General Data Protection Regulations, 2018 (GDPR) and how it affects you.
After 20 years, the Data Protection Act has been replaced by the GDPR. The aim is to ensure that your personal, sometimes sensitive, confidential data is held privately and securely, being processed in the way that you have agreed to. It exists to protect your rights as a consumer involving your identifiable data, e.g. your name and address & any reason you might have for visiting me. It also covers any session records, text messages or emails between us.
What information do we collect?
I collect information when you complete the contact page and when you email, text, and contact me directly on social media. I collect the following personal details:
- Name/ Address
- Date of birth
- Relationships and occupation
- Contact details: telephone, email address
- Medical conditions relevant to the sessions
- Prescribed medication
- Details of your GP for me to contact in case of an emergency or in the situation where I feel you may harm yourself or others.
- Any other information you felt was relevant to share.
- A summary of why you are seeking help
- Brief session notes
- Visitor behaviour information when you have contacted me through our website
Why do you need a record of this information?
For the purpose of giving you the highest quality of support. This allows me to refer back to the content and discussions of previous sessions. Your contact details/address and GP details will only be used with your explicit consent. I use the information from the website to identify visitor behaviour and trends.
How do I know that my information will be held securely?
- Paper: session notes, consent form and GDPR agreement are all stored in locked cabinets.
- Electronic data: emails, contact form, texts, SMS messages, consent form, GDPR document. The computer is password protected, emails require a username and password, and the smartphone is protected by fingerprint recognition or a passcode.
How long will you hold my information for?
As a member of the Association for Solution Focused Hypnotherapy (Membership #9832) I am bound by their regulations regarding the length of time I must hold onto your information. This organisation stipulates that I must hold your data for 8 years after your final session. The exception to this rule applies to children, for whom I must hold their data until their 25th birthday (unless they are 17 when treatment ends, in which case I must keep it until their 26th birthday). All records will be deleted in the January after the above retention scales. This is in line with NHS regulations for holding data.
Can I ask for my information to be deleted before this date?
GDPR allows you to request the deletion of any of your records, by making a request in writing to me. Should you request this then all your paper records would be shredded with a cross shredding machine. Any electronic data such as emails or text messages would be permanently deleted from the devices they are stored on. Please note that I would have to save the deletion request you made but would not save any other data. It is possible that my insurance company’s legal team may want to verify the information I send out. To make a request please write to: Catherine O’Connell, Renewal Hypnotherapy, 2 Clayton Ave, Didsbury, M20 6BN.
Can I ask to see my data?
You are able to request to see any data that I hold, and you will receive it within 30 days of such a request. You may ask for a copy of the data; however, it is possible that the legal team of my insurance company may want to verify the information that I send out to you.
Do our discussions during the sessions remain confidential?
Everything we discuss during our sessions remains strictly confidential. I undertake peer supervision as a form of good practice. This process allows me to voice any concerns I may have, in a safe and confidential environment. In order to protect all my clients’ privacy, I will refer to you by a pseudonym and I may refer to your information verbally when it’s helpful to the professional process. My supervisor also adheres to the GDPR.
If your health is in jeopardy or I feel you may harm yourself, I may share your contact information with an emergency healthcare service (GP or mental Health Crisis Team). If I become aware of your intent to cause harm to another person/ organisation, the law may require that I inform an authority and that may include sharing your contact information.
What if I see you away from a hypnotherapy session?
I am obligated by GDPR to protect your confidentiality, so for this reason, although I will acknowledge you, it would be better to avoid any further conversation. However, if you wish to discuss your therapy with other people, you are welcome to do so.
Will you discuss my details with other Health and Social Care Professionals?
I am only able to contact other health and social care professionals with your written consent. Should I write to your GP, to notify them that you have come to see me for treatment and again at the end of the therapeutic relationship, I would require your signature in line with GDPR requirements. The only exception to this would be if I believed that you were about to harm yourself or another, when I would be required to inform the relevant authorities as part of my “Duty of Care”. However, I would always aim to discuss this with you before taking any action. Legally, I would also have to provide the police with information as set out in a warrant or court order, should the situation arise.
Who is the Data Controller and what is their ICO registration number?
Catherine O’Connell is the Data Controller. ICO reference number: ZA867939