Data Protection Policy (GDPR)

CPC Data Protection Policy (GDPR)

1.    INTRODUCTION

This policy sets out the obligations of Child Psychotherapy Council, a registered charity (no. CE026897) whose registered office is 17A East End Road, London N3 3QE (“CPC”), regarding data protection and the rights of service users (“data subjects”) in respect of their personal data under EU Regulation 2016/679 General Data Protection Regulation (“GDPR”).

The GDPR defines “personal data” as any information relating to an identified or identifiable natural person (a “data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

This Policy sets out CPC’s obligations regarding the collection, processing, transfer, storage, and disposal of personal data. The procedures and principles set out here must be followed at all times by CPC employees, all Committee members and volunteers. CPC ensures that its members are made aware of their responsibilities in respect of GDPR.

2.    KEY PRINCIPLES OF GDPR

This Data Protection policy has been developed to comply with the 7 key principles set out by the General Data Protection Regulation.

2.1         Lawfulness, Fairness and Transparency

The first principle of the Data Protection Act 2018 (DPA) says that everything done with personal data, from collecting it and holding it, to retrieving, organising and destroying it, must be done lawfully, fairly and in a transparent manner.

This means that CPC must have a good reason for collecting the data and that it must be collected and used in a way that is fair to the person whose data is being processed.

2.1.1        Lawful processing

Processing will only be lawful where CPC can rely on at least one of the lawful bases provided for in the DPA 2018 for each instance of processing. CPC is most likely to rely on the following lawful bases:

1.    The data subject has given their consent to processing (consent must relate to a particular purpose/particular purposes).

2.    The processing is necessary in order to perform a contract to which the data subject is party, or in order to take steps at the data subject’s request prior to entering into a contract, for example where we hire an employee or enter into an agreement with a third party.

3.    The processing is necessary so that CPC can comply with a legal obligation to which it is subject.

4.    The processing is necessary for purposes of “legitimate interests” pursued by CPC or a third party. This is a broad term and therefore likely to cover a significant amount of processing carried out by CPC. However, it should not be selected automatically, nor considered as a last resort.

5.    Where the processing is necessary to protect the “vital interests” of a data subject or another living individual – for example, where CPC must process an individual’s personal data in an emergency medical situation.

6.    Where the processing is necessary to perform a task in the public interest.

7.    In addition, the processing of personal data must not involve a breach of any non-data protection legal provision in UK law. Some common examples include where the processing would involve:

·         a breach of confidentiality;

·         a breach of provisions of a contract; and

·         a breach of the Human Rights Act 1998.

2.1.2        Fair processing

In general, the processing carried out by CPC must also be fair – this is a wide concept so consideration always needs to be given to the particular circumstances relating to specific data being processed. For example, processing would be unfair if CPC collected personal data from a data subject having misled them about why the personal data in question was required.

2.1.3        Transparent processing

In general, the legislation obliges CPC to be clear with data subjects about what it does with their personal data and why, and any such information should be communicated to data subjects in a way that is sufficiently straightforward so that any reasonable person would understand.

One of the most important ways to comply with this principle is that every time CPC collects personal data about a person directly from that data subject, which CPC intends to keep, CPC needs to provide that person with “fair processing information”. In other words, CPC needs to tell them:

a.    Details of CPC including, but not limited to, the identity of its Data Protection Officer;

b.    why CPC is collecting their information and what CPC intends to do with it, e.g. send mailing updates about CPC activities;

c.    the legal basis for collecting their information; if CPC relies on the lawful basis of legitimate interests, those interests must be specified;

d.    whether the provision of their personal data is part of a statutory or contractual obligation and details of the consequences of failing to provide the data;

e.    the period for which their personal data will be stored (if it is not possible to give a finite period of time, it is acceptable to provide the criteria which will be used to decide that period – usually we use criteria related to the purposes for which the personal data is collected/processed);

f.    the existence of the rights of data subjects;

g.    details of people/organisations, or categories of people/organisations, with whom CPC may share their personal data;

h.    if relevant, the fact that CPC will be transferring their personal data outside the EEA and details of relevant safeguards;

i.    the right to lodge a complaint with the Information Commissioner’s Office;

j.    the right to withdraw consent if consent is the lawful ground that has been relied upon; and

k.    the existence of any automated decision-making, including behavioural profiling, involving their personal data, including details about the logic involved and the significance and envisaged consequences of such processing for the data subject.

Our privacy notice provides an outline of the type of data we handle; it can be viewed on our website.

2.1.4        CPC does collect personal data falling within “special category data” (also known as “sensitive personal data”), for example data concerning the data subject’s race, ethnicity, politics, religion, trade union membership, genetics, biometrics (if used for ID purposes), health, sex life, or sexual orientation. For such data, at least one of the following conditions must be met:

2.1.4.1           The data subject has given their explicit consent to the processing of such data for one or more specified purposes (unless EU or EU Member State law prohibits them from doing so);

2.1.4.2           The processing is necessary for the purpose of carrying out the obligations and exercising specific rights of the data controller or of the data subject in the field of employment, social security, and social protection law (insofar as it is authorised by EU or EU Member State law or a collective agreement pursuant to EU Member State law which provides for appropriate safeguards for the fundamental rights and interests of the data subject); CPC collects and processes personal data from employees on this basis.

2.1.4.3           The processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent.

2.1.4.4           The data controller is a foundation, association, or other non-profit body with a political, philosophical, religious, or trade union aim, and the processing is carried out in the course of its legitimate activities, provided that the processing relates solely to the members or former members of that body or to persons who have regular contact with it in connection with its purposes and that the personal data is not disclosed outside the body without the consent of the data subjects.

2.1.4.5           The processing relates to personal data which is clearly made public by the data subject.

2.1.4.6           The processing is necessary for the conduct of legal claims or whenever courts are acting in their judicial capacity.

2.1.4.7           The processing is necessary for substantial public interest reasons, on the basis of EU or EU Member State law which shall be proportionate to the aim pursued, shall respect the essence of the right to data protection, and shall provide for suitable and specific measures to safeguard the fundamental rights and interests of the data subject.

2.1.4.8           The processing is necessary for the purposes of preventative or occupational medicine, for the assessment of the working capacity of an employee, for medical diagnosis, for the provision of health or social care or treatment, or the management of health or social care systems or services on the basis of EU or EU Member State law or pursuant to a contract with a health professional, subject to the conditions and safeguards referred to in Article 9(3) of the GDPR.

2.1.4.9           The processing is necessary for public interest reasons in the area of public health, for example, protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of EU or EU Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject (in particular, professional secrecy).

2.1.4.10      The processing is necessary for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes in accordance with Article 89(1) of the GDPR based on EU or EU Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection, and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.

2.2         Specific, Explicit and Legitimate purposes

Personal data shall be collected for specified, explicit and legitimate purposes. This means that CPC should not collect personal data for one purpose and then use it for another, incompatible purpose. If it becomes necessary to process a data subject’s personal data for a new purpose, the individual should be informed of the new purpose beforehand. For example, if CPC collects personal data such as a contact number or email address in order to provide information about a service, it should not then be used for a different purpose, for example to share it with other organisations for marketing purposes, without first obtaining consent.

2.3         Adequate, Relevant, and Limited Data Processing

CPC will only collect and process personal data for and to the extent necessary for the specific purpose or purposes of which data subjects have been informed (or will be informed). Access to data will be restricted to those who reasonably need to access it in order to carry out this purpose.

2.4         Accuracy

The fourth principle is that reasonable steps must be taken to ensure the accuracy of any data we obtain. This, for example, means that we must be careful when we take client or student details, making sure we check spellings and we are recording them to an appropriate and pertinent part of the CPC systems. The DPA 2018 gives people the right to request that their data is changed, completed, corrected or deleted.

2.5         Data Retention

2.5.1        The fifth principle is that CPC should only keep personal data for as long as is necessary in light of the purpose or purposes for which that personal data was originally collected, held and processed.

2.5.2        When personal data is no longer required, or there is no longer a legitimate reason to keep it, all reasonable steps must be taken to erase or otherwise dispose of it without delay.

See appendix 1 for details of data retention.

2.6         Integrity and confidentiality

The sixth principle mandates that data must be kept safely and securely. This principle means protecting data from accidental or deliberate destruction, loss, damage or unauthorised access.

2.7         Accountability

This principle requires us to take responsibility for what we do with personal data and how we comply with the other principles. We must have appropriate measures and records in place to be able to demonstrate our compliance.

This policy, together with those which support it, aims to provide clear governance and record keeping to ensure we deliver this principle.

3.    THE COMMON-LAW DUTY OF CONFIDENTIALITY

Common law is a form of law based on previous court cases decided by judges; hence it is also referred to as case law. The key principle is that information confided should not be used or disclosed further, except as originally understood by the confider, or with their subsequent permission. In practice this means that all personal information, whether held on paper, computer, visually or audio recorded, or held in the memory of the professional, cannot be disclosed without the consent of the individual whom it concerns. Whilst judgements have established that confidentiality can be breached ‘in the public interest’, these have centred on a case-by-case consideration of exceptional circumstances. Confidentiality can also be overridden or set aside by legislation.

All personal data is confidential and we have a duty of confidentiality to staff, clients, students, trainee therapists, centre users and partners. As such, CPC needs to ensure that no personal confidential information is shared without a justified need and the legal basis to do so.

4.            THE RIGHTS OF DATA SUBJECTS

The GDPR sets out the following rights applicable to data subjects (please refer to the parts of this policy indicated for further details):

4.1         The right to be informed (Part 5);

4.2         The right of access (Part 6);

4.3         The right to rectification (Part 7);

4.4         The right to erasure (also known as the ‘right to be forgotten’) (Part 8);

4.5         The right to restrict processing (Part 9);

4.6         The right to data portability (Part 10);

4.7         The right to object (Part 11); and

4.8         Rights with respect to automated decision-making and profiling (Parts 12 and 13).

5.            KEEPING DATA SUBJECTS INFORMED

5.1         CPC shall provide the information set out in 5.2 to every data subject:

5.1.1       Where personal data is collected directly from data subjects, those data subjects will be informed of its purpose at the time of collection; and

5.1.2       Where personal data is obtained from a third party, the relevant data subjects will be informed of its purpose:

a)                 if the personal data is used to communicate with the data subject, when the first communication is made; or

b)                 if the personal data is to be transferred to another party, before that transfer is made; or

c)                 as soon as reasonably possible and in any event not more than one month after the personal data is obtained.

5.2         The following information shall be provided:

5.2.1       Details of CPC including, but not limited to, the identity of its Data Protection Officer;

5.2.2       The purpose(s) for which the personal data is being collected and will be processed (as detailed in Part 21 of this Policy) and the legal basis justifying that collection and processing;

5.2.3       Where applicable, the legitimate interests upon which CPC is justifying its collection and processing of the personal data;

5.2.4       Where the personal data is not obtained directly from the data subject, the categories of personal data collected and processed;

5.2.5       Where the personal data is to be transferred to one or more third parties, details of those parties;

5.2.6       Where the personal data is to be transferred to a third party that is located outside of the European Economic Area (the “EEA”), details of that transfer, including but not limited to the safeguards in place;

5.2.7       Details of data retention, and details of the data subject’s rights under the GDPR;

5.2.8       Details of the data subject’s right to withdraw their consent to CPC processing of their personal data at any time;

5.2.9       Details of the data subject’s right to complain to the Information Commissioner’s Office (the “supervisory authority” under the GDPR);

5.2.10  Where applicable, details of any legal or contractual requirement or obligation necessitating the collection and processing of the personal data and details of any consequences of failing to provide it; and

5.2.11  Details of any automated decision-making or profiling that will take place using the personal data, including information on how decisions will be made, the significance of those decisions, and any consequences.

6.            DATA SUBJECT ACCESS

6.1         Data subjects may make Subject Access Requests (“SARs”) at any time to find out more about the personal data which CPC holds about them, what it is doing with that personal data, and why.

6.2         Data subjects wishing to make a SAR must do so in writing. SARs should be addressed to CPC’s Data Protection Officer at CPC, 17A East End Road, London, N3 3QE.

6.3         Responses to SARs shall normally be made within one month of receipt; however, this may be extended by up to two months if the SAR is complex and/or numerous requests are made. If such additional time is required, the data subject shall be informed.

6.4         All SARs received shall be handled by the Data Protection Officer.

6.5         CPC does not charge a fee for the handling of normal SARs. CPC reserves the right to charge reasonable fees for additional copies of information that has already been supplied to a data subject, and for requests that are manifestly unfounded or excessive, particularly where such requests are repetitive.

7.            RECTIFICATION OF PERSONAL DATA

7.1         Data subjects have the right to require CPC to rectify any of their personal data that is inaccurate or incomplete.

7.2         CPC shall rectify the personal data in question, and inform the data subject of that rectification, within one month of the data subject informing CPC of the issue. The period can be extended by up to two months in the case of complex requests. If such additional time is required, the data subject shall be informed.

7.3         In the event that any affected personal data has been disclosed to third parties, those parties shall be informed of any rectification that must be made to that personal data.

8.            ERASURE OF PERSONAL DATA

8.1         Data subjects have the right to request that CPC erases the personal data it holds about them in the following circumstances:

8.1.1       It is no longer necessary for CPC to hold that personal data with respect to the purpose(s) for which it was originally collected or processed;

8.1.2       The data subject wishes to withdraw their consent to CPC holding and processing their personal data;

8.1.3       The data subject objects to CPC holding and processing their personal data (and there is no overriding legitimate interest to allow CPC to continue doing so) (see Part 18 of this Policy for further details concerning the right to object);

8.1.4       The personal data has been processed unlawfully;

8.1.5       The personal data needs to be erased in order for CPC to comply with a particular legal obligation;

8.2         Unless CPC has reasonable grounds to refuse to erase personal data, all requests for erasure shall be complied with, and the data subject informed of the erasure, within one month of receipt of the data subject’s request. The period can be extended by up to two months in the case of complex requests. If such additional time is required, the data subject shall be informed.

8.3         In the event that any personal data that is to be erased in response to a data subject’s request has been disclosed to third parties, those parties shall be informed of the erasure (unless it is impossible or would require disproportionate effort to do so).

9.            RESTRICTION OF PERSONAL DATA PROCESSING

9.1         Data subjects may request that CPC ceases processing the personal data it holds about them. If a data subject makes such a request, CPC shall retain only the amount of personal data concerning that data subject (if any) that is necessary to ensure that the personal data in question is not processed further.

9.2         In the event that any affected personal data has been disclosed to third parties, those parties shall be informed of the applicable restrictions on processing it (unless it is impossible or would require disproportionate effort to do so).

10.          DATA PORTABILITY

10.1       CPC does not process personal data using automated means.

10.2       To facilitate the right of data portability, CPC shall make available all applicable personal data to data subjects in the following format:

10.2.1  PDF or CSV format;

10.2.2  Personal data is not provided in hardcopy format;

10.3       Where technically feasible, if requested by a data subject, personal data shall be sent directly to the required data controller.

10.4       All requests for copies of personal data shall be complied with within one month of the data subject’s request. The period can be extended by up to two months in the case of complex or numerous requests. If such additional time is required, the data subject shall be informed.

11.          OBJECTIONS TO PERSONAL DATA PROCESSING

11.1       Data subjects have the right to object to CPC processing their personal data based on legitimate interests, direct marketing (including profiling), and processing for scientific and/or historical research and statistics purposes.

11.2       Where a data subject objects to CPC processing their personal data based on its legitimate interests, CPC shall cease such processing immediately, unless it can be demonstrated that CPC’s legitimate grounds for such processing override the data subject’s interests, rights, and freedoms, or that the processing is necessary for the conduct of legal claims.

11.3       Where a data subject objects to CPC processing their personal data for direct marketing purposes, CPC shall cease such processing immediately.

11.4       Where a data subject objects to CPC processing their personal data for scientific and/or historical research and statistics purposes, the data subject must, under the GDPR, “demonstrate grounds relating to his or her particular situation”. CPC is not required to comply if the research is necessary for the performance of a task carried out for reasons of public interest.

12.          AUTOMATED DECISION-MAKING

CPC does not use personal data in automated decision-making processes.

13.          PROFILING

CPC does not use personal data for profiling purposes.

14.          PERSONAL DATA COLLECTED, HELD, AND PROCESSED

A schedule of the personal data that is collected, held, and processed by CPC is included at the Appendix to sections 8 and 14, including the period of retention for each piece of data.

15.          DATA SECURITY - TRANSFERRING PERSONAL DATA AND COMMUNICATIONS

CPC shall ensure that the following measures are taken with respect to all communications and other transfers involving personal data:

15.1       All mobile devices are password protected.

15.2       All emails are marked with a privacy notice stating the confidentiality of the data contained within. Any emails containing sensitive or detailed personal data must be marked “private and confidential” in the subject line; on receipt, any relevant personal data contained within must be removed from the email, stored in the appropriate location and the email deleted by all parties. The type of data held is then governed by the appropriate retention schedule – for example in relation to staff records, HR records and so on. In the event of a SAR, emails containing personal data will be disclosed.

15.3       In general, emails should not be retained longer than is necessary and should be deleted/archived in line with CPC policy on email retention.

15.4       Personal data may be transmitted over secure networks only; transmission over unsecured networks is not permitted in any circumstances.

15.5       Where personal data is to be transferred in hardcopy form it should be passed directly to the recipient or sent using a secure courier service.

15.6       All personal data to be transferred physically, whether in hardcopy form or on removable electronic media shall be transferred in a secure suitable container.

16.  DATA SECURITY - STORAGE

CPC shall ensure that the following measures are taken with respect to the storage of personal data:

16.1       All electronic copies of personal data are stored securely on a file server and in Dropbox or Microsoft Teams (see Third Party Data Storage). Access to file servers and databases is password protected. CPC uses Mojo, which uses Cloudflare to provide best-practice TLS encryption and firewalls, and two-factor authentication where available, to protect servers and third-party services.

16.2       All hardcopies of personal data, along with any electronic copies stored on physical, removable media should be stored securely in a locked box, drawer, cabinet, or similar; separating out identifiable and non-identifiable data wherever possible.

16.3       Hardcopies of personal data must not leave office bases unless there is a specific reason to do so and measures have been taken to keep it secure, for instance, identifiable and non-identifiable material has been separated. Wherever practicable and possible, employees and volunteers should only refer to personal data via secure routes and on equipment provided by CPC. In the event that hardcopy data is required outside of the office it should be returned, secured or destroyed at the earliest convenience.

16.4       All personal data stored electronically is backed up regularly:

·         Data is manually backed up more frequently, in the case of bulk work, onto our site servers (which are also backed up to data tapes that are stored in a fireproof safe).

·         Personal data contained on email is held in Office 365 (Cloud) and not backed up.

·         Personal data must not be transferred to any device personally belonging to an employee, and personal data may only be transferred to devices belonging to agents, contractors, or other parties working on behalf of CPC where the party in question has agreed to comply fully with the letter and spirit of this Policy and of the GDPR (which may include demonstrating to CPC that all suitable technical and organisational measures have been taken).

16.5       CPC operates a ‘clear desk’ policy. When not in use any files, folders or documents must be locked away in secure storage. Files or documents containing personal data must never be left unattended. Staff should ensure that personal data they are viewing on their PC or laptop screens cannot be viewed by others.

17.  DATA SECURITY - DISPOSAL

When any personal data is to be erased or otherwise disposed of for any reason (including where copies have been made and are no longer needed), it should be securely deleted and disposed of. For further information on the deletion and disposal of personal data, please refer to appendix 1.

18.  DATA SECURITY - USE OF PERSONAL DATA

CPC shall ensure that the following measures are taken with respect to the use of personal data:

18.1       No personal data may be shared informally and if an employee, agent, sub-contractor, or other party working on behalf of CPC requires access to any personal data that they do not already have access to, such access should be formally requested from the DPO.

18.2       No personal data may be transferred to any employees, agents, contractors, or other parties, whether such parties are working on behalf of CPC or not, without the authorisation of the DPO.

18.3       Personal data must be handled with care at all times and should not be left unattended or on view to unauthorised employees, agents, sub-contractors, or other parties at any time;

18.4       If personal data is being viewed on a computer screen and the computer in question is to be left unattended for any period of time, the user must lock the computer and screen before leaving it; and

18.5       Where personal data held by CPC is used for marketing purposes, we will ensure that the appropriate consent is obtained and that no data subjects have opted out, whether directly or via a third-party service such as the TPS.

19.  DATA SECURITY - IT SECURITY

CPC shall ensure that the following measures are taken with respect to IT and information security:

19.1       All passwords used to protect personal data are changed regularly and should not use words or phrases that can be easily guessed or otherwise compromised. All passwords must contain a combination of uppercase and lowercase letters, numbers, and symbols. All software used by CPC is designed to require such passwords.

19.2       Under no circumstances should any passwords be written down or shared between any employees, agents, contractors, or other parties working on behalf of CPC, irrespective of seniority or department. If a password is forgotten, it must be reset using the applicable method. IT staff do not have access to passwords.

19.3       All software (including, but not limited to, applications and operating systems) shall be kept up-to-date.

20.          ORGANISATIONAL MEASURES

CPC shall ensure that the following measures are taken with respect to the collection, holding, and processing of personal data:

20.1       All trustees, committee members, employees, agents, contractors, or other parties working on behalf of CPC shall be made fully aware of both their individual responsibilities and CPC’s responsibilities under the GDPR and under this Policy, and shall be provided with a copy of this Policy;

20.2       Only trustees, committee members, employees and other volunteers or other parties working on behalf of CPC that need access to, and use of, personal data in order to carry out their assigned duties correctly shall have access to personal data held by CPC;

20.3       All trustees, committee members, employees and other volunteers or other parties working on behalf of CPC handling personal data will be appropriately trained to do so;

20.4       All trustees, committee members, employees and other volunteers or other parties working on behalf of CPC handling personal data will be appropriately supervised;

20.5       All trustees, committee members, employees and other volunteers or other parties working on behalf of CPC handling personal data shall be required and encouraged to exercise care, caution, and discretion when discussing work-related matters that relate to personal data, whether in the workplace or otherwise;

20.6       Methods of collecting, holding, and processing personal data shall be regularly evaluated and reviewed;

20.7       All personal data held by CPC shall be reviewed periodically, as set out in CPC’s Data Retention Schedule;

20.8       The performance of trustees, committee members, employees and other volunteers or other parties working on behalf of CPC handling personal data shall be regularly evaluated and reviewed;

20.9       All trustees, committee members, employees and other volunteers or other parties working on behalf of CPC handling personal data will be bound by contract to do so in accordance with the principles of the GDPR and this Policy;

20.10    All trustees, committee members, employees and other volunteers or other parties working on behalf of CPC handling personal data must ensure that any and all of their employees who are involved in the processing of personal data are held to the same conditions as those relevant employees of CPC arising out of this Policy and the GDPR; and

20.11    Where any trustee, committee member, employee, other volunteer or other party working on behalf of CPC handling personal data fails in their obligations under this Policy, that party shall indemnify and hold harmless CPC against any costs, liability, damages, loss, claims or proceedings which may arise out of that failure.

21.          TRANSFERRING PERSONAL DATA TO A COUNTRY OUTSIDE THE EEA

21.1       CPC may from time-to-time transfer (‘transfer’ includes making available remotely) personal data to countries outside of the EEA.

21.2       The transfer of personal data to a country outside of the EEA shall take place only if one or more of the following applies:

21.2.1  The transfer is to a country, territory, or one or more specific sectors in that country (or an international organisation), that the European Commission has determined ensures an adequate level of protection for personal data;

21.2.2  The transfer is to a country (or international organisation) which provides appropriate safeguards in the form of a legally binding agreement between public authorities or bodies; binding corporate rules; standard data protection clauses adopted by the European Commission; compliance with an approved code of conduct approved by a supervisory authority (e.g. the Information Commissioner’s Office); certification under an approved certification mechanism (as provided for in the GDPR); contractual clauses agreed and authorised by the competent supervisory authority; or provisions inserted into administrative arrangements between public authorities or bodies authorised by the competent supervisory authority;

21.2.3  The transfer is made with the informed consent of the relevant data subject(s);

21.2.4  The transfer is necessary for the performance of a contract between the data subject and CPC (or for pre-contractual steps taken at the request of the data subject);

21.2.5  The transfer is necessary for important public interest reasons;

21.2.6  The transfer is necessary for the conduct of legal claims;

21.2.7  The transfer is necessary to protect the vital interests of the data subject or other individuals where the data subject is physically or legally unable to give their consent; or

21.2.8  The transfer is made from a register that, under UK or EU law, is intended to provide information to the public and which is open for access by the public in general or otherwise to those who are able to show a legitimate interest in accessing the register.

22.          DATA BREACH NOTIFICATION

22.1       All personal data breaches must be reported immediately to CPC’s Data Protection Officer.

22.2       If a personal data breach occurs and that breach is likely to result in a risk to the rights and freedoms of data subjects (e.g. financial loss, breach of confidentiality, discrimination, reputational damage, or other significant social or economic damage), the Data Protection Officer must ensure that the Information Commissioner’s Office is informed of the breach without delay, and in any event, within 72 hours after having become aware of it.

22.3       In the event that a personal data breach is likely to result in a high risk (that is, a higher risk than that described under Part 29.2) to the rights and freedoms of data subjects, the Data Protection Officer must ensure that all affected data subjects are informed of the breach directly and without undue delay.

22.4       Data breach notifications shall include the following information:

22.4.1  The categories and approximate number of data subjects concerned;

22.4.2  The categories and approximate number of personal data records concerned;

22.4.3  The name and contact details of CPC’s data protection officer (or other contact point where more information can be obtained);

22.4.4  The likely consequences of the breach;

22.4.5  Details of the measures taken, or proposed to be taken, by CPC to address the breach including, where appropriate, measures to mitigate its possible adverse effects.

Appendix 1: Data Retention

Background

GDPR requires that we do not retain personal data for longer than we are required to by law, or for longer than is reasonable.

As there are a number of different reasons why we retain data (e.g. the data subject may have accessed our services (training or therapeutic), or they may have been a fundraiser or a volunteer), there are different data retention periods accordingly.

The purpose of this procedure is to explain the data retention periods applicable to different data subjects’ data, and then to explain the procedure for removing data which is not required.

Data Retention Periods

Financial Data

We are required by law (Companies Act and HMRC for statutory, tax and anti-money laundering purposes) to maintain certain data regarding the financial transactions that we process with individuals for a period of at least 7 years. Therefore, if there are valid transactions within this timeframe, we will not be able to erase data relating to these, including the basic details of the individual concerned.

Unless we have a valid reason to retain financial data relating to individuals, we will delete such data after 7 complete financial years have elapsed.

Accessing our services

Initial information / enquiries

When people contact us as prospective clients for our therapeutic services or potential students for training, we obtain personal data.

This usually includes information such as name, address, date of birth, and contact details. Additional specific information is gathered for students, which may include experience and qualifications. Referrers to our therapeutic service will provide personal information which may include some details of issues faced, other services involved and concerns. All of this data will be treated with sensitivity, restricted to only relevant personnel and kept confidential.

Where initial enquiries from prospective students do not lead to them taking up a place on a course, records will be kept for three years. When prospective clients do not take up a service, we will delete records after one year.

Staff Records

All of the following staff data is kept for 7 years:

1.    Brief staff details, such as contact details and the position in which the staff member was employed.

2.    The financial details, including payroll and pension details.

3.    All other staff details, including staff notes, disciplinary proceedings, correspondence, etc.

Members

We keep the personal data of members for a period of seven years after the date that the member leaves CPC. For non-members, we will only retain personal data for a period of five years.

To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.

Fundraising and volunteers

Personal and financial information about supporters (fundraisers and/or volunteers) will be retained as long as there is an association with CPC. Unless there is an express request to be forgotten, details of supporters will be kept for 7 years after last contact.

Appendix 2: Details of data protection officer and third-party data processors

Data Protection Officer:

Kim Fowler

Email: info@childpsychotherapycouncil.org

CPC

17A East End Road, Finchley

London N3 3QE

Third-Party Data Processors

Processor: Dreamhost

Function: Email, file storage, backup, IM

Compliant with GDPR: YES

Processor: Dropbox

Function: File Storage

Compliant with GDPR: YES

Processor: Paypal/Stripe

Function: Payment of tickets etc.

Compliant with GDPR: YES

Processor: Mailchimp

Function: Communication with students and potential students

Compliant with GDPR: YES

Processor: Eventbrite/Survey Monkey

Function: Events and surveys

Compliant with GDPR: YES