Helena Meadows, Suite 5, 7 French Row, St Albans AL3 5DU.
07855 918895 | firstname.lastname@example.org | www.meadowstherapy.co.uk
I, Helena Meadows, am the Data Controller and Processor of Helena Meadows Hypnotherapy, ICO registration ZA352246.
To make sure your personal information is protected, I have a series of technical and administrative measures in place. I will treat your personal information in a way that is compliant with the DPA and the GDPR.
The basis on which I keep client data is that of “Legitimate Interests”. This means that the data is necessary for me to fulfil the contract that we have together (i.e. to provide therapy) and that it is data that you would reasonably expect me to hold and use.
For those who enquire about therapy, the data I hold includes any information you have sent to me by email/text/message.
For those who book and attend at least one session, the data I hold includes:
- Basic information such as name, email address, phone number
- Information that you give me as part of the work we do together
- Audio recordings of each session
- Records of which interventions I use (or potentially do not use) in our sessions
- Emails, texts and/or messages that are sent between us
- Information sent from any third party, e.g. GP, insurance company, EAP
Some of the information that you give me may fall under the definition of special category of data as defined by the General Data Protection Regulation. The condition for processing this special data is “processing is necessary for medical diagnosis, the provision of health care or treatment pursuant to contract with a health professional”.
Data is not shared with anyone, except possibly your GP, and for any reasons covered by the Requirements for Disclosure which are detailed and discussed when we first meet. My accountant may see bank or credit card which contain any information that you submit when making payment. If you would like me to redact your identifiable data before sending to the accountants then please let me know.
The data is primarily used to enable me to provide therapy or supervision for you. It may also be used for scientific research purposes and statistical purposes.
Details of where data is held:
- Any emails sent between us are stored electronically and kept on devices that are password and/or fingerprint ID protected.
- Any texts sent between us are held on devices that are password and/or fingerprint ID protected.
- Your notes are handwritten and kept securely in locked storage. These records are only accessible by me or by a designated therapist in the eventuality of my incapacity to contact you.
- The audio recordings are stored electronically and kept on devices that are password protected.
- Your data is kept for 5 years. The length of time is based on the requirements of my insurance company. After this time any paper records are shredded and computer records permanently deleted.
I take the security of data seriously and as such:
- If there is any breach of data security, I will give full details to the Information Commissioner's Office and any person affected within 72 hours of the breach and do all that is possible to minimise any potential impact.
You have rights with regard to the data held:
- The right of access. I will provide you with all data I hold on you as soon as I can following a request (and definitely within 30 days, unless this is impossible due to holidays or illness).
- The right to rectification. If any data I hold is incorrect, just let me know and I will correct it as soon as I can following a request (and definitely within 30 days, unless this is impossible due to holidays or illness).
- The right to erasure. If you wish me to erase your data just let me know and I will delete any computer records and shred any paper records as soon as I can following a request (and definitely within 30 days, unless this is impossible due to holidays or illness). NB: data may be retained for legal purposes, scientific research, historical research or statistical purposes where erasure is likely to render impossible or seriously impair the achievement of that processing but this would never include case notes or data such as address/email/phone. In all cases and when considering such requests, these rights are obligatory unless it is information that I have a legal obligation to retain.
- The right to restrict processing. This would usually be a stop-gap measure before correction of any errors or before erasure.
- The right to data portability. This might apply if you want your notes sent to another therapist for example, but it is likely that the easiest solution would come under the right to access, i.e. I would send the data to you.
- The right to object to:
  - processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling). I do not engage in these.
  - direct marketing
  - processing for purposes of scientific/historical research and statistics. For this, you must provide grounds for your objection.
  - automated decision making and profiling. I do not engage in automated decision making or profiling.
Disclaimer: Your role in protecting your own privacy
1. You acknowledge that the privacy of your communications and personal information can never be completely guaranteed when it is being transmitted over the internet.
2. You acknowledge and agree that you share information via the internet at your own risk and that electronic messages are not encrypted and our communication may be seen by others, such as internet hackers or people with access to your devices or living at your address.
3. You agree to take responsibility for your own role in safeguarding your data privacy in the email address you choose to use and whether or not you choose to password protect information you send to me.
Client Signature______________________ Date _________________
Client Name _________________________