Data Retention Policy

This Data Retention Policy outlines how The Bridge Counselling Pte Ltd (the “Practice”, “we”, “us”, or “our”) collects, retains, manages, and disposes of client records and personal data. The aim is to ensure that all information is handled responsibly, with care for confidentiality, and in accordance with the Personal Data Protection Act 2012 (PDPA) of Singapore, as well as accepted professional standards within counselling and psychotherapy practice.

Maintaining appropriate records supports continuity of care, ethical practice, and accountability, while also protecting the privacy and rights of clients.

1. Scope

This policy applies to all personal data and client-related information collected, used, disclosed, or stored by us.

This includes, but is not limited to:

  • Client intake forms and administrative records

  • Session notes and clinical documentation

  • Contact details and communication records (email, phone, messaging)

  • Appointment and billing information

  • Any information shared verbally during counselling sessions that is documented as part of the client record

  • Digital data stored on secure systems and physical paper records

This policy applies to all staff, contractors, and any authorised parties who may handle such information.

2. Retention Period

Client records and personal data are typically retained for a period of 7 to 10 years from the date of the last interaction or session.

This retention period is based on commonly accepted professional guidelines and allows for:

  • Ongoing or future therapeutic support if a client returns

  • Administrative reference and continuity of care

  • Responding to enquiries, complaints, or requests for information

  • Compliance with legal, regulatory, or professional obligations

Where relevant, retention periods may vary depending on the nature of the service provided or specific legal requirements.

3. Disposal and Anonymisation

At the end of the retention period, all client records and personal data are handled in a manner that ensures they cannot be reconstructed, accessed, or misused.

This may include:

  • Secure shredding of physical documents

  • Permanent deletion of electronic files from all storage systems and backups

  • Anonymisation of data where appropriate, so that it can no longer be linked to an identifiable individual

All disposal processes are carried out with care to maintain confidentiality and prevent unauthorised access.

4. Exceptions to Retention Periods

In certain circumstances, we may retain or dispose of data outside of the standard timeframe. These situations may include:

  • When there are legal or regulatory requirements mandating longer retention

  • Where a client has provided explicit consent for a different retention duration

  • If records are required for ongoing or anticipated legal proceedings

  • Where there are legitimate professional or clinical reasons to retain information for a longer period

Any such exceptions are considered carefully and handled in line with applicable laws and ethical standards.

5. Data Security and Protection

Client confidentiality is a core part of the therapeutic process. All personal data is stored and managed using appropriate safeguards to prevent loss, misuse, unauthorised access, or disclosure.

Security measures may include:

  • Secure digital storage systems with restricted access

  • Password protection and user authentication controls

  • Encryption of sensitive data where applicable

  • Regular data backups to prevent loss

  • Controlled handling of physical records

Access to client information within the practice is limited only to authorised individuals who require it for legitimate professional purposes. Where third-party service providers process data on our behalf, they are required to maintain equivalent standards of protection. Please refer to Section 6 for further details.

6. Third-Party Disclosure

In the course of operating the practice, certain personal data may be processed by third-party service providers, including scheduling platforms, payment processors, and cloud storage services. These providers are engaged only where necessary and are required to handle personal data in a manner consistent with this policy and applicable data protection obligations.

Where any such provider stores or processes data on servers located outside Singapore, we take reasonable steps to ensure that appropriate protections are in place in accordance with the PDPA's requirements on cross-border data transfers. Personal data is not sold, rented, or otherwise disclosed to external parties for commercial purposes.

7. Cross-Border Data Transfers

Some of the tools and platforms used by the practice may store or process data on servers located outside Singapore. Where this occurs, we take reasonable steps to ensure that the receiving party provides a standard of protection comparable to that required under the PDPA, whether through contractual arrangements, recognised data protection frameworks, or equivalent safeguards.

8. Client Rights

Under the PDPA, you have the right to request access to the personal data we hold about you and to request corrections where that data is inaccurate or incomplete. You also have the right to withdraw consent to the collection, use, or disclosure of your personal data, subject to legal and professional obligations that may require us to retain certain records regardless of withdrawal.

Where a client is a minor, records are managed with due regard to the consent arrangements in place at the time of engagement, including any parental or guardian authorisation.

To exercise any of these rights, please contact us using the details in Section 13.

9. Data Breach Notification

In the event of a data breach that is likely to result in significant harm, we will take prompt action to contain the breach and assess its impact. Where required under the PDPA, affected individuals and the Personal Data Protection Commission will be notified in accordance with applicable mandatory breach notification obligations.

10. Accuracy and Minimisation

Reasonable steps are taken to ensure that personal data collected is accurate, relevant, and not excessive in relation to its purpose. Information is only retained for as long as necessary to fulfil its intended use.

11. Policy Review and Updates

This policy is reviewed periodically to ensure that it remains aligned with current legislation, professional standards, and operational practices. The version date at the top of this document reflects the most recent review. Updates will be made available where appropriate, and continued use of our services following any update constitutes acknowledgement of the revised policy.

12. Compliance and Responsibility

All staff are required to comply with this policy when handling client records and personal data. Failure to adhere to this policy may result in appropriate action, depending on the nature and severity of the breach.

13. Contact Information

If you have any questions, concerns, or requests relating to your personal data or this policy, you may contact:

Data Protection Officer
The Bridge Counselling Pte Ltd
Email: dpo@thebridgecounselling.com.sg

Bridge WhatsApp
The Bridge Counselling Online
Hello! How can we help you today? 👋