GDPR: Data Protection Policy: Pathways Reflexology/ Pathways School of Reflexology
Document Created: 4th May 2018
Date of Last Review: 28th May 2020
Date of Next Review: 28th May 2021
Person responsible for implementation and monitoring:
Angela Sellens Drake
247 College Road, Norwich NR2 3JD
This policy outlines my data protection policy, and thus how I comply with the GDPR.
I have registered with the ICO and I ensure that I adhere to the Regulations.
- How the personal data that I process flows into, through and out of my business
Data comes into my business in 4 ways:
- Via email messages to me from potential clients (PC) and clients (C) and from potential students (PS) and students (S) who have my email address
- Via phone or text messages
- Via my website
- Via Facebook Messenger
It flows through my business via:
- My laptop – which occasionally leaves my home clinic/ school.
- My smart phone – which is with me wherever I go.
- My tablet – by virtue of being synced to my other devices and which occasionally leaves my home clinic/ school.
- My paper file – All client records, staff and student records and data other than email addresses are held on paper and remain at my home from where I operate my clinic and training school. If I attend a home treatment or visit or charity event, a limited data file (for that session only) is taken with me.
The only information that flows out of my business is:
- The names and dates of birth of students on an accredited training course: to register with the Awarding Body. This is done electronically.
- Casework and other assignment work of students on an accredited training course: to the external moderator (appointed by the Awarding Body) and to the Awarding Body for Sampling purposes, on request. Students’ work is identified by the Awarding Body ID and is sent electronically or by registered post.
- Students’ contact details: Association of Reflexologists (AoR), for AoR CPD training events run by Pathways: AoR will keep this information for 6 months and will only contact the student in regard to feedback. This is part of the criteria for AoR CPD training approval.
- Students’ contact details: Essential Training Solutions (ETS) for registering students on an Anatomy, Physiology & Pathology online training chosen as fulfilling that Unit of the Level 3 Diploma in Reflexology.
- The data I hold, where it came from, who I share it with and what I do with it.
Information Asset Register
- A) Clients’ personal information
- In order to provide professional reflexology treatments I hold personal information about my clients that they have provided me with.
- This includes name, address, contact details, and date of birth. I also hold health and wellbeing information about them which I collect from them at their first consultation. I hold information about each treatment that a client receives from me.
- I do NOT share this information with anyone else (other than within my own practice, or as required for legal process) without explaining why it is necessary and obtaining the client’s explicit consent.
- B) Students’ personal information
- In order to provide professional learning opportunities and follow up support to students, I hold their name, address, contact details, and date of birth. I also hold health-related information that may affect their ability to study or complete a training course. I collect this from them when they apply to join a training course or at a pre-course interview.
COVID-19 UPDATE 2020 for A & B above: Name and contact details of those I have been in contact with are required to be kept for 21 days and may need to be shared if requested as part of ‘Test and Trace’ procedures.
- I also need to ask for and keep the following information: case studies; copies of certificates issued and records of learning progress as a student.
- On completion of an AoR approved CPD course run by Pathways, I need to share students’ contact details with AoR. AoR will keep this information for 6 months and will only contact students in regard to feedback. This is part of the criteria for AoR CPD training approval.
- As part of the Level 3 Diploma in Reflexology, I need to share students’ contact details with ETS to register them on an Anatomy, Physiology & Pathology online training chosen as fulfilling that Unit of the Level 3 Diploma in Reflexology.
- During and on completion of a training course that offers a qualification (such as the Reflexology Diploma Training course), certain information needs to be shared with:
- appointed course tutors.
- an internal verifier.
- an external verifier (normally someone appointed by the Awarding Body).
- the Awarding Body.
The reasons for sharing this information are:
- for quality verification purposes.
- in the circumstance that a complaint is raised.
- for legal process.
- on your request, to confirm that you have completed a course satisfactorily.
- I do NOT share this information with anyone else (other than, as required, with those listed above) without explaining why it is necessary, and obtaining the student’s explicit consent.
- C) Staff Records
- In order to provide professional learning opportunities and follow up support to students, I hold the name, address, contact details and relevant qualification details of members of staff who provide specialised training at Pathways. Pathways maintains records of qualifications, experience, right to work in the UK and all other required statutory documentation. I collect this information from them when they apply to provide a specialised area of a training course or an advanced training module.
- During the running of a training course that offers a qualification (such as the Reflexology Diploma Training course), certain information needs to be shared with Awarding Body personnel as listed above.
- In the case of any of the students being under the age of 18, a DBS check would be requested of a staff member and a record of this would be stored securely with staff records.
- I do NOT share this information with anyone else (other than, as required, with those listed above) without explaining why it is necessary, and obtaining the staff member’s explicit consent.
- D) How Long I Retain this Information for
I will keep this information for the following periods:
- If a client attends for treatments, I will keep their information for the period of 8 years from their last appointment, in accordance with the requirements of CNHC of which I am a registrant.
- In the case of a child, records need to be kept until the child is 25 (or 26, if they were 17 when treated).
- If a student submits case studies as part of a training course, these will include health-related information. In this instance I will need to hold this information until I cease to offer training courses, as it may be required in the event of an insurance claim made in relation to their training.
- Staff records are held after employment has finished so that references can be written.
- The lawful bases for me to process personal data and special categories of data.
Lawful Basis for holding and using Information
As a Fellow member of the Association of Reflexologists (AoR), as a member of Professional Reflexology (PR), as a registrant of the Complementary and Natural Healthcare Council (CNHC), and also as a recognised centre for Skills and Education Group Awards (SEG group/ABC Awards), I abide by the Codes of Practice and Ethics and policies of those organisations.
- The lawful basis under which I hold and use information is my legitimate interest, and the requirement to retain the information in order to provide the best possible treatment for clients and the most appropriate training, follow-up support and advice for students.
- As I hold ‘special category data’ (health-related information), the Additional Condition under which I hold and use this is to fulfil my health care practitioner role and my role as a Reflexology trainer, bound under the Confidentiality codes as defined in the Codes of Practice and Ethics and policies of those above-mentioned organisations.
- Privacy Notice
Individuals need to know that their data is collected, why it is processed and who it is shared with.
This information is included in my privacy notice, which is presented at the first consultation with a client and when a student applies to join a training course or at a pre-course interview. The individual is asked to read and sign that they have read and understood the information. They are offered their own copy to keep.
I have written a privacy notice for my clients and students. This is available to read via my website at: www.pathwaysreflexology.co.uk
I have also written privacy notices for students to provide to casework clients that they provide treatments for, during their training. These are provided to students to use during their training.
I have ensured that these privacy notices include all of the information included in the ICO privacy notice checklist at: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-be-informed#table
- Processes to recognise and respond to individuals’ requests to access their personal data.
All individuals will need to submit a written request to access their personal data – either by email or by letter. I will provide that information without delay and at least within one calendar month of receipt. I can extend this period by a further two months for complex or numerous requests (in which case the individual will be informed and given an explanation).
I will identify the client or student using reasonable means, which, because of the special category under which I process data, will be photographic ID.
I will keep a record of any requests to access personal data.
- Processes to ensure that the personal data I hold remains accurate and up to date.
I will ensure that client/ student information is kept up to date during treatments/ courses, and will update this information as I am informed of any changes. This will be reviewed periodically.
- Schedule to dispose of various categories of data, and its secure disposal.
Periodically I will review client/ student information and will place ‘dormant’ clients/ students in separate files. These will be assessed periodically to ensure that data that is no longer required to be kept under GDPR is destroyed by shredding.
- Procedures to respond to an individual’s request to restrict the processing of their personal data.
I hold data in order to provide treatments and training. If I should receive a request to restrict the processing of an individual’s personal data, I will respond as quickly as possible, and within one calendar month, explaining clearly what I currently do with the data and what I am able to do within the restrictions that govern how I hold or process that data.
- Processes to allow individuals to move, copy or transfer their personal data from one IT environment to another in a safe and secure way, without hindrance to usability.
Should clients/students wish their data to be copied or transferred I would work with them to ensure that this is done in a way that is most appropriate for them – for example this could be an electronic summary of treatments received and progress made, or a summary of assignments completed and marked. I do not hold clients’ treatment information electronically.
- Procedures to handle an individual’s objection to the processing of their personal data.
I will inform my clients/students of their right to object “at the point of first communication” and have clearly laid this out in my privacy notice.
- Processing operations that constitute automated decision making.
I do not have any processing operations that constitute automated decision making and therefore, do not currently require procedures in place to deal with the requirements.
This right is, however, included in my privacy statement.
- Data Protection Policy
This document forms my data protection policy and shows how I comply with GDPR.
This is a live document and will be amended as and when any changes to my data processing take place; at the very least it will be reviewed annually.
I believe that I have done an appropriate amount of research around the implications of the new GDPR, including taking heed of the advice and guidance provided by my professional membership organisations: AoR and PR (Professional Reflexology) and CNHC, and by the Skills and Education Group Awards (SEG group/ABC Awards), for my work as a practitioner and tutor of Reflexology.
- Effective and structured information risks management
The risks associated with my data, and how those risks are managed, are as follows:
- Theft of electronic devices – there are password locks on all electronic devices which are changed regularly and are not shared with anyone.
- Break in to home/school – all my paper files are stored in a filing cabinet in a locked house.
- Named Data Protection Officer (DPO) and Management Responsibility
As a sole trader I understand there is not a need for a DPO. However, as Data Controller I will ensure that I remain compliant with GDPR.
- Security Policy
I have chosen my electronic equipment based on its industry record as having very robust inbuilt protection.
- Data Breach Policy
A personal data breach means a breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
I understand that I must notify the ICO of a breach where it is likely to result in a risk to the rights and freedoms of individuals.
Where a breach is likely to result in a high risk to the rights and freedoms of individuals, I will notify those concerned directly and without undue delay.
In all cases, I will maintain records of personal data breaches, whether or not they were notifiable to the ICO.
Data Protection Policy created: 4th May 2018
Reviewed: 28th May 2020
This is a live document and will be updated as and when changes occur.
Date of Next Review: 28th May 2021
Angela Sellens Drake
ALL CLIENT & STUDENT INFORMATION IS CONFIDENTIAL BETWEEN THE CLIENT or STUDENT AND PATHWAYS REFLEXOLOGY AND NOT SHARED WITH ANYONE ELSE
(except in the circumstances detailed above)