Who this notice is for
This Notice describes ways in which the CSTA needs to process personal information that is specific to people who apply for a role within the CSTA, whether or not they are members of the CSTA.
What this notice is about
This Notice tells you what personal data we collect, how we use it, and your rights relating to our use of your information.
You should make sure you understand this information, and if you have any questions, please contact us at dataprotection@craniosacral.co.uk.
Who we are
The Craniosacral Therapy Association UK (CSTA) is an accreditation and regulatory professional body for craniosacral therapy in the UK. Our charity number is 1156168.
Overview
Data protection legislation applies to ‘personal data’. This means information about someone (a living individual), who can be identified as that person. Generally this will include information such as full name, address, phone number, email address. Data protection law regulates how that data is ‘processed’ i.e. collected, stored and used, and in the UK is currently governed by the Data Protection Act 2018 and by the Europe-wide General Data Protection Regulation 2016 (GDPR).
The CSTA is the ‘data controller’ for the information it holds about applicants to roles within the CSTA. This means it controls what happens to that information and takes legal responsibility for this.
We are committed to ensuring that the way we process personal data is compliant with applicable data protection law, as well as best practice for a professional body. All personal information is treated in confidence within the organisation and is used only for the purpose of maintaining the records we need to meet our responsibilities.
The types of personal data we may hold about you
In general most information will have been supplied by you on your application form (if used) and any supporting documents or background information you send us.
Information you may provide
- Your contact details.
- Your application covering letter and CV (where supplied).
Information we may receive from a third party about you
- For some roles we will request references.
The purpose of processing
As a professional body and a charity, we need to ensure that the people we appoint to roles are a good ‘fit’. This means we need a certain amount of information about you, in order for the trustees to be able to understand your reasons for applying and relevant background, as well as to be able to pick up any questions from us or you within an interview as needed.
The legal basis for holding your information
We generally rely on ‘legitimate interests’ as our main ‘lawful basis’ for processing your personal data under the current data protection regulations (GDPR and 2018 Data Protection Act UK). This means our use of your personal data relates to our function as a professional body and membership organisation, including fulfilling any legal requirements this may entail.
If we enter into a contract with you, we may also rely on the legal basis of ‘contract’. This means that we use personal data for the management of the agreed terms of that contract.
Retention – how long will we keep your information and why
We will not keep information for longer than is needed in order to fulfil our purposes as described above, unless we are specifically obliged to by law.
- We will retain all applicants’ information until we have appointed someone to the role.
- If your application is successful, we will archive your information and references where sought, to fulfil good record keeping and in case of query. The information will be deleted when your term in post finishes, although we will retain your signed contract or declaration for up to a further five years in case of future query. Please see the Privacy Notice for Officers for more information.
- If your application is unsuccessful, or you do not pursue your application, we will delete your information unless you ask us to retain it in case of future roles becoming available which may suit you.
- If you decide not to pursue your application, you can ask us to delete your information sooner.
Who we share your information with
For almost all roles, we will not share your information with any external bodies.
The exception is if you are a trustee of the CSTA, we are required to share your name, address and date of birth with the Charity Commission. They will then list your full legal name on their website page for the CSTA, except in specific circumstances for exemption which are explained in the CSTA’s trustee information.
Security
We take the security of your personal information very seriously. We regularly review both our policies and our IT systems to ensure our security measures are adequate and reflect up to date technological advances as well as the requirements to prevent unauthorised access to, destruction or loss of your information.
Your filed application information is held on a secure and compliant cloud content management system, using GDPR-compliant hosting facilities.
Our main file sharing system is also fully GDPR-compliant.
Occasionally we may need to process small amounts of personal data temporarily via other servers – for example a service such as Dropbox, Freedcamp or Google, or by email. This may include some personal information in the documents needed for the trustees to vote on your appointment, or to be able to discuss your role or the work of a sub-committee, receive minutes of meetings etc. We have checked that the security and policies of the services that we use are adequate, and any documents with personal data will be deleted as soon as possible.
Data protection and your rights
Data protection regulations say that anyone who holds and controls personal information about individuals must respect their privacy rights, and must also inform them about these rights.
Your right to refuse to give information
Under the GDPR, you should not be forced to provide your personal information to a data controller, and you have the right to be informed of any consequences of refusing to give it.
The CSTA respects the principle of ‘data minimisation’ which means we only request information which we actually need for each type of membership.
Because this information is needed to appoint you and demonstrate good practice as described above under ‘purposes’, if you do not wish to give your personal information we will not be able to appoint you as an officer.
Your right to object to personal data processing
If you object to us processing your personal information, you can ask us to restrict our use of it and delete any records we are not required to retain. At your request, for example, we will stop using your data to contact you – this will generally mean that you will not be able to be appointed to a role within the CSTA. We may, however, need to retain some information about you as described in the retention section, in order to fulfil good practice as a professional body.
Your right to see what information we hold about you
You have the right to request access to the information we hold about you, and we must respond to your request within one month. We will need to see proof of your identity and address before we can transfer a copy of your records to you. We will also respond to any concerns or questions you may have about our use of your information.
It should be noted that we are not obliged to disclose to you all the information we hold about you, in particular where disclosure could be a risk to the privacy rights of someone else. For example, if someone has made a complaint or raised a concern about you, we are obliged to consider the risks to the privacy rights of the complainant of disclosing this information, and to weigh this up against your right to access the information we hold.
Your right to rectify any information we hold which is not correct
If you believe that any of the information we hold about you is inaccurate or incorrect you have the right to tell us about this and request that the information is corrected. Please do let us know if any of your details change so we can keep your records up to date, and please ensure you keep your information up to date within your online account.
Who to contact at the CSTA about personal data and your privacy rights
For any questions or concerns about this privacy information, or to make a request to exercise your privacy rights, please contact dataprotection@craniosacral.co.uk, telephone 0844 700 2358, or write to us at CSTA, 27 Old Gloucester Street, London, WC1N 3AX.
Your right to make a complaint
You have the right to complain if you are unhappy about the way we look after your information, or feel we have not properly respected your rights – please contact dataprotection@craniosacral.co.uk and we will do our best to answer you and work with you to resolve any concerns. If you are still unhappy you can appeal to the Information Commissioner’s Office (ICO) https://ico.org.uk/concerns/ or 0303 1231113.
Changes to this privacy notice
We may modify this privacy notice at any time to reflect best practice or changes in the laws or regulatory guidelines on data protection. If we make significant changes to this notice, we will contact our current officers by email.
This privacy notice was last updated on 12th June 2019