Data Protection (GDPR) – Keeping your information secure
Alastair Green: Privacy Statement
I, Alastair Green, am committed to the highest standards of data protection and am fully compliant with the requirements of the Data Protection Act 2018, and the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) (“the Data Protection Legislation”). I am required by law to provide you with the following information regarding your personal data and how it is handled.
The Data Protection Legislation is the new legislation aimed at strengthening data protection for UK/EU citizens, ensuring transparency about what personal, confidential or sensitive data is taken, how it is used and stored, and for how long.
It is there to protect your rights involving your personal or sensitive data, e.g. name and address or personal details. It covers any session records, information, text messages, WhatsApp messages, emails or other communications we exchange.
When you become a hypnotherapy client, it is necessary for me to record certain details about you, to support the hypnotherapy process, and therefore the following information is provided to reassure you:
Why do I need to record your information?
During the therapy process I collect brief information about why you are using my service; contact details; a small amount of wider health/life information, alongside brief shorthand session notes. This information enables me to provide an effective therapy service to you, ensuring I am equipped with the knowledge I need for our work together. I will only contact your Doctor with your explicit consent, or in an emergency.
How long will I hold your information for?
As a Clinical Hypnotherapist I am regulated by the CNHC (Complementary and Natural Healthcare Council), an organisation that stipulates we must hold your data for 8 years after your final session. My Insurers also require records to be kept for a similar amount of time, in the event a claim is filed. If you are a child I must hold your data until your 25th birthday, which may therefore be longer than the standard eight years. All records will be deleted and/or incinerated in the January following the 8th anniversary of our final session OR your 25th birthday if you are a child. This is also in line with NHS regulations for holding data.
Any paper records will be incinerated and any electronic data such as emails or text messages that still remain will be permanently deleted from the devices they are stored on.
What if you don’t want your records to be held for that long?
You can make a request in writing to me to erase your data. Under GDPR, you don’t have a right to erasure before the end of the required retention term as set out above. However, I would anonymise your data, which means that you would be recorded with a pseudonym or initials to prevent any identifying details.
What actions are taken to ensure your information is held securely?
Paper documents – Stored in an unmarked, locked filing cabinet in a secure property.
Diary – Only first names are recorded beside appointment times.
Text/WhatsApp messages – Phone is secured with a PIN code.
Emails – My email account requires a user name and password and is encrypted.
Wi-Fi – Secure and encrypted connection.
Electronic documents – If required, any electronic documents (e.g. a requested letter to your GP or an invoice) will be password protected, and stored on my password-protected computer.
Is what we discuss kept confidential?
Everything we talk about during our sessions is strictly confidential between you and me.
To ensure I am doing my job effectively and that I have the right support, I may discuss elements of our sessions with my Supervisor. During these discussions I do not disclose any identifying details, and my Supervisor also adheres to the GDPR.
There are two exceptions to confidentiality. Firstly, in order to safeguard you and the people around you, if you were to disclose that you were going to harm yourself or others, then under my duty of care to you, I am obliged by law to inform the relevant authorities. This is to support you to live well, and I would always aim to discuss this with you prior to contacting anyone. Secondly, if I were issued with a police warrant or court order for your information, by law I would also have to provide them with your information.
Do I pass on your personal details?
I do not pass on your details to third parties.
I don’t send newsletters, marketing emails or offers.
I will use third parties such as WordPress and Google Analytics for my future website. They have their own ways of tracking the number of visitors to websites, but they will also be compliant with GDPR and do not collect identifiable data without your explicit consent when you are browsing as a visitor.
Updated: 17 September 2018