Privacy Policy
Contact information:
Karen Salmon Hypnotherapy
Woodland Therapy Room
Frogmill Track
Off Wangfield Lane
Curdridge
SO32 2DA
kmshypnotherapy@gmail.com
07795 955557
The Data Controller and Processor is Karen Salmon.
The lawful basis for processing data
The basis on which we keep data is that of “Legitimate Interests”. This means that the data is necessary for us to fulfil the objectives of Karen Salmon Hypnotherapy and that it is data that would reasonably be expected for us to hold and use.
Data
The data we hold includes:
Client information as provided on the paper forms required for treatment.
Sharing
Data is shared in the following situations:
With the client if they request to see their personal record.
Our accountant will see bank, credit card and PayPal records, which will contain any information that is submitted when making payment. If asked, we will redact identifiable data before sending to the accountants. The data is primarily used to enable us to provide the service(s) that we have been engaged to provide.
It may also be used for scientific research purposes and statistical purposes.
Details of where data is held:
Any emails are held either on our computer’s hard drive or, if archived, in Dropbox, which is secure cloud-based storage that is itself GDPR compliant.
Credit card information is shredded as soon as processed.
Standing order mandates are shredded and/or deleted as soon as payments start to come through.
If you use PayPal, standing orders or online banking then clearly these systems will hold data. We will download from these systems for accounting purposes and the resulting spreadsheets are held in a secure file. When sent to our accountants, they will be password protected.
Email addresses are held within our email processing software which is GDPR compliant.
Client data is kept for 7 years. After this time any paper records are shredded and computer records permanently deleted.
Security
We take the security of data seriously and as such:
All data is held securely (see details of where data is held above)
Any sensitive data transmitted is sent encrypted where possible
For accounting purposes Excel spreadsheets are used
However, we are not in control of data (including emails) which are sent to us.
If there is any breach of data security, we give full details to the Information Commissioner’s Office and any person affected within 72 hours of the breach and do everything possible to minimise any potential impact.
Rights
Clients have rights with regard to the data held:
The right of access.
We will provide all data we hold on you as soon as we can following a request (and definitely within 30 days, unless this is impossible due to holidays or illness).
The right to rectification.
If any data we hold is incorrect, we will correct it as soon as we can following a request (and definitely within 30 days, unless this is impossible due to holidays or illness).
The right to erasure.
If a client requests their data to be erased we will delete any computer records and shred any paper records as soon as we can following a request (and definitely within 30 days, unless this is impossible due to holidays or illness). Data may be retained for scientific research, historical research or statistical purposes where erasure is likely to render impossible or seriously impair the achievement of that processing but this would never include data such as address/email/phone.
The right to restrict processing.
This would usually be a stop-gap measure before correction of any errors or before erasure.
The right to data portability.
This might apply if a client wants notes sent to another therapist for example, but it is likely that the easiest solution would come under the right to access, i.e. we would send the data to the client.
The right to object to:
Processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling). We do not engage in these things. Clients can opt-out at any time.