PRIVACY POLICY- MAY 2018

THE BANYAN TREE – PRIVACY POLICY –Updated May 2018

This privacy notice tells you what to expect when I collect personal information.
Contacting me via Social Media
If you send me a private or direct message via social media the message will be archived within the social media platform it was sent to unless you request its deletion. It will not be shared with any other organisations.
Contacting me by Telephone
When you call me, any personal data that you give me will be used to track client interaction.
Contacting me by Email
Any email sent to me, including any attachments, may be monitored and used by me for reasons of security and to track client interaction. Email monitoring or blocking software may also be used. Please be aware that you have a responsibility to ensure that any email you send to me is within the bounds of the law.
Using my Services
I offer various services to the public. I have to hold the details of the people who have requested these services in order to provide it. However, I only use these details to provide the service the person has requested and, if the person has opted in, to send other communication (such as marketing) from me. When people do subscribe to my mailing list, they can cancel their subscription at any time and are given an easy way of doing this.
Lawful Basis and Retention Periods
I process data under the lawful basis of Consent and retain personal data for 7 years after your last interaction with me.
Your Rights
Under the Data Protection Act 1998, you have rights as an individual which you can exercise in relation to the information I hold about you. You can read more about these rights here –
https://ico.org.uk/for-the-public/is-my-information-being-handled-correctly/
Specifically you have the following rights:
 the right to be informed
 the right of access
 the right to rectification
 the right to erasure
 the right to restrict processing
 the right to data portability
 the right to object
 the right not to be subjected to automated decision-making including profiling
DATA BREACH POLICY
Every care is taken to protect personal data from incidents (either accidentally or deliberately) to avoid a data protection breach that could compromise security. The objective of this policy is to contain any breaches, to minimise the risk associated with the breach and consider what action is necessary to secure personal data and prevent further breaches. A data breach incident in the context of this Policy is an event or action which may compromise the confidentiality, integrity or availability of
data, either accidentally or deliberately. An incident includes but is not restricted to the following:
 Loss or theft of confidential or sensitive data or equipment on which such data is stored (e.g. loss of laptop, USB stick, ipad/tablet device, mobile phone or paper record)
 Unauthorised use of, access to or modification of data or information systems
 Attempts (failed or successful) to gain unauthorised access to information or IT system(s)
 Unauthorised disclosure of sensitive / confidential data
 Unforeseen circumstances such as a fire or flood
 Human error
If a breach occurs the Data Protection Officer (DPO) will firstly determine if the breach is still occurring. If so, the appropriate steps will be taken immediately to minimise the effect of the breach. The DPO will investigate the breach and assess the risks associated with it, for example, the potential adverse consequences for individuals, how serious or substantial those are and how likely they are to occur. The investigation will need to take into account the following:
 The type of data involved
 Its sensitivity
 What’s happened to the data, has it been lost or stolen
 Whether the data could be put to any illegal or inappropriate use
 Who the individuals are, number of individuals involved and the potential effects on those data subjects
 Whether there are wider consequences to the breach Every incident will be assessed on a case by case basis; however, the following will need to be considered regarding notification:
 Whether there are any legal/contractual notification requirements;
 Whether notification would assist the individual affected – could they act on the information to mitigate risks?
 Whether notification would help prevent the unauthorised or unlawful use of personal data?
 Whether there is a high risk to the rights and freedoms of individuals
Notification to the individuals whose personal data has been affected by the incident will include a description of how and when the breach occurred and the data involved. Specific and clear advice will be given on what they can do to protect themselves, and include what action has already been taken to mitigate the risks.
DATA BREACH REPORT FORM/LOG
Date Incident Discovered
Date of Incident
Place of Incident
Number of Data Subjects Affected (if known):
Name and Contact Details of Person Reporting Incident
Brief Description of Incident and Details of Information Lost
Has any personal data been placed at risk? If so give details. This may include sensitive personal data; information that could be used to commit identity fraud; personal information regarding vulnerable adults or children; detailed personal profiles; security information that could compromise the safety of individuals if disclosed.
DATA PROTECTION POLICIES AND PROCEDURES Last Updated: March 2018
1) Information Held
I keep client information for people who have come to me for a treatment for 7 years after their last treatment with me. I keep contact information given to me by people who have requested information from me about my services to provide said requested information.
2) Data Breaches
Data breaches can include accidental or deliberate breaches of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. See attached Data Breach Policy.
3) Log of Breaches
A log of any data breaches will be maintained. See attached copy of log in use.
4) Privacy Impact Assessment
A full privacy impact assessment has not been completed; however privacy has been designed into my procedures. See attached Privacy Notice.
5) Data Protection Officer :
Catherine Shaw
6) Lawful Basis for Processing Personal Data Consent:
The individual has given clear consent for me to process their personal data for a specific purpose.
Catherine Shaw
Owner
The Banyan Tree
May 2018.