01751 620031 / 07790 893007 hello@karenhayward.co.uk

Data Protection (GDPR) and Confidentiality

When we work together I collect personal information from you to help me provide safe and effective therapy. In handling this information, I am bound by two sets of rules, the General Data Protection Regulations (GDPR) and my professional body’s code of ethics. This page will explain how these affect the way I work.

If you have questions about any of this, please discuss them with me before booking a session, or at a session you have already booked.

Protecting your personal information

  • I am registered with the ICO – https://ico.org.uk/ESDWebPages/Entry/ZA245514
  • As I am the only person who works for the company I am both the Data Controller and the Data Protection Officer. My contact details are; Karen Hayward, email info@kh-hypnotherapy.co.uk, phone 07790 893 007.
  • In most cases, the information about you that I collect comes from you, via an email, phone call, online form or during our face-to-face sessions.
    • If you are under 18, I may get some information from your parents or school.
    • If you are referred by someone else (e.g. an employer) I may get some information from them.
    • If you make a purchase via paypal, they will send me your contact details so I can send you what you’ve bought. All PayPal transactions are subject to the PayPal Privacy Policy
  • I use your personal data in the following ways
    • to provide you with items you have purchased, e.g. audio downloads
    • to deliver therapy
    • to reply to you if you contact me with questions about my services
    • to contact you between therapy sessions if necessary
    • to allow me to collect payment from you, and maintain my records and accounts
  • You have no legal requirement to share any information with me, but if you do not do so I will not be able to work with you.
  • The categories of data/information I collect may include: your name and contact details, your medical history, your family situation and support network, the nature of your employment, your hobbies and interests, your lifestyle, and details of the problem you’d like me to help with. These details are necessary to provide you with safe and effective therapy.
  • The lawful basis of my collecting and processing data is consent or contract or legitimate interests. You consent to my holding and using your information when you submit an online form. Clicking a Paypal button creates a contract to supply goods or services which I cannot do without using your data. If you undertake therapy with me you will sign my terms and conditions, which creates a contract. If you email, phone or contact me via social media with enquiries it is a legitimate interest of my business to use your contact details to reply to you.
  • Sharing information:
    • I am the only person who has access to your information unless
      • there is a legal requirement for me to share the information (e.g. a court order or warrant is issued)
      • you ask me in writing to share your information with someone else
      • the Duty of Care Provision from my Code of Ethics applies – see the notes about this further down
      • I am working with you as part of a care team, or you have been referred to me by someone else (e.g. an employer), in which case pre-arranged levels of information will be shared with these relevant parties
    • I keep the information you give me for eight years, which is the length of time required by my professional body and my insurance company. After this time, it is shredded and disposed of securely.
    • You have rights over the information I hold about you. These are
      • Portability – you can ask me to send your information to someone else
      • Rectification – if you think my records are wrong you can ask me to change them
      • Erasure – in some circumstances you can ask me to remove your details from my records (this is sometimes called ‘the right to be forgotten’)
      • Fair profiling – I do not currently use any automated processes for collecting data but may in the future.  You can ask that any processes I automate are done by a person instead of a computer. I don’t automate any information processing, although I do occasionally use online forms to collect information. If you prefer not to complete these, the information can be collected face to face at our first session.
      • Right of access – you can have a copy of the information I hold at any time, by requesting it in writing. If you do this, it will be provided within 30 days and free of charge.
      • Restricting processing – in some circumstances you can request that I stop processing your information
      • Objection – you can object to the way I process information (e.g. if it is used to send you direct marketing you don’t want to receive) and you can ask me to stop using it in that way. I do not currently undertake any direct marketing but may in the future.  If I begin direct marketing in the future, I will ask your permission to contact you in this way
      • Information – you have the right to understand how I collect and process your information (hence this privacy notice)
    • If you are under 18 I will need permission from a parent or guardian before working with you, and if you are under 13 I will need to verify your date of birth.
    • You can learn more about these rights on https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/
    • You can withdraw your permission for me to use your information at any time, this means ending your therapy.
    • You have a right to complain to the ICO if you have any problem with the way I store or use your data, or if you do not think your rights are being respected.


My Professional Body

The GHR ask me to keep the information you give me private and confidential unless one of the following applies:

  • there is a legal requirement for me to share information (as above)
  • there is good cause to believe that if I do not disclose information you or others would be exposed to a serious risk of harm


These exceptions to the confidentiality rule come under a provision called the ‘Duty of Care’.

My Code of Ethics also allows me to share anonymous case histories verbally or in hypnotherapy publications for the purposes of supervision or training. Anonymous means your personal details are removed and small details about your situation are changed so that you could never be recognised.

The Duty of Care provision applies to everyone but you can opt out of this other use of your information on the form you sign the first time we work together.


Social Media

Most businesses encourage their clients and customers to connect with them and to discuss their products on social media and other web-based discussion forums. It’s a bit different for therapists because we have rules about confidentiality which prevent us from discussing your personal issues in public.

I have an account with social media site Facebook, which is used for business purposes. I am happy to connect at any level with other therapists and those with a general interest in hypnotherapy or hypnotherapy training.

I do not accept friend requests from current therapy clients on any social networking sites. My reason for this is that I believe that adding clients as friends can compromise your confidentiality and blur the boundaries of our therapeutic relationship. If you have questions about this, please feel free to bring it up in-session; I’m happy to talk more about it.

You are welcome to like my Facebook business page, to follow any of my other social media business pages, and to read and share the articles and comments there. You may leave general comments and questions but remember that anything you post is visible to everyone who visits the page. If you want to ask anything specific to you please email* or phone me. If I feel any posts you have made blur the line of our professional relationship or identify you as a client, I will delete them.

It is not a regular part of my practice to search for clients online, via search engines or social media. The exception to this would be if one of the Duty of Care provisions (above) applied.

*Please note that email is not completely secure or confidential. Records of any emails you send me are automatically kept in the logs of your own computer and mine. Although in practice it seems unlikely, in theory they could be read by the system administrator. With this in mind it’s best not to use email to send any information that should be kept private. Any emails you send me that refer to your therapy will be printed and kept in your confidential records.



I occasionally use testimonials on my website or social media page but do not, as a rule, ask clients to provide one.  Any that are provided are treated as anonymous unless the client gives express permission for their name to be used.  This is entirely at the clients’ discretion.

There may be links to my websites on other sites or directories which ask you to rate my services. My presence on these sites is not a request for testimonials, and some sites may have added me to their database without my knowledge.

Please treat your own right to privacy and confidentiality with the same respect I do, and also bear in mind that I may not be aware of any posts you make on these sites. If we are working together, I hope that you will bring your feelings and reactions to our work directly into the therapy room. This can be an important part of therapy, even if we decide we are not a good fit.

If you do choose to write something on a business review site, I hope you will keep in mind that you may be sharing personally revealing information in a public forum. I urge you to create a pseudonym that is not linked to your regular email address or friend networks for your own privacy and protection.

None of this is meant to keep you from sharing that you are in therapy with me wherever and with whomever you like. Confidentiality means that I cannot tell people that you are my client, but you are more than welcome to tell anyone you wish that I’m your therapist, or how you feel about the treatment I provided to you. I welcome recommendations (‘word of mouth’ referrals) if you think I can help someone you know.

If you feel I have done something harmful or unethical, I ask that in the first place you contact me about your concerns. If you are not comfortable discussing it with me, you can always contact my professional body, the General Hypnotherapy Register, which oversees the way I work.


Social media policy adapted from a template provided by Dr Keeley Kolmes. If you are a therapist who would like to use this as as your own social media policy you are welcome to do so on condition that you include the following statement ‘Social media policy by https://www.kh-hypnotherapy.co.uk’ adapted from http://www.debbiewaller.com  adapted from an original by http://www.drkkolmes.com’.