Bluebell Therapy
Data Protection Policy
Last updated: May 2018
The Principles of this policy
Bluebell Therapy shall:
- Hold an ICO registration as a lawful holder of client data.
- Obtain only appropriately relevant information with regard to the purpose of personal therapy.
- Keep personal data accurate and up to date.
- Hold information for the time specified by the National Counselling Society and the National Hypnotherapy Society and no longer. This amounts to 7 years for both societies, after which any information is removed and securely destroyed.
- Take appropriate measures to ensure the security of that data.
- Ensure that checks are made as to the GDPR compliance of electronic areas where client data is stored.
What is Data protection?
The Data Protection Act aims to protect an individual’s rights and freedom to privacy in respect of personal data processing.
It applies to paper and electronic records containing personal information relating to living individuals who can be identified from the data.
Individuals have the right to gain access to their own data; they are entitled to make a subject access request in order to do this. This implies access to:
- A description of their personal data
- The purposes for which it is being processed
- Details of whom this information may be disclosed to and in what circumstances
Individuals are also entitled to opt out of direct marketing.
Bluebell Therapy has a mailing list, for example, which clients are expressly invited to join by an ‘opting in’ system (see later).
ICO Registration
Bluebell Therapy holds a valid ICO registration certificate, registration reference ZA317878.
Data Classes
Data classes refer to the types of data held about clients. Bluebell Therapy holds the following types of details:
- Personal details – name, email address, phone numbers
- Some limited medical information (disclosure of serious health conditions and medication)
- Doctor’s name and address
- Client notes
- Hypnotherapy scripts, which are anonymised
Areas in which hard copy data is stored
Client details are collected by means of a client questionnaire and contract, to be signed by both Judith Mason and the client – with a scanned copy provided so that both parties have access to the terms of engagement.
The contract, questionnaire and any notes shall be kept in a securely locked filing cabinet, accessed only by the sole key-holder, Judith Mason.
Areas in which electronic data is stored
- Google Drive
- Dropbox (copies of personalised hypnotherapy recordings only)
- PayPal
- Payhip (email addresses captured via downloads of generic recordings)
- Gmail
- Occasionally clients contact Bluebell Therapy via the business Facebook page – all details are deleted immediately from this after reading.
- Mobile phone (current client phone numbers may occasionally be stored; these are removed once therapy is terminated)
In addition:
- Website – clients can message directly from this but no email addresses are retained.
- Blog – comments can be left, leaving an email trace. None of these email addresses are retained.
All electronic areas where client information is collected/stored are GDPR compliant or are currently preparing for compliance.
Bluebell Therapy Mailing List
Since March 2018:
- Clients are specifically asked via the contracting process whether or not they would like to join a mailing list. This is an ‘opt in’ process, whereby clients have to tick a box to join.
- Individuals whose email addresses are captured via the downloading of a free recording, or of recordings purchased via the website, are asked specifically via email whether they would like to join a mailing list. Again, the process is one of opting in. If they prefer not to opt in, their email details are not retained.
Historic mailing list data:
- In March 2018, all existing participants on the current mailing list were contacted and asked to express a wish to opt in, in order to remain on the list, and a record was kept of all ‘yes’ respondents.
- Clients can unsubscribe at any time.
Security arrangements
- Hard copy data: Data is kept in a securely locked filing cabinet, accessed only by Judith Mason, the sole key holder.
- Electronic data: No data is retained on the hard drive; client notes, resources used, etc. are all kept on Google Drive. The business laptop is password protected and stored in a locked filing cabinet whilst not in use.