Privacy policy
KEIRA ANDERSON (JOHNSON) HYPNOTHERAPY - BA (HONS), DSFH, HPD
Member Organisations: MNCH (Reg) | AfSFH (Reg) | CNHC
On 25th May 2018, the UK introduced a raft of new data protection legislation – parts of the EU regulation – the GDPR (General Data Protection Regulation); Data Protection Act 2018 and e-privacy regulations as well as Fees Regulations. Leaving the EU has not made any significant changes to the UK legislation – except that the “GDPR” is now referred to as “UK GDPR” – all the concepts therein remain the same. From June 2025 we have the “Data (Use and Access) Act 2025” being phased in as well. This does not replace any existing legislation – it is to supplement it in certain areas.
To be compliant with the new legislation and avoid the inevitable fines regime, I have reviewed current measures in place for the Business and have drafted new texts to take the new requirements into account. The suggested text is in a different font and colour purely for ease of reference.
The Business is aware of the requirement for a “Notification” in place with the Information Commissioner’s Office (ICO).
PRIVACY NOTICE
A “Privacy Notice” is now the term for a “Privacy Policy”. The text suggested below should go on the website under its own tab, “Privacy & Cookies”. It is the main Privacy Notice for the business; others will appear on the footer of emails and on forms that collect data. The text below has been drafted using the ICO guidance on the matter:
“PRIVACY & COOKIES
Keira Anderson (me) is a hypnotherapist. I am based at Silverthorn, Canfield Road, Takeley CM22 6SZ. I can be contacted via this website, by phone, 07766551954 or via email, info@keiraandersonhypnotherapy.co.uk. I can also be found on Instagram and Facebook. I may process “personal data” and/or “special category personal data” (as defined in UK data protection legislation, including UK GDPR) as part of the contracted services and/or for administration. Information is kept while it remains relevant to the reason for collection and/or if there is a statutory retention period. All feasible security measures are in place, including secure destruction when required. Security of data in my care is important to me. Data may be shared with third parties as part of the contracted services, for administrative purposes and/or if I am required by law to do so. I cannot accept any liability for any processing conducted by any third party outside my remit. As required by law, a cookie audit has been conducted on my website. Cookies are internet files utilised by websites. My website uses these files for analytical purposes only. Any social media links you may access via my site may utilise cookies, but I am not responsible for this. Google security has been built into the forms; Google builds some cookies into this feature, including one that will use your system to create a user advertising profile on you. This cannot be rejected or turned off, so I am making you aware of it here, but I am not responsible for the resultant processing.
None of the above affects your rights under the legislation, in particular your right to access the data I may hold on you. If you wish to request a copy of your data, please submit the request in writing or by email to the Business. Please include enough information to enable me to identify you and search for the appropriate data.
If you are dissatisfied with this policy, have queries about my data protection procedures or wish to lodge a complaint, please contact the Business in the first instance. Thereafter you have the right to submit a complaint to the Supervisory Authority, the Information Commissioner’s Office (ICO):
The Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF”
COOKIES
As required by the Privacy and Electronic Communications Regulations (PECR) (which are still extant in UK law), we have conducted a cookie audit on the website. The law requires some of the cookie information resulting from these audits to be published, but this can be done as part of the Privacy Notice; there is no legal requirement for a separate Cookie Policy/notice. The Google “reCAPTCHA” feature which appears to be built into the forms does pose potential issues. The Google feature sets an intrusive cookie when the website is accessed, and this cannot be refused by the user. The “intrusive” cookie allows Google to establish a targeted advertising profile on the web visitor from 6 months of browsing history. However, as it is set by a third party, i.e. Google, the website owner is NOT responsible for any resultant processing. This is reflected in the Privacy Notice.
COOKIE BAR
There are cookies set for use of a cookie bar, but the bar itself is not visible on the site. There is no legal requirement for a cookie bar, especially if the website owner does not set cookies for advertising. Therefore, I recommend that these cookies be removed or that the “cookie bar feature” in the website administration be deactivated.
EMAIL PRIVACY NOTICE
Email privacy notices are required to meet the Privacy and Electronic Communications Regulations 2003, the Companies Act 2007 and the data protection legislation. Therefore, I respectfully suggest that the following be added to the existing footer on all outgoing emails as a default: “Please note that the internet is not a secure medium – all feasible security measures are in place. If you are not the intended recipient, please notify the sender and delete all copies. All personal data herein are processed in accordance with UK data protection legislation, including UK GDPR. Further details are available from the Business and are in my Privacy Notice on my website.”
FORMS
In order to provide your services, you need to collect and collate certain information about individuals as well as their businesses. Therefore any “form” you may use to collect such data will need the following text on it:
“Any personal data/special category personal data collected herein are processed in accordance with UK data protection legislation. Further details are available from the Business.”
This text does not need to be in heavy or bold font, or even in a large font. It just needs to be there and legible. No “consent” for the processing needs to be sought, as the person completing the form is providing the information “freely”.
FORMS ON THE WEBSITE
Any form on the website requires a data protection disclaimer near to the “SEND/SUBMIT” button. This includes the “Contact Us” form: “All personal data herein are processed in accordance with UK data protection legislation. All feasible security measures are in place. Further information is in my Privacy Notice”.
The above text should also appear on the forms on the website such as the Contact Form.
MARKETING AND PROMOTIONAL MATERIALS
If sent via email, there should be an “unsubscribe” facility, and the business should keep a list of those who do unsubscribe so as not to send materials to that person again. If promotional materials are sent to someone new who has not been in contact with the business before, then you must employ an “opt in” system, i.e. request the person’s consent to send further materials in future. If a response is NOT received in these cases, then consent is NOT given and you cannot follow up on this at all. If you decide to try this marketing, I respectfully suggest that we work on the appropriate wording together to get the best results.
CLIENT QUESTIONNAIRE
There may be a questionnaire to be completed by clients when contracting Keira’s services. I recommend that the following text be considered in addition. It does not need to be in large or bold font, but must be legible: “All personal data/special category data submitted herein are processed in accordance with UK data protection legislation, including UK GDPR. All feasible security measures are in place. Further information is available on the website and/or just ask.”
CLIENT AGREEMENT
If a Client Agreement is put in place, I recommend that the following text be considered for inclusion: “All personal data/special category data that may be collated by Keira Anderson during the term of this Agreement are processed in accordance with UK data protection legislation, including UK GDPR. Further information is available in the Privacy Notice on the website and/or from Keira.”
DATA RETENTION SCHEDULE
This document is new under “GDPR” and is now a legal requirement. The details it holds mean that it can also be used to evidence that a “Data Audit” has been conducted by the business owner, which is also a legal requirement. A “Data Audit” is not a requirement for a new business; the schedule simply ensures that anyone who may need to access the records knows where to look for the information. This is a “living” document that can be built and amended over time. Think about how long you need to hold the data. You can legally hold any data that helps you to provide your services to a client, and/or for any legal time frame that applies, such as accounts for the current year plus 6 years.
DATA BREACHES
The business is required to record any data breaches that occur. A data breach is as likely to be simple human error as anything else, such as sending an email to an incorrect addressee. I recommend that a spreadsheet be set up with the following columns as a base:
DATE | NATURE OF BREACH | NUMBER OF INDIVIDUALS AFFECTED | HIGH/LOW RISK | ACTION TAKEN
Despite being a Sole Trader, you may still find it useful to hold this document. I find it helps to focus the mind when sending emails etc.
ACCOUNTABILITY
Under the GDPR provisions, organisations are now required to keep an “Accountability” document within their administrative documentation. This document needs to contain certain elements and can be issued if required. To meet these requirements, I recommend that the text below is kept in a folder in the Business administration.
“ACCOUNTABILITY
Keira Anderson (me) is a hypnotherapist. I am based at Silverthorn, Canfield Road, Takeley CM22 6SZ. I can be contacted via this website, by phone, 07766551954 or via email, info@keiraandersonhypnotherapy.co.uk. I can also be found on Instagram and Facebook. I may process “personal data” and/or “special category personal data” (as defined in UK data protection legislation, including UK GDPR) as part of the contracted services and/or for administration. Information is kept while it remains relevant to the reason for collection and/or if there is a statutory retention period. All feasible security measures are in place, including secure destruction when required. Security of data in my care is important to me. Data may be shared with third parties as part of the contracted services, for administrative purposes and/or if I am required by law to do so. I cannot accept any liability for any processing conducted by any third party outside my remit. There is a data retention schedule in place. This will allow the Business to locate data quickly if required, as well as documenting the Retention Policy for data. Data is separated and held in more than one place to provide security. There are technical security measures in place: encryption where necessary and restriction of access to data to maintain integrity and privacy. Data may be held electronically on local servers and/or a cloud-based system. The security of all systems utilised has been assessed.
Organisational measures such as the privacy notice and additional notices on forms are in place to demonstrate my transparency. Organisational measures are also in place to maintain the integrity and security of data when working with third parties. Data on clients may be held on paper as well. It may be entered into the electronic system at some point and then destroyed securely. All destruction of data is by secure means.”
PROCEDURES FOR RESPONDING TO A REQUEST FOR SUBJECT ACCESS
Any written request for personal information by an individual (client or supplier) for their own information should be processed in accordance with data protection legislation. This document is designed to help you through the process. Once a request for personal information is received by the business, the time limit for responding starts! This is only 28 days under the 2018 legislation, so it is important that the request is processed as soon as possible. Receipt should be acknowledged. Do you have enough information in the Request to identify the subject of the data to be found? Are you sure that the person making the request has the legal right to do so? You can ask for more information if you need it. Search through all systems (manual or electronic) for information. Then go through all the documents to extract the personal information to be disclosed. Remember that expressions of opinion count. It is not about disclosing whole documents, but the relevant data within those documents.
THIRD PARTIES – any data about someone other than the data subject is third-party data. You should seek the consent of a third party to disclose their data IF it cannot be removed without destroying the data itself. In most cases removal should be possible. You are responsible for the information the Business holds, so make sure that the Response includes details of where you got the information from. You need to assess what is disclosable in each case.
RESPONSE
In the Response, you need to state that you are disclosing what is held and what it is possible to disclose under the legislation. You can withhold anything given to you by the requester, but offer a copy if they wish it. You can decide to include it, but make sure the Requester is aware of the source of the data.
You should give the Requester the opportunity to request a review by the Business of what has been disclosed if they think you have not released everything you should. They also have the right to go to the Information Commissioner’s Office, and you should provide contact details for it.