Privacy Statement
Introduction
FD Consultants (“FDC”) is committed to protecting your personal information and complying with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and relevant updates under the Data (Use and Access) Act 2025 (DUAA). This Privacy Policy explains what data we collect, how we use it, the lawful bases we rely on, how long we keep your data, and your rights.
FDC is registered with the Information Commissioner’s Office (ICO).
When you are referred for psychosocial services with FDC you will be asked to consent to the processing of your data under the terms of this policy. FDC associates will also be responsible for their own data management, will abide by this privacy statement, and will hold their own privacy statement that complies with the GDPR terms.
What information we collect
We collect and process:
Personal identification data
- Name, address, telephone numbers, email address, date of birth
- GP/medical practitioner details
- Employer and deployment information
- Videoplatform identifiers
Sensitive (special category) data
- Medical and mental health information
- Background information relevant to psychosocial assessment and support
We only collect data necessary for the provision of psychosocial services, in line with tightened ICO expectations on data minimisation and justification of each collected data field.
- Lawfulbases forprocessing
FDC processes your information under the following lawful bases:
(a) Contract
To provide psychosocial services you request.
(b) Legal obligation
For safeguarding, serious incident reporting, and lawenforcement obligations.
(c) Legitimate interests
FDC has a legitimate interest in processing data for:
- Service delivery
- Clinical supervision
- Administrative purposes
(d) Recognised legitimate interests
We may process personal data without a balancing test in contexts such as:
- Safeguarding vulnerable individuals
- Responding to emergencies
- Preventing crime
(e) Consent
When sharing information with external medical professionals or where required for particularly sensitive disclosures.
You may withdraw consent at any time. Details on how to do this are included below.
How we use your information
Your information is used to:
- Provide psychosocial support services
- Arrange, manage, and notify you about appointments
- Produce clinical reports
- Meet ethical, legal, and regulatory obligations
- Provide occasional servicerelated updates (trainings, workshops, newsletters)
Where automated tools are used for administrative decision making, DUAA requires that we provide information and offer human review on any significant decisions made solely through automated processing. FDC does not currently make legally significant decisions by automated means.
Sharing your information
Your information will not be shared with third parties except in the following circumstances:
(a) With your consent
To coordinate care with clinicians or others you specify.
(b) Serious harm
If we believe disclosure may prevent serious harm to you or another person.
(c) Legal requirements
Compliance with statutory obligations, e.g. safeguarding, terrorism, serious crime.
(d) Clinical supervision
Supervisors are accredited professionals and bound by strict confidentiality rules.
(e) Clinical will
A designated colleague may access contact details in emergencies (e.g., sudden illness).
FDC does not sell or share data for marketing beyond FDCspecific updates.
How we store and protect your information
-
FDC maintains appropriate technical and organisational security measures, meeting ICO expectations for encryption, secure storage, and protection against breaches. Measures include:
- Locked storage for paper records
- Passwordprotected devices with antivirus software
- Encrypted transfer of formal reports
- Use of endtoend encrypted video platforms where possible
Any personal data breach will be reported to the ICO within 72 hours, in line with UK GDPR.
Data Retention
-
Under updated ICO guidance, organisations must communicate specific retention periods, not vague statements.
FDC retains records as follows:
- Clinical records: typically, 7 years after the end of services (or longer if required by professional guidelines).
- Administrative correspondence: 1–2 years unless needed for ongoing services.
- Contact information: deleted promptly once no longer required.
A full retention schedule is available on request. (i.e. An individual can ask what data and how long data was retained, and is likely to be, retained)
Your rights
Under the UK GDPR and DUAA reforms, you have the right to:
- Access your data (Subject Access Request – SAR)
- Request correction or deletion
- Restrict or object to processing
- Request data portability
- Withdraw consent
- Challenge automated decisions and obtain human review
SAR response timelines: one month, with “stoptheclock” pauses permitted when clarification is needed (new under DUAA).
International transfers
If data is transferred outside the UK, we follow DUAAupdated rules for international transfer risk assessment and safeguards.
How to Withdraw Consent or Make a Complaint
Changes to this policy
FDC may update this policy in response to legal or operational changes. The latest revision date will always be displayed.
Last updated: 18/06/2026