This document sets out the parameters within which Hypnotherapy with Nick acquires, controls, stores, uses and disposes of any personal data, in line with General Data Protection Regulation (GDPR) requirements.
Hypnotherapy with Nick takes your privacy very seriously and treats all your personal information as confidential. “Personal information” is information through which you can be directly or indirectly identified e.g. your name or email address. Hypnotherapy with Nick strictly adheres to the requirements of the data protection legislation in the UK.
Hypnotherapy with Nick does not sell, rent or exchange your personal information with any third party for commercial reasons, beyond the essential requirement for credit/debit card validation during payment of sessions. Hypnotherapy with Nick follows strict security procedures in the storage and disclosure of information, which you have given us, to prevent unauthorised access in accordance with the UK data protection legislation.
All the major browsers allow you to block cookies and delete those that have already been created on your computer, usually within the ‘Tools’ section of the browser. These tools allow you to specify which cookies you will accept by type and often by specific websites using an exception list e.g. you can block all cookies and then list the website from which you will accept cookies. There are also a wide choice of browser add-ins that you can install if you wish to have greater control over persistent cookies.
What is GDPR?
“General Data Protection Regulation (GDPR) is, essentially, an upgraded version of the existing Data Protection Act legislation”
The General Data Protection Regulation (GDPR) is a legal framework that sets guidelines for the collection and processing of personal information of individuals within the European Union (EU). The GDPR sets out the principles for data management and the rights of the individual. The General Data Protection Regulation covers all companies that deal with data of EU citizens. GDPR came into effect across the EU on May 25, 2018 (Information Commissioner’s Office).
The personal data information Hypnotherapy with Nick holds
As an organisation, due to the nature of the therapy services offered, Hypnotherapy with Nick holds a moderate level of identifiable personal data including such data as is categorised under GDPR as ‘Special Category Data’.
Under GDPR, personal data is defined as “any information relating to an identified or identifiable natural person”. Special Category data is highlighted as sensitive and therefore needs more protection. Special Category data can include details of:
- Ethnic origin
- Trade union membership
- Biometrics (where used for ID purposes)
- Sex life
- Sexual orientation
It is viewed as sensitive as, in particular, this type of data could create more significant risks to a person’s fundamental rights and freedoms, for example by putting them at risk of unlawful discrimination.
The personal data information Hypnotherapy with Nick holds (continued)
Hypnotherapy with Nick holds the following client information:
- Name, address and contact details including email address and telephone number
- Issues which the client is presenting/details of problems with which the client requires help
- Personal history including family details
- Medical history and medication record
- Record of progress through therapy
Hypnotherapy with Nick understands that client consent for treatment is not the same as GDPR consent. In the healthcare sector, client data is held under a duty of confidence. Hypnotherapy with Nick operates on the basis of implied consent to use client data provided, for the purposes of direct therapy treatment, without breaching confidentiality.
How Hypnotherapy with Nick acquires this information
- Through the initial consultation, in person, by email or by telephone
- Through therapy sessions in person
- Through Skype sessions
Who Hypnotherapy with Nick shares this information with
In line with Hypnotherapy with Nick’s ICO registration statement, Hypnotherapy with Nick sometimes needs to share the personal information it processes with the individual and also with other organisations. Where this is necessary, Hypnotherapy with Nick is required to comply with all aspects of the Data Protection Act (DPA).
The following is a description of the types of organisations Hypnotherapy with Nick may need to share some of the personal information with, that is processes, for one or more reasons:
- Family, associates and representatives of the person whose personal data Hypnotherapy with Nick holds (if dealing with children, for example)
- Client’s GP or medical/healthcare consultant etc. (in circumstances where this may be appropriate for those health professionals to know)
- Central government, police forces and security services (if applicable lawful request made)
The lawful basis for processing personal data
Hypnotherapy with Nick holds personal data as described above, to enable it to:
- Conduct an assessment for clients who request help with treatment
- Provide therapy sessions relevant to those clients
- Track progress through therapy for clients
- Assess therapy ‘end-point’ in conjunction with clients
The lawful basis for processing this data is defined under Article 9(2) of the GDPR:
(d) processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects;
Hypnotherapy with Nick understands that whilst the holding of sensitive client data is lawful, and is held under a duty of confidence in terms of therapy/treatment, consent to process personal data electronically, or for marketing purposes, must be:
- Freely given
Hypnotherapy with Nick understands that holding client data for treatment purposes and GDPR consent are not related. GDPR consent is not a pre-condition for therapy/treatment.
Hypnotherapy with Nick understands the need for positive opt-in and that consent cannot be inferred from silence, pre-ticked boxes or inactivity. A quick, easy ‘unsubscribe’ link on our email marketing communications will always be provided. Hypnotherapy with Nick has also expressly advised its entire marketing database that they can continue to hear from Hypnotherapy with Nick by actively ‘opting-in’ to clarify that they agree with this.
Whilst Hypnotherapy with Nick may hold client ‘Special Category’ data (see above for definition), via appropriate parental consent, for persons under the age of eighteen, which is considered as being held purely for client treatment purposes under a duty of confidence, Hypnotherapy with Nick will not process any of this data for any other purposes such as marketing or profiling etc.
Data Security and Retention Policy
Hypnotherapy with Nick’s IT system is backed up continuously. There is an active security policy in place to ensure that all data is backed up and held in a safe, confidential environment, including a secure, password protected, encrypted file. Hypnotherapy with Nick’s laptops have an activated encryption function in the event of theft/misuse.
Personal data is held for a minimum of 5 (five) years, and an average maximum of 8 (eight) years, in line with NHS and healthcare industry guidelines, after which time it will be destroyed.
Under GDPR, Hypnotherapy with Nick acknowledges the following rights of the individual, in respect of any personal data that we hold:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- The right not to be subject to automated decision-making including profiling
Subject Access Requests
As outlined in GDPR guidelines, Hypnotherapy with Nick will respond to and comply with all subject access requests within one month.
If it is felt that the individual’s request is manifestly unfounded or excessive, Hypnotherapy with Nick reserves the right to refuse or to make a charge.
If any requests are refused on the above grounds, Hypnotherapy with Nick will tell the individual why and inform them that they have the right to complain to the supervisory authority and to a judicial remedy – this will be done within one month of the request.
Communication of Privacy Information
Registration with ICO
Hypnotherapy with Nick is registered with the Information Commissioner’s Office. You can view the registration at the ICO homepage using the reference ZA465959:
If you would like to discuss any aspect of this document, please contact:
Subject access requests should be submitted in writing to:
Hypnotherapy with Nick
8-10 Whiteladies Road