
Privacy, Confidentiality and Data Protection Policy

Nurse-Led Therapeutic Interventions and Professional Services

Last reviewed | April 2026

 

Company: Become Your Change Ltd | Company No. 16444553

Contact: contact@becomeyourchange.com

Website: www.becomeyourchange.com

NMC Pin: 19D0976E

ICO Registration: ICO:00012712789

Data Controller: Bronwyn Evans, Become Your Change Ltd


Purpose of this policy 

This policy explains how Become Your Change Ltd collects, uses, stores, and protects your personal information. It applies equally to private therapeutic clients and to professional clients engaging clinical supervision, peer supervision, NMC revalidation support, or annual appraisal services. It has been written in line with the NMC Code,¹ UK GDPR as amended by the Data (Use and Access) Act 2025,¹⁰ ¹⁸ the Data Protection Act 2018,¹¹ the NHS Records Management Code of Practice 2023,¹⁷ and ICO guidance for healthcare providers.⁶ Questions about this policy are always welcome at contact@becomeyourchange.com.

1. Who We Are

Become Your Change Ltd (Company No. 16444553) is operated by Bronwyn Evans, a Specialist Mental Health Nurse registered with the Nursing and Midwifery Council (NMC Pin: 19D0976E).¹ Bronwyn Evans is the Data Controller for all personal information processed through this practice and is registered with the Information Commissioner's Office (ICO Registration: ICO:00012712789).⁶

 

All data processing is carried out in accordance with the NMC Code,¹ UK GDPR as amended by the Data (Use and Access) Act 2025,¹⁰ ¹⁸ the Data Protection Act 2018,¹¹ and ICO guidance.⁶

2. What Personal Data We Collect

We collect only what is needed to provide safe, ethical, and effective support. Nothing more.

 

2.1 Identifying and Contact Information

  • Full name, date of birth, and contact details including email address and telephone number

  • Emergency contact details

  • GP name and surgery details (private therapeutic clients)

  • Professional registration details, including NMC Pin or equivalent (professional clients)

2.2 Special Category Health Data

As a healthcare provider, we process special category data under Article 9(2)(h) of UK GDPR, which covers processing necessary for the provision of health or social care.¹⁰ This includes:

  • Physical and mental health history, including current and previous diagnoses

  • Medication information, including any recent changes

  • Risk assessment information

  • Clinical session notes, including assessment and treatment planning records

  • Correspondence relevant to your care

 

2.3 Professional Practice Data

For professional clients engaging supervision, appraisal, or revalidation services, we additionally process:

  • Reflective practice notes and case material discussed in session

  • CPD evidence and revalidation portfolio material submitted for review

  • Documentation produced as part of the service, including written appraisal reports and confirmation records

  • Records of attendance suitable for CPD and NMC revalidation purposes

 

2.4 Administrative Data

  • Booking and appointment records

  • Payment records including amounts and dates. Payment card details are not retained by us

  • Email correspondence relating to our work together

3. Lawful Basis for Processing

We process your personal data on the following lawful bases under UK GDPR, as amended by the Data (Use and Access) Act 2025:¹⁰ ¹⁸

 

  • Article 6(1)(b) | processing necessary for the performance of our agreement with you

  • Article 6(1)(c) | processing necessary to meet a legal obligation, including NMC record-keeping requirements and the NHS Records Management Code of Practice 2023¹⁷

  • Article 6(1)(f) | legitimate interests in practice administration and communication

  • Article 9(2)(h) | processing of special category health data necessary for the provision of healthcare

 

Where processing is based on your consent, you can withdraw it at any time. Withdrawing consent does not affect any processing already carried out, and some data must be retained regardless to meet legal and professional obligations.

4. How We Use Your Information

Your information is used only for the following purposes:

  • Providing, planning, and reviewing your therapeutic, supervisory, or professional support

  • Risk assessment and safeguarding decisions

  • Clinical and professional record-keeping in line with the NMC Code¹ and NHS Records Management Code of Practice 2023¹⁷

  • Production of professional documentation including written appraisal reports, supervision records, and revalidation confirmation evidence

  • Appointment scheduling and administrative communication

  • Compliance with legal and regulatory obligations

  • Anonymised discussion within Bronwyn's own clinical supervision

  • Anonymised use in assessed professional training. Your identity is never disclosed

 

Your information is never used for marketing, research, or any commercial purpose. It is not shared with third parties without your explicit consent, except where the law or our professional obligations require it.

5. AI-Assisted Note-Taking and Transcription

Become Your Change Ltd uses AI-assisted transcription to support accurate and timely record-keeping during or following sessions. The tool currently in use is Heidi.¹³

 

This tool is a clinical necessity and a reasonable adjustment. It allows Bronwyn to remain fully present with you during the session while ensuring your record is accurate and professionally maintained. Its use is disclosed here in full transparency, in line with ICO guidance on AI and data processing.⁶

 

Heidi operates in full compliance with UK GDPR¹⁰ and the relevant Standard Contractual Clauses for international data transfer. In practice this means:

  • Only Bronwyn Evans has access to session transcriptions

  • Transcription data is automatically deleted after 90 days, in line with retention settings configured within Heidi

  • Formal clinical and professional records produced from the transcriptions are retained in line with the schedule in Section 7

  • No audio or video is saved unless explicitly agreed in advance

  • All stored data is encrypted and access-controlled

 

By engaging with our service you are confirming your awareness and acceptance of the use of this tool. Please raise any questions or concerns before your first session.

5.1 Recording by Clients

You are welcome to make written notes during sessions. However, Bronwyn does not consent to any audio or video recording of sessions by clients, whether covert or otherwise. Recordings made without consent may constitute a breach of UK data protection law and could result in immediate termination of the therapeutic or professional relationship. Where an unauthorised recording has been shared beyond the session, Become Your Change Ltd reserves the right to take appropriate legal action.

6. Data Storage and Third-Party Processors

6.1 Clinical and Professional Records

All clinical and professional records are held electronically within WriteUpp,¹⁵ a specialist clinical records platform that adheres to UK clinical retention requirements and operates in accordance with UK GDPR. WriteUpp acts as a data processor on behalf of Become Your Change Ltd. No paper records are maintained.

The same encryption, access controls, and security standards apply to all records held within WriteUpp, regardless of whether they relate to private therapeutic clients or professional clients. WriteUpp provides:

  • Encrypted, secure storage of all clinical, supervisory, and professional records

  • Compliance with the NHS Records Management Code of Practice 2023 retention requirements

  • A unified eight-year retention period for all clinical and professional records

  • Compliant and secure destruction at the end of the retention period

  • Affiliated executor services in support of Bronwyn's Clinical Will arrangement

 

6.2 Administrative and Booking Systems

Practice administration is managed across two platforms. Google Workspace is used for email communication, calendar management, and appointment scheduling. Google Calendar and Google Meet both operate to EU and UK GDPR standards. WriteUpp is also used for clinic scheduling and booking management alongside its records function, ensuring administrative and clinical records are held within a single compliant system.

7. Data Retention

Data is retained only for as long as is necessary for the purpose for which it was collected, in line with professional and legal obligations.

  • Clinical records  |  Minimum 8 years from end of treatment as per NHS Records Management Code of Practice 2023¹⁷

  • AI transcription data  |  Maximum 90 days then permanently deleted

  • Administrative and booking records  |  3 years

  • Email correspondence  |  3 years from last contact, unless clinically relevant

 

The right to erasure under UK GDPR Article 17 cannot override the legal obligation to retain clinical healthcare records for the mandatory minimum period.¹⁰ All records are securely and permanently deleted on expiry of the applicable retention period.

8. When We Share Your Information

Your information is treated as strictly confidential. It is shared only in the following circumstances.

 

8.1 With Your Explicit Consent

  • Communication with your GP or other treating healthcare professionals (private therapeutic clients)

  • Communication with your employer, regulatory body, or other relevant party (professional clients), where you have specifically requested or agreed to it

  • Referral letters, clinical summaries, or professional documentation provided to other services

  • Insurance, occupational health, or medico-legal reports

 

8.2 Legal or Safeguarding Requirement

Confidentiality may be broken without your consent where required by law or where there is a risk of serious harm to you or others. For private therapeutic clients, this includes obligations under safeguarding legislation,⁷ ⁸ ⁹ the Proceeds of Crime Act 2002,¹⁶ and the NMC Code.¹

For professional clients, this also includes circumstances where Bronwyn becomes aware of a serious concern about your fitness to practise as a registered professional. Under the NMC Code,¹ Bronwyn has a professional obligation to consider appropriate action, which may include encouraging self-referral or, in serious cases, a referral to the relevant regulatory body. Where it is safe to do so, you will always be told before a disclosure is made.

 

8.3 Anonymised Disclosure

  • Anonymised material may be discussed with Bronwyn's own clinical supervisor. Your identity is not disclosed

  • Anonymised case material may be used in assessed professional training work. Your identity is never disclosed

 

Your information is never sold, rented, or used for any commercial purpose.

9. Your Rights Under UK Data Protection Law

You have the following rights in relation to the personal information we hold. These are set out under UK GDPR as amended by the Data (Use and Access) Act 2025:¹⁰ ¹⁸

  • Right of access | request a copy of your data via a Subject Access Request

  • Right to rectification | request correction of inaccurate or incomplete information

  • Right to erasure | request deletion where there is no legitimate reason to continue processing, subject to retention obligations

  • Right to restriction | request that processing be limited in certain circumstances

  • Right to data portability | receive your data in a structured, machine-readable format where applicable

  • Right to object | object to processing based on legitimate interests

  • Right to withdraw consent | where processing is based on consent, withdraw it at any time

 

9.1 How to Make a Request

To exercise any of these rights, please contact contact@becomeyourchange.com with your full name, a description of the request, and proof of identity. We will acknowledge your request within 30 days as required under the Data (Use and Access) Act 2025.¹⁸ Where a request is complex, the response period may be extended by a further two months and you will be informed.

Under the DUAA you also have the right to raise a data privacy complaint directly with us. We are obliged to acknowledge it within 30 days and take appropriate steps to investigate without undue delay.

In some circumstances, such as where a Subject Access Request is manifestly unfounded or excessive, we may request clarification, charge a reasonable fee, or decline to respond. We will always explain our reasons in writing if this occurs.

 

9.2 Complaints to the ICO

If you are not satisfied with our response, you have the right to raise a complaint with the Information Commissioner's Office:

ico.org.uk/make-a-complaint | 0303 123 1113

10. Record of Processing Activities

As a healthcare data controller, Become Your Change Ltd maintains a Record of Processing Activities (ROPA) as required under UK GDPR Article 30.¹⁰ This internal document records the categories of personal data processed, the purposes for processing, data flows, retention periods, and the technical and organisational measures in place to protect your information. It is available to the ICO on request.

11. Data Breaches

In the unlikely event of a data breach affecting your personal information, we will act promptly and transparently. Where a breach is likely to put your rights and freedoms at risk, the Information Commissioner's Office will be notified within 72 hours in line with UK GDPR Article 33.¹⁰ Where the risk to you as an individual is high, you will also be contacted directly as soon as possible.

12. Practitioner Unavailability and Clinical Will

A Clinical Will arrangement is in place through WriteUpp's affiliated executor services.¹⁵ In the event that Bronwyn Evans becomes unable to practise due to illness, incapacity, or death, appropriately qualified professionals bound by the same confidentiality standards will have access to your records solely to ensure continuity of care or to meet legal obligations. You will be informed if this situation applies to your records.

13. Website and Cookies

The Become Your Change Ltd website at www.becomeyourchange.com is hosted on Wix. The site may use cookies and analytics tools in line with Wix's standard data practices. By using the website you accept the use of cookies as described in the Wix cookie policy, accessible via the website footer.

14. Changes to This Policy

This policy is reviewed regularly and updated to reflect changes in legislation, professional guidance, or practice. The current version is always available at www.becomeyourchange.com. Material changes will be communicated to existing clients and professional clients at least 28 days before they take effect.

References

References are numbered consistently with those used in the Become Your Change Ltd Terms of Service. Numbers omitted in this document refer to sources cited in that document only.

 

[1] NMC Code of Professional Standards of Practice and Behaviour for Nurses, Midwives and Nursing Associates (published 2018, visual refresh 2023, substantive content unchanged and current) https://www.nmc.org.uk/standards/code/

[6] Information Commissioner's Office (ICO) https://ico.org.uk

[7] Care Act 2014 https://www.legislation.gov.uk/ukpga/2014/23/contents

[8] Children Act 1989 and 2004 https://www.legislation.gov.uk/ukpga/2004/31/contents

[9] Mental Capacity Act 2005 https://www.legislation.gov.uk/ukpga/2005/9/contents

[10] UK General Data Protection Regulation (UK GDPR) https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/

[11] Data Protection Act 2018 https://www.legislation.gov.uk/ukpga/2018/12/contents

[13] Heidi Health | AI clinical documentation https://www.heidihealth.com

[15] WriteUpp | Clinical Records Platform https://writeupp.com

[16] Proceeds of Crime Act 2002 https://www.legislation.gov.uk/ukpga/2002/29/contents

[17] NHS Records Management Code of Practice 2023 https://transform.england.nhs.uk/information-governance/guidance/records-management-code/

[18] Data (Use and Access) Act 2025 https://www.legislation.gov.uk/ukpga/2025/16/contents
