CRANIOSACRAL THERAPY EDUCATIONAL TRUST
UK non-profit limited company no. 4444311
CTET aims to ensure that all personal data collected about staff, clients, students, course tutors, course assistants and other individuals is collected, stored and processed in accordance with the General Data Protection Regulation (GDPR) and the expected provisions of the Data Protection Act 2018 (DPA 2018) as set out in the Data Protection Bill. This policy applies to all personal data, regardless of whether it is in paper or electronic format.
This policy meets the requirements of the GDPR and the expected provisions of the DPA 2018. It is based on guidance published by the Information Commissioner’s Office (ICO) on the GDPR and the ICO’s code of practice for subject access requests.
This policy applies to all individuals working on behalf of CTET, including course tutors and assistants.
Those working on behalf of CTET are responsible for:
The GDPR is based on data protection principles that CTET must comply with.
The principles say that personal data must be:
This policy sets out how CTET aims to comply with these principles.
5.1 Lawfulness, fairness and transparency
We will only process personal data where we have one of 6 ‘lawful bases’ (legal reasons) to do so under data protection law:
5.2 Limitation, minimisation and accuracy
We will only collect personal data for specified, explicit and legitimate reasons. We will explain these reasons to the individuals when we first collect their data.
If we want to use personal data for reasons other than those given when we first obtained it, we will inform the individuals concerned before we do so, and seek consent where necessary.
All individuals working on behalf CTET will only process personal data where it is necessary in order to do their jobs.
When individuals working on behalf CTET no longer need the personal data they hold, they must ensure it is deleted or anonymised. This will be done in accordance with CTET’s record retention schedule.
We will not normally share personal data with anyone else, but may need to do so in very limited circumstances, for instance where:
We will also share personal data with law enforcement and government bodies where we are legally required to do so, including for:
We may also share personal data with emergency services and local authorities to help them to respond to an emergency situation that affects any of our clients or staff.
To avoid unintentionally sharing personal data, group emails sent to clients/course participants should be sent BCC, unless all participants have given prior agreement to share their contact details with others in a class or seminar group.
6.1 Subject access requests and other rights of individuals
Individuals have a right to make a ‘subject access request’ to gain access to personal information that CTET holds about them. This includes:
Subject access requests must be submitted in writing, either by letter or email to the CTET Administrator. They should include:
6.2 Responding to subject access requests
When responding to requests we:
We will not disclose information if it:
If the request is unfounded or excessive, we may refuse to act on it, or charge a reasonable fee which takes into account administrative costs.
A request will be deemed to be unfounded or excessive if it is repetitive, or asks for further copies of the same information.
When we refuse a request, we will tell the individual why, and tell them that they have the right to complain to the ICO.
6.3 Other data protection rights of the individual
In addition to the right to make a subject access request (see above), and to receive information when we are collecting data about how we use and process it (see section 5), individuals also have the right to:
Individuals should submit any request to exercise these rights to the CTET Administrator.
As part of our activities, we may take photographs and record images of individuals within CTET.
However, we will obtain consent from students, course tutors, assistants and staff for photographs and videos to be taken of them for communication, marketing and promotional materials. We will clearly explain how the photograph and/or video may be used.
Uses may include:
We will put measures in place to show that we have integrated data protection into all of our data processing activities, including:
We will protect personal data and keep it safe from unauthorised or unlawful access, alteration, processing or disclosure, and against accidental or unlawful loss, destruction or damage. Anyone submitting personal data for CTET training courses should be confident that their data is kept securely, is not kept for a needlessly long period of time and is disposed of safely. This is summarised on CTET course application forms. In particular:
Personal data that is no longer needed will be disposed of securely. Personal data that has become inaccurate or out of date will also be disposed of securely, where we cannot or do not need to rectify or update it.
For example, we will shred or incinerate paper-based records, and overwrite or delete electronic files. We may also use a third party to safely dispose of records on CTET’s behalf. If we do so, we will require the third party to provide sufficient guarantees that it complies with data protection law.
CTET will make all reasonable endeavours to ensure that there are no personal data breaches.
In the unlikely event of a suspected data breach, we will follow the procedure set out in appendix 1.
When appropriate, we will report the data breach to the ICO within 72 hours. Such breaches may include, but are not limited to:
Key individuals working on behalf of CTET will be provided with data protection support and required to read our data protection policy.
Data protection will also form part of continuing professional development, where changes to legislation, guidance or CTET’s processes make it necessary.
The Trust’s Management Committee is responsible for monitoring and reviewing this policy.
This policy will be reviewed and updated if necessary when the Data Protection Bill receives royal assent and becomes law (as the Data Protection Act 2018) – if any changes are made to the bill that affect our practice. Otherwise, or from then on, this policy will be reviewed every two years.
We will require you to provide some personal data so we can process your application for our courses.
We will process your personal data to:
We have informed all those on our mailing list that we currently hold their email addresses and that they can unsubscribe from our mailing list at any time. All newsletters include an ‘Unsubscribe’ button.
CTET Administrator 78 York Street, London W1H 1DP, UKTel: 020-7101 3915 Email: firstname.lastname@example.org
Craniosacral Therapy Educational Trust is a non-profit limited company (number 4444311) registered in the UK
Craniosacral Therapy Educational Trust78 York StreetLondon W1H 1DPUnited Kingdom
The Craniosacral Therapy Educational Trust has been providing practitioner trainings, introductory and advanced courses in Craniosacral Therapy since 1989. All www.cranio.co.uk content is copyright © Craniosacral Therapy Educational Trust 2023
Please enter your name and email address below and we’ll be happy to keep you informed about future courses and events
Warm WishesMichael Kern