Client GDPR Policy

General

This Policy has been produced to explain what data Jo Gilbert may collect from clients, how it is used, and how it is stored. It helps Jo Gilbert Hypnotherapy comply with the UK General Data Protection Regulation (GDPR) and uphold the confidentiality and ethical standards required by the National Council for Hypnotherapy (NCH) and the Association for Solution Focused Hypnotherapy (AfSFH).

How long will you hold my information for?

Jo Gilbert is a registered member of the NCH and the AfSFH, and is therefore bound by their regulations regarding the length of time client information is retained.

These professional bodies require Jo to hold onto client records for eight (8) years after your final session. For clients who were children at the time of therapy, data must be retained until their 25th birthday. If therapy ended when the client was 17, records will be kept until their 26th birthday.

Client records will be securely destroyed in January following the final retention date, in line with NHS and professional standards.

What if I would like my data to be destroyed before this date?

As a professional therapist, Jo is required to retain certain information such as session notes and communications that form part of the therapeutic record.

However, you may request that all identifying details be removed. In such cases, Jo will anonymise your data by removing personal identifiers and storing records under coded filenames.

Requests for anonymisation or deletion can be made by email to Jo Gilbert Hypnotherapy, and there is no charge for this service.

Am I able to see or get a copy of the information held by Jo Gilbert Hypnotherapy?

In accordance with GDPR, you may request access to the personal data Jo holds about you at any time. Written requests will be fulfilled within 30 days, and Jo may need to verify your identity before providing the information. There is no charge for this service.

What data is collected, and why?

To provide effective, safe, and personalised therapy, Jo collects limited information relevant to your treatment, including:

• Your contact details

• GP contact details (with your consent)

• An overview of what you wish to achieve through hypnotherapy

• A small amount of relevant medical history

• Brief session notes

• Basic information about key people in your life (where relevant)

This information supports continuity of care, allowing Jo to refer to previous sessions and tailor your therapy to best meet your needs. Your contact and GP details will only be used with your explicit consent, except where legal obligations apply (see “Confidentiality” below).

How is my information stored securely?

Session Notes:

Any notes taken electronically are stored with password protection.

Paper Notes:

If any paper notes are taken, they will either be:

• Securely digitised and then destroyed, or

• Stored in a locked filing cabinet behind a locked door.

Emails and Messages:

All email communications are protected by strong passwords. Jo’s mobile phone and other devices are PIN and/or fingerprint protected.

Confidentiality

Everything discussed during sessions with Jo remains strictly confidential.

Jo may occasionally discuss elements of sessions with her supervisor to ensure professional best practice, but no identifying information will ever be shared. Jo’s supervisor is also bound by GDPR and registered with the ICO (Information Commissioner’s Office).

If you encounter Jo outside of a session, she will always protect your confidentiality and will only acknowledge you briefly unless you choose to initiate conversation. You are, of course, free to discuss your therapy with others if you wish.

Sharing information with other professionals

Jo will only contact your GP or other health or social care professionals with your written consent — for example, to confirm the start or completion of therapy.

When might confidentiality need to be broken?

Jo has a professional duty of care to ensure client safety. Confidentiality may need to be broken if:

• There is a risk of harm to yourself or others

• There is a safeguarding concern

• Jo is legally required to share information (e.g., through a court order or police warrant)

Whenever possible, Jo would discuss this with you before taking any action.

Data Controller and ICO Registration

The Data Controller is Jo Gilbert, trading as Jo H Gilbert Hypnotherapy.

ICO Registration Number: 00011880192

This policy was last updated: October 2025.

It may be updated periodically to reflect legal or professional changes. The latest version will always be available via www.johgilberthypnotherapy.com.