GDPR Privacy Policy
GDPR Privacy Policy – HRM Hypnotherapy
The purpose of this privacy policy is to outline how HRM Hypnotherapy has established measures to protect your privacy and information rights.
The basis on which we keep client data is that of “Legitimate Interests”. This means that the data is necessary for us to fulfil the contract that we have together (that is, to provide therapy) and that it is data that you would reasonably expect us to hold and use.
Your Rights
HRM Hypnotherapy recognises your rights as a ‘data subject’ and acknowledges that we have an obligation to uphold these rights.
This privacy notice aims to outline how we maintain these rights. It outlines:
• How we collect and process your information;
• Why we do this;
• How you can exercise your rights;
• Who to contact in the event you are unhappy with our performance.
In various circumstances, your rights are as follows:
Right to be Informed
This encompasses the obligation for us to be transparent in how we collect and use your personal data.
Right of Access
You have the right to access your personal data and supplementary information. Following a request, we will provide all your data that we have on file within 30 days (unless this is not possible due to holidays or illness).
Right of Rectification
If the data we hold about you is incorrect, inaccurate or incomplete, you can request that we correct this. Following a request, we will correct the information as soon as possible (and within 30 days, unless this is impossible due to holidays or illness).
Right to Erasure
You can request that we delete or remove personal data where there is no compelling reason for us to continue processing. Following a request, we will delete any computer records and destroy any paper records as soon as possible (and within 30 days, unless this is impossible due to holidays or illness).
Note that data may be retained for scientific research, historical research or statistical purposes where erasure is likely to render impossible or seriously impair the achievement of that processing, but this would never include case notes or data such as address/email/phone.
Right to Restrict Processing
You have the right to request that we cease processing your data if:
• You consider it inaccurate or incomplete;
• You object to processing and we are considering whether we still have a legitimate interest to process it.
This would usually be a temporary measure before correction of any errors or before erasure.
Right to Data Portability
Where you have consented to our processing your data, or where the processing is necessary for us to deliver a contract, you can request a copy of that data be provided to a third party in electronic form.
For example, this may apply if you wish us to send your notes to another therapist. The simplest solution in such cases would likely be to return the data to you, which is covered under the Right of Access.
Right to Object
You have the right to object to our processing under certain circumstances. For example, you can object to:
• Direct marketing (including profiling). HRM Hypnotherapy does not engage in these activities.
• Processing for purposes of scientific/historical research and statistics. Please provide grounds for your objection.
• Automated decision making (including profiling). HRM Hypnotherapy Ltd does not engage in these activities.
Information We Collect
Please find below a summary of the information we hold and how we use this to deliver services to you.
Basic Personal Records, Contracts, Correspondence and Billing
Our basis for processing this information is that it is necessary for us to deliver the services that you have contracted for.
The data we hold includes:
• Basic information such as name, email address, phone number;
• Information that you give us as part of the work we do together;
• Records of which interventions we use (or potentially do not use) in our sessions;
• Emails, texts and/or messages that are sent between us;
• Information sent from any third party, e.g. GP, insurance company, EAP;
• Audio recordings of sessions (unless you specifically object).
Special Category Data
Some of the information that you provide may be regarded as special category data as defined by the General Data Protection Regulation (GDPR), Article 9. The condition for processing this special data is “processing is necessary for… medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems” (Article 9(2)(h)). However, data on any criminal offences (including allegations, proceedings and convictions) will require your specific consent before we hold any such information.
Sharing Your Data
Data is not shared with anyone, except possibly your GP (see GP info section below), and for any reasons covered by the Requirements for Disclosure section below. However, if you were to make a complaint about us to our professional body (NSHPM), we would be entitled to share your notes with any investigation procedures.
Transfer and Storage of Data
We share data with a number of third parties in the course of delivering our services. These are summarised below:
• We use Microsoft Office 365 to handle our email and other office automation (Microsoft’s servers and hence, online software, are GDPR compliant);
• We have a firm of accountants who operate payroll on our behalf and carry out auditing (any information is shared using encrypted and password protected documents);
• Any emails sent between us are held either on our computer’s hard drive or Microsoft Exchange Server;
• If emails are archived, they are stored in Microsoft OneDrive which is secure cloud-based storage which is itself GDPR compliant;
• Any texts/WhatsApp messages/Messenger messages sent between us (See Social Media and Electronic Information section below) are held on a Huawei mobile phone which is fingerprint/code protected;
• If you use PayPal or online banking, then these systems will hold your data. We will download from these systems for accounting purposes and the resulting spreadsheets are held in password-protected documents in Microsoft OneDrive.
Any credit card information is destroyed as soon as processed.
Any notes that are handwritten are kept in a locked filing cabinet. A coding system enables the therapist to know to whom the notes belong, but should a stranger see them, they would not be able to identify to whom they referred. I often keep digital notes which are held on a Microsoft Cloud system subject to their own GDPR and Privacy agreements. The cloud is only accessed with an extra password on my already password-protected/fingerprint-access phone and laptop, which is also password protected.
I don’t audio or video record any client’s details or sensitive information. From time to time, with prior approval, I may record the hypnotherapy section of the session for the client to take home with them. This will only be my voice and the therapeutic session, with no identification of the client present. These are stored on a Huawei Android phone with code/fingerprint access.
Your data is kept for 7 years. The length of time is based on the requirements of our insurer. After this time, any paper records are destroyed, and computer records permanently deleted.
Securing Your Information
HRM Hypnotherapy takes the security of data seriously and as such:
• All data is held securely (see details of Transfer and Storage of Data above);
• Any data transmitted is sent encrypted and password-protected, where possible;
• For accounting purposes, encrypted and password-protected Microsoft Excel spreadsheets are used.
However, please note that:
• We are not in control of data (including emails and texts) which you send to us;
• Mobile phone and desktop applications such as Facebook routinely access any information held on electronic devices and this is beyond our control.
If there is any breach of data security, HRM Hypnotherapy will give full details to the Information Commissioner’s Office and any person affected within 72 hours of the breach and do all possible to minimise any potential impact.
This privacy policy outlines how we are transparent in our processing. Please get in touch with us through the ‘Contact Us’ section of our website to find out more or to exercise your information rights.
We are not responsible if something goes wrong