Privacy Notice – Associate Members

Who this notice is for?

This Notice is for Associate Members of the CSTA and describes ways in which the CSTA needs to process personal information for your membership.

There is a separate Privacy Notice for the CSTA website, which can be found here.

What this notice is about

This notice tells you what personal data we collect, how we use it, and your rights relating to our use of your information. You should make sure you understand this information, and if you have any questions, please contact us at

Who we are

The Craniosacral Therapy Association UK (CSTA) is an accreditation and regulatory professional body for craniosacral therapy in the UK. Our charity number is 1156168.


Data protection legislation applies to ‘personal data’. This means information about someone (a living individual), who can be identified as that person. Generally this will include information such as full name, address, phone number, email address. Data protection law regulates how that data is ‘processed’ i.e. collected, stored and used, and in the UK is currently governed by the Data Protection Act 2018 and by the Europe-wide General Data Protection Regulation 2016 (GDPR).

The CSTA is the ‘data controller’ for the information it holds about its Members, Friends and Subscribers. This means it controls what happens to that information and takes legal responsibility for this.

We are committed to ensuring that the way we process personal data is compliant with applicable data protection law, as well as best practice for a professional body. All personal information is treated in confidence within the organisation and is used only for the purpose of maintaining the records we need to meet our responsibilities as a membership organisation and professional body.

The types of personal data we may hold about you

In general most information is supplied by you on your application form or membership renewals. We may also receive information about some Associate Members from external organisations, as described below.

Information you provide

  • Your name, address, phone number, email address
  • Your date of birth and preferred title (if given)
  • Name of foundation training and date of completion
  • An ongoing record of your insurance,supervision, first aid and CPD requirements – the original signed supervision records that you submit are archived.
  • The address(es) at which you practise – this is also published on our practitioner register if you choose this option.
  • You also sign on application to confirm that you have not been expelled or refused membership by any register or organisation concerned with complementary or alternative medicine, or any branch of medicine or profession ancillary to medicine;and that there are no outstanding complaints against you which have been made to any register or organisation concerned with complementary or alternative medicine. You also confirm that you have no criminal convictions in any country which might be reasonably held to cast doubt on your fitness to practise, and that you are willing to be bound by the provisions of the current versions of the CSTA Code of Ethics and Practice and the Standards of Practice.This information is stored in your account and you are asked to re-confirm at each renewal.
  • Your signed application form is archived securely in case of a need to refer back to it.

Information the CSTA may record about you

  • Your fee payment record and expected renewal date
  • Any queries about your membership requirements or special circumstances
  • Any requirements you have been asked to complete before the following renewal, including in case of complaint–these are not identifiable as a complaint within our database

Information we may receive from a third party about you

  • We may receive confirmation of your insurance from our block scheme provider,or your own insurer if different

The purpose of processing

The purpose of holding and processing personal information about you is to manage your membership – processing your application and renewals and contacting you about this where needed; maintaining a database of membership; responding to enquiries from you; and sending you communications relevant to your membership.

Our duty of care to the public and to the profession establishes further purposes for holding information. As a professional body, our purposes include being informed about the needs of the profession and how practitioners and clients experience practice. In addition as a membership organisation, our purposes include assessing our own performance and areas we can improve our services to members and the public.

Duty of care to public

As a professional body for craniosacral therapy, our purposes for processing your information include fulfilling our duty of care to the public to ensure that all practitioners on our register meet the professional standards for safe and effective practice. Therefore we need to keep records of membership requirements met, such as insurance, CPD, supervision and first aid, and we may be required to refer to these in case of complaint about a current or former registered practitioner.

Duty of care to profession

In order to be aware of the needs of the profession, we also need information from members about their practices, so we may contact you from time to time to ask if you would take part in a survey.

Duty of care to members

We also need to assess how we are doing as a membership organisation and this includes receiving feedback from current and past members, so we may contact you to ask for feedback or to conduct a survey about your experiences with the CSTA.

Contacting you about your membership

We will contact you in order to process and renew your membership, first aid and insurance as appropriate.

  • We will contact you with CSTA news including the newsletter and The Fulcrum journal, and with information about CSTA-run courses and adverts for roles within the CSTA.
  • We have a system of reminders if your membership lapses, to ensure members do not lapse accidentally. These will be sent up to about six weeks after your membership lapses. After this time your membership will be archived.

The legal basis for holding your information

We rely on ‘legitimate interests’ as our main ‘lawful basis’ for processing your personal data under the current data protection regulations (GDPR and 2018 Data Protection Act UK). This means that we need this information in order to manage your membership and to function as a membership organisation, including fulfilling any legal requirements this may entail. If we enter into a contract with you, we may also rely on the legal basis of ‘contract’. This means that we use personal data for the management of the agreed terms of that contract.

Retention – how long will we keep your information and why?

We need to retain membership information to meet our duties and responsibilities as a professional body for craniosacral therapy, as described above. We will not keep information for longer than is needed in order to fulfil these purposes unless we are specifically obliged to by law.

  • Your membership record is active while you retain your membership.
  • If your membership lapses, your information will be archived securely and removed from use.
  • We need to retain the archived information in case we receive a complaint against a lapsed member which we would be obliged to investigate.
  • General emails that you may send about your membership are deleted on a rolling approximately three-yearly basis, but we will aim to delete any with sensitive information once they have been acted on.

Who we share your information with

The supporting documents for your application, detailing your qualifications, will be seen by officers of the CSTA only (the Administrator, Registrar, Trustees and your Associate Assessors), and will not be shared externally.

We will only share personal information about members with external bodies in limited situations where this is strictly necessary, as described below.

Newsletters and CSTA communications

We may use third party services to send communications from the CSTA to members, such as our newsletter, a survey or The Fulcrum journal. These services include, but are not restricted to, MailChimp, Printmark, Google Forms and Survey Monkey. Only the minimum required personal data is shared for each purpose, for example your name and contact email or postal address,and these details are not accessed or used by the service for any other reason.We have checked that each service is GDPR-compliant.


We share limited information with our block insurer, Holistic Insurance Services (or if you are insured with another company, with your own insurer if requested), so they are able to provide you with insurance. This is usually limited to name, membership status and renewal date only but on occasion e.g.if there is doubt about identity from name only (such as where two members share the same name or members use a different name on the register from their legal name), it may be extended to other information such as address or postcode. We will always use the minimum needed in each case.


If you attend a CSTA-run workshop, your name, email address, contact phone number and type of membership will be shared with the CSTA contact for the workshop, and may also be passed to the workshop provider.


We take the security of your personal information very seriously. We regularly review both our policies and our IT systems to ensure our security measures are adequate and reflect up to date technological advances as well as the requirements to prevent unauthorised access to, destruction or loss of your information.

All CSTA membership data is held on a secure and compliant server using GDPR-compliant hosting facilities. Membership documents are held on a secure and compliant cloud content management system.

Our main file sharing system is also fully GDPR-compliant.

Occasionally we may need to process personal data temporarily via other servers – for example in order to share documents that are needed for a trustee or committee meeting via a service such as Dropbox, Freedcamp or Google. This will only rarely include personal data, and will be the minimum needed. We have checked that the security and policies of the services that we may use are adequate, and any documents with personal data will be deleted as soon as possible.

Your online account

The security of your personal data also depends on your protection of your account password. Please do not disclose your account password to unauthorised people.

Data protection and your rights

Data protection regulations say that anyone who holds and controls personal information about individuals must respect their privacy rights, and must also inform them about these rights

Your right to refuse to give information

Under the GDPR, you should not be forced to provide your personal information to a data controller, and you have the right to be informed of any consequences of refusing to give it.

The CSTA respects the principle of ‘data minimisation’ which means we only request information which we actually need for each type of membership.

Because this information is needed to maintain your membership and to fulfil our obligations as a professional body, if you do not wish to give your personal information as described above, we will not be able to process membership for you.

Your right to object to personal data processing

If you object to us processing your personal information,you can ask us to restrict our use of it and delete any records we are not required to retain. At your request, for example, we will stop using your data to contact you – this will generally mean that your CSTA membership will cease. We will, however, need to retain some information about you as described in the retention section above, in order to fulfil good practice as a professional body.

Your right to see what information we hold about you

You have the right to request access to the information we hold about you, and we must respond to your request within one month. We will need to see proof of your identity and address before we can transfer a copy of your records to you. We will also respond to any concerns or questions you may have about our use of your information.

It should be noted that we are not obliged to disclose to you all the information we hold about you, in particular where disclosure could be a risk to the privacy rights of someone else. For example, if someone has made a complaint or raised a concern about a practitioner, we are obliged to consider the risks to the privacy rights of the complainant of disclosing this information, and to weigh this up against the practitioner’s right to access the information we hold.

Your right to rectify any information we hold which is not correct

If you believe that any of the information we hold about you is inaccurate or incorrect you have the right to tell us about this and request that the information is corrected.

Please do let us know if any of your details change so we can keep your records up to date, and please ensure you keep your information up to date within your online account.

Who to contact at the CSTA about personal data and your privacy rights

For any questions or concerns about this privacy information, or to make a request to exercise your privacy rights, please contact, telephone 0844 700 2358, or write to us at CSTA, 27 Old Gloucester Street, London, WC1N 3AX.

Your right to make a complaint

You have the right to complain if you are unhappy about the way we look after your information, or feel we have not properly respected your rights – please contact and we will do our best to answer you and work with you to resolve any concerns. If you are still unhappy you can appeal to the Information Commissioner’s Office (ICO) or 0303 1231113.

Changes to this privacy notice

We may modify this privacy notice at any time to reflect best practice or changes in the laws or regulatory guidelines on data protection. If we make changes to this privacy notice, we will highlight this on our website where the new documents will be available, and for significant or major changes we aim to inform current members by email.

This privacy notice was last updated on 12th June 2019