Who I am
I’m Richard Lewis and my practice address is 11 Orchard Street, Bristol BS1 5EH. My website address is: https://richardlewishypnotherapy.com. No one else is involved in this practice.
When you first contact me by e-mail, your message goes first to my domain’s mail server (hosted in the cloud by a third-party host) and is then delivered to me via Gmail, which means a copy is held in my Gmail webmail account. That account is secured and my computer is password protected. As a further precaution, once you go through the intake process into the practice, your personal data is moved to WriteUpp (see below) and the e-mails are deleted.
No personal data is held on my website. However, when you contact me through my web form, the message passes through more systems than a direct e-mail, so there are more points at which it could be intercepted. I have no control over that route, only over what arrives on my computer, so please keep confidential matters out of web-form messages.
What personal data I collect and why I collect it
For practical and billing purposes I will collect, for each client and prospective client, a name, address and contact details. In some cases I may also collect an emergency contact name and number. This data is stored in a record on the cloud service WriteUpp, which integrates with Zoom and Google Calendar to make automatic bookings. WriteUpp assigns each client a code and derives a hash from it, a one-way pseudonymous identifier that cannot be reversed to recover your details, when integrating with these services, so your name will never appear on those services. If I collect this information but we do not immediately work together clinically, I will hold the information for 12 months before deleting it. I will delete it sooner if asked by you.
During our initial consultation I need to complete an intake form, and this will contain details of a sensitive nature, including but not limited to your presenting issues, your medical and mental health history, details of your GP practice and any prescription medications that may prevent me from working safely with you, such as medication for blood pressure, epilepsy or antipsychotics. I do not hold this data on my computer or on paper records; it is stored in a digital record on the cloud service WriteUpp. I am obliged by my insurers to keep records for a period of seven years. You have the right to see all the data I hold and to request corrections and deletions, although I may not be able to delete everything I hold until my insurance obligation is fulfilled. I will never send you an e-mail containing details of confidential information shared during a session. Should I need to contact you electronically with sensitive information, I will use an encrypted, time-limited direct message via WriteUpp, not e-mail.
I keep brief notes of each clinical session, again as required by my insurers. These notes will not be shared with any third party unless subject to a court order. With this in mind, I keep details to a minimum and focus on the process used and the outcomes rather than recording private matters. I am obliged to retain these notes for seven years. You have the right to receive a copy of these notes, and of any other data I hold, at any time.
My website has no interactive element and does not require a login, so any cookies used are purely functional and do not contain personally identifying data. My website is protected by robust security software. If you attempt to hack my website, my security software will log your IP address; I will retain this data indefinitely and will share it with third parties, including law enforcement.
Analytics
I do not perform any analytics or profiling and will not share your data with any party for such purposes.
How long I retain your data
- Prospects who visit the site but don’t make a booking: no personal data logged or kept (the only exception is the security logging of attempted attacks described above).
- Prospects who book an initial consultation but do not attend: initial contact e-mail kept for 12 months or until you request deletion.
- Prospects who book an initial consultation and complete an intake form: personal and sensitive information kept for 12 months or until you request deletion.
- Clinical clients: personal and sensitive information held for seven years.
What rights you have over your data
If you have been a clinical client, you have the right to request an export of all data I hold on you, including your clinical notes. You can ask for data to be corrected where it is factually inaccurate. I may not be able to delete this data, however, until my insurance obligation to retain records for seven years has been fulfilled.
Where I send your data
GP: I will share a name and presenting issue with your GP only if you give me consent to do this, and only where I need a medical opinion on whether I can safely proceed with psychological therapies.
Supervision: I reserve the right to share elements of your case with my supervisor and peer supervision group. However, I will not share your name or any other personally identifying information.
Court: If I receive a court order to share your information I must comply. For this reason I keep my notes brief and factual.
How we protect your data
- Secure e-mail using Google servers. Breaches are unlikely, and routine deletion of e-mail records once the record has been created in WriteUpp minimises the impact of any breach.
- No client data held on my website or computer.
- Website runs advanced security software.
- Sensitive and personal data held on a secure, encrypted third-party cloud service.
- Data deletion on request (where my insurance obligations permit).
What data breach procedures we have in place
- In the event of any breach, all clients will be contacted and informed of the type of breach, the time and date of the breach (if known), its possible impact, the remedial action taken by me or by third-party suppliers, and the remedial action suggested for the client to take.
Third parties I receive data from
No third party shares data about my clients with me. If you have opted into my practice mailing list, hosted and managed by MailChimp, then that service will share data about your interaction with my e-mail campaigns with me.
What automated decision making and/or profiling we do with user data
I do not carry out any automated decision making or profiling using your data.
Industry regulatory disclosure requirements
I am on the ICO public register under the Data Protection Act and hold a current certificate.