GDPR: Data Protection Policy: Chi-Reflexology
Moss Arnold and Sharon Windle
246 Williamthorpe Road, North Wingfield, Chesterfield, Derbyshire S42 5NR
Moss – 07526830122 or Sharon 07526853660
This policy outlines our compliance with the GDPR and data protection.
1. The data that we process and how it flows into, through and out of our business.
Data comes into my business in 5 ways:
It flows through our business via:
● Our laptops, which never leave the premises and are firewalled and password protected.
● Our smartphones, which are also fingerprint and password protected.
● Our paper file, kept securely in the Chi-Reflexology Home Office, which is protected by secure locks on all access points.
The information is not shared or distributed in any form, other than Attendance Records taken from the Office to the venue and returned, as required.
2. The personal data we hold, where it came from, who I share it with and what I do with it.
Information Asset Register
● We hold personal information about prospective participants, hosts, organisers and organisations that have been received from them.
● This includes name, address, location and contact details.
● No information is shared with anyone outside of Chi-Reflexology (Moss & Sharon).
● We keep all data for business reasons such as advertising and promotion, as well as to inform and educate those interested in Chi-Reflexology, unless requested to unsubscribe.
3. The lawful bases for me to process personal data and special categories of data.
We process the personal data under:
● Legitimate interest: We are required to keep attendance and academic records by the professional organisation and issue certificates of Attendance.
● Special Category Data – Health Related: We process under special category data, therefore the additional condition under which we hold and use this information is for Chi-Reflexology, which is an AoR accredited CPD provider, to fulfil this role, bound under the AoR Confidentiality as defined in their Code of Practice and Ethics.
4. Privacy Notice
We have written a privacy notice for prospective participants, hosts, organisers and organisations, and have ensured that the privacy notice includes all of the information included in the ICO privacy notice checklist at: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-be-informed#table
5. Processes to recognise and respond to individuals’ requests to access their personal data.
Anyone who wishes their personal data to be removed from our systems only has to request this via text, email or in writing. We will remove it and respond to their request at our earliest convenience.
6. Processes to ensure that the personal data we hold remains accurate and up to date.
We will ensure that prospective participants', hosts', organisers' and organisations' information is kept up to date, and will update said information as we are informed of any changes. This will be reviewed periodically.
7. Schedule to dispose of various categories of data, and its secure disposal.
Upon request, all such data will be removed from all locations, including email address books, laptops, mobile phones, etc.
8. Procedures to respond to an individual’s request to restrict the processing of their personal data.
9. Processes to allow individuals to move, copy or transfer their personal data from one IT environment to another in a safe and secure way, without hindrance to usability.
There should be no situation where data held by Chi-Reflexology would need to be copied or transferred, other than between us (laptops and mobiles).
10. Procedures to handle an individual’s objection to the processing of their personal data.
We will inform prospective participants, hosts, organisers and organisations of their right to object “at the point of first communication” and this is clearly explained in our privacy notice.
11. Processing operations that constitute automated decision making.
There are no such processing operations in Chi-Reflexology and therefore we do not currently require procedures in place to deal with this requirement. This right is, however, included in my privacy statement.
12. Data Protection Policy
This document forms the Chi-Reflexology data protection policy and demonstrates compliance with GDPR. As this is a live document, it will be amended as and when any changes to our data processing occur, and as a minimum annually.
13. Effective and structured information risks management
The risks associated with our data, and how those risks are managed, are as follows:
● Theft of electronic devices – all such devices have at least password protection and some have fingerprint protection as well, and these are not shared with anyone, except each other.
● Break-in to home – all our paper files are stored in a locked filing cabinet.
14. Named Data Protection Officer (DPO) and Management Responsibility
Although not required to have a named DPO, as the sole trader Moss Arnold will be the designated Chi-Reflexology DPO and will ensure that Chi-Reflexology remains compliant with GDPR.
15. Security Policy
As detailed in our risk assessment, we have also chosen our electronic equipment based on its industry record as having the most robust inbuilt protection possible, including Firewall, Software and Shareware protection, which will be maintained at the highest possible level.
16. Data Breach Policy
A personal data breach means a breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
If there is a breach of this policy, such as theft, we will notify the ICO of said breach where it is likely to result in a risk to the rights and freedoms of individuals.
Where a breach is likely to result in a high risk to the rights and freedoms of individuals, we will also notify those concerned directly and without undue delay.
In all cases we will maintain records of personal data breaches, whether or not they were notifiable to the ICO.
Date of Next Review: 30th May 2019
Moss Arnold & Sharon Windle
ALL PROSPECTIVE PARTICIPANTS, HOSTS, ORGANISERS AND ORGANISATIONS INFORMATION IS CONFIDENTIAL BETWEEN THE INDIVIDUAL/ORGANISATION AND CHI-REFLEXOLOGY AND NOT SHARED WITH ANYONE ELSE
The Ki of Life