Pure Channel Healing Association
Data Protection Guidelines
1) Unless no electronic data is used in the therapy practice then all practitioners need to register with the ICO (Information Commissioners Office) https://ico.org.uk , as even exchanging an e-mail with a client makes you a ‘data controller’. It costs £35 per year to register with ICO.
E-mails, texts, Whatsapp messages, an individual's phone number on a mobile, Skype/Zoom
calls all count as "personal data" and are covered by the legislation.
2) If only landline and post are used to contact clients, and all the records are kept on paper and nothing is recorded electronically then it is not necessary to register with the ICO
(Information Commissioners Office).
3) We need to ensure that all personal data is stored securely, both electronic and hard copies.
Any paper records need to be stored in a locked filing cabinet. Any electronic data needs to
be secured, e.g. via passwords on a computer (not just an overall login password for the
PC/Mac, but individual files need to be password protected). E-mail accounts need to be
4) We are obliged to inform clients in writing about what type of data we hold on them, what
the purpose of it is, how long you are going to keep it and the fact that they have the right to
view the data we hold on them and that we would provide it for them within 40 days from
their request. They need to give their explicit consent for the data to be held for the above
purposes by reading and signing a data protection policy/consent sheet (it needs to be
separate from any treatment consent form).
5) For those practitioners who do online conferencing with clients/students - Zoom is OK to use with clients, as the platform is GDPR compliant - the data transmitted during meetings,
webinars, etc. are encrypted and secure. (Skype is not quite as secure, even though it is also
apparently compliant with GDPR). If you record sessions on Zoom/Skype then the client
needs to be aware of this and to consent to the recording in writing. Your contract would
need to include info on why you need to record sessions, where you store them and how long
you hold the recording for.
6) The above is relevant for current, future, and any past clients/students whose information you are still keeping, i.e. for insurance purposes. ‘The Right to Be Forgotten’ which is part of the new legislation does not apply for healing therapies as there is a legal basis for keeping the data in case we are sued by the client, and the insurance requirement would normally be to keep records for 5 to 7 years because of this.
7) If there is a breach of personal data (e.g. if we lose our client notes, our computer or phone
with client details gets stolen, or we get hacked!), we are supposed to report this to ICO
within three days. There are fines for non-reporting (though it is unlikely that very small
businesses will be severely penalised for minor misdemeanours).
9) While the GDPR guidelines were issued in 2016, they will become legally enforceable from 25th May 2018. It does not mean that you have to have absolutely everything in place or to have 100% compliance in all your paperwork or processes on that date, but you need to be
able to demonstrate that you have at least given it some thought and have begun to make
appropriate changes to safeguard your clients data, and to keep them informed about it.
10) We do not need to contact past clients / ask them to sign consent forms etc. (however it is still possible that they might contact us to ask to see their data, in which case they have the
right to do that as the same GDPR principles will apply to them).
11) For those practitioners who may do some distant/online work, it is fine to have the consent forms signed electronically.
12) It is probably safer to keep client records, case studies, and enrolment forms in paper form. If you store data electronically then it should be kept on a memory stick or storage device rather than on your computer. If you lose any client record you need to inform the client and the ICO (Information Commissioners Office).
13) You will need to get your new clients to sign a consent form prior to treatment. This form will ask them to agree to their records being securely kept by you for up to 7 years (for insurance purposes). You need to inform new clients that their e-mail will not be shared with other people.
14) If you have a sound healing mailing list you will have to get consent from new people before they can be included on your mailing list. You need to tell them that you will only send them e-mails that relate to healing.
15) You should invest in a shredder to make sure that any documents containing people’s
personal data are disposed of securely.
16) If you work with children, a child's data belongs to the child, not their parent (there is some info on the ICO site here - https://ico.org.uk/for-the-public/personal-information/) It is the child who needs to consent to the holding of the data which would obviously need to be
appropriately worded for the age of the child. Whether the parents has the right to access that
information or not needs to be guided by the best interest of the child - i.e. the practitioner
needs to be able to make an informed decision on this.