• Assessments
  • Reviews and Debriefing
  • Reatreats
  • Education
  • Supervision and Mentoring
  • Therapy

Supporting mission personnel and humanitarian workers worldwide

Privacy Policy


Scope. This privacy policy describes the personal data we process when we provide you or others with services, or as a result of other parts of our work. It is effective from 25th May 2018.

Jurisdiction. The personal data we collect and process is regulated by the European Union (EU) General Data Protection Regulations (GDPR) and monitored in the UK by the Information Commissioner’s Office (ICO).

Client information. If you want to know how we work with clients, see client information.

Children. To read our privacy policy written for children, click here.

What personal data is

Personal data. Personal data is any information that reveals exactly who a living person is. Information about you that does not identify you is not personal data.

What we must tell you. By law we have to tell you when we collect your personal data, what we do with it, and what you can do about it.

Why we process your personal data

Overview. We process information about you

  • so that we can provide you with services or receive services from you; or
  • because the law says we must; or
  • because it there is a legitimate interest to process it.

  • Providing services

    Services we provide. We may process information about you to provide you, or an organisation you represent, with clinical psychology and member care services such as

  • confidential psychosocial assessments, reviews, debriefing, and therapy for the benefit of your or your child’s health;
  • clinical supervision, retreats, training, consultation, providing publications or resources, or other agreed services.

  • Services we receive. We may also process information about you so we can receive services from you such as clinical supervision or professional advice, or so we can carry out work agreed with you for any other reason, or to purchase goods or services from you in connection with our work.

    Lawful basis. The lawful basis for this kind of processing is to fulfil a contract or to provide information before a contract is agreed. There may be an implicit contract between us even when it is not written. We will usually not be able to fulfil a contract unless you provide us with relevant information.

    Complying with the law

    Lawful basis. We may process information about you because the law says we must. Under GDPR, the lawful basis for this kind of processing is legal obligation.

    Safeguarding. When a child or adult is at risk of harm, the law says we must process that information and share it as necessary to keep the person safe. The law says we must also process, and pass on as necessary, concerns that an identifiable person may have harmed others in the past, and information about other serious crime.

    Financial records. The law also says we must use personal data to provide invoices to customers for services, and keep financial records of payments received.

    Other legal obligations. We may also need to process your information to comply with other legal requirements, such as court orders.

    Legitimate interests

    Lawful basis. We may process information about you for valid reasons to help us, you, or other people – or what GDPR calls the lawful basis of legitimate interests.

    Third party information. When we provide clinical psychology health services such as assessments, reviews, debriefing, and therapy, we may process information about persons who are not receiving those services from us. This is called third party information. We process third party information when it helps with the service we are providing. For example, in therapy you may expect us to remember information you have told us about other people in your family, and so we would record that information to remind us. You can share this privacy notice with other family members if they are concerned. Or if you wanted us to consult with other health professionals about your care, we would need to know their name and contact details. When we receive third party information about someone in confidence, we do not have to tell them, but they do have other rights over their information.

    Retreats, training, & conferences. If you are taking part in a retreat or training event that we have arranged with another provider, or in a conference which we have helped organise, we will have no contract with you. But we may collect information from you to help us know your name, to tailor our materials to your needs, and to provide you with materials to your benefit before or after the event.

    Enquiries. If you contact us about our services or website, we may process your information so we can respond to your query, to make notes about any services we agree to provide for you, or to block you if we suspect you of phishing or spam.

    IP addresses. When you email us, information is routinely collected to trace which computer you connected from, making it possible to track any faults and maintain security.

    Feedback. We may ask you for feedback, and process any feedback we receive so that we can improve our services. Usually we process feedback anonymously so you cannot be identified. See Client Information for further details.

    Professional networking and authorship. If you are a professional colleague, we may process your personal information as part of our work with you, so that we can keep in contact, meet and communicate to share ideas, and keep and share records of meetings we have, to our mutual benefit. If you have published work with us that is in the public domain, or publish your name on your website, we may publish your name on our website as a an author, co-author or editor.

    Children. If you are a child, the law says we can’t expect you to agree a contract with us.

    But we may use information about you and other important people in your life. We use it to help you and your family stay or get more healthy.

    We write down what you tell us so we can remember it when you talk to us again.

    We talk to other people who can help you and write down what they say.

    We keep your information private unless you want us to pass it on, or unless we have to tell other people to keep you safe. If we do tell other people, we only tell the people who need to know, and we only tell them what they have to know.

    Marketing and automatic decision making

    We do not use your information for marketing or automatic decision making such as profiling.

    What personal data we collect

    From you. We may collect any information you tell us.

    From third parties. We may also collect information from other people about you. This may include:

  • basic personal information (e.g. name, date of birth, organisation, passport and host country, first language);
  • contact information (e.g. email addresses, phone numbers, postal addresses, Skype identities or other electronic contacts);
  • sensitive personal information (usually about your health, and sometimes also other sensitive information if it’s relevant to our work with you);
  • information about your network (e.g. your family relationships, friends, GP, professional and other contacts);
  • internet protocol (IP) addresses (e.g. if forwarded to us in an email trail);
  • safeguarding information about any risks affecting you and action taken to protect you;
  • any other information that may be relevant to our work with you.

  • Pseudonymisation. Where possible, we separate the personal information that would identify you, from sensitive information and other information we process about you, by keeping it anonymous. Information that does not identify you is not personal data.

    Who we collect information from

    Third parties. As well as collecting information from you, we may collect information that other people give us about you. They may include:

  • people in your organisation or family, health professionals, or individuals who give us information about you before we have agreed to provide you a service, or to help us provide a service to you;
  • people who give us information about you in connection with a service we or they are providing for you or someone else;
  • financial providers who display your identity when you make a payment;
  • email providers who automatically supply your IP address when you email us.

  • Public domain. We may collect names or contact details which are available publicly (e.g. full GP contact details when a client cannot recall them fully). But we do not otherwise collect information about you that is in the public domain (e.g. google searches or your website, blog or other web presence) unless you ask us to. Please ask us if you would like us to look at such information.

    Commercial data. We do not receive information about you from marketing companies or data harvesting, and we do not buy your data.

    Who we share information with

    Sharing information in your best interests. With your express permission, we may share information with your family members, medical and other health professionals, teachers, social care or other professionals, or responsible contacts in your organisation.

    Safeguarding. Where necessary to safeguard a child or adult at risk of harm, we may share information with family members, police, statutory services, other professionals, or responsible contacts in their organisation. We may tell you first, but may need to share the information without your knowledge or permission.

    Supervision & training. We do not share information that would personally identify you with supervisors or colleagues. But we may discuss you anonymously in supervision or in consulting with colleagues to ensure that we are providing you a good service. If we use examples from our work in training, we take special care to change or omit any information which could identify an individual.

    Conferences, training, and retreats. We may share your contact information with colleagues who are helping organise conferences or training events or retreats, so they can provide you with services connected to the event.

    Financial and internet service providers. We may share information with financial providers where necessary for billing and payment, and email and webhosting providers where that is necessary for email security.

    Between ourselves. We (David and Debbie Hawker) may share information between ourselves as joint data controllers.

    Cloud services. We use electronic services for storing, transferring and processing information, including Skype, Zoom, VSee, Yahoo email, Google, Mega, Fastcomet, Protonmail, Surveymonkey, Whatsapp, and Paypal. Some of these involve transferring information to countries outside the EU. All these services are password protected and/or encrypted for your protection. We use strong password protection or encryption for transferring sensitive information.

    Transfers outside the EU. We also sometimes transfer information outside the EU to countries or international organisations which are not regarded by the EU as having adequate levels of protection. We make these transfers where there is no other way of providing a service, when the recipient is aware of the risks and has agreed to the transfer. We use encryption and password protection for transferring sensitive information.

    Selling information and automatic processing. We do not sell or pass on information to third parties to use for marketing purposes, data harvesting, or automatic decision making.

    How long we keep information

    Retreats, training, & conferences. We keep information about retreat or training participants for up to three months after either the event or our last post-event contact with you. This allows us time to make sure there is no need to retain the information, and that you receive any materials you have asked for after the event has taken place. Information on email may be kept longer.

    Finished contracts & supervision. Where a contract is completed with an organisation to provide health services to an individual, and we do not expect to work with the individual again, we keep information for up to five years after the end of a contract, the normal maximum time the HCPC allows for raising concerns. We also keep supervision notes for five years.

    Ongoing and recurring contracts. In other circumstances we keep information for longer. We offer a very specialised service, supporting people who work as humanitarian or mission workers overseas. Many of the people who we provide health services to return to us many years later, perhaps after another term overseas, after another traumatic event or a new development in an abduction situation, or for other reasons. Some have informed us that they find it helpful to come back to someone who already knows their story so that they do not have to spend a long time going over it again, especially when there are traumatic or sensitive details. Therefore, when we work with people who we are likely to see again, we keep information for up to twelve years after the last contact.

    Children. Children also return to us for health services, and keeping information after they reach adulthood gives them time to exercise their rights to access that information. Therefore we keep children’s information until their 25th birthday (or 26th birthday if they were 17 when treatment ended). This includes information on any concerns about risk to a child.

    Alleged abuse. National and local guidelines say that we must keep information about alleged historical abuse until the natural retirement age of the alleged abuser, or for ten years, whichever is the longer.

    If allegations are found to be malicious, or all information has been passed on to the police, we destroy our records within three months. If relevant legal proceedings have begun but not been completed, including legal proceedings against an organisation or the Independent Inquiry into Child Sexual Abuse (IICSA), we may need to keep information about alleged abuse until the legal process is complete.

    Other safeguarding information. We keep other information relating to safeguarding individuals for twelve years, or until relevant legal proceedings (including the IICSA) are complete.

    Financial records. We keep financial invoices and receipts for seven years, to ensure we comply with HMRC requirements.

    Professional networking. We may keep contact details for professional colleagues, and records of meetings and conversations with colleagues until our retirement, to maintain contact for archival purposes.

    Email. We keep offline backups of emails (which include IP addresses) for up to twelve years (or until the child's 25th birthday if they relate to children - or 26th birthday for children who were 17 at our last contact with them), but delete them from our server after a year.

    We delete spam and phishing emails immediately, but may keep contacts indefinitely to maintain blocking arrangements.

    What if we retire or die? In the event of the retirement or death of either of us, personal data may be destroyed earlier than stated here.

    What rights you have

    Your rights. You have certain rights in relation to the processing of your information. You have the rights:

  • to be informed about whether we are processing your personal information, and how we use it (you exercise this right by reading this privacy notice);
  • to ask for a copy of the information we have about you;
  • in some circumstances, for a copy of information you gave us to be passed on to another data controller (such as case notes to another therapist);
  • to ask us to amend information about you if it is incorrect or incomplete;
  • if particular conditions apply, to ask us to erase information about you or to restrict our processing of it; and
  • to object to our processing your information for reasons of legitimate interests.

  • Other people we might have to tell. If we make changes to your information, or how we process it, as a result of your request, we also must tell you about anyone else who we passed your information onto, and we must tell them about the changes.

    How to exercise your rights. If you want to exercise any of these rights, please contact us and make clear what you are asking for. Usually we have to act on your request within one month, without charging you a fee. We may need to ask you for more information about your request or to prove your identity.

    Children. Children's data belong to them, and they have the same rights over their data. Where a child is not considered to be competent, an adult with parental responsibility may exercise the child’s data protection rights on their behalf. We must consider the child's personal interests, and whether they are mature enough to understand their rights over their information and to exercise them on their own.

    Exceptions. There are exceptions to these rights. For example, if we received third party information about you in confidence, we do not have to tell you, but that does not affect your other rights. Or we may need to withhold personal information from you to protect you or others. In these and various other circumstances we may not have to comply with your request.

    Fees. Normally we cannot charge you a fee to respond to your requests concerning your personal information. But if a request is unfounded or excessive, we may charge you a reasonable administrative fee to comply.

    What if we refuse your request? If we refuse a request or charge a fee, we have to tell you why. If you are not happy with our response, you may complain to the ICO.


    Pages using cookies. The contact forms on our website (accessed from here) each store a single cookie on your computer. The cookies ensure that your information is sent securely thrsough the internet. The cookie identifies you while you are using the form and expires when you close your browser.

    Pages without cookies. None of our other webpages use cookies, at least as far as we're aware.

    What you can do about cookies. Learn more about cookies and how to disable them here. If you disable cookies on the contact forms, your information may be sent less securely.


    To read a version of our privacy policy written for children, click here.

    Social media

    We use social media (Facebook and LinkedIn) to promote our services. Social media accounts for a very small proportion of the personal information we process. For ease of reference, we describe separately here our policy regarding information we collect on social media.


    Comments and likes. Our Facebook page collects anything you post on it, such as likes and comments. The personal data we collect is your name, unless you post any other personal data on our page. We recommend you don't. If you have a Facebook account (which you must to comment or like), your name will be linked to whatever other personal data you have posted in your account. Facebook, or you, are responsible for that. We are not.

    Visiting stats. Facebook also tells us how many people have viewed our page and may tell us more, but we can't identify individuals from that, as far as we know. As far as we understand, Facebook is controller of information connected to your name, but we are controller of information you post on our Facebook page. Facebook may also put cookies on your computer if you visit our Facebook page, even if you do not have a facebook account. See Facebook's privacy policy for information on the personal data they collect.

    Why we process your information on social media. Our lawful basis for collecting your personal information is legitimate interests, in that receiving likes and comments and responding to them helps us promote our business.

    Who can see your information. We do not actively pass on your information, but our Facebook page is public and can be viewed by anyone with access to the internet, even if they do not have a Facebook account.

    How long we keep your information. We will retain your information as long as we retain the Facebook page, unless you remove it or ask us to remove it. We will, however, remove sensitive personal information if you post it, as soon as it comes to our attention..

    Your rights. You have the same rights regarding your information on Facebook as you have about all your personal information. However, you will probably find it easier and quicker to remove your own likes, comments and endorsements than to ask us. For instance, the only way we can remove your "like" is by banning you from the page. You, in contrast, can remove it yourself simply by clicking "Like" again. If we remove comments or likes from our page they will no longer display on the page and we will no longer have access to it, but Facebook may retain your information for longer. See Facebook's privacy policy for information.


    Debbie Hawker's and David Hawker's public LinkedIn pages may also collect information you post on them, such as endorsements, comments, and likes attached to your name. If you are a client, we ask you not to contact us via our LinkedIn pages. Our privacy policy about personal data you post on our LinkedIn pages is the same as our policy about our ARREST Facebook page, as described above.

    Professional networking contacts

    We may communicate privately with colleagues through social media (Facebook Messenger, LinkedIn messaging and the like). We ask clients receiving our clinical services not to contact us in these ways. Our policy on these communications with colleagues is covered within our privacy policy as a whole, under the heading of Professional networking, and not by this separate section on social media.

    Who is responsible for processing your information

    Data controllers. Dr Debbie Hawker and Dr David Hawker are each sole traders and joint data controllers for ARREST.

    Joint controller arrangements. We are jointly responsible for processing your information, with David taking the lead on devising and implementing ARREST’s privacy policy, and both Debbie and David responsible for following it in their individual work.

    Contact us. If you have any questions about privacy, contact David.

    Further information and complaints

    Complaints. If you are not satisfied with our response to your request to exercise your rights, or with anything else about our privacy policy, you can contact the ICO.

    Further information. The ICO also provides further information on GDPR and other data protection laws that we must comply with, on how you can exercise your rights and how we must respond.

    Other questions. If you have any questions or comments about our privacy policy, please contact us.

    Last updated

    Back to Top...