GDPR – Data Protection Policy for Routes to Healing and Private Clients


Our Privacy Policy and GDPR compliance statement.


Your information is important to us and it is never shared by any means.

The information that we hold is only that which is given by yourself to help me help you as a client or where you have asked to be kept informed on events and teachings from Routes to Healing. That data is securely kept.

Client details are not kept on any computerised device. Although you are free to contact me via phone, mobile, text or email and a response will be via the same or however you have requested.

If you do not wish to be contacted by Routes to Healing, please let us know by emailing ‘Unsubscribe’

You may have preferences to being contacted and those can be established at the first point of contact.

You have the right to request to see any information held about yourself and that will be provided as soon as possible and within 30days unless an extension for exceptional circumstances is needed, this can be extended. All possible precautions will be taken to ensure the request has come legitimately and proof of ID may be required.


1.The Data that I process and how it enters and leaves my business.


•Data can come in via clients, potential clients, students and potential students via the Telephone, Mobile Phone, Text Message, Website Email link

•It can flow back to the clients, potential clients, students and potential students via my Smart Phone, Landline phone, Text and Email

•Clients notes are kept securely in the clinic room at home unless they are with me on a home visit to that client.

•Data does not flow out of my business and never shared unless written permission is given by the client. An example of this would be a client requesting information to be shared with another therapist or insurance organisation, solicitor etc.


2.The Personal Data that I hold and what is done with it.


•The only information I hold is that which you give me.

•This will be Name, Address, Contact Details, Age, D.O.B. A Health consultation questionnaire taken on the first appointment

•Subsequent treatments will mean that I will write down what has changed, how you feel and what you want from the appointment each time and what happened during the session.

•This information is to help both you and me see if the treatments are effective for you and to inform on how we need to proceed.

•I keep all data for you but share it with you as I write it up and you are entitled to request to see it at any time.

•I am legally required to keep clients records for 7 years after the last treatment.

•With children under 18, the legal requirement is that I keep the records under the child is 25 or if 17 when treated, then they are to be kept until they are 26.

•I am insured with Balens and registered with CHP Complementary Health Professionals. Balens recommend a longer duration to hold records which I comply with.


3.The lawful bases for me to process personal data and special categories of data.


I process personal date under: Legitimate Interest;


Information is retained in order to give the best possible treatment with informed thought and consideration for what has gone before.


4.Privacy Notice


On a first consultation, clients are asked to specify how they wish to be contacted and are made aware of the privacy policy in place along with their rights to access to data held about themselves and why that information is held.



5.Processes to recognise and respond to individual’s requests to access their personal data.


•A written request is required to access an individual’s personal data. This can either be by email or letter. It may be you need to provide photographic evidence due to the nature of the information that is held.

Any request to access your personal data will receive a prompt response and provided as soon as possible and at most within one month of the request. In exceptional or complex requests, this can be extended by a further 2 months. A record of such requests will be kept.


•No direct request for your data from another therapist, insurance organisation or solicitor etc will be acknowledged unless a letter of authorisation has been received from you the individual stating exactly who data can be shared with and to what extent that data extends to.



6.Process to ensure that the personal data help remains accurate and up to date.


•Information is reviewed periodically and changes made to keep information up to date as changes are brought to my attention or at request during a review.


7.Schedule to dispose of various categories of data and method of disposal.


•Dormant client files are kept secure and reviewed periodically to ensure that data that is no longer required to be kept under GDPR and with regard to Insurers legal recommendation’s, is destroyed by shredding.


8.Procedure to respond to an individual’s request to restrict the processing of their personal data.


•In the unlikely event this should occur as data is only held in order to provide therapeutic treatments. I would respond within one month from the date of request and reassure that no data is shared or processed as requested.


9.Process to allow individuals to move, copy or transfer their personal data from one IT environment to another in a safe and secure way without hindrance to usability.


•I do not hold any treatment information electronically so if a client wished their data to be copied or transferred I would work with them to find the most secure and appropriate way for them. This could be copies of individual treatment records or an email (electronic summary of treatments.

Some clients like to photograph their notes and it is then their responsibility what should happen with that.



10.Procedures to handle an individual’s objection to the processing of their personal data.


•On the first consultation a client is made aware of their right to object which is part of my privacy statement.


11.Processing operations that constitute automated decision making.


•There are no processing operations that constitute automated decision making in my business.


12.Data Protection Policy


•This document forms my data protection policy and shows how I comply with GDPR


     This is a live and current document and will be amended and reviewed as and when changes occur is how I process data and always annually.


13.Effective and Structured Information risks management.


•Theft of locked electronic devices which are secured with a password known only to me

•Break in to the home – clients details stored securely.



14. Named Data Protection Officer and Management Responsibility


I am the DPO and will ensure compliance with the GDPR


15. Security Policy


•Electronic devices are password protected.


16.Data Breach Policy


•A personal data breach means a breach of security leading to the destruction, loss, alteration, unauthorised disclosure of or access to personal data.

•If a breach of personal data has occurred that is likely to result in a risk to the rights and freedoms of individuals, then I only have to notify the ICO

•When a breach is likely to result in a high risk to the rights and freedoms of individuals, I will notify those concerned promptly and without undue delay.

•In all cases records of personal data breaches recorded details of such will be kept.


This policy was created on May 22 2018 and will be reviewed yearly or as required.

Next review no later than May 21 2021