CTET Data Protection Policy

1. Aims

CTET aims to ensure that all personal data collected about staff, clients, students, course tutors, course assistants and other individuals is collected, stored and processed in accordance with the General Data Protection Regulation (GDPR) and the expected provisions of the Data Protection Act 2018 (DPA 2018) as set out in the Data Protection Bill. This policy applies to all personal data, regardless of whether it is in paper or electronic format.

2. Legislation and guidance

This policy meets the requirements of the GDPR and the expected provisions of the DPA 2018. It is based on guidance published by the Information Commissioner’s Office (ICO) on the GDPR and the ICO’s code of practice for subject access requests.

3. Roles and responsibilities

This policy applies to all individuals working on behalf of CTET, including course tutors and assistants.

Those working on behalf of CTET are responsible for:

• Collecting, storing and processing any personal data in accordance with this policy.
• Informing CTET of any changes to their personal data, such as a change of address.
• Contacting the CTET management and administrator in the following circumstances:
  • With any questions about the operation of this policy, data protection law, retaining personal data or keeping personal data secure.
  • If they have any concerns that this policy is not being followed.
  • If they are unsure whether or not they have a lawful basis to use personal data in a particular way.
  • If they need to rely on or capture consent, draft a privacy notice, deal with data protection rights invoked by an individual, or transfer personal data outside the European Economic Area.
  • If there has been a data breach.
  • Whenever they are engaging in a new activity that may affect the privacy rights of individuals.

4. Data protection principles

The GDPR is based on data protection principles that CTET must comply with.

The principles say that personal data must be:

• Processed lawfully, fairly and in a transparent manner.
• Collected for specified, explicit and legitimate purposes.
• Adequate, relevant and limited to what is necessary to fulfill the purposes for which it is processed.
• Accurate and, where necessary, kept up to date.
• Kept for no longer than is necessary for the purposes for which it is processed.
• Processed in a way that ensures it is appropriately secure.

This policy sets out how CTET aims to comply with these principles.

5. Collecting personal data

5.1 Lawfulness, fairness and transparency

We will only process personal data where we have one of 6 ‘lawful bases’ (legal reasons) to do so under data protection law:

• The data needs to be processed so that CTET can fulfill a contract with the individual, or the individual has asked CTET to take specific steps before entering into a contract (for example to accept an individual onto a seminar or training).
• The data needs to be processed so that CTET can comply with a legal obligation.
• The data needs to be processed to ensure the vital interests of the individual e.g. to protect someone’s life.
• The data needs to be processed so that CTET, as a public authority, can perform a task in the public interest, and carry out its official functions.
• The data needs to be processed for the legitimate interests of CTET or a third party (provided the individual’s rights and freedoms are not overridden).
• The individual has freely given clear consent.

5.2 Limitation, minimisation and accuracy

We will only collect personal data for specified, explicit and legitimate reasons. We will explain these reasons to the individuals when we first collect their data.

If we want to use personal data for reasons other than those given when we first obtained it, we will inform the individuals concerned before we do so, and seek consent where necessary.

All individuals working on behalf CTET will only process personal data where it is necessary in order to do their jobs.

When individuals working on behalf CTET no longer need the personal data they hold, they must ensure it is deleted or anonymised. This will be done in accordance with CTET’s record retention schedule.

6. Sharing personal data

We will not normally share personal data with anyone else, but may need to do so in very limited circumstances, for instance where:

• There is an issue with a client that puts the safety of our staff at risk.
• We need to liaise with other agencies – we will seek consent as necessary before doing this.

We will also share personal data with law enforcement and government bodies where we are legally required to do so, including for:

• The prevention or detection of crime and/or fraud.
• The apprehension or prosecution of offenders.
• The assessment or collection of tax owed to HMRC.
• In connection with legal proceedings.
• Where the disclosure is required to satisfy our safeguarding obligations.
• Research and statistical purposes, as long as personal data is sufficiently anonymised or consent has been provided.

We may also share personal data with emergency services and local authorities to help them to respond to an emergency situation that affects any of our clients or staff.

To avoid unintentionally sharing personal data, group emails sent to clients/course participants should be sent BCC, unless all participants have given prior agreement to share their contact details with others in a class or seminar group.

6.1 Subject access requests and other rights of individuals

Individuals have a right to make a ‘subject access request’ to gain access to personal information that CTET holds about them. This includes:

• Confirmation that their personal data is being processed.
• Access to a copy of the data.
• The purposes of the data processing.
• The categories of personal data concerned.
• Who the data has been, or will be, shared with.
• How long the data will be stored for, or if this isn’t possible, the criteria used to determine this period.
• The source of the data, if not the individual.
• Whether any automated decision-making is being applied to their data, and what the significance and consequences of this might be for the individual.

Subject access requests must be submitted in writing, either by letter or email to the CTET Administrator. They should include:

• Name of individual.
• Correspondence address.
• Contact phone number and email address.
• Details of the information requested.

6.2 Responding to subject access requests

When responding to requests we:

• May ask the individual to provide two forms of identification.
• May contact the individual via phone to confirm that the request was made.
• Will respond as soon as possible and within onr month of receipt of the request.
• Will provide the information free of charge.
• May tell the individual that we will comply within three months of receipt of the request, where a request is complex or numerous. We will inform the individual of this within one month, and explain why the extension is necessary.

We will not disclose information if it:

• Might cause harm to the physical or mental health of the client or another individual.

If the request is unfounded or excessive, we may refuse to act on it, or charge a reasonable fee which takes into account administrative costs.

A request will be deemed to be unfounded or excessive if it is repetitive, or asks for further copies of the same information.

When we refuse a request, we will tell the individual why, and tell them that they have the right to complain to the ICO.

6.3 Other data protection rights of the individual

In addition to the right to make a subject access request (see above), and to receive information when we are collecting data about how we use and process it (see section 5), individuals also have the right to:

• Withdraw their consent to processing at any time.
• Ask us to rectify, erase or restrict processing of their personal data, or object to the processing of it (in certain circumstances).
• Prevent use of their personal data for direct marketing.
• Challenge processing which has been justified on the basis of public interest.
• Request a copy of agreements under which their personal data is transferred outside of the European Economic Area.
• Prevent processing that is likely to cause damage or distress.
• Be notified of a data breach in certain circumstances.
• Make a complaint to the ICO.
• Ask for their personal data to be transferred to a third party in a structured, commonly used and machine-readable format (in certain circumstances). An administrative charge may be made for this.

Individuals should submit any request to exercise these rights to the CTET Administrator.

7. Photographs and videos

As part of our activities, we may take photographs and record images of individuals within CTET.

However, we will obtain consent from students, course tutors, assistants and staff for photographs and videos to be taken of them for communication, marketing and promotional materials. We will clearly explain how the photograph and/or video may be used.

Uses may include:

• Within CTET in brochures, newsletters, etc.
• Outside of the CTET by external agencies such as a photographer, newspapers or campaigns.
• Online on the CTET website or social media pages.

8. Data protection by design and default

We will put measures in place to show that we have integrated data protection into all of our data processing activities, including:

• Designating an individual who works on behalf of CTET being responsible for Data Protection and ensuring they have the necessary resources to fulfil their duties and maintaining their specialist knowledge.
• Only processing personal data that is necessary for each specific purpose of processing, and always in line with the data protection principles set out in relevant data protection law (see section 6).
• Integrating data protection into internal documents including this policy, any related policies and privacy notices.
• Providing training and support to individuals working on behalf of CTET on data protection law, this policy, any related policies and any other data protection matters.
• Conducting an annual review of our privacy notice and privacy measures to ensure that we are compliant.
• Maintaining records of our processing activities, including:
  • For the benefit of data subjects, making available the name and contact details of CTET and our Administrator and all information we are required to share about how we use and process their personal data (via our privacy notices).
  • For all personal data that we hold, undertaking an annual data audit, to review and record the type of data, data subject, how and why we are using the data, how and why we are storing the data, retention periods and how we are keeping the data secure.

9. Data security and storage of records

We will protect personal data and keep it safe from unauthorised or unlawful access, alteration, processing or disclosure, and against accidental or unlawful loss, destruction or damage. Anyone submitting personal data for CTET training courses should be confident that their data is kept securely, is not kept for a needlessly long period of time and is disposed of safely. This is summarised on CTET course application forms. In particular:

• Paper-based records and portable electronic devices, such as laptops and hard drives that contain personal data are kept under lock and key when not in use.
• Papers containing confidential personal data must not be left on office desks, pinned to notice/display boards, or left anywhere else where there is general access.
• Passwords that are at least 8 characters long are used to access computers, laptops and other electronic devices used by those working on behalf of CTET.
• CTET administrators, tutors and students who store personal information on their personal devices are requested to follow the same security procedures as above.

10. Disposal of records

Personal data that is no longer needed will be disposed of securely. Personal data that has become inaccurate or out of date will also be disposed of securely, where we cannot or do not need to rectify or update it.

For example, we will shred or incinerate paper-based records, and overwrite or delete electronic files. We may also use a third party to safely dispose of records on CTET’s behalf. If we do so, we will require the third party to provide sufficient guarantees that it complies with data protection law.

11. Personal data breaches

CTET will make all reasonable endeavours to ensure that there are no personal data breaches.

In the unlikely event of a suspected data breach, we will follow the procedure set out in appendix 1.

When appropriate, we will report the data breach to the ICO within 72 hours. Such breaches may include, but are not limited to:

• Safeguarding information falling into the hands of an unauthorised person.
• The theft of a CTET laptop containing non-encrypted personal data about students or staff.

12. Training

Key individuals working on behalf of CTET will be provided with data protection support and required to read our data protection policy.

Data protection will also form part of continuing professional development, where changes to legislation, guidance or CTET’s processes make it necessary.

13. Monitoring arrangements

The Trust’s Management Committee is responsible for monitoring and reviewing this policy.

This policy will be reviewed and updated if necessary when the Data Protection Bill receives royal assent and becomes law (as the Data Protection Act 2018) – if any changes are made to the bill that affect our practice. Otherwise, or from then on, this policy will be reviewed every two years.

Appendix 1: Information for students, clients and course participants

The types of personal data that CTET collects and uses:

• Full name and contact details (e.g. home address, email address, home and mobile telephone numbers).
• Employment, family, educational qualifications and relevant career history for applications to Living Anatomy, Craniosacral Therapy Practitioner Training and Continuing Professional Development courses.
• Family and health information (for Craniosacral Therapy Practitioner Training applications and low-cost clinic clients only).
• Records of courses, seminars or conferences that you have enquired about or attended.

Providing your personal data

We will require you to provide some personal data so we can process your application for our courses.

Using your personal data

We will process your personal data to:

• Confirm your place on one of our seminars, trainings or events.
• Update our records.
• Send you communications in relation to a CTET course, event, clinic or conference.
• Occasionally provide information on other courses or events.

Marketing and communications

We have informed all those on our mailing list that we currently hold their email addresses and that they can unsubscribe from our mailing list at any time. All newsletters include an ‘Unsubscribe’ button.

Explanatory note

All information that you provide is held under the terms of the Data Protection Act 1998 and the General Data Protection Regulation, and is processed in accordance with CTET’s Privacy Policy. We also reserve the right to update this policy as required in the future. You can change your contact preferences at any time by contacting the administrator as detailed below:

CTET Administrator
78 York Street, London W1H 1DP, UK
Tel: 020-7101 3915
Email: info@cranio.co.uk

Craniosacral Therapy Educational Trust is a non-profit limited company (number 4444311) registered in the UK