Confidentiality & Privacy Statement
This policy outlines how Mend Hypnotherapy collects, uses, and protects your personal information. We operate in full compliance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, the Data (Use and Access) Act 2025 (DUAA), and the Crime and Policing Act 2026.
1. Data Controller
The Data Controller for Mend Hypnotherapy is Sally Nicholls.
ICO Registration Number: ZB910270
Contact Information: sally@mendhypnotherapy.com
2. Why We Process Your Data (Lawful Basis)
Under the UK GDPR and DUAA 2025, we must identify a legal reason for holding your data:
Contractual Necessity: To provide the hypnotherapy services you have requested and manage your appointments.
Recognised Legitimate Interests: Under the DUAA 2025, we process data for "recognised" interests including safeguarding and the prevention of harm, which allows for swifter action in emergency situations.
Legal Obligation: To comply with statutory UK reporting mandates regarding public safety and safeguarding.
Special Category Data: As hypnotherapy involves health-related information, we process this under Article 9(2)(h) of the UK GDPR (provision of health or social care).
3. How Your Data is Stored
We use a "privacy by design" approach to ensure your information remains secure:
Electronic Data: Stored on encrypted, password-protected devices. Any cloud storage used is UK-compliant and utilizes high-level encryption.
Paper Records: Stored securely in a locked, private location.
Anonymisation: Session notes are pseudonymised (linked by a code rather than your name) where possible to provide an extra layer of security.
4. Data Retention
In accordance with professional insurance requirements, NCH standards, and UK law, records are kept for:
Adults: 8 years after your final session.
Children (under 16): Until the individual reaches age 25.
Young Adults (17–18): Until the individual reaches age 26.
(Note: Following the Crime and Policing Act 2026, which removes limitation periods for civil safeguarding claims, relevant records may be retained longer if a formal safeguarding concern was flagged). Once these retention windows expire, all data is securely destroyed via cross-shredding or permanent digital erasure.
5. Confidentiality & Disclosure
Your sessions are strictly confidential. However, we are legally or ethically required to share information without your consent in the following circumstances:
Professional Supervision: Cases are discussed anonymously with a supervisor to ensure clinical excellence. Your identity is never revealed.
Safeguarding & Risk: If there is a serious risk of harm to yourself or others, or a severe concern regarding a vulnerable adult.
Statutory Duty to Report (Crime and Policing Act 2026): This practice operates under a strict, mandatory statutory duty to report child sexual abuse. If a child discloses active abuse, an adult discloses an active threat to a child, or abuse is witnessed or suspected, an immediate report must be made to the police or local authority. In these specific safeguarding scenarios, prior discussion with the client may be bypassed if it risks compromising a child's safety or constitutes obstruction.
Legal Obligation: If required by a court order or for the prevention of serious crime (e.g., terrorism or money laundering).
6. Your Rights & The DUAA 2025
You have specific rights regarding your personal data:
Right of Access: You may request a copy of your records. We will conduct "reasonable and proportionate" searches and provide this within 30 days.
Right to Rectification: You can request that we correct any inaccurate information.
Right to Erasure: You may request deletion of your data. This is subject to our legal/insurance obligations to retain health records for the periods stated in Section 4; therefore, core therapeutic records cannot be deleted upon request before those periods expire.
7. Internal Complaints Procedure (DUAA Mandatory)
If you have a concern about how your data is being handled, the Data (Use and Access) Act 2025 requires you to contact us directly in the first instance:
Please submit your complaint in writing to the Data Controller (Sally Nicholls) at sally@mendhypnotherapy.com.
We will acknowledge your complaint within 30 days.
We will investigate and provide a full response without undue delay.
If you remain unsatisfied after our internal review, you have the right to escalate your complaint to the Information Commission (formerly the ICO).
8. Professional Boundaries
Public Encounters: To protect your privacy, if we meet outside of a session, I will not initiate contact or acknowledge our professional relationship unless you do so first.
Communication: While I use secure platforms, please be aware that standard email and SMS may not be fully end-to-end encrypted.