Corehealing & Natural Health
GDPR Policy for Clients
Updated: 23 September 2019
As a client of my personal practice, whether in a therapeutic, coaching, personal development or purely support capacity, in order to comply with data protection laws, including the new GDPR (General Data Protection Regulation), there are a few things I need to let you know about the information I will hold about you and the reasons for this.
Everything I do follows normal good practice for holding data generally as well as for a therapeutic practice, but it’s important, and your legal right, to read and understand the information before you come for treatment with me (or to be made aware of this if you are an existing client).
Information I may hold about you
When you come for treatment, I may request information from you. This will include essentials such as your name and other contact details, but may also include notes about your physical and mental health, or other material about your personal history.
All of this information will be given directly by you, starting with any initial contact or assessment sessions we undertake and may be added to over time in future sessions. This information will usually concern your health circumstances or the issues you are seeking help with. I will also note my impressions from our sessions including what I perceive through treatment.
Examples of information I hold on you may include:
- Full name
- Email address
- Landline and/or mobile phone number
- Date of birth
- Next of kin
- Family history
- Health history
- Notes on attitudes, opinions, thoughts, feelings and behaviours you may report or express during sessions
How is this information used?
Your contact information is used only in order to arrange appointments or payments, to follow up with you, and never for any other reason.
The case history information is important in order to understand your situation, get to know you and give you the best treatment possible, as well as to be able to track your progress over time.
Reasons for holding information
The reason I hold these details is to provide you with the best service that I can. Because the work we do together is to support your health and wellbeing, whether physical, mental or emotional, it’s important for me to hear some of your history in order to work with you responsibly and carefully, as well as to track your progress with you over time. You can choose how much you wish to share about your circumstances or history and you are not obliged to talk about anything that you don’t want to.
When I take notes, I may not record every detail of our verbal conversations but just what is needed to keep track of how you are doing and how we are working together. The notes I keep help me to remember and more fully understand our sessions. If your sessions with me include CST (Craniosacral Therapy), they are also a requirement of my professional body, the Craniosacral Therapy Association UK (CSTA).
The Legal Basis for holding your information
Under the new GDPR regulations, there are specific legal reasons which have to be met in order to hold information and which you have the right to know. In legal terms, the main reason for holding information about clients is in order to fulfil a ‘contract’ with you to provide therapy or support. In addition, because the information that is talked about can be very personal, it falls under what are called ‘special categories’, and there is a separate legal basis for this with strict conditions, such as confidentiality, which must be met.
Sharing information about you
As you would expect within a therapeutic relationship, and as a requirement of the Code of Ethics of my professional body the CSTA, you can be assured that all of the information I receive about you is treated in complete confidence and will not be shared with others or used for any other purposes.
In practice this means that your information is never shared with anyone else unless you ask me to do this, or I am compelled to do so for legal reasons.
I undertake regular supervision and therapy sessions to support my work – this is support for me in my practice, and although I may at times mention issues that are arising for some clients, names and other personally identifiable information are withheld.
How long will I keep your information?
I am not allowed to hold on to your personal data for longer than needed, and only for purposes related to the original reason for holding the information in the first place. After that I may retain your records for a limited time where needed for business/accounting or legal purposes. This is called the retention period.
My professional body the CSTA requires me to keep your notes for at least seven years after your last visit if you are an adult, or up to age 21 plus seven years for children. For those who legally lack ‘capacity’, the rules are more complicated but will usually be at least 15 years rather than seven, sometimes followed by legal advice.
In order to be able to provide follow-up if clients return after a break, as well as to allow time for disposal of notes, the maximum time I will keep your notes is 8 years after our last contact if you are an adult, and 29 years if you are a child.
After this time electronic records are deleted, and paper records are either shredded or burned.
I am very aware of the sensitive nature of the information I receive as a practitioner, and I take steps to protect your personal information against loss or theft, as well as unauthorised access, disclosure, copying, use, or modification.
Given that emails can never be guaranteed to be fully secure, and that they may count as ‘data processing’ under the GDPR, if you want to discuss something personal about your situation or treatment you may wish to contact me to arrange a chat rather than sending personal information by email. However, if you do send any personal information to me by e-mail, I will add it to my notes within 4 weeks, by either printing it, in the case of paper-based notes, or transferring it to a secure record storage facility, in the case of cloud-based notes. The e-mailed note will then be deleted from my e-mail account.
Will your information remain in the UK?
You have the right to know if I expect to remove or send your information outside the UK or the European Economic Area (EEA), and if so, the safeguards that have been put in place to protect your information and your rights. This is important because not all countries are governed by the same strict regulations as the UK, and some ways of holding information (such as on a ‘cloud’) can mean information is stored on computers which may be outside the area governed by the GDPR.
To that end, I do not currently access any client information outside of the EU and only use EU-housed cloud-based services.
Data protection and your rights
Data regulations say that anyone who has information held about them has various rights, including the right to know what information is held and to correct anything that isn’t right in their records.
Your right to refuse to give information
Under the GDPR, you are not required to give your personal information, and you have the right to be informed of any consequences of refusing to give it.
A case history is needed in order to ‘fulfil our contract’, to give you the best treatment possible, including understanding your situation and any difficulties you are seeking help for, as well as to comply with my Code of Ethics. So, if you do not wish to give any information at all I may be unable to work with you, but I am always happy to have a chat about what may or may not feel comfortable for you.
Your right to object to me holding your information
If you object to me holding your information, you can ask me to stop. Because my Code of Ethics has a requirement for me to keep notes for a minimum time as described above, I will need to retain your records up to that point in order to comply with this.
Your right to see what information I hold about you
If you request it, I must give you a copy of the information I hold about you. This can be in paper or electronic form, and I can explain the notes and respond to any concerns or questions you may have. Depending upon the amount of information and what is requested, there may be a charge for this.
Your right to ‘rectify’ any information I hold which is not correct
If you believe that information I hold on you is inaccurate or incorrect, you have the right to tell me about this and request that the information is corrected.
Please do let me know if any of your details change so I can keep your records up to date.
Your right to make a complaint
You have the right to complain if you are unhappy about the way I look after your information, or feel I have not properly respected your rights – in the first instance to me, and then also to my professional body the CSTA (firstname.lastname@example.org), or, if you are still unhappy, to the Information Commissioner’s Office (ICO): https://ico.org.uk/concerns/ or 0303 1231113.
Understanding and agreeing to this information
You should make sure you understand and agree to me keeping this information about you – if you have any questions at all please ask and I’ll be happy to answer them.
Changes to this notice
I may make changes to this notice and information from time to time, for example if there are changes in the laws about data protection. While you are a client, I will always let you know of changes.