Data Protection (GDPR) – Keeping your information secure
Solution Focused Studio Privacy Statement
The Solution Focused Studio is committed to the highest standards of data protection and is fully compliant with the UK/EU requirements of the GDPR 2018. I am required by law to provide you with the following information regarding your data and how it is handled. The GDPR is a new EU regulation aimed at strengthening data protection for UK/EU citizens, ensuring transparency about what personal, confidential or sensitive data is taken, how it is used, how it is stored and for how long. It is there to protect your rights involving your personal or sensitive data, e.g. name and address or personal details. It covers things like any session records, information, text messages or emails we exchange.
When you become a therapy client, it is necessary for me to record certain details about you to help with the therapy process, therefore the following statement and policies are here to reassure you:
Why do you need to record my information?
During the therapy process I collect brief information about why you are using the service; contact details; a small amount of wider health/life information, alongside brief shorthand session notes. This information enables me to provide an effective therapy service to you, ensuring I am equipped with the knowledge I need for our work together. Doctor’s details (if taken) will only be used with your explicit consent or in an emergency. I don’t send newsletters or marketing – your contact details are solely for the purpose of arranging appointments and security.
How long will you hold information for?
Clinical Hypnotherapists and professional therapists are regulated by the CNHC, an organisation that stipulates we must hold your data for 8 years after your final session. Insurers also require records to be kept for a similar amount of time, in the event a claim may be filed. If you are a child I must hold your data until your 25th birthday, unless you are 17 years old when treatment ends, in which case I must keep it until your 26th birthday. Therefore, all records will be deleted and incinerated in the January following the above retention scales. This is also in line with NHS regulations for holding data. Please be reassured that other than contact details and an outline of why you came to see me, very few other details are kept once you have actually finished sessions. Any paper records would be incinerated and any electronic data such as emails or text messages that still remain would be permanently deleted from the devices they are stored on.
What if I don’t want my records to be held for that long?
Under the GDPR you don't have a right to 'erasure' before the length of the required retention term, but you do have a right to ask for your data to be anonymised. You can make a request in writing to me. I would have to save the actual request for anonymity as I have to record numbers of clients accurately for tax and insurance purposes, but you would be recorded with a pseudonym or initials to prevent any identifying details. Again, please be reassured that the content held is minimal.
What actions are taken to ensure my information is held securely?
Paper documents – Stored in an unmarked, locked file box in a secure property.
Diary – Only first names are recorded beside appointment times.
Text messages – Separate work phone is secured with a PIN code.
Emails – Our email account requires a user name and password and is encrypted.
Wi-Fi – Secure and encrypted connection.
Electronic documents – If required, any electronic documents (e.g. a requested letter to your GP or an invoice) are password protected and stored on a password protected computer if they contain sensitive information.
Is what we discuss kept confidential?
Everything we talk about during our sessions is strictly confidential between you and me. To ensure I am doing my job effectively and that I have the right support, I may discuss elements of our sessions with my supervisor. During these discussions I do not disclose any identifying details and my supervisor also adheres to the GDPR.
There are two exceptions to confidentiality. Firstly, in order to safeguard you and the people around you, if you were to disclose that you were going to harm yourself or others, then under my “Duty of Care” I am obligated by law to inform the relevant authorities. This is to support you to live well, and I would always aim to discuss this with you prior to contacting anyone. Secondly, if I was issued with a police warrant or court order for your information, by law I would also have to provide them with your information. Again, please be reassured that any notes kept are minimal.
Do you pass on my personal details?
I do not pass on your details to a third party. I don’t send newsletters, marketing emails or offers.
I do use third parties such as Wix and Google Analytics for my website, who have their own various ways of tracking the number of visitors to the website, but they will also be compliant with GDPR and will not collect identifiable data without your previous consent when you are browsing as a visitor.