Data Protection Complaints Procedure

Version: 1.0 – July 2026
Data controller: Chris Smith MBACP, trading as Hidden Dragon Holistics
Contact email: please use the HDH contact form
ICO registration number: ZB476454

1. Purpose of this procedure

Hidden Dragon Holistics aims to handle personal information lawfully, fairly, securely and transparently.

This procedure explains how you can raise a concern or complaint about how I have collected, used, shared, stored, secured, retained or deleted your personal information, and what you can expect after making a complaint.

You do not need to use legal terminology, identify a particular law or complete a specific form for me to recognise and consider a data protection complaint.

2. What counts as a data protection complaint?

A data protection complaint may concern matters such as:

  • how I collected, used, shared, stored or deleted your personal information;
  • the accuracy or security of your information;
  • how I responded to a request to exercise your data protection rights;
  • an actual or suspected unauthorised disclosure or personal data breach;
  • how long I retained information; or
  • whether I provided sufficient information about how your personal information would be handled.

A complaint about the counselling service, therapeutic work or professional conduct is not automatically a data protection complaint. However, a complaint may contain both data protection and counselling-service concerns. Where this happens, I will explain how each part will be considered and will ensure that the data protection aspects are handled under this procedure.

A request to access, correct, erase or otherwise exercise your data protection rights may accompany a complaint. I will treat the rights request and complaint appropriately and will not treat one as replacing or delaying the other.

3. How to make a complaint

You can make a complaint:

  • by completing the HDH contact form and selecting the category Data Protection Complaint
  • through the secure Therasee client portal, where you have access to it;
  • by telephone;
  • during a face-to-face or remote appointment; or
  • through another reasonable communication method available to you.

The contact form or secure portal message will usually provide the clearest written record, but you are not required to use either method.

If you contact me through social media, I will normally ask you to move the conversation to a more private and secure communication method. I will not ask you to post confidential or sensitive information publicly.

4. Information that may help me investigate

It is helpful, but not essential, if you can provide:

  • your name and preferred contact details;
  • a description of what happened;
  • relevant dates;
  • the personal information or communication involved;
  • copies of relevant correspondence or evidence; and
  • what you would like me to do to resolve the matter.

If I am unclear about the complaint, I may ask you for further information or ask what outcome you are seeking. I will not reject a complaint solely because some information was not initially provided.

5. Accessibility and support

Please tell me if you need:

  • this procedure or correspondence in another format;
  • support communicating your complaint;
  • additional time or another reasonable adjustment; or
  • communication through a particular safe or accessible method.

I will take reasonable steps to make the complaints process accessible.

6. Complaints made on behalf of another person

You may ask another person, such as a family member, advocate or solicitor, to complain on your behalf.

Before disclosing personal information or investigating through a representative, I may need proportionate evidence that they are authorised to act for you. This might include a signed letter of authority or an appropriate power of attorney.

I will not request additional identification or authority where I already have sufficient information to be satisfied about the person’s identity and authority.

7. What happens after I receive a complaint?

I will:

  1. record the complaint and consider whether it raises any immediate security, safeguarding, risk or data-breach concerns;
  2. acknowledge receipt within 30 days;
  3. begin considering and investigating the complaint without undue delay;
  4. make enquiries that are reasonable and proportionate to the circumstances;
  5. review relevant records, communications, policies, agreements and service-provider information;
  6. ask for clarification or further evidence where reasonably necessary;
  7. keep you informed about progress, particularly if the investigation is likely to take longer than initially expected; and
  8. communicate the outcome without undue delay.

I will aim to resolve straightforward complaints within 30 days where reasonably possible. More complex complaints may take longer. If additional time is required, I will explain the reason and provide a realistic indication of when you should receive a further update or final response.

If the complaint indicates an ongoing risk, safeguarding concern or possible personal data breach, I will consider and respond to that issue promptly rather than waiting for the wider complaint investigation to finish.

8. Investigation and professional advice

I am responsible for investigating data protection complaints as the data controller.

Where appropriate, I may seek confidential advice from my insurer, a legal or data protection adviser, the Information Commissioner’s Office, my professional body or my clinical supervisor. I will only share information that is reasonably necessary for obtaining that advice and will protect confidentiality as far as possible.

Where the complaint concerns a provider that processes information on my behalf, such as Therasee or Stripe, I may contact that provider for information needed to investigate. Responsibility for responding to your complaint remains with me.

9. The outcome

My final response will normally:

  • summarise the complaint and the matters investigated;
  • respond to each significant issue;
  • explain the evidence and reasoning considered;
  • state whether the complaint is upheld, partly upheld or not upheld;
  • explain any correction, apology, remedial action or service improvement;
  • identify any action that cannot reasonably be taken and explain why; and
  • explain your right to complain to the Information Commissioner’s Office.

Where appropriate, I may invite you to provide further information or ask for clarification of the outcome. You do not have to wait for an internal clarification or review before contacting the Information Commissioner’s Office.

10. Complaining to the Information Commissioner’s Office

You have the right to complain to the Information Commissioner’s Office, which is the UK regulator for data protection.

You may contact the ICO at any point, although it may be helpful to give me an opportunity to consider and respond to the concern first.

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

ICO helpline: 0303 123 1113

11. Complaint records and confidentiality

I will keep a proportionate record of:

  • the complaint and date received;
  • my acknowledgement;
  • relevant correspondence and evidence;
  • enquiries and advice obtained;
  • progress updates;
  • the outcome and reasons for it; and
  • any corrective action or lessons learned.

Complaint records will be stored securely and accessed only where necessary. They will be retained only for as long as reasonably required, taking account of the nature of the complaint and any relevant legal, regulatory, professional or insurance requirements. The normal maximum retention period will be seven years after the complaint is closed unless longer retention is justified.

12. Learning and review

After closing a complaint, I will consider whether any changes are needed to my:

  • privacy information;
  • record-keeping;
  • security arrangements;
  • counselling documents or client journey;
  • service-provider arrangements;
  • policies, procedures or training; or
  • wider professional practice.

This procedure will be reviewed when relevant law, ICO guidance, professional requirements or HDH working practices change.