Information Governance, Policies and Procedures


Section A

  • Introduction
  • Aim and Purpose
  • Information Governance Framework Principles for Kim Dyke Hypnotherapy

Section B

  • Privacy Notice: Use of information
  • Retention Schedule
  • Data Processing

Section C

  • Data Breach
  • Subject Access Request
  • Right to Erasure
  • Complaints
  • Safeguarding your privacy


Section A


Data held by Kim Dyke Hypnotherapy will be held lawfully and for the retention periods set out in section B of this Policy Document.

This document refers to:

  • Written Documents
  • Spreadsheets
  • Hardcopy case notes and files
  • Database entries
  • Images
  • Recordings
  • Emails – directly or via online Registers, Governing Bodies and Associations
  • Text messages
  • Supervision notes
  • Visits to the organisations website
  • Social media communication

Aim and Purpose

The purpose of this document is to ensure that Kim Dyke Hypnotherapy has a framework that ensures the rights and freedom of individuals in relation to their personal data (Article 1) and adheres to best practice in the management of client information and business records.

Information Governance sets out the way in which information collated by an organisation is managed and ensures that any information collected:

  • is the right information
  • is in the right place
  • at the right time
  • with the right people
  • for the right reasons

This is a ‘live’ document and may be updated at any time to reflect changes in law or growth of the business, and therefore should be revisited regularly to check for any updates. Kim Dyke Hypnotherapy is fully committed to ensuring clients’ privacy and Data Protection rights.

For the purpose of this Policy, Kim Dyke is the named Data Protection Officer/Controller and Head of Organisation for Kim Dyke Hypnotherapy. Where Supervision of Supervisees is concerned, Sandra Churchill of Churchill Hypnotherapy is equal Data Protection Officer/Controller with Kim Dyke for all Supervision related activities.

Information Governance Framework Principles for Kim Dyke Hypnotherapy

1. Assessment needs for Information Governance (IG) Training have been identified and fully met, by completing a 75 minute GDPR CPD Course provided by the Clinical Hypnotherapy School ( Refresher training is updated accordingly and completed every two years.

2. Any changes to the business processes and/or operations will be planned and will comply with the framework to ensure any risks to personal and sensitive information are minimised.

3. Any data collected is solely for the purpose of providing a person-centred service to an individual client. Data is also collected for research purposes and does not include any personal details such as name, contact details, family details, lifestyle and social circumstances, or financial details. The sensitive type of information may include physical or mental health details but does not include racial or ethnic origin, religious or other beliefs. Where necessary or required this information may be shared with clients and the research organisation involved (CORP).

4. The Caldicott Principles are used to provide guidance in best practice when handling personal data, alongside the ICO’s Office Codes of Practice. (

5. All technology [Microsoft Office products including Outlook] used to store or facilitate information and communication is maintained according to the Data Retention Policy for Kim Dyke Hypnotherapy.

6. All records are identifiable, locatable, retrievable, and intelligible according to regulations set out by GDPR.

7. It is the responsibility of the Data Controller to ensure sufficient resources are in place to prioritise adhering to Data Protection Legislation in the business.

9. Any electronic devices where personal or sensitive, confidential information is held will be password protected. Individual documents stored electronically will also be password protected.

10. Procedures have been put in place to ensure the General Data Protection Regulations are met. These can be found in Section C.


Section B

Privacy Notice: Use of information

In accordance with this data retention schedule there may be occasions when data is not destroyed due to ongoing investigation, ligation or enquiry. The data will be deleted upon confirmation that it is no longer required.

On some occasions anonymised personal data will be retained whereby a client has provided a testimonial for use on the organisations website. When data is non-identifiable, GDPR law is no longer applicable. [Non-identifiable means that if this data was left on a bus, no one, including the data subject, would be able to identify that this data was relating to them.]

  • Personal information is collated and stored in hardcopy in a locked filing cabinet behind a locked door.
  • Any document containing personal data will state “Official-sensitive, private and confidential” clearly.
  • All emails will contain a privacy statement.

Under the General Data Protection and Retention (2018) legislation, regarding how your personal data is processed, all individuals have;

  • the right to be informed
  • the right of access
  • the right to rectification
  • the right to erasure
  • the right to restrict processing
  • the right to data portability
  • the right to object
  • the right not to be subject to automated decision-making including profiling

Please note that Kim Dyke Hypnotherapy does not use automated decision-making tools, including profiling.

Website Visitors

Website Hosting

darkHouse Multimedia is a third-party service that hosts Kim Dyke Hypnotherapy’s website. darkHouse Multimedia also uses anonymised data to collect visitor information such as how long an individual remains on a page of a website. darkHouse Multimedia’s privacy notice can be found here for further information:


Like any other website, Kim Dyke Hypnotherapy's website uses ‘cookies’. These cookies are used to store information including visitors’ preferences, and the pages on the website that the visitor accessed or visited. The information is used to optimise the users’ experience by customising Kim Dyke Hypnotherapy's web page content based on visitors’ browser type and/or other information.

You can choose to disable cookies through your individual browser options. More information on how to do this can be found by visiting the following links :

Note that if you block cookies, some features of Kim Dyke Hypnotherapy's website may not be available to you.

Contact Form

When you contact Kim Dyke Hypnotherapy via the website Contact Form, your name and email address will be collected. By using the Contact Form you consent to Kim Dyke Hypnotherapy using this information for correspondence purposes, notably to discuss your interest in the Hypnotherapy service, to book an appointment and or the provision of Supervision if you are a Clinical Hypnotherapist. To delete your email from Kim Dyke Hypnotherapy's records, please contact Kim Dyke by email at

Relaxation Download

When you request the Relaxation Download from Kim Dyke Hypnotherapy’s website, Kim Dyke Hypnotherapy will collect your name and email address. In doing so you consent to Kim Dyke Hypnotherapy using this information in order to email you a link to the Relaxation Download. To delete your email from Kim Dyke Hypnotherapy’s records please contact Kim Dyke by email at .

Transfer of Relaxation Track

Kim Dyke Hypnotherapy collects email addresses from clients for the purpose of transferring a Relaxation track to them, as explained during the Initial Consultation. The Relaxation track is sent using a third party, We Transfer. We Transfer’s Privacy notice can be found here for further information:

Google Analytics

When an individual visits Kim Dyke Hypnotherapy uses Google Analytics, who are considered a third party service, to collect information about what visitors do when they click on the website, e.g. which page they visit the most. Google Analytics only collect non-identifiable data which means Kim Dyke Hypnotherapy or they cannot identify who is visiting. Kim Dyke Hypnotherapy will always be transparent when it comes to collecting personal data and will be clear about how that data is processed.

Log Files

Kim Dyke Hypnotherapy's website follows a standard procedure of using log files. These files log visitors when they visit websites. All hosting companies do this and a part of hosting services’ analytics. The information collected by log files include internet protocol (IP) addresses, browser type, Internet Service Provider (ISP), date and time stamp, referring/exit pages, and possibly the number of clicks. These are not linked to any information that is personally identifiable. The purpose of the information is for analysing trends, administering the website, tracking users’ movement on the website, and gathering demographic information.


Subject to your prior consent, we may publish information you provide about the sessions you received from Kim Dyke Hypnotherapy as a Testimonial on Kim Dyke Hypnotherapy’s website. Testimonials are not personally identifiable. Such information may be available, via the internet, around the world. We cannot prevent the use (or misuse) of such information by others. To have your testimonial deleted from Kim Dyke Hypnotherapy’s website please contact Kim Dyke at

Social Media

Kim Dyke Hypnotherapy uses Facebook to manage its social media interactions. Any messages sent to the inbox of this social media account are stored by Facebook and permanently deleted after three months. Facebook’s Privacy notice can be found here for further information:


Kim Dyke Hypnotherapy receives enquiry emails containing personal data directly, through online Registers, such as the Hypnotherapy Directory and FreeIndex, and through Governing Bodies and Associations namely CNHC, NCH, AfSFH and the National Hypnotherapy Society. These emails are received into and stored in Kim Dyke Hypnotherapy’s Hotmail account at and are permanently deleted after 3 months.

Links to other Websites

Kim Dyke Hypnotherapy's website may contain links to other websites, e.g. Facebook, Twitter and any of those listed in the above paragraph. Kim Dyke Hypnotherapy's Privacy Policy does not apply to other websites. Therefore Kim Dyke Hypnotherapy advises you to consult the Privacy Policies of these websites for more detailed information as they may include their practices and instructions about how to opt out of certain options.


Kim Dyke Hypnotherapy collects information in paper format currently at the end of each client session for the purpose of assessing client progress and in the interests of research. Each form is attached to the client’s paper file. It is intended that this information will be collected electronically in the future using CORP software (as mentioned in Section A, point 3). There will be no identifiable data within this software.

Online Payments

Kim Dyke Hypnotherapy accepts session payments directly into their Bank Account and therefore clients choosing to settle their session fees via this method consent to the fact that their personal details may appear on Kim Dyke Hypnotherapy's Bank Statement. To safeguard clients' privacy Kim Dyke Hypnotherapy has entered into a Data Sharing Agreement with their Accountant.

Retention Schedule

Information Asset

Information Owner Asset


Trigger for Disposal

Email (including sent items)

Head of organisation

Annual review period every January, any remaining live data untouched until following review period.

End of retention period

Contact details held on mobile devices

Head of organisation

All entries to be deleted prior to decommissioning of mobile device or reissue of device

End of retention period


Head of organisation

5 years or earlier if consent is withdrawn

End of retention period

Images taken

Head of organisation

5 years or earlier if consent is withdrawn

End of retention period

Promotional materials

Head of organisation

Until superseded – Consent to be rechecked prior to reissue

End of retention period

Paper Diaries

Head of organisation

7 years in line with HMRC Guidelines

End of retention period


Head of organisation

Until new policy has been put into place

End of retention period

Client records including session notes, initial consultation notes and client overview form

Head of organisation

In accordance with CNHC regulation, 8 years after final treatment session has ended. Child records should be held until after 25th birthday, or 26th birthday if aged 17 when treatment ends.

End of retention period

Safeguarding records

Head of organisation

In accordance with the current organisations insurance policy, 5 years after final treatment session has ended, unless superseded by new insurance policy.

End of retention period

Sat Nav records

Head of organisation

All entries to be deleted prior to decommissioning of mobile device or reissue of device

End of retention period

Waiting lists

Head of organisation

Annual review period every January, old waiting list destroyed and new waiting list developed with any remaining live data transferred to new live document.

End of retention period

Continual Professional Development Records

Head of organisation

To be retained when worker is in service and until 8 years afterwards.

End of retention period

Worker supervision records

Head of organisation and workers supervisor

To be retained when worker is in service and until 8 years afterwards.

End of retention period

Service evaluation records

Head of organisation

Transfer to anonymised data within 6 months of collection.

End of retention period

Tax returns

Head of organisation

6 years from the end of the financial period to which they pertain to.

End of retention period

Incident/Accident reports

Head of organisation

40 years from date report was closed

End of retention period

Insurance policies

Head of organisation

40 years from date policy ended.

End of retention period


Head of organisation

2 years from complaint being resolved

End of retention period

Right to Erasure Request

Head of Organisation

8 years from request being submitted and completed.

End of retention period

Subject Access Request

Head of organisation

8 years alongside session notes, or plus 2 years from case closure if request is made after 6 years of storing data.

End of retention period

Hard copy data will be destroyed via a cross shredding machine owned by Kim Dyke Hypnotherapy, electronic data will be permanently deleted.

Data Processing

What are the lawful basis for processing data at Kim Dyke Hypnotherapy?

Consent in relation to communication: the individual has given clear consent for their data to be processed for the specific purpose/s detailed in the consent form stored in their personal file.

1. Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation shall be prohibited.

2. Paragraph 1 shall not apply if one of the following applies:

(h)processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3;

3. Personal data referred to in paragraph 1 may be processed for the purposes referred to in point (h) of paragraph 2 when those data are processed by or under the responsibility of a professional subject to the obligation of professional secrecy under Union or Member State law or rules established by national competent bodies or by another person also subject to an obligation of secrecy under Union or Member State law or rules established by national competent bodies.

This means that Kim Dyke Hypnotherapy does not require consent to hold your data to provide a service but does require your consent to contact you for specific purposes. Participating in the service by attending more than one appointment implies that you agree with the Terms and Conditions provided to you at the commencement of service delivery.

Description of processing

The following is a broad description of the way Kim Dyke Hypnotherapy/data controller processes personal information. Clients wishing to understand how their own personal information is processed may choose to read the ‘Frequently Asked Questions & Terms and Conditions of Receiving Treatment document, which compliments the policies detailed here.

Reasons/purposes for processing information

Kim Dyke Hypnotherapy processes personal information to enable the provision of Psychotherapy and Hypnotherapy, to advertise services and to maintain accounts and records.

Type/classes of information processed

Kim Dyke Hypnotherapy processes information relevant to the above reasons/purposes. This information may include:

  • personal details
  • family, lifestyle and social circumstances
  • goods and services
  • financial details
  • employment and education details

Kim Dyke Hypnotherapy also processes sensitive classes of information that may include:

  • physical or mental health details
  • racial or ethnic origin
  • religious or other beliefs of a similar nature
  • offences and alleged offences

Kim Dyke Hypnotherapy processes personal information about:

  • clients
  • suppliers
  • business contacts
  • professional advisers
  • supervisors
  • supervisees


Section C

Data Breach

All personal and sensitive data held by Kim Dyke Hypnotherapy is held securely. Electronic data stored on a computer is stored on a password protected computer, in password protected documents held on the C: Drive of the computer. This supports the ability to retrieve data in the event of faults. Hardcopy data is held securely in a locked cabinet behind a locked door.

In the case of a data breach Kim Dyke Hypnotherapy shall comply with the regulations set out under Article 33 of the GDPR;

1. In the case of a personal data breach, the data controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the ICO, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of the individual. Where the notification to the ICO is not made within 72 hours, it shall be accompanied by reasons for the delay.

2. The notification referred to in paragraph 1 shall at least:

(a) describe the nature of the personal data breach including where possible, the approximate number of data subjects concerned and the categories (e.g. sessions notes, phone numbers) and approximate number of personal data records concerned;

(b) communicate the name and contact details of the data controller where more information can be obtained;

(c) describe the likely consequences of the personal data breach;

(d) describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

4. Where, and in so far as, it is not possible to provide the information at the same time, the information may be provided in phases without undue further delay.

5. The controller shall document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken. That documentation shall enable the supervisory authority to verify compliance with this Article.

6. In the event that a data breach will likely cause a risk to the rights and freedoms of client data, the data controller must communicate the nature of the breach in clear, concise and plain language, to the client/s involved, without delay.

7. If a breach occurs but the data controller has gone to appropriate lengths to protect the data held on the client (e.g. password encryption of electronic files), or if the data controller has taken subsequent action to prevent the risk (e.g. immediately blocking a mobile device) then notifying the client will not be required.

Subject Access Request

A Subject Access Requests (SAR) permits individuals to request a copy of their personal information.

A SAR must be acted upon within one month, at the most within two months, any longer and reasonable reason must be provided. There are no fees unless there is a disproportionate fee to the organisation for sending out the information. Application for SAR should be held alongside session records, unless application was made after six years of the end of treatment. In which case the SAR will be held for a further two years after closure of SAR.

A SAR request will include information we hold about you, Kim Dyke Hypnotherapy will:

  • give you a description of it
  • tell you why we are holding it
  • tell you who it could be disclosed to
  • let you have a copy of the information in an intelligible form

SAR requests should be put in writing to Kim Dyke Hypnotherapy. A response may be provided informally over the telephone with your agreement, or formally by letter or email. If any information held is noted to be incorrect an individual can request a correction be made to their own personal information. This should be made in writing to Kim Dyke at

Right to Erasure

Any person may put in a request for their personal data to be removed (the ‘right to be forgotten’ or the ‘right to erasure’). In this instance hard copy data will be shredded using a cross shredding machine owned by Kim Dyke Hypnotherapy and any electronic data will be permanently deleted. The client will be notified of the completion. The request for deletion of data and the confirmation of completion will be held securely until eight years after the request was made.


Kim Dyke Hypnotherapy hopes to meet the highest quality standards when processing personal and sensitive data. Complaints can help identify areas for improvement and therefore Kim Dyke Hypnotherapy would welcome you raising any concerns you have.

These Information Governance Policy documents were created to be as transparent and understandable as possible. It will not be completely exhaustive of all aspects of data collection. If you would like further information about a specific process, please contact Kim Dyke Hypnotherapy.

If you feel you would like to make a complaint about how your personal and sensitive data is handled by Kim Dyke Hypnotherapy you can contact Kim Dyke Hypnotherapy directly. In the event that Kim Dyke Hypnotherapy cannot resolve your complaint to your satisfaction you can contact the Information Commissioners Office on 0303 123 1113.

Safeguarding your privacy

In the event of my death or sudden illness, my peer Supervisor will contact existing clients and archive any client files in accordance with General Data Protection Regulations.