Privacy Policy
Introduction
I value your privacy as I do my own. The information in this policy sets out how I collect, use and protect any personal data that you provide me with. Data held by Clare at Refreshing Minds will be held and processed lawfully for the retention periods set out in this policy.
This is a live document and may be updated at any time to reflect changes in law or growth of the business and should be revisited regularly to check for any updates. Clare at Refreshing Minds is fully committed to ensuring client privacy and data protection rights.
Who Am I
I am Clare Murchison at Clare at Refreshing Minds, a sole trader, and I am the named Data Protection Officer/Controller.
What Data Do I Gather
I hold and process personal data about individuals who have expressed an interest in using my services or have used my services at Clare at Refreshing Minds.
Personal data can be anything that allows a living person to be directly or indirectly identified. This may be a name, an address, or even an IP address. It includes automated personal data and can also encompass pseudonymised data if a person can be identified from it.
GDPR refers to sensitive personal data as being in ‘special categories’ of information. These include trade union membership, religious beliefs, political opinions, racial information, and sexual orientation.
Collecting Data
I collect data about individuals who:
- Enquire about the services of Clare at Refreshing Minds
- Use the services of Clare at Refreshing Minds
- Complete a manual or electronic Contact Form
- Consent to receiving my newsletters and blog posts and marketing emails
How I am going to Use that Data
Consent
The legal basis for processing your data at Clare at Refreshing Minds is:
Clare at Refreshing Minds does not require consent to hold your data to provide a service but does require your consent to contact you for specific purposes. Participating in the service by attending more than one appointment implies that you agree with the Terms and Conditions provided to you at the commencement of service delivery.
Consent is required from individuals:
- who participate in the CORP research programme to track therapeutic progress
- who have signed up for my newsletters and blog posts in writing or online or via Facebook.
Withdrawing Consent
Consent can be revoked at any point either in writing by email or by using the Opt Out option on each email or newsletter.
Processing Data
The following is a broad description of the way Clare at Refreshing Minds processes personal data. Clients wishing to understand how their own personal information is processed may choose to read the Clare at Refreshing Minds Terms and Conditions, which complement this Privacy Policy, or ask during a session.
Reasons for processing information
Clare at Refreshing Minds processes personal information to enable the provision of Psychotherapy, Coaching and Hypnotherapy services, to advertise services and to maintain accounts and records.
Types of information processed may include:
- personal details – name, address, date of birth
- Contact details including email address, home address and phone numbers
- family, lifestyle, occupation and social circumstances
- Details of your GP
- financial details for processing payment
- Medical conditions relevant to your sessions and any relevant medication
- Other information you choose to share
- Session summary of what you want to achieve by having sessions
Clare at Refreshing Minds also processes sensitive classes of information that may include:
- physical or mental health details
- racial or ethnic origin
- religious or other beliefs of a similar nature
- offences and alleged offences
Storing and Holding Data
I hold data both in electronic and written form.
Written data includes but is not limited to:
- notes I make if you call to make an appointment or enquire about my services or book a discovery call
- Initial Consultation notes and your completed contact form, signed terms and conditions and consent
- Notes I make during your one-to-one sessions or group workshops or sessions
- Feedback sheets, evaluation sheets and handwritten surveys
- Anonymous data from supervision sessions and calls with my supervisor
Written data is stored securely and accessed only by myself.
Electronic data includes:
- Texts on mobile phones using a mobile service provider, Facebook messenger or WhatsApp
- Using an online calendar such as Google Calendar, Outlook Calendar to book sessions or calls or events
- Electronic booking system such as Calendly to make appointments, send reminders, arrange workshops or group sessions
- Zoom for individual or group sessions
- Emails sent and received via my BT email service or my website outlook email service
- Spreadsheets for accounts, records and client management are held on a password protected laptop
- A proprietary email management system such as Mail Chimp or Mailerlite may be used for the purposes of sending emails either individual or groups as business updates or newsletters or for notifying workshop participants.
Electronic data within emails, texts, voicemails and social media is held securely on laptop, mobile phone and tablet and is accessed via password protected accounts. I use leading service providers such as BT and Vodafone.
My laptop and the files contained within are protected and securely backed up daily using the services of Orbit Tech, a third-party IT service company.
For clients participating in the CORP research programme I use the CORP specialist software to track progress. Client data is anonymised before it is stored in the CORP database on my password-protected tablet and is periodically uploaded into a centralised cloud-based database for research purposes.
Electronic Processes
To provide an efficient, user-friendly and safe process for booking and using my services I use leading service providers such as Calendly, Zoom, Stripe, PayPal and Google Calendar.
Website
Like most websites I may use cookies on my website. When an individual visits my website, Google Analytics, a third-party service, collects information about how visitors access and use my website. Google Analytics only collects non-identifiable data, which means neither I nor they can identify who is visiting. I may use plug-ins to capture anonymous data such as the number of visitors to my website and how they found my website.
My website is hosted by a third party, Orbit Tech, who also provides me with a backup service and website and laptop protection and firewalls.
Social Media
Clare at Refreshing Minds uses Facebook, Twitter, Facebook Messenger, WhatsApp, Instagram and LinkedIn for the business’s social media interactions. Any messages sent to the inbox of social media accounts are stored by Facebook, LinkedIn, Twitter, Instagram, WhatsApp and Facebook Messenger.
How Long I hold the Data
This schedule shows what data I hold and for how long.
I will keep your data for no longer than necessary for the purposes of providing the services to you that you have requested and to fulfil my obligations for financial and insurance record keeping.
| Information Asset | Information Asset Owner | Retention | Trigger for Disposal |
|---|---|---|---|
| Email (including sent items) | Head of organisation | Rolling annual review process. | End of retention period |
| Contact details held on mobile devices | Head of organisation | All entries to be deleted prior to decommissioning of mobile device or reissue of device. 12-monthly review of numbers stored to ascertain if still required as active. | End of retention period |
| Recordings | Head of organisation | 5 years or earlier if consent is withdrawn | End of retention period |
| Images taken | Head of organisation | 10 years or earlier if consent is withdrawn | End of retention period |
| Promotional materials | Head of organisation | Until superseded. Consent to be rechecked prior to reissue | End of retention period |
| Paper Diaries | Head of organisation | Stored securely at the year end. | End of retention period |
| Policies | Head of organisation | Until new policy has been put into place | End of retention period |
| Client records including session notes, initial consultation notes and client overview form | Head of organisation | In accordance with CNHC regulation, 8 years after final treatment session has ended. Child records should be held until after 25th birthday, or 26th birthday if aged 17 when treatment ends. | End of retention period |
| Safeguarding records | Head of organisation | In accordance with the current organisation's insurance policy, 5 years after final treatment session has ended, unless superseded by new insurance policy. | End of retention period |
| Waiting lists | Head of organisation | Monthly rolling review period | End of retention period |
| Service evaluation and Survey records | Head of organisation | Transfer to anonymised data within 6 months of collection. | End of retention period |
| Tax returns | Head of organisation | 6 years from the end of the financial period to which they pertain. | End of retention period |
| Incident/Accident reports | Head of organisation | 40 years from date report was closed | End of retention period |
| Insurance policies | Head of organisation | 40 years from date policy ended. | End of retention period |
| Complaints | Head of organisation | 2 years from complaint being resolved | End of retention period |
| Right to Erasure Request | Head of organisation | 8 years from request being submitted and completed. | End of retention period |
| Subject Access Request | Head of organisation | 8 years alongside session notes, or plus 2 years from case closure if request is made after 6 years of storing data. | End of retention period |
Sharing your Personal Data
I may share your data with a third-party service provider who assists with administering the service I provide to you, e.g.:
- Email Management System providers to help me communicate with you
- Online Calendar and booking providers
- Payment Gateways to process financial transactions
- A virtual PA service to enable me to manage my business affairs
These providers may have access to limited personal data so they can perform their functions on my behalf but may not use that data for any other purpose.
- My qualified Supervisor
I am required to undertake professional supervision to ensure best practice and that I can provide the highest level of service to you. My supervisor is GDPR compliant; I do not divulge your identity and provide only the necessary data to enable my supervisor to provide me with guidance.
I am professionally obliged to report to the relevant authorities if I have a concern that you may harm yourself or others.
I may request your permission during your Initial Consultation to contact your Doctor should I feel it appropriate to notify them that you are using my services or if I feel your health may be in jeopardy.
Your Rights
Under the UK Data Protection Act 2018 and the EU General Data Protection Regulation you have the right:
- to be informed about the information I hold and how I process it (this document)
- to see what data I hold about you
- to rectify or update any inaccurate or incomplete data
- to erasure of your data
- to restrict processing of your data for communication and marketing
- to ask me to transfer your data to a third party
- to object to me processing your data
Data Breach
All personal and sensitive data held by Clare at Refreshing Minds is held and processed securely. In the case of a data breach Clare at Refreshing Minds shall:
- Notify the ICO of the data breach no later than 72 hours after becoming aware of it, where feasible, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of the individual.
- The notification will:
(a) describe the nature of the data breach including where possible, the approximate number of data subjects and personal data records concerned and the categories;
(b) provide the name and contact details of the data controller;
(c) describe the likely consequences of the personal data breach;
(d) describe the measures taken or proposed to be taken to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
- When it is not possible to provide the information at the same time, the information may be provided in phases.
- The controller will document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken.
- In the event that a data breach is likely to cause a risk to the rights and freedoms of client data, the data controller must communicate without delay the nature of the breach in clear, concise and plain language, to the clients involved.
- If a breach occurs but the data controller has gone to appropriate lengths to protect the data held or if the data controller has taken subsequent action to prevent the risk (e.g. immediately blocking a mobile device) then notifying the client will not be required.
Subject Access Request
A Subject Access Request permits individuals to request a copy of their personal information.
This must be acted upon within one month, or at most within two months; any longer and a reasonable explanation must be provided.
Clare at Refreshing Minds will:
- give you a description of data held
- tell you why I am holding it;
- tell you who it could be disclosed to; and
- let you have a copy of the information in an intelligible form.
Subject Access Requests should be put in writing to Clare at Refreshing Minds. A response may be provided informally over the telephone with your agreement, or formally by letter or email.
There are no fees unless there is a disproportionate cost for sending out the information. Subject Access Requests made after six years of the end of treatment will be held for a further two years after closure of that request.
Right to Rectify Inaccurate or Incomplete Personal Data Request
If any information held is noted to be incorrect an individual can request a correction be made by contacting Clare at Refreshing Minds in writing.
Right to Erasure
Any person may put in a request for their personal data to be erased. In this instance hard copy data will be shredded and any electronic data will be permanently deleted. The client will be notified of the completion. The actual request for deletion of data and the confirmation of completion will be held securely until eight years after the request was made.
Complaints
Clare at Refreshing Minds aims to meet the highest quality standards when processing personal and sensitive data. Complaints can help identify areas for improvement, and therefore Clare at Refreshing Minds would welcome you raising any concerns you have.
This policy was created to be as transparent and understandable as possible. It will not be completely exhaustive of all aspects of data collection. If you would like further information about a specific process, please contact Clare at Refreshing Minds.
If you feel you would like to make a complaint about how your personal and sensitive data is handled by Clare at Refreshing Minds you can contact Clare at Refreshing Minds direct. In the event that Clare at Refreshing Minds cannot resolve your complaint to your satisfaction you can contact the Information Commissioner's Office on 0303 123 1113.
Information Governance Framework Principles for Clare at Refreshing Minds
- Assessment needs for Information Governance Training have been identified and met, with an eLearning module approved by the Information Commissioner’s Office (ICO) completed. This training need is updated accordingly.
- Any changes to the business processes and operations will be planned and will comply with the framework to ensure any risks to personal and sensitive information are minimised.
- Any data collected is solely for the purpose of providing a person-centred service to an individual client.
- All technology [Microsoft Office products including Outlook] used to store or facilitate information and communication is maintained according to the Data Retention Policy for Clare at Refreshing Minds.
- All records are identifiable, locatable, retrievable, and intelligible
- It is the responsibility of the Data Controller to ensure sufficient resources are in place to prioritise adhering to Data Protection Legislation in the business.
- Any electronic devices where personal or sensitive, confidential information is held will be password protected
- Procedures have been put in place to ensure the General Data Protection Regulation is met.