Privacy policy.

I, Hannah Holland, am the Data Controller and Processor for data that I collect from Helping Hans Massage & Therapy.

The grounds on which I retain client data are those of “Legitimate Interests”. This means that the data is required for me to fulfil the contract that we have together, in order that I can provide therapy, and that it is data that you would reasonably expect me to hold and use.

For anyone who asks about therapy, the data I hold includes any information you have sent me by email, text or WhatsApp message.

For anyone who books and attends at least one session, the data I hold includes:

  • Basic information such as name, email address, phone number

  • Information that you give me as part of the work we do together

  • Notes on which interventions I use, or do not use if it’s appropriate to note, in our sessions

  • Emails, texts and/or messages that are sent between us

  • Information sent from any third party, e.g. GP, insurance company

Some of the information that you give me may fall under the definition of special category of data as defined by the General Data Protection Regulation (GDPR). The condition for processing this special data is “processing is necessary for medical diagnosis, the provision of health care or treatment pursuant to contract with a health professional”.

Data is not shared with anyone, except possibly your GP, and for any reasons covered by the Requirements for Disclosure which are detailed and discussed when we first meet. My accountant (should I have one) will see bank, credit card and PayPal records which will contain any information that you submit when making payment. If you would like me to redact your identifiable data before sending to the accountants, then please let me know.

The data is primarily used to enable me to provide therapy for you. It may also be used for scientific research purposes and statistical purposes; however, your consent would need to be given first.

Details of where data is held:


- Any emails sent between us are held in my email inbox

- Any texts (via Text Messenger/iMessage) sent between us are held on my iPhone and iCloud

- Your notes are handwritten and held in my office

- Personal details (email, number) are held in my practice management tool on my MacBook and also in a file in a lockable cupboard in my office

- Your data is kept for 7 years. The length of time is based on the requirements of my insurance company. After this time any paper records are shredded, and computer records permanently deleted.

I take the security of data seriously and as such:

- All sign-in devices and activities on my website, Google and Apple accounts are monitored

- Verification methods of all accounts have been set up

- Biometric authentication and passcode protections on my iPhone and MacBook have been set up

- Personal details and all relevant notes are kept separate and are stored in a lockable cupboard in my home office

However:


- I am not in control of data (including emails and texts) which you send me

- Apps such as Facebook routinely access any information held and this is beyond my control.

- If there is any breach of data security, I will give full details to the Information Commissioner's Office and any person affected within 72 hours of the breach and do everything possible to minimise any potential impact.

You have rights with regard to the data held:


- The right of access. I will provide you with all data I hold on you as soon as I can following a request (and definitely within 30 days, unless this is not possible due to holidays or illness).

- The right to rectification. If any data I hold is incorrect, just let me know and I will correct it as soon as I can following a request (and definitely within 30 days, unless this is not possible due to holidays or illness).

- The right to erasure. If you wish me to erase your data just let me know and I will delete any computer records and shred any paper records as soon as I can following a request (and definitely within 30 days, unless this is not possible due to holidays or illness). Data may be retained for scientific research, historical research, or statistical purposes where erasure is likely to render impossible or seriously impair the achievement of that processing, but this would never include case notes or data such as address/email/phone.

- The right to restrict processing. This would usually be a stop-gap measure before correction of any errors or before erasure.

- The right to data portability. This might apply if you want your notes sent to another therapist for example, but it is likely that the easiest solution would come under the right to access, i.e. I would send the data to you.

Cookies

Like many websites, I use cookies. A cookie is a small amount of data that is sent to your computer or mobile phone browser from a website’s computer and is stored on your device’s hard drive.

Cookies record information about your online preferences. They help me understand how visitors engage with my site so that I can improve your online experience with me. I do not use cookies to collect personal identifiable information about you.

Each website you visit can send its own cookie to your browser if your browser’s preferences allow it. To protect your privacy, your browser only permits a website to access the cookies it has already sent to you, not the cookies sent to you by other websites.

How to control and delete cookies:

You may restrict or block the cookies which are set by my website, or any other website, through your browser settings. You can also ask your browser to alert you when a cookie is issued.

More information about cookies and how to manage them is available at http://www.aboutcookies.org

I use Google Analytics to understand how visitors engage with my website. It collects information anonymously and reports website trends without identifying individual visitors. For more information visit Google Analytics privacy and security information.