General Data Protection Regulation (GDPR)

GDPR for Solution Focused Hypnotherapists

The General Data Protection Regulation (GDPR) came into force on 25th May 2018, and applies to individuals and organisations that record and use personal data. Personal data can be anything from a person's name and contact details to sensitive information regarding their health and wellbeing (health data is 'special category' data and attracts extra protection). It is important to ensure that we are compliant with GDPR and that we take steps to minimise the risk of a data breach, that is, the loss of, unauthorised access to, or inappropriate disclosure of personal data. A data breach can not only undermine your trusting relationship with your client but can also lead to serious consequences if not reported.

Note: Working online with clients who live outside of the UK, may require additional elements of data protection. Please refer to our 'AfSFH Guidelines for Conducting SFH Online' document available in our Policy library.


Code of Conduct, Performance and Ethics...

The AfSFH's Code of Conduct, Performance and Ethics offers guidance on some aspects of GDPR:
2.4 Keep accurate and legible client records that are attributable to you as the SFH and truly represent your interaction with the client, to include: written consent to receive SFH (parental if under 16), information gathered at the Initial Consultation, notes on progress, and copies of any correspondence relating to the client, e.g. doctor's letters.

  • Protect client records and information against loss, damage or use by an unauthorised person.
  • Electronic based records must be secure and protected against tampering (GDPR 2016).
  • Allow access to client records (in line with GDPR 2016).

5.2 You must keep information about clients confidential

  • Information given to you by a client must only be used for the purpose for which it was intended.
  • All information pertaining to clients must be protected from improper disclosure.
  • No information pertaining to clients should be released to anyone who is not entitled to it and entitlement must be checked before release.
  • All client information and records whether paper based or electronic must be stored securely.
  • Client information should only be used for the continued care of that person OR for purposes where the client has given you specific written consent to use the information.
  • Disclosure of client information is only appropriate when specifically requested for legal reasons by those entitled OR if you have good reason to believe that your client, yourself or others may be at risk of harm.

In addition: it is expected that you will comply with all data protection laws, namely the GDPR (2016) and the Data Protection Act 2018, in relation to handling and processing personal data.


It is expected that you will remain up to date with any changes in best practice and policy.


Any complaints made against a member in reference to data protection will be referred to the appropriate agencies for investigation and the AfSFH will act in accordance with their judgement and procedures.


Lawful Basis for using data...

In order to process personal data, you must identify and state your lawful basis for doing so. There are six lawful bases for processing personal data; the three most likely to apply to our work are described below. Decide on your lawful basis for each purpose before you start processing and record it: the ICO expects you not to switch to a different basis later without good reason. Your chosen lawful basis must be explained in your privacy policy and when responding to a subject access request (SAR). The lawful bases:

  • Consent: The importance of gaining consent is referred to in the Code of Conduct, Performance and Ethics as part of our ethical obligation to our clients regardless of GDPR. To be compliant with GDPR it is important to be able to show that clients have been given real and genuine choice and have ‘opted in’ rather than ‘opted out.’ Pre-ticked boxes and default consent to receive newsletters and information, for example, would not be permissible. Explicit consent requests should be clear and specific statements and not ‘blanket’ statements.
  • Contract: This may apply if you are entering into a contract with a business where you need to process personal data in order to fulfil a contractual obligation or because you have been asked to provide information before entering into a working agreement e.g. provide a quote.
  • Legitimate Interests: This is the most flexible lawful basis for processing personal data. It is likely to be most appropriate when you are using personal data in a way that has minimal impact on privacy and that the client would expect, i.e. to contact them to arrange appointments and to keep records to support their ongoing work with you. If you rely on it, record a short legitimate interests assessment showing that your purpose is genuine, that the processing is necessary for it, and that it does not override the client's interests.

Whichever basis you choose, remember that health information is special category data. Recording it requires an additional condition under Article 9 of the GDPR on top of your lawful basis; for therapy records this will usually be the client's explicit consent, which is another reason the written consent required by the Code of Conduct matters.


Information Commissioner's Office (ICO)...

The ICO (Information Commissioner's Office) is the UK's independent regulator for data protection. It publishes guidance on how to comply, maintains the public register of organisations that pay the data protection fee, and is the body to which notifiable personal data breaches are reported. Most organisations that process personal data are legally required to pay the ICO an annual data protection fee; this is a statutory obligation, not an optional subscription, although fee payers can also opt in to e-mail updates on current guidelines and on any changes you will need to act upon. The fee must be renewed annually. After paying you will receive a registration certificate. If you work from a clinic or practice, ensure that they have a copy of your ICO registration certificate for their records.

Most businesses that process personal data electronically must pay the fee, but some are exempt. To find out whether you are required to pay, complete the ICO's online self-assessment; it will also tell you which of the fee tiers applies to you: https://ico.org.uk/for-organisations/how-much-will-i-need-to-pay/

For further information, see www.ico.org.uk


Mapping...

Mapping is the name given to the process of identifying how data flows into and out of your business. This process needs to be documented in the form of an information audit.
This document should describe the following with regards to personal data:

  • How it is received e.g. internet, email, third party referral, voicemail etc.
  • Why we keep it: i.e. our ‘lawful basis’
  • Where it is stored
  • How long we keep it
  • How it is removed
  • Who we share it with

Your mapping audit should also document how information is protected and include the following:

  • Mobile phone protection e.g. password, PIN etc.
  • Computer and laptop safeguarding including how your device is protected from others who may have access
  • How others who may take messages and information for you are trained in GDPR
  • Working safely with clients online (see our policy for online working)
  • Website protection e.g. from your host or website builder

The GDPR requires you to keep records of your processing activities (Article 30) in order to demonstrate compliance with its accountability principle. The exemption for small organisations does not apply where the processing includes special category data such as health information, so as a therapist you should assume this duty applies to you. Your mapping audit is the natural place to keep these records.

Privacy Policy...

Having effective policies and procedures in place is important in your compliance with the GDPR principle of accountability. Your privacy policy needs to be written with your client in mind as they are the ones who will be reading it so using concise language that is easy to understand is important for accessibility of the information. Start by making it clear in your policy that the purpose for the document complies with the client’s right under GDPR to be informed. In addition, your Privacy Policy should include the following information:

The right to:

  • Be informed: this will be covered in your opening statement
  • Access: this refers to the right of the client to make a subject access request (SAR). The client can expect to receive their data within one calendar month of making the request (see the SAR section below).
  • Rectification: the client is entitled to ask for any incorrect information to be corrected. You are also obliged, where feasible, to inform any third party to whom you have disclosed the information of the correction.
  • Erasure: the client has the right to request the removal and permanent destruction of their personal data. This right is not absolute: retention required by your insurer or professional body, or records needed to establish or defend legal claims, can override it, so check those requirements before destroying records. The GDPR protects only living individuals, so after a client's death their records fall outside it, although your insurer's retention requirements and your duty of confidentiality may still apply.
  • Restrict processing: the client can ask you to stop using their personal data while continuing to store it, for example while they dispute its accuracy or while an objection is being considered. This is distinct from the data minimisation principle, under which you should only hold information pertinent to the therapeutic relationship in the first place.
  • Data portability: the right to receive the personal data the client has provided to you in a structured, commonly used, machine-readable format, or to have it sent to another provider. It applies only to data processed by automated means on the basis of consent or contract, so it will rarely apply to handwritten session notes. Sharing information with a third party such as an accountant (e.g. via invoices) is not portability; it is disclosure and belongs under 'who we share it with' in your mapping audit.
  • Objection: the client has the right to object to the way their personal data is processed (including any direct marketing, which you must then stop) and to raise a complaint. Include details of your professional association and of the ICO, to which the client may refer a complaint.


Data Breaches...

GDPR accountability will also need to be demonstrated by having appropriate procedures in place to identify, investigate and report a data breach.

A personal data breach must be reported to the ICO unless it is unlikely to result in a risk to the rights and freedoms of the individuals concerned. Where the breach is likely to result in a high risk to them (for example discrimination, damage to reputation, financial loss, loss of confidentiality or other social or economic disadvantage), the affected individuals must also be told without undue delay. Reports to the ICO must be made within 72 hours of becoming aware of the breach, where feasible; if you report later than this you must explain the delay. Every personal data breach, whether or not it is reportable, must be recorded, including the facts, its effects and the remedial action taken, and the record retained. Failure to report a notifiable breach can result in a fine.

Subject-access-requests (SAR)...

Clients have the right to access their personal data.

This is referred to as a 'subject access request' (SAR) and can be made verbally or in writing. You have one calendar month to respond to the request for data access and no charge can normally be made for this provision. It is good practice to be prepared for a SAR and to have a documented process in place. The following information offers some guidance on what you may need to consider.

More detailed information can be found on the ICO website:

https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-of-access/

If you are in receipt of a SAR:

  • Make sure you know exactly what the client is asking for and be aware of their entitlement i.e. they can only request information relating to themselves and not to anyone else. This may mean that you need to redact information from their notes if it pertains to another individual e.g. next of kin.
  • You should provide the information in an appropriate electronic format unless otherwise requested by the individual. Hand-written notes may be scanned.
  • The GDPR requires that the information you provide to an individual is in a concise, transparent, intelligible and easily accessible form, using clear and plain language. This will be particularly important where the information is addressed to a child* (see below). If you use any code or shorthand this will need to be clarified.
  • The information must be provided within one calendar month of receipt of the request. Adopting a 28-day policy is good practice, as 28 days always falls within a calendar month (the shortest gap, from 31 January to 28 February, is exactly 28 days). If you need to confirm the identity of the person making the request, the month does not start until you have done so, so ask for identification promptly. For requests that are complex or numerous you may extend the deadline by up to a further two months, but you must tell the individual about the extension, and why, within the first month.
  • A SAR may be made by a third party acting on behalf of the client, e.g. a solicitor. In this instance, you need to be certain that the third party is authorised to act for the person to whom the information pertains. You may wish to contact the client directly to verify that they wish to make a SAR.
  • *Regardless of age, it is the right of the child to request access to their own information, although in the case of young children it is likely that this right will be exercised by an adult with parental responsibility for them. The age and maturity of a child do not always correspond, and you may have to make a judgement about a SAR from a child. The ICO website link above has more information about this. Note: In Scotland, a person aged 12 years or over is presumed to be of sufficient age and maturity to be able to exercise their right of access, unless the contrary is shown. This presumption does not apply in England and Wales or in Northern Ireland, where competence is assessed depending upon the level of understanding of the child, but it does indicate an approach that will be reasonable in many cases.
  • You may refuse to comply with a SAR, or charge a reasonable fee, if the request is manifestly excessive (e.g. it overlaps with or repeats a previous request) or manifestly unfounded (e.g. the individual clearly intends to use it for malicious or disruptive purposes). If you refuse, you must tell the individual without undue delay, and at the latest within one month, explain your reasons, and inform them of their right to complain to the ICO.
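The 'one calendar month' deadline is the one place in a SAR process where a simple rule of thumb can silently go wrong, because months are not all the same length. The Python below is an added example, not part of the original guidance: it assumes the calculation the ICO describes (the corresponding date in the following month, or the last day of that month if there is no such date, rolled forward if it lands on a weekend) and uses constructed sample receipt dates. It checks every possible receipt date in a year so that the awkward end-of-January cases cannot slip past, and shows why a 28-day internal target is always safe while a 29-day one is not. Public holidays are deliberately not modelled; add your own list if you use this.

```python
"""
Subject access request (SAR) deadline helper (illustrative example).

Assumptions, not taken from the guidance page:
- "One calendar month" runs from the day of receipt to the corresponding
  date in the next month, falling back to the last day of that month when
  no such date exists (31 January -> 28 or 29 February).
- A statutory deadline landing on a Saturday or Sunday rolls forward to the
  next working day. Public holidays are not modelled here.
"""
import calendar
from datetime import date, timedelta


def calendar_month_deadline(received: date) -> date:
    """Statutory deadline: same day-of-month next month, clamped to the end
    of that month, then rolled forward past a weekend."""
    year, month = received.year, received.month + 1
    if month > 12:                       # December rolls into January
        year, month = year + 1, 1
    last_day = calendar.monthrange(year, month)[1]
    deadline = date(year, month, min(received.day, last_day))
    while deadline.weekday() >= 5:       # 5 = Saturday, 6 = Sunday
        deadline += timedelta(days=1)
    return deadline


def internal_deadline(received: date, policy_days: int = 28) -> date:
    """Your own fixed-day target, e.g. the 28-day policy the guidance recommends."""
    return received + timedelta(days=policy_days)


def policy_within_statutory(received: date, policy_days: int = 28) -> bool:
    """True when the fixed-day target falls on or before the statutory deadline."""
    return internal_deadline(received, policy_days) <= calendar_month_deadline(received)


def policy_holds_all_year(year: int, policy_days: int = 28) -> bool:
    """Check the fixed-day policy against every receipt date in a year, so an
    edge case (a request received on 29, 30 or 31 January) cannot slip past."""
    day = date(year, 1, 1)
    while day.year == year:
        if not policy_within_statutory(day, policy_days):
            return False
        day += timedelta(days=1)
    return True


if __name__ == "__main__":
    # Constructed sample receipt dates covering the awkward cases.
    samples = (date(2019, 1, 31),   # non-leap February: deadline 28 Feb
               date(2024, 1, 31),   # leap February: deadline 29 Feb
               date(2021, 9, 3),    # 3 Oct 2021 is a Sunday: rolls to Monday 4 Oct
               date(2022, 12, 15))  # year boundary; 15 Jan 2023 is a Sunday
    for received in samples:
        print(received, "-> statutory", calendar_month_deadline(received),
              "| 28-day target", internal_deadline(received))
    print("28-day policy safe for all of 2023:", policy_holds_all_year(2023))
    print("29-day policy safe for all of 2023:", policy_holds_all_year(2023, 29))
```

The year-wide sweep is the part worth copying: the shortest calendar month gap is 28 days, so a 28-day target can never overshoot, but any looser target (29 days, "four weeks plus a day", "the end of next month") fails on at least one receipt date. Run the same sweep against your own policy before relying on it.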

It may also be worth checking with your insurance provider for any further information regarding a SAR.


Further help...

If you require any further information or have any questions about GDPR or the information provided here, please contact our Head of Professional Standards at: standards@afsfh.com.

© 2021 AFSFH All rights reserved
The Association for Solution Focused Hypnotherapy
(AfSFH) is a not-for-profit organisation
Company Registration no. 7412098

Registered Office

8-10 Whiteladies Road Bristol BS8 1PD

Email: membership@afsfh.com
