and security. We have a duty to notify you of the information covered by this Policy.

b. Atrium is the ‘data controller’ for the purposes of your ‘personal data’ unless our processes are bound by our contractor, such as NHS or Forensic services, in which case we will let you know the framework that guides our relationship with your data and direct you to the right person.
For all other direct pathways to our services, Atrium determines the purpose and means of the processing of your personal data, and you can contact the Chief Executive Officer (CEO) or Clinical Lead for further information.

c. This Policy explains how Atrium will hold and process your personal data. It explains your rights as a data subject. It also explains your obligations if you should obtain, handle, process or store personal data in the course of your contact with us.

d. This Policy applies to clients in our therapeutic and learning pathways.

e. This Policy does not form part of any contractual relationship with you, but it is intended that this Policy is fully compliant with the 2018 Act and the GDPR. If any conflict arises between those laws and this Policy, the Company intends to comply with the 2018 Act and the GDPR.

f. We will not sell your data, keep your personal data for longer than is necessary or make your personal data available to third parties, other than stated below.


a. Atrium is a provider of therapy to clients, and therefore has a legitimate interest in holding and processing data. We will collect, use and hold personal data about you, dependent on the nature of your involvement as set out in this Policy.

b. Personal data must be processed in accordance with six ‘Data Protection Principles.’

It must:

  • be processed fairly, lawfully, and transparently;
  • be collected and processed only for specified, explicit and legitimate purposes;
  • be adequate, relevant, and limited to what is necessary for the purposes it is processed;
  • be accurate and kept up to date (inaccurate data must be deleted or rectified without delay);
  • not be kept for longer than is necessary for the purposes it is processed; and
  • be processed securely.

Atrium is accountable for these principles and must be able to show that it is compliant.


a. ‘Personal data’ means information that relates to a living person who can be identified as a specific data subject from this data, either on its own or when taken together with other information that is likely to come into our possession. It includes any expression of opinion about the person and an indication of the intentions of us, or others, in respect of that person. It does not include anonymised data. However, in some instances company size (SMEs with under 20 staff) may mean that conditions for anonymity cannot be met, in which case only client-consented data sharing processes are applied, by agreement.

b. Although the personal data held by Atrium on data subjects will vary by virtue of their relationship with us – the same duties and obligations apply equally to all data subjects.

c. This Policy applies to all personal data, whether stored electronically, on paper or otherwise.

d. This personal data is most likely to be provided to us by you – for example, when you register for a learning event or therapy and during a therapy session – basic information will be collected. For therapeutic interventions, this information may be added to from time to time by a clinician, learning or service coordinator, therapist, coach, or supervisor.

Basic information will include:
  • Information contained in the formal consent to receive services that you accept as part of the condition of receiving services from Atrium prior to the commencement of the intervention. This includes name and address, phone number(s), email address and GP details for those in receipt of therapeutic services.
  • You may be asked routinely whether you have any additional needs that will impact on how you wish your service to be delivered.
  • If you purchase self-assessment resources digitally from Atrium or download one of our psychometric tools, we will ask you to supply name, contact details and other biographical information including ethnicity information. We collect this information to extract data for anonymised research (not identifiable as ‘you’ and outside the protection of personalised data) to identify patterns in profiling and reach, ensure our products are fair and inclusive and consolidate our evidence base to improve our products.
  • We do not use this information for marketing. If you are part of a company programme, anonymised data may be supplied to your company to help them improve their wellbeing strategy and approach.
    Your rights to request to withdraw consent for these research and development purposes can be exercised by writing to our head office or further depersonalising data by writing NA in text boxes as far as possible.

We do not make or store recordings of sessions.


‘Processing’ means any operation that is performed on personal data, such as:

  • collection, recording, organisation, structuring or storage;
  • adaption or alteration;
  • retrieval, consultation, or use;
  • disclosure by transmission, dissemination or otherwise making available;
  • alignment or combination; and
  • restriction, destruction, or erasure.

This includes processing personal data that forms part of a filing system and any automated processing of information.

a. Atrium will process your personal data (including special categories of personal data) in accordance with our obligations under the 2018 Act.

b. We will use your personal data:

  • to comply with any legal obligation; or
  • to manage the working relationship between us; or
  • if it is necessary for our legitimate interests (or for the legitimate interests of someone else). We can do this only if your interests and rights do not override ours (or theirs). You have the right to challenge our legitimate interests and request that we stop this processing. See details of your rights in Section 11 below.

c. We can process your personal data for these purposes without your knowledge or consent. We will not use your personal data for an unrelated purpose without telling you about it and the legal basis that we intend to rely on for processing it.


a. We may have to process your personal data in the course of conducting our relationship with you. We can do so if we have your explicit consent. If we were to ask for your consent to process a special category of personal data, then we would explain the reasons for our request. You do not need to consent and can withdraw consent later if you choose by contacting the CEO.

b. The law states that we do not need your consent to process special categories of your personal data when we are processing it for the following purposes, which we may do:

  • where it is necessary to protect your vital interests or those of another person where you/they are physically or legally incapable of giving consent;
  • where you have made the data public;
  • where processing is necessary for the establishment, exercise, or defence of legal claims.

c. We might process your personal data in respect of your racial or ethnic origin, special learning needs as referred to in Section 4, in relation to monitoring equal opportunities.


a. We do not expect to need to share your data, other than as described in Section 3.

b. Therapy sessions are confidential, and we do not usually share information relating to you with anyone outside Atrium. Learning needs are also confidential to the Atrium team. Exceptionally, in the event of a serious concern for the immediate safety of someone, it might be necessary to consult another service. Wherever possible, we would discuss this with you first. However, on rare occasions it might be necessary to proceed without prior discussion with you or without your agreement.


a. We have robust measures in place to minimise and prevent data breaches taking place.

b. If a breach of personal data occurs (whether in respect of you or someone else) we must take notes and keep evidence of that breach. If the breach is likely to result in a risk to the rights and freedoms of individuals, we must notify the Information Commissioner’s Office within 72 hours.

c. If you are aware of a data breach you must contact the CEO immediately and keep any evidence you have in relation to the breach.


a. All therapy records are kept securely. We advise all Practitioners with Atrium to make brief notes typically covering risk and safeguarding if relevant, wellbeing measures, plans for work, key areas covered in sessions and next steps. We advise practitioners to make notes in collaboration/agreement with the client so there are ‘no surprises’ in our records. We do not keep notes on individual learners apart from registration details including specific learning needs disclosed to us. We advise practitioners to document action taken to safeguard clients in reference to our safeguarding guidelines.

b. The law states that if you would like to make a SAR in relation to your own personal data you should make this in writing to the CEO. We must respond within one month unless the request is complex or numerous, in which case the period in which we must respond can be extended by a further two months. As the data we hold is sensitive, please expect a robust identification process to take place so we are sure that the information is only given to the client. This can delay the process, and if Atrium remains in doubt of the identity of the client, we will refuse the request until verification can be achieved or arrangements for validation assured, e.g. information sharing via the GP.

c. There is an administration fee of £30.00 plus VAT for making a SAR. However, if your request is manifestly unfounded or excessive, we may refuse to respond to your request.

d. Access to written notes – written consent of all parties indicated in the session notes has to be secured before notes can be accessed, otherwise all reference to other parties will be redacted.


a. You have the right to information about what personal data we process, how and on what basis, as set out in this Policy.

b. You have the right to access your own personal data by requesting this via the CEO.

c. You can correct any inaccuracies in your personal data. To do so, you should contact the CEO.

d. You have the right to request that we erase your personal data where we were not entitled under the law to process it, or it is no longer necessary to process it for the purpose for which it was collected. To do so you should contact the CEO.

e. While you are requesting that your personal data is corrected or erased or are contesting the lawfulness of our processing, you can apply for its use to be restricted while the application is made. To do so you should contact the CEO.

f. You have the right to object to data processing where we are relying on a legitimate interest to do so, and you think that your rights and interests outweigh our own and you wish us to stop.

g. You have the right to object if we process your personal data for direct marketing purposes.

h. You have the right to be notified of a data security breach concerning your personal data.

i. In most situations we will not rely on your consent as a lawful ground to process your data. If we do however request your consent to the processing of your personal data for a specific purpose, you have the right not to consent or to withdraw your consent later. To withdraw your consent, you should contact the CEO.

j. You have the right to complain to the Information Commissioner. You can do this by contacting the Information Commissioner’s Office (ICO) direct. Full contact details including a helpline number can be found on the Information Commissioner’s Office website. This website has further information on your rights and our obligations.


Personal data is held for up to seven years following the completion of the coaching or therapy and is then confidentially destroyed.

For more information contact HQ:

642 London Road
Westcliff on Sea


Atrium Clinic
642 London Road

Telephone: 01702-332857
