Privacy Policy

Privacy Policy for Pathways Reflexology website

Current from March 2024; Renewable from March 2025

Policy Purpose

Pathways Reflexology creates and maintains accurate records in order for it to function.

The policy for managing records at Pathways has been drawn up in conformity with current legislation and regulations, as far as these have been understood to apply.

Policy Content

1. How personal data that is processed flows into, through and out of Pathways Reflexology

Data comes into and through Pathways:

  1. Via this website
  2. Via email, phone or text messages from clients and potential clients and from students and potential students

The only information that flows out of Pathways is:

  • Personal details of students on an accredited training course: to register with the Awarding Body. This is done electronically.
  • Submitted assignments of students on an accredited training course: to the Awarding Body and Moderators for Sampling purposes, on request. Students’ work is identified by the Awarding Body ID and is sent electronically.
  • Students’ contact details: to Association of Reflexologists (AoR), for AoR Gateway Schools training; and for AoR Approved CPD training events run by Pathways, where AoR will keep this information for 6 months and only contact the student in regard to feedback. This is part of the criteria for AoR CPD training approval.
  • Students’ contact details: to Essential Training Solutions (ETS) for registering students on an Anatomy, Physiology & Pathology online training when this is included within their training for the Level 3 Diploma in Reflexology.

2. The data that is held: where it comes from, what is done with it and who it is shared with

Information Asset Register

A) Clients’ personal information

  • In order to provide professional reflexology treatments: clients’ personal information that they have provided.
  • This includes: name, address, contact details, and date of birth; health and wellbeing information collected at a first consultation; information about each treatment that a client receives.
  • These details are NOT shared with anyone else (other than as required for legal process) without explaining why it is necessary and obtaining the client’s explicit consent.

B) Students’ personal information

  • In order to provide professional learning opportunities and follow up support to students: their name, address, contact details, and date of birth; health-related information that may affect their ability to study or complete a training course.
  • This is provided by them when they apply to join a training course or at a pre-course interview.
  • The following is also held: case studies; copies of certificates issued and records of learning progress as a student.
  • During and on completion of a training course that offers a qualification (such as the Reflexology Diploma Training course), certain information needs to be shared with:
      • appointed course tutors
      • an internal verifier/ moderator/ quality assurer
      • an external verifier/ moderator/ quality assurer (appointed by the Awarding Body)
      • the Awarding Body.

The reasons for sharing this information are:

  • for quality verification/ moderation/ quality assurance purposes
  • in the circumstance that a complaint is raised
  • for legal process
  • on a student’s request, to confirm that they have completed a course satisfactorily.
  • These details are NOT shared with anyone else (other than, as required, with those listed above) without explaining why it is necessary and obtaining the student’s explicit consent.

C) Staff Records

  • In order to provide professional learning opportunities and follow up support to students: name, address, contact details and relevant qualification details of members of staff who provide specialised training at Pathways.
  • Pathways maintains records of qualifications, experience, right to work in the UK and all other required statutory documentation, collected from them when they apply to provide a specialised area of a training course or an advanced training module.
  • During the running of a training course that offers a qualification (such as the Reflexology Diploma Training course), certain information needs to be shared with Awarding Body personnel as listed above.
  • In the case of any of the students being under the age of 18, a DBS check would be requested of a staff member and a record of this would be stored securely with staff records.
  • These details are NOT shared with anyone else (other than, as required, with those listed above) without explaining why it is necessary and obtaining the staff member’s explicit consent.

D) How Long this Information is retained

These details are kept for the following periods:

  1. If a client attends for treatments: for the period of 8 years from their last appointment, in accordance with the requirements of CNHC registration.
  2. In the case of a child, records need to be kept until the child is 25 (or 26, if they were 17 when treated).
  3. If a student submits case studies as part of a training course, these will include health-related information. This information will be held until Pathways ceases to offer training courses, for insurance purposes.
  4. Staff records are held after employment has finished so that references can be written.

3. The lawful basis for processing personal data and for special categories of data

Lawful Basis for holding and using Information:

To abide by the Codes of Practice and Ethics and policies of the following organisations:

  • Association of Reflexologists (AoR), Professional Reflexology (PR), the Complementary and Natural Healthcare Council (CNHC), the Skills and Education Group (SEG) Awards.

The lawful basis under which this information is held and used is:

  • Pathways’ legitimate interest, and the requirement to retain the information in order to provide the best possible treatment for clients and the most appropriate training, follow-up support and advice for students.

The Additional Condition under which ‘special category data’ (health-related information) may be held and used is:

  • To fulfil the responsibilities of Health Care practice and Reflexology training, bound under the Confidentiality codes as defined in the Codes of Practice and Ethics and policies of those above-mentioned organisations

4. Privacy Notice

Individuals need to know that their data is collected, why it is processed and who it is shared with.

This information is included in Pathways’ privacy notice, which is presented at the first consultation with a client and when a student applies to join a training course or at a pre-course interview. The individual is asked to read and sign that they have read and understood the information. They are offered their own copy to keep.

A privacy notice is provided to Pathways’ clients and students, and to Case Study clients of students in training.

These privacy notices include all of the information included in the ICO privacy notice checklist at: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-be-informed#table

5. Processes to recognise and respond to individuals’ requests to access their personal data

Individuals will need to submit a written request to access their personal data – either by email or by letter.

  • Requested information will be provided without delay and at the latest within one calendar month of receipt.
  • This period can be extended by a further two months for complex or numerous requests (in which case the individual will be informed, and an explanation given).

The individual will be identified using reasonable means, which, because of the special category under which data is processed, will be photographic ID.

A record will be kept of any requests to access personal data.

6. Processes to ensure that the personal data held remains accurate and up to date

Client/student information is kept up to date during treatments and courses, and this information will be updated as any changes are provided. This will be reviewed periodically.

7. Schedule to dispose of various categories of data, and its secure disposal

Individuals’ information will be reviewed periodically and ‘dormant’ client/ student details placed in separate files. These will be assessed periodically to ensure that data that is no longer required to be kept under GDPR is destroyed by shredding.

8. Procedures to respond to an individual’s request to restrict the processing of their personal data

Data is held by Pathways in order to provide treatments and training. If a request to restrict the processing of an individual’s personal data is received, a response will be given as quickly as possible, and within one calendar month, explaining clearly what is currently being done with the data and what it is possible to do within the restrictions that govern how that data is held or processed.

9. Processes to allow individuals to move, copy or transfer their personal data from one IT environment to another in a safe and secure way, without hindrance to usability

Should clients/students wish their data to be copied or transferred, Pathways would work with them to ensure that this is done in a way that is most appropriate for them – for example this could be an electronic summary of treatments received and progress made, or a summary of assignments completed and marked. Clients’ treatment information is not held electronically.

10. Procedures to handle an individual’s objection to the processing of their personal data

Clients/students are informed of their right to object “at the point of first communication” and this is clearly laid out in the privacy notice provided.

11. Processing operations that constitute automated decision making

Pathways does not use any processing operations that constitute automated decision making, and therefore does not currently require procedures in place to deal with the requirements.

This right is, however, included in its privacy statement.

12. Data Protection Policy

This document forms Pathways’ data protection policy and shows how it complies with GDPR.

This is a live document and will be amended as and when any changes to Pathways’ data processing take place. At the very least it will be reviewed annually.

Pathways believes it has carried out an appropriate amount of research around the implications of GDPR, including taking heed of the advice and guidance provided by relevant professional member organisations:

AoR (Association of Reflexologists) and PR (Professional Reflexology) and the voluntary regulator CNHC, and by the Skills and Education Group (SEG) Awards, for the practice and training of Reflexology.

13. Effective and structured information risks management

The risks associated with data held by Pathways, and how those risks are managed, are as follows:

  • Theft of electronic devices – there are password locks on all electronic devices. These are changed regularly and are NOT shared with anyone.
  • Break-in to physical premises – all paper files are stored in a filing cabinet in a locked property.

14. Security Policy

Electronic equipment and processes are chosen based on industry record of robust inbuilt protection.

16. Data Breach Policy

A personal data breach means a breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.

Any such breach must be notified to the ICO where it is likely to result in a risk to the rights and freedoms of individuals.

Where a breach is likely to result in a high risk to the rights and freedoms of individuals, those concerned would be notified directly and without undue delay.

In all cases, records of personal data breaches will be maintained, whether or not they were notifiable to the ICO.

This Policy:

created 4th May 2018

updated and current from March 2024

Renewable from March 2025

Angela M Sellens Drake info@pathwaysreflexology.co.uk