Privacy Notice

This privacy notice explains how we use any personal information we collect about you. We collect information about you when you engage us for therapy, training, assessment, workshops, and/or advice. This information will relate to your personal circumstances. It may also include special categories of personal data such as data about your health, if this is necessary for the provision of our services.

The categories include:

• Racial
• Ethnic origin
• Political Opinions
• Religious Beliefs
• Genetic Data
• Biometric Data
• Health Data
• Data concerning a natural person’s sex life (where relevant)
• Sexual Orientation

We may also collect information when you voluntarily complete client surveys or provide feedback to us.

The primary legal basis that we intend to use for the processing of your data is for the performance of our contract with you. The information that we collect about you is essential for us to be able to carry out the services that you require from us effectively. Without collecting your personal data we would also be unable to fulfil our legal and regulatory obligations.

Where special category data is required we will obtain your explicit consent in order to collect and process this information.

We collect information about you in order to provide you with the services for which you engage us.

If you agree, we may email you about other products or services that we think may be of interest to you.

We will not share your information for marketing purposes with other companies.

Where third parties are involved in processing your data we will ensure that the nature and purpose of the processing is clear, that they are subject to a duty of confidence in processing your data and that they will only act in accordance with our written instructions.

Where it’s necessary for your personal data to be forwarded to a third party we will use appropriate security measures to protect your personal data in transit, such as password protection and/or encryption of data. The third party in this respect is only likely to be a local authority representative, and the data will be transmitted securely.

In principle, your personal data should not be held for longer than is required under the terms of our contract for services with you. However, we are subject to regulatory requirements to retain data for specified minimum periods. We also reserve the right to retain data for longer than this due to the possibility that it may be required to defend a future claim against us. In any case, we will not retain your personal data for longer than 6 years past the time of your death.

You have the right to request deletion of your personal data. We will comply with this request, subject to the restrictions of our regulatory obligations and legitimate interests as noted above.

You have the right to request a copy of the information that we hold about you. If you would like a copy of some or all of your personal information please email or write to us. When your personal data is processed by automated means you have the right to ask us to move your personal data to another organisation for their use.

We have an obligation to ensure that your personal information is accurate and up to date. Please ask us to correct or remove any information that you think is incorrect.

Marketing
We would like to send you information about our products and services which may be of interest to you. If you have agreed to receive marketing information, you may opt out at a later date.

You have a right at any time to stop us from contacting you for marketing purposes. If you no longer wish to be contacted for marketing purposes, please contact us by email or post.

Other websites
Our website may contain links to other websites. This privacy policy only applies to this website so when you link to other websites you should read their own privacy policies.

You also have a right to lodge a complaint with the supervisory authority for data protection. In the UK at:

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF

GDPR

TherAppUK Ltd Data Protection Policy

The following is the policy of TherAppUK Ltd regarding handling of data. This policy applies to TherAppUK Ltd and all of its constituent committees, boards and subsidiary organisations. Membership organisations are required to adopt data protection policies consistent with this Policy. The term “member” in this document refers to TherAppUK Ltd individual or organisational members.

The Principles

TherAppUK Ltd shall:

  1. Process personal data fairly and lawfully and, in particular, not process data unless these principles and the rules set out here are followed.
  2. Obtain personal data only for specified and lawful purposes, and not process data in any manner incompatible with that purpose or those purposes.
  3. Obtain personal data that is adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
  4. Keep personal data accurate and up to date.
  5. Not keep personal data for longer than is necessary for their legitimate purposes.
  6. Process personal data in accordance with the rights of data subjects under the Data Protection Act.
  7. Take appropriate technical and organisational measures against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
  8. Not transfer personal data to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
  9. Consult with TherAppUK Ltd Member Organisations (MOs) to ensure that a comparable level of data protection exists for registrants/individual members who are also members of TherAppUK Ltd MOs.

What is Data Protection?

The Data Protection Act (the Act) aims to protect individuals’ fundamental rights and freedoms, notably privacy rights, in respect of personal data processing.

The Act applies to paper and electronic records held in structured filing systems containing personal data, meaning data which relates to living individuals who can be identified from the data.

Data protection operates by giving individuals the right to gain access to their personal data. This is done by making a subject access request in which they are entitled to:

• a description of their personal data
• the purposes for which they are being processed
• details of whom they are or may be disclosed to

Individuals can also prevent processing of their data in certain circumstances, opt-out of having their data used for direct marketing and in automated decision making processes, apply to the courts for inaccurate data to be corrected and claim compensation for damage and distress caused as a result of any data protection breach.

All organisations must notify the Information Commissioner of the processing of personal data; this is included in a public register. The public register of data controllers is available on the Information Commissioner’s website (http://www.ico.gov.uk/), from where you can search for TherAppUK Ltd’s or any other organisation’s notification.

Data Subjects
Data Subjects are defined as being individuals about whom information is held.

• Supervisors, students and trainees who are enrolled in a TherAppUK Ltd course
• Complainants, correspondents and enquirers
• Advisors, consultants and other professional experts

Data Classes
Data classes are the types of data which are being or which are to be processed:

• Personal Details
• Education and Training Details
• Financial details
• Goods or services provided
• Employment Details
• Website user name and password
• Your preferences of the types of information that you prefer to receive and what types of information about yourself you are willing to share with others
• Offences (including alleged offences)
• Criminal proceedings, outcomes and sentences

Recipients

Recipients are individuals or Organisations to whom TherAppUK Ltd as a data controller intends or may wish to disclose data. This list does not include any person to whom the TherAppUK Ltd as a data controller may be required by law to disclose in any particular case, for example if required by the police under a warrant.

This list should not be read as a list of those to whom data will be disclosed. TherAppUK Ltd is required to make clear all of the possible categories of ‘recipient’ to which they might need or wish to disclose data – either in pursuit of their regulatory and public protection functions or in relation to permissions sought from and granted by a data subject or an organisational member.

• Data subjects themselves
• Current, past or future employers
• Healthcare, social and welfare advisors or practitioners
• Education, training and accrediting establishments and examining bodies
• Employees and agents of the TherAppUK Ltd
• Suppliers, providers of goods and services
• Persons making an enquiry or complaint
• Police forces
• Private investigators
• Local government
• Central government
• Voluntary and charitable organisations
• Ombudsmen and regulatory authorities

Purposes

The purposes to which TherAppUK Ltd as a Data Controller may put the data held are described here. This list does not represent the purposes to which all data held will always be put.

TherAppUK Ltd holds a wide range of data types relating to diverse data subjects. At various times the data held in respect of these subjects may be used in relation to some or all of the following purposes:

Accounting and auditing
The provision of accounting and related services; the provision of an audit where such an audit is required by statute.

Administration of complaints processes
The administration of complaint and grievance processes of all kinds, including professional disciplinary processes, and complaints against officers, committees or other subsidiary bodies.

Administration of justice
Internal administration and management of courts of law or tribunals and discharge of court business.

Advertising, marketing and public relations for others
Public relations work, advertising and marketing, including host mailings for other organisations and list broking.

Assessment and collection of taxes and other revenue
Assessment and collection of taxes, duties, levies and other revenue. You will be asked to indicate the type of tax or other revenue concerned.

Education
The provision of education, training, accreditation and reaccreditation, supervision and/or research as a primary function or business activity.

Information and databank administration
Maintenance of information or databanks as a reference tool or general resource. This includes catalogues, lists, directories and bibliographic databases.

Licensing and registration
The administration of licensing or maintenance of official registers.

Processing for not for profit organisations
Establishing or maintaining membership of or support for a body or association which is not established or conducted for profit, or providing or administering activities for individuals who are either members of the body or association or have regular contact with it.

Realising the objectives of a charitable organisation or voluntary body
The provision of goods and services in order to realise the objectives of the charity or voluntary body.

Research
Research in any field, including market, health, lifestyle, scientific or technical research.

Duration of Data Retention

As a data controller TherAppUK Ltd must not hold data for longer than required or after the data subject’s relationship with the TherAppUK Ltd has been terminated. It should be noted that TherAppUK Ltd’s charitable purpose and function as a provider of professional therapeutic services in the interest of protecting the public requires that data relating to data subjects be retained indefinitely. TherAppUK Ltd has clear protocols for archiving of data relating to registrants who wish to terminate their relationship with TherAppUK Ltd (cease to register) and for changing the uses to which such archived records may be put.

Sensitive Data

Any data that is identifiable to any registrant is considered sensitive data that is subject to protection. TherAppUK Ltd will require specific authorisation from registrants for the use of sensitive data. Each registrant has the right to inspect and receive a printout of all sensitive data pertaining to him or her. TherAppUK Ltd will notify any registrant when it acquires and stores any sensitive data from a source other than the registrant him/herself or the registrant’s member organisation. The registrant has the right to petition that any sensitive information held by TherAppUK Ltd be removed if it is inaccurate or held without a lawful purpose.

Security

TherAppUK Ltd operates in a field in which confidentiality and record security are of paramount importance. TherAppUK Ltd’s office is operated on the basis that all material entering the office be regarded as confidential until otherwise defined. Clear guidelines are laid down for staff with respect to processing and provision of data to data recipients. Our Privacy Policy defines which employees may have access to specified sets of sensitive data, and sets out security provisions to ensure that unauthorised individuals do not have access. In pursuit of TherAppUK Ltd’s charitable goals and its regulatory and public functions it is necessary to release / make available certain data to various recipients. This will be done in accordance with the definitions and guidelines above.

Relationship with Existing Policies
This policy has been formulated within the context of the following documents:

Confidential Data Policy
Archiving
Complementary Therapies
Data Protection, Data Security Procedure Recording Policy
Safeguarding Policy
These will be made available on request to relevant persons.

Review of this Policy
This policy shall be reviewed annually.

Payments

Please see Stripe’s Privacy Policy