Who this notice is for
This Notice is for all Officers of the CSTA, whether or not they are also CSTA members.
What this notice is about
This Notice describes ways in which the CSTA needs to process personal information that is specific to people who fulfil a role within the CSTA.
It tells you what personal data we collect, how we use it, and your rights relating to our use of your information. You should make sure you understand this information, and if you have any questions, please contact us at firstname.lastname@example.org.
Who we are
The Craniosacral Therapy Association UK (CSTA) is an accreditation and regulatory professional body for craniosacral therapy in the UK. Our charity number is 1156168.
Data protection legislation applies to ‘personal data’. This means information about someone (a living individual), who can be identified as that person. Generally this will include information such as full name, address, phone number, email address. Data protection law regulates how that data is ‘processed’ i.e. collected, stored and used, and in the UK is currently governed by the Data Protection Act 2018 and by the Europe-wide General Data Protection Regulation 2016 (GDPR).
The CSTA is the ‘data controller’ for the information it holds about its Officers. This means it controls what happens to that information and takes legal responsibility for this.
We are committed to ensuring that the way we process personal data is compliant with applicable data protection law, as well as best practice for a professional body. All personal information is treated in confidence within the organisation and is used only for the purpose of maintaining the records we need to meet our responsibilities.
The types of personal data we may hold about you
In general most information will have been supplied by you on your application form (if used) and any supporting documents or background information you sent when you applied for a role.
Information you may provide
- Your contact details.
- Your application covering letter and CV (where supplied).
- Your signed declaration confirming you have understood the terms of reference of your post and the CSTA’s charitable aims and policy on conflicts of interest and loyalty; or your signed contract, as applicable.
Information we may receive from a third party about you
- For some roles we will receive references – you will have supplied the names and contact information for these.
The purpose of processing
As a professional body and a charity, we need to keep records of officers in post, to demonstrate transparency in our procedures and that we have ensured that the people we appoint to roles have been chosen carefully and appropriately. This means we need a certain amount of information about you at application and to retain this while you are in post, in case of query.
If we have entered into a contract with you, our purpose will be to manage the terms of that contract.
The legal basis for holding your information
If you have a contract with the CSTA we rely on the ‘contract’ condition as our ‘lawful basis’ for processing your personal data under the current data protection regulations (GDPR and 2018 Data Protection Act UK). That means we use your personal data for the management of the agreed terms of that contract, and this is our legal basis for processing.
Otherwise we rely on the ‘legitimate interests’ condition. This means our use of your personal data relates to our function as a professional body and membership organisation, including fulfilling any legal requirements this may entail.
Retention – how long will we keep your information and why
We will not keep information for longer than is needed in order to fulfil our purposes unless we are specifically obliged to by law.
- We will retain your filed information until your term in post ends, when it will be deleted.
- We will retain your signed declaration or contract for up to a further five years, in case of query or a need to refer to it.
Who we share your information with
For almost all roles, we will not share your information with any external bodies.
The exception is if you are a trustee of the CSTA, we are required to share your name, address and date of birth with the Charity Commission. They will then list your full legal name on their website page for the CSTA, except in specific circumstances for exemption which are explained in the CSTA’s trustee information.
We take the security of your personal information very seriously. We regularly review both our policies and our IT systems to ensure our security measures are adequate and reflect up to date technological advances as well as the requirements to prevent unauthorised access to, destruction or loss of your information.
Your filed application information is held on a secure and compliant cloud content management system, using GDPR-compliant hosting facilities.
Our main file sharing system is also fully GDPR-compliant.
Occasionally we may need to process small amounts of personal data temporarily via other servers – for example a service such as Dropbox, Freedcamp or Google, or by email. This may include some personal information in the documents needed for the trustees to vote on your appointment, or to be able to discuss your role or the work of a sub-committee, receive minutes of meetings etc. We have checked that the security and policies of the services that we use are adequate, and any documents with personal data will be deleted as soon as possible.
Data protection and your rights
Data protection regulations say that anyone who holds and controls personal information about individuals must respect their privacy rights, and must also inform them about these rights.
Your right to refuse to give information
Under the GDPR, you should not be forced to provide your personal information to a data controller, and you have the right to be informed of any consequences of refusing to give it.
The CSTA respects the principle of ‘data minimisation’ which means we only request information which we actually need for each type of membership.
Because this information is needed to appoint you and demonstrate good practice as described above under ‘purposes’, if you do not wish to give your personal information we will not be able to appoint you as an officer.
Your right to object to personal data processing
If you object to us processing your personal information, you can ask us to restrict our use of it and delete any records we are not required to retain. At your request, for example, we will stop using your data to contact you – this will generally mean that your term in post will cease. We will, however, need to retain some information about you as described in the retention section, in order to fulfil good practice as a professional body.
Your right to see what information we hold about you
You have the right to request access to the information we hold about you, and we must respond to your request within one month. We will need to see proof of your identity and address before we can transfer a copy of your records to you. We will also respond to any concerns or questions you may have about our use of your information.
It should be noted that we are not obliged to disclose to you all the information we hold about you, in particular where disclosure could be a risk to the privacy rights of someone else. For example, if someone has made a complaint or raised a concern about you, we are obliged to consider the risks to the privacy rights of the complainant of disclosing this information, and to weigh this up against your right to access the information we hold.
Your right to rectify any information we hold which is not correct
If you believe that any of the information we hold about you is inaccurate or incorrect you have the right to tell us about this and request that the information is corrected. Please do let us know if any of your details change so we can keep your records up to date, and please ensure you keep your information up to date within your online account.
Who to contact at the CSTA about personal data and your privacy rights
For any questions or concerns about this privacy information, or to make a request to exercise your privacy rights, please contact email@example.com, telephone 0844 700 2358, or write to us at CSTA, 27 Old Gloucester Street, London, WC1N 3AX.
Your right to make a complaint
You have the right to complain if you are unhappy about the way we look after your information, or feel we have not properly respected your rights – please contact firstname.lastname@example.org and we will do our best to answer you and work with you to resolve any concerns. If you are still unhappy you can appeal to the Information Commissioner’s Office (ICO) https://ico.org.uk/concerns/ or 0303 1231113.
Changes to this privacy notice
We may modify this privacy notice at any time to reflect best practice or changes in the laws or regulatory guidelines on data protection. If we make significant changes to this notice, we will contact our current officers by email.
This privacy notice was last updated on 12th June 2019