High-Discretion Advisory / Restricted Handling
Joanna Kucinska, trading as JK Protocol, is the Data Controller for all personal data processed in connection with the JK Protocol programme.
When you make an initial enquiry, we collect your name and a secure contact method (email address or equivalent). We handle all enquiry data with strict confidentiality. We do not require your employer, address, or professional background at this stage.
When you confirm engagement, we collect and hold the following information, required by our BPC registration obligations and our duty of care as a registered practitioner:
All identifying information is held separately from session records in a secure paper Index, accessible only to the Consultant.
Session records are maintained using your reference code only and are held separately from your identifying information. Records reflect the clinical and operational content of each session as required by BPC record-keeping standards. All records are stored in a locked filing cabinet at the Consultant's secure premises and are not held on any internet-connected system.
We process your data on the following legal bases under UK GDPR:
Where we process special category data (health and wellbeing information shared in the course of a therapeutic engagement), we do so on the basis of explicit consent and the provision of health or social care services under Schedule 1 of the Data Protection Act 2018.
We do not rely on consent alone as the legal basis for processing. Some processing — including minimum record retention — is required regardless of consent by our professional regulatory obligations and cannot be withdrawn.
All client records held by JK Protocol are maintained in a paper-based system at the Consultant's secure private premises. A locked Index links your real name to your reference code. Your programme folder, identified by reference code only, is held in a locked filing cabinet and contains your signed contract, session records, and correspondence. Access is restricted to the Consultant only.
No session content or identifying client information is stored on internet-connected systems. Where encrypted digital communication is used (such as encrypted email), it is routed to a secure terminal accessible only to the Consultant. No client data is stored within our website infrastructure.
Initial website enquiries are handled using a non-retention architecture and are not stored within our web hosting infrastructure. The JK Protocol website operates a zero non-essential cookie policy with no commercial tracking pixels or third-party marketing automation.
We retain client records for a minimum of six years following the termination of your engagement, in line with BPC guidance for adult clients.
Where a safeguarding concern has been recorded, records relating to that concern are retained for the period required by applicable safeguarding frameworks, which may exceed six years.
Following the applicable retention period, all paper records are securely destroyed using a cross-cut shredder. Where practicable, you will be informed of the planned destruction date in your closing documentation.
As required by BPC standards, the Consultant discusses client work with a professional supervisor. All supervision is conducted using anonymised content only. Your supervisor will not be given your identity or any identifying information.
We do not share your data with NHS systems, MoD systems, Defence Medical Services, employer HR systems, vetting authorities, or any other institutional body — except where legally required under Section 6 below. We do not sell, rent, or share your data for any commercial purpose.
Confidentiality is the foundation of this engagement. The following are the only circumstances in which confidentiality may be breached without your consent. All are required by law or professional ethics. Where it is safe and lawful to do so, the Consultant will discuss any potential disclosure with you before taking action.
| Right | What This Means |
|---|---|
| Right of Access | You may request a copy of the personal data held about you at any time. The Consultant will respond within one calendar month. |
| Right to Rectification | You may ask us to correct inaccurate data held about you. |
| Right to Restriction | You may ask us to restrict processing in certain circumstances defined under UK GDPR. |
| Right to Erasure | You may request deletion of your data. This right is qualified — we cannot erase data where retention is required by BPC obligations, legal obligation, or safeguarding requirements. We will explain the basis for any retention that cannot be fulfilled. |
| Right to Object | You may object to processing based on legitimate interests. |
| Right to Complain | If you believe your data has been processed unlawfully, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at www.ico.org.uk or by calling 0303 123 1113. |
To exercise any of these rights, contact: jk@jkprotocol.co.uk
This Notice may be updated periodically. The current version is always available at www.jkprotocol.co.uk. Material changes will be notified to active clients directly via their agreed secure contact method.