Privacy Statement

The Data Controller and Processor for Hodges-White Associates is Barry Hodges-White.

The basis on which I keep client data is that of “Legitimate Interests”. This means that the data is necessary for me to fulfil the contract that we have together (ie to provide therapy) and that it is data that you would reasonably expect me to hold and use. 

For those who enquire about therapy, the data I hold includes any information you have sent me by email/text/message. 

For those who book and attend at least one session, the data I hold includes:

· Basic information such as name, email address, phone number

· Information that you give me as part of the work we do together

· Audio recordings of each session

· Records of what interventions that I use (or potentially do not use) in our sessions

· Emails, texts and/or messages that are sent between us 

· Information sent from any third party, eg GP, insurance company, EAP

Some of the information that you give me may fall under the definition of special category of data as defined by the General Data Protection Regulation. As I am not yet registered as a health professional, I must rely on your specific consent to hold this data, to share it with the National College of Hypnosis and Psychotherapy, who will keep it according to their own privacy notice (available on www.nchp.ac.uk). Assessors will access the data via the National College of Hypnosis and Psychotherapy’s secure cloud storage and not take copies of anything so they are covered by the National College of Hypnosis and Psychotherapy’s privacy notice.

Other than this, data is not shared with anyone, except possibly your GP, and for any reasons covered by the Requirements for Disclosure which are detailed and discussed when we first meet. 

The data is primarily used to enable me to provide therapy for you and for my capacity as a therapist to be assessed. It may also be used scientific research purposes and statistical purposes.

Details of where data is held:

· Any emails sent between us are held on the Microsoft Outlook servers in the UK and on my personal mobile (number 07803 843 578).

· Any texts, WhatsApp, telegram, or signal messages sent between us are held on those messenger service servers and on my personal mobile above.

· Your notes are held on personal computer in anonymised form, backed up in a dedicated secure cloud service via a dedicated tablet. 

· Any audio recordings are held on a personal computer following initial recording on Zoom. 

Your data is kept for 7 years. The length of time is based on the requirements of my insurance company. After this time any paper records are shredded and computer records permanently deleted. Audio recordings will be deleted by both myself and the National College of Hypnosis and Psychotherapy when the case has been assessed and any chance of appeal has passed. 

I take the security of data seriously and as such:

· All notes are anonymised by reference code and your name and any identifying characteristics such as address, mobile number, date of birth and email address are held in paper form only in a secure locked safe. This way there is no link between the data held in the cloud and you.

· Messages and emails between us will be permanently deleted once our work together is concluded.

· Audio recordings are deleted from Zoom’s servers once they have been downloaded.

· My personal mobile device is encrypted to the highest available standard.

If there is any breach of data security I will give full details to the Information Commissioners Office and any person affected within 72 hours of the breach and do all that is possible to minimise any potential impact.

You have rights with regards to the data held:

· The right of access. I will provide you with all data I hold on you as soon as I can following a request (and definitely within 30 days, unless this is impossible due to holidays or illness).

· The right to rectification. If any data I hold is incorrect, just let me know and I will correct it as soon as I can following a request (and definitely within 30 days, unless this is impossible due to holidays or illness).

· The right to erasure. If you wish me to erase your data just let me know and I will delete any computer records and shred any paper records as soon as I can following a request (and definitely within 30 days, unless this is impossible due to holidays or illness). NB: data may be retained for scientific research, historical research or statistical purposes where erasure is likely to render impossible or seriously impair the achievement of that processing but this would never include case notes or data such as address/email/phone

· The right to restrict processing. This would usually be a stop-gap measure before correction of any errors or before erasure

· The right to data portability. This might apply if you want your notes sent to another therapist for example, but it is likely that the easiest solution would come under the right to access, ie I would send the data to you.

· The right to object to:

o processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling). I do not engage in these things

o direct marketing. I do not undertake any direct marketing. 

o processing for purposes of scientific/historical research and statistics. For this, you must provide grounds for your objection.

o automated decision making and profiling. I do not engage in automated decision making or profiling