Forest Hypnotherapy Privacy Policy & GDPR

This Privacy Policy explains how I use and protect any information that you give to me when you use my services.

I am committed to ensuring that your privacy is protected. Should I ask you to provide certain information by which you can be identified when using my services, this will only be used in accordance with this privacy statement.

This policy may change from time to time. You are requested to please check this page to ensure that you continue to be comfortable with the measures that I take to protect your privacy. This policy is effective from 25th May 2018.

By visiting you are accepting and consenting to the practices described in this policy.

By continuing to use this site, you are agreeing to the use of cookies as described below.

For the purpose of the Data Protection Act 1998 (the Act) and GDPR, the data controller is Kazia Tyszka-Baxter.

What is GDPR?

On the 25th May 2018 General Data Protection Regulation (GDRP) legislation came into effect.  GDPR replaces current data protection legislation, the Data Protection Act 1998.  

It is designed to give individuals control back over personal information and to simplify regulation for business.

6 Principles of GDPR

Information is:

a) processed lawfully, fairly and in a transparent manner in relation to individuals;

b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;

c) adequate, relevant and limited to what is necessary in relation to the purposes for which processed;

d) accurate and, where necessary, kept up to date; every reasonable step must be taken to

ensure that personal data that are inaccurate, having regard to the purposes for which they are

processed, are erased or rectified without delay;

e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals; and

f) processed in a manner that ensures appropriate security of the personal data, including

protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

The controller shall be responsible for and be able to demonstrate compliance with all of these principles.

Information I may collect

The basis on which I keep client data is that of “Legitimate Interests”. This means that the data is necessary for me to fulfil the contract that we have together (ie to provide therapy) and that it is data that you would reasonably expect me to hold and use.

For those who enquire about therapy, the data I hold includes any information you have sent me by email/text/message. For those who book and attend at least one session, the data I hold includes:

  • Basic information such as name, email address, phone number
  • Information that you give me as part of the work we do together
  • Audio recordings of the session
  • Records of what interventions that I use (or potentially do not use) in our sessions
  • Emails, texts and/or messages that are sent between us
  • Information sent from any third party, eg GP, insurance company, EAP

Some of the information that you give me may fall under the definition of special category of data as defined by the General Data Protection Regulation. Assessors will access the data via the National College of Hypnosis and Psychotherapy’s secure cloud storage and not take copies of anything so they are covered by the National College of Hypnosis and Psychotherapy’s privacy notice.

Other than this, data is not shared with anyone, except possibly your GP, and for any reasons covered by the Requirements for Disclosure which are detailed and discussed when we first meet. The data is primarily used to enable me to provide therapy for you and for my capacity as a therapist to be assessed.

Details of where data is held:

  • Any texts or WhatsApp messages sent between us are transferred to a secure password encrypted drive and then deleted from my phone
  • Any emails sent between us are held on a secure password encrypted drive at Forest Hypnotherapy
  • Your notes are held in a secured space at Forest Hypnotherapy
  • Audio recordings are held on a password encrypted drive at Forest Hypnotherapy. Your data is kept for two years. The length of time is based on the requirements of my insurance company. After this time any paper records are shredded, and computer records permanently deleted. Audio recordings will be deleted by both myself and the National College of Hypnosis and Psychotherapy when the case has been assessed and any chance of appeal has passed.

I take the security of data seriously and as such:

  • Give details of all security measures including how any systems you use are secure (including payment systems) If there is any breach of data security I will give full details to the Information Commissioners Office and any person affected within 72 hours of the breach and do all possible to minimise any potential impact. You have rights with regards to the data held:
  • The right of access. I will provide you with all data I hold on you as soon as I can following a request (and definitely within 30 days, unless this is impossible due to holidays or illness).
  • The right to rectification. If any data I hold is incorrect, just let me know and I will correct it as soon as I can following a request (and definitely within 30 days, unless this is impossible due to holidays or illness).
  • The right to erasure. If you wish me to erase your data just let me know and I will delete any computer records and shred any paper records as soon as I can following a request (and definitely within 30 days, unless this is impossible due to holidays or illness). NB: data may be retained for scientific research, historical research or statistical purposes where erasure is likely to render impossible or seriously impair the achievement of that processing but this would never include case notes or data such as address/email/phone
  • The right to restrict processing. This would usually be a stop-gap measure before correction of any errors or before erasure
  • The right to object to: processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling)
  • The right to data portability. This might apply if you want your notes sent to another therapist for example, but it is likely that the easiest solution would come under the right to access, ie I would send the data to you.

Any personal information submitted via our website is treated in accordance with the data protection Act 1998, including compliance with GDPR 2018. To find out more about your entitlements under this legislation, visit the Information Commissioner’s website at

Your acceptance

By using the website, you consent to the collection and use of the information by us in accordance with my privacy policy.


Complaints, questions, comments and access requests are welcomed and should be addressed to Kazia Tyszka-Baxter, Data Protection Officer, This email address is being protected from spambots. You need JavaScript enabled to view it. or telephone 01342 531530.