The General Data Protection Regulation (GDPR) is concerned with personal information that we collect, store, and share.
Personal Information we Collect:
- Gender (or preferred identity).
- Date of Birth / Age.
- Telephone/SMS number (plus permission to send SMS & leave voice message).
- Email address.
- Relationships & Progeny.
- Occupation & Hobbies.
The above information helps us to get to know you and contact you regarding your sessions.
- Next of kin.
- GP name & address.
- Medical conditions relevant to therapy sought.
- Prescribed medication.
The above information allows us to contact your doctor or next of kin if we are worried you are at risk. If we can, we will tell you in advance.
- Previous Therapy History.
- Difficulties & Issues.
- Session notes.
The above information allows us to formulate a therapy plan tailored to your needs and be able to reflect on previous sessions.
How we Store Your Personal Information:
- Paper – written forms including: Contact Sheet / Therapy Information & Agreement Consent Form / GDPR signed agreement. These will be anonymised and kept in a locked filing cabinet in our locked therapy room. Your Assessment Record / Brief Session Notes will be kept in a separate locked filing cabinet in our locked therapy room. The two separate files will be linked by a client code system, and these details will be in an encrypted and password-protected vault on our laptop.
- Smartphone – we will store your name and telephone number in our code-protected business smartphone, which is our contact for business text messaging and telephone calls.
- Email – your email address and correspondence will be stored in our email account. We will only access our password-protected email account using our password-protected computer, laptop or code-protected smartphone.
- Website – none of your personal information is stored on our website, other than to momentarily collect and send it to our business email if you complete the contact form as your initial contact.
How long we will store your personal information and how we will dispose of it:
- We will keep your session notes, contact sheets, assessment and agreements along with your unique code for a period of 7 years after our work finishes as required by our insurance provider and governing associations. After this time, we will shred all paperwork and delete your electronic code from the vault. Your email address will be deleted from our email account at the same time.
- We will keep your name and telephone number on our business phone for a period of 7 years after our work finishes to maintain continuity if you return to us for further advice or treatment. After this time, we will delete your name and telephone number from our business phone. Text messages will be deleted when you finish therapy with us.
How we may process/share your personal information:
Only we will have automatic access to your data, and we will never sell this or use it for unethical reasons. It is very unlikely we will share it unless:
- Our notes are subpoenaed by a court of law.
- If you or anyone you tell us about is at harm or risk of harm, we may have to share information.
- We have regular supervision as required by the National Council for Hypnotherapy (NCH) where we talk about our work, but we will never use your name without your permission.
- Your name and contact details would be shared with our Therapeutic Executor in the event of our death if you are still in therapy with us, and they will contact you to inform you of the situation.
- If your health is in jeopardy whilst in a session, we may share your name and contact information with an emergency healthcare service.
- If we become aware of your intent to cause harm to another person/organisation (e.g. terrorism) the law may require us to inform an authority without seeking your permission and without your knowledge.
Your Rights under the GDPR agreement:
You have the following rights:
- The right to be informed what information we hold (this document).
- The right to see the information we hold about you (free of charge for the initial request) subject to timescales within the regulations.
- The right to rectify any inaccurate or incomplete personal information.
- The right to withdraw consent to us using your personal information.
- The right to request your personal information be erased/deleted.
- The right to data portability.
- The right to object.
- The right not to be subject to automated decision making, including profiling.