Client Privacy Notice (UK GDPR & Data Protection Law)

Effective from: 25 May 2018
Last updated: 21 April 2026

Introduction

This Privacy Notice explains how your personal data is collected, used, and protected in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, as updated by the Data Use and Access Act 2025 (DUAA).

I, Ingrid Radford, Clinical Hypnotherapist (HPD, DSFH), am committed to protecting your privacy and handling your personal data in a lawful, fair, and transparent manner.

I act as the Data Controller for your personal data.
ICO Registration Number: 00018935247

Lawful Basis for Processing Your Data

Your personal data is processed under the following lawful bases:

  • Provision of healthcare services (contractual necessity)
  • Legitimate interests in delivering safe, effective therapy
  • Legal and professional obligations (including insurance and regulatory requirements)
  • Explicit consent, particularly when processing special category (health) data or sharing information with other professionals

As part of providing therapy, I process special category (health) data. This is done in accordance with UK GDPR requirements and with your explicit consent where required.

Data Protection Principles

Your personal data will be:

  • Processed lawfully, fairly, and transparently
  • Collected for clear and legitimate purposes
  • Limited to what is necessary (data minimisation)
  • Accurate and kept up to date
  • Retained only for as long as required
  • Stored securely and protected against loss, misuse, or unauthorised access

How Your Data Is Used

Your personal data is collected and used to:

  • Provide personalised hypnotherapy services
  • Maintain accurate clinical records
  • Ensure continuity and quality of care
  • Meet legal, ethical, and insurance obligations

This may include:

  • Contact details
  • Emergency contact information (e.g. GP)
  • Relevant medical information
  • Session notes
  • Goals and progress records

How Your Data Is Stored

Your data is stored securely using appropriate technical and organisational measures:

  • Digital records are encrypted, password-protected, and secured with two-factor authentication where possible
  • Paper records are kept in locked storage
  • Access is restricted to me as the sole practitioner
  • Security practices are reviewed regularly

How Long Your Data Is Retained

In accordance with professional standards (National Council for Hypnotherapy):

  • Adults: 8 years after last contact
  • Children: Until age 25 (or 26 if treatment ended at age 17)

Data is securely destroyed after this period.

Early Deletion Requests

Due to legal, insurance, and professional requirements, it is not possible to delete records before the minimum retention period has expired.

Your Data Protection Rights

Under UK GDPR, you have the right to:

  • Access your personal data (commonly known as a Subject Access Request, SAR)
  • Request correction of inaccurate data
  • Request restriction of processing
  • Object to processing in certain circumstances
  • Request data portability (where applicable)

Requests will be responded to within one month, subject to identity verification, and handled in a reasonable and proportionate manner.

Data Breaches

In the unlikely event of a data breach affecting your personal data, I will:

  • Notify the Information Commissioner’s Office (ICO) where required
  • Inform affected individuals without undue delay

Confidentiality

All discussions during hypnotherapy sessions are confidential and handled in accordance with UK GDPR and professional ethical standards.

Your information will not be shared without your explicit consent, except where there is a legal or professional obligation to do so, including:

  • Safeguarding concerns where there is a risk of harm to yourself or others
  • Legal requirements, such as a court order

To support safe and effective practice, I may discuss aspects of client work within professional supervision or training settings. All information shared is fully anonymised, and no identifying details or records will be disclosed.

Contact Outside of Sessions

If we meet outside of sessions, I will not acknowledge our professional relationship unless you choose to do so, in order to protect your privacy.

Sharing Information

Your information will only be shared with other healthcare professionals with your explicit written consent, unless there is a legal or safeguarding obligation.

Right to Complain

If you have any concerns about how your personal data is handled, please contact me in the first instance using the details below. I will acknowledge your complaint within 30 days and aim to resolve it promptly.

If you are not satisfied with the outcome, you have the right to escalate your complaint to the Information Commissioner’s Office (ICO): www.ico.org.uk

Contact Details

For any data protection queries:

Ingrid Radford
07415 323 853
[email protected]