top of page

Privacy Policy

MAPLE LEAF TRAINING & COUNSELLING CENTRE DATA PROTECTION POLICY (Privacy Policy)

 

1. INTRODUCTION

 

Maple Leaf Counselling & Training Centre (“the Centre”, “we” or “our”) obtains, uses, stores and otherwise Processes Personal Data relating to potential staff and students (applicants), current staff and students, former staff and students, current and former workers, contractors, website users, customers and contacts i.e. Data Subjects.

 

When Processing their Personal Data, the Centre is obliged to fulfil individuals’ reasonable expectations of privacy by complying with the General Data Protection Regulation (the GDPR) and the Data Protection Act 2018 (DPA)(collectively “Data Protection Law”).

 

This policy therefore seeks to ensure that we:

 

  • are clear about how personal data must be Processed and the Centre’s expectations for all those who Process Personal Data on its behalf;

  • comply with the Data Protection Law and with good practice;

  • protect the Centre’s reputation by ensuring the Personal Data entrusted to it is processed in accordance with Data Subjects’ rights

  • protect the Centre from risks of personal data breaches and other breaches of Data Protection Law and hence from liability.

 

The main terms used are explained in the glossary at the end of this policy.

 

2. SCOPE

 

This policy applies to all Personal Data we Process regardless of the medium on which that Personal Data is stored and regardless of the Data Subject. All staff and others Processing Personal Data on the Centre’s behalf (“You”) must read it.

 

A failure to comply with this policy may result in disciplinary action.

 

A team of colleagues are responsible for ensuring that all Centre staff within their area of responsibility comply with this policy and should implement appropriate practices, processes, controls and training to ensure that compliance, as follows:

 

  • Staff records – Central Office Manager

  • Student records - Central Office Manager

  • Supplier/Consultant records – Central Office Manager

  • Customer Records (e.g private practitioners / supervisors / CPD training companies) – Central Office Manager

 

The Data Protection Officer (DPO) is responsible for overseeing this policy and for developing related policies and privacy guidelines. The Centre’s DPO is Trevor Roberts, enquiries@mapleleafcounsellingcentre.co.uk

 

 

3. PERSONAL DATA PROTECTION PRINCIPLES

 

When you Process Personal Data, you should be guided by the following principles, which are set out in the GDPR. Those principles require Personal Data to be:

 

  • processed lawfully, fairly and in a transparent manner (Lawfulness, Fairness and Transparency).

 

  • collected only for specified, explicit and legitimate purposes and not further Processed in a manner incompatible with those purposes (Purpose Limitation).

 

  • adequate, relevant and limited to what is necessary in relation to the purposes for which it is Processed (Data Minimisation).

 

  • accurate and where necessary kept up to date (Accuracy).

 

  • not kept in a form which permits identification of Data Subjects for longer than is necessary for the purposes for which the Personal Data is Processed (Storage Limitation).

 

  • processed in a manner that ensures its security, using appropriate technical and organisational measures to protect against unauthorised or unlawful Processing and against accidental loss, destruction or damage (Security, Integrity and Confidentiality).

 

The Centre is responsible for, and must be able to demonstrate compliance with, the data protection principles listed above (Accountability).

 

4. LAWFULNESS, FAIRNESS, TRANSPARENCY

 

 

4.1. LAWFULNESS AND FAIRNESS

 

You may only Process Personal Data fairly and lawfully and for specified purposes. These restrictions are not intended to prevent Processing, but ensure that we Process Personal Data for legitimate purposes without prejudicing the rights and freedoms of Data Subjects. In order to be justified, the Centre may only Process Personal Data if the Processing in question is based on one (or more) of the legal bases set out below. Section 4.3 below deals with justifying the Processing of Sensitive Personal Data.

 

The legal bases for Processing non-sensitive Personal Data are as follows:

 

  • the Data Subject has given his or her consent

 

  • the Processing is necessary for the performance of a contract with the Data Subject (e.g.

  • monitoring academic performance in order to provide the relevant qualification for which the student has enrolled)

 

  • to meet our legal compliance obligations

 

  • to protect the Data Subject’s vital interests (i.e. matters of life or death)

 

  • to pursue our legitimate interests for purposes where they are not overridden because the Processing prejudices the interests or fundamental rights and freedoms of Data Subjects. The specific legitimate interest or interests that the Centre is pursuing when Processing Personal Data will need to be set out in relevant Privacy Notices. This ground can only be relied upon for private, rather than public, functions e.g. marketing, fundraising.

 

You must identify the legal basis which is being relied on for each Processing activity, which will be included in the Privacy Notice provided to Data Subjects.

 

4.2 CONSENT

 

You should only obtain a Data Subject’s Consent if there is no other legal basis for the Processing. Consent requires genuine choice and genuine control.

 

A Data Subject consents to Processing of their Personal Data if he/she indicates agreement clearly either by a statement or positive action to the Processing. Silence, pre-ticked boxes or inactivity are therefore unlikely to be sufficient. If Consent is given in a document that deals with other matters, you must ensure that the Consent is separate and distinct from those other matters.

 

Data Subjects must be able to withdraw Consent to Processing easily at any time. Withdrawal of Consent must be promptly honoured. Consent may need to be renewed if you intend to Process Personal Data for a different and incompatible purpose which was not disclosed when the Data Subject first consented, or if the Consent is historic.

 

You will need to ensure that you have evidence of Consent and you should keep a record of all Consents obtained so that we can demonstrate compliance.

 

Consent is required for some electronic marketing and some research purposes.

 

4.3 Legal bases for Processing Sensitive Personal Data

 

Sensitive Personal Data is data revealing:

 

  • racial or ethnic origin;

  • political opinions;

  • religious or philosophical beliefs; or

  • trade union membership.

 

It also includes the Processing of:

 

  • genetic data;

  • biometric data for the purpose of uniquely identifying a natural person;

  • data concerning health;

  • data concerning a natural person’s sex life or sexual orientation; or

  • Personal Data relating to criminal convictions and offences including the alleged commission of offences or proceedings for offences or alleged offences.

 

The Processing of Sensitive Personal Data by the Centre must be based on one of the following (together with one of the legal bases for Processing non-sensitive Personal Data listed above):

 

  • the Data Subject has given explicit consent (requiring a clear statement, not merely an action);

  • the Processing is necessary for complying with employment law;

  • the Processing is necessary to protect the vital interests of the Data Subject or another person where the Data Subject is physically or legally incapable of giving consent;

  • the Processing relates to personal data which are manifestly made public by the data subject;

  • the Processing is necessary for the establishment, exercise or defence of legal claims;

  • the Processing is necessary for reasons of substantial public interest (provided it is proportionate to the particular aim pursued and takes into account the privacy rights of the Data Subject);

  • the Processing is necessary for the purposes of preventive or occupational medicine, etc. provided that it is subject to professional confidentiality;

  • the processing is necessary for reasons of public interest in the area of public health, provided it is subject to professional confidentiality;

  • the Processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes if it is subject to certain safeguards (i.e. Psuedonymisation or anonymisation where possible, the research etc. is not carried out for the purposes of making decisions about particular individuals (unless it is approved medical research) and it must not be likely to cause substantial damage/distress to an individual and is in the public interest).

 

 

 

Sensitive Personal Data Processed by the Centre will include the following:

 

details of relevant unspent convictions for the purposes of assessing eligibility to enrol on the Centre’s academic programmes;

 

  • details of relevant unspent convictions for the purposes of recruiting relevant staff;

  • checks conducted by the Disclosure and Barring Service for the purposes of assessing eligibility

  • of staff or students to engage in work with children and vulnerable adults, as permitted by legislation relating to the rehabilitation of offenders or for determining fitness to practise relevant professions;

  • unspent convictions or allegations of sexual misconduct for staff and student disciplinary purposes; health data for the purposes for assessing eligibility to undertake relevant professional programmes, assessing fitness to study or to engage in Centre activities or for assessing fitness to work/occupational health;

  • details of disability for the purposes of assessing and implementing reasonable adjustments to the center's policies, criteria or practices;

  • details of racial/ethnic origin, sexual orientation, religion/belief for the purposes of equality monitoring.

 

Processing Sensitive Personal Data represents a greater intrusion in individual privacy than when Processing non-sensitive Personal Data. You must therefore take special care when Processing Sensitive Personal Data and ensure that you comply with the data protection principles (as set out in section 3 above) and with this policy, in particular in ensuring the security of the Sensitive Personal Data.

 

4.4 TRANSPARENCY (NOTIFYING DATA SUBJECTS)

 

There is a greater emphasis on transparency of Processing under GDPR and the Centre is required to provide detailed, specific information to Data Subjects depending on whether the information was collected directly from Data Subjects or from elsewhere. That information must be provided through appropriate Privacy Notices which must be concise, transparent, intelligible, easily accessible, and in clear and plain language so that a Data Subject can easily understand what happens to their Personal Data.

 

Whenever we collect Personal Data directly from Data Subjects, for example for the recruitment and employment of staff and for the recruitment and enrolment of students, at the time of collection we must provide the Data Subject with all the prescribed information which includes:

 

  1. Centre’s details

  2. Contact details of DPO

  3. Purposes of processing

  4. Legal basis of processing

  5. Where the legal basis is legitimate interest, identify the particular interests (e.g. marketing, fundraising)

  6. Where the legal basis is consent, the right to withdraw

  7. Where statutory/contractual necessity, the consequences for the Data Subject of not providing the data of non-provision

 

When Personal Data is collected indirectly (for example, from a third party or publically available source), you must also provide information about the categories of Personal Data and any information on the source. The Data Subject must be provided with all the information required by the GDPR as soon as possible after collecting/receiving the data. You must also check that the Personal Data was collected by the third party in accordance with the GDPR and on a basis which contemplates our proposed Processing of that Personal Data.

 

5. PURPOSE LIMITATION

 

Personal Data must be collected only for specified, explicit and legitimate purposes. It must not be further Processed in any manner incompatible with those purposes.

 

You cannot therefore use Personal Data for entirely new, different or incompatible purposes from those disclosed when it was first obtained unless you have informed the Data Subject of the new purposes. Where the further processing is not based on the Data Subject’s consent or on a lawful exemption from data protection law requirements, you should assess whether a purpose is incompatible by taking into account factors such as:

 

  • the link between the original purpose/s for which the Personal Data was collected and the intended further Processing;

  • the context in which the Personal Data has been collected – in particular the Maple Leaf Counselling & Training Centre-Data Subject relationship. You should ask yourself if the Data Subject would reasonably anticipate the further Processing of his/her Personal Data;

  • the nature of the Personal Data in particular whether it involves special categories of Personal Data (i.e. sensitive) or Personal Data relating to criminal offences/convictions;

  • the consequences of the intended further Processing for the Data Subjects;

  • the existence of any appropriate safeguards e.g. encryption or Pseudonymisation.

 

Provided that prescribed safeguards are implemented, further Processing for scientific or historical research purposes or for statistical purposes will not be regarded as incompatible. Safeguards include ensuring data minimisation (e.g. Psuedonymisation or anonymisation where possible), the research will not be carried out for the purposes of making decisions about particular individuals with and it must not be likely to cause substantial damage/distress to an individual.

 

6. DATA MINIMISATION

 

Personal Data must be adequate, relevant and limited to what is necessary in relation to the purposes for which it is Processed. You should not therefore amass large volumes of Personal Data that are not relevant for the purposes for which they are intended to be Processed. Conversely, Personal Data must be adequate to ensure that we can fulfil the purposes for which it was intended to be Processed.

 

You may only Process Personal Data when performing your job duties requires it and you should not Process Personal Data for any reason unrelated to your job duties.

 

You must ensure that when Personal Data is no longer needed for specified purposes, it is deleted or anonymised in accordance with the Centre’s data retention guidelines.

 

7. ACCURACY

 

Personal Data must be accurate and, where necessary, kept up to date.

 

You should ensure that Personal Data is recorded in the correct files.

 

Incomplete records can lead to inaccurate conclusions being drawn and in particular, where there is such a risk, you should ensure that relevant records are completed.

 

You must check the accuracy of any Personal Data at the point of collection and at regular intervals thereafter. You must take all reasonable steps to destroy or amend inaccurate records without delay and you should up-date out-of-date Personal Data where necessary (e.g. where it is not simply a pure historical record).

 

Where a Data Subject has required his/her Personal Data to be rectified or erased, you should inform recipients of that Personal Data that it has been erased/rectified, unless it is impossible or significantly onerous to do so.

 

8. STORAGE LIMITATION

 

You must not keep Personal Data in a form which allows Data Subjects to be identified for longer than needed for the legitimate educational/research or Centre business purposes or other purposes for which the Centre collected it. Those purposes include satisfying any legal, accounting or reporting requirements. Records of Personal Data can be kept for longer than necessary if anonynmised.

 

You will take all reasonable steps to destroy or erase from the Centre’s systems all Personal Data that we no longer require in accordance with all relevant Centre records retention schedules and policies. The Centre has a document retention policy which can be requested from central office.

 

You will ensure that Data Subjects are informed of the period for which their Personal Data is stored or how that period is determined in any relevant Privacy Notice.

 

9. SECURITY INTEGRITY AND CONFIDENTIALITY

 

9.1. PROTECTING PERSONAL DATA

 

The Centre is required to implement and maintain appropriate safeguards to protect Personal Data, taking into account in particular the risks to Data Subjects presented by unauthorised or unlawful Processing or accidental loss, destruction of, or damage to their Personal Data. Safeguarding will include the use of encryption and Pseudonymisation where appropriate. It also includes protecting the confidentiality (i.e. that only those who need to know and are authorised to use Personal Data have access to it), integrity and availability of the Personal Data. We will regularly evaluate and test the effectiveness of those safeguards to ensure security of our Processing of Personal Data.

 

You are also responsible for protecting the Personal Data that you Process in the course of your duties. You must therefore handle Personal Data in a way that guards against accidental loss or disclosure or other unintended or unlawful Processing and in a way that maintains its confidentiality. You must exercise particular care in protecting Sensitive Personal Data from loss and unauthorised access, use or disclosure.

 

You must comply with all procedures and technologies we put in place to maintain the security of all Personal Data from the point of collection to the point of destruction. You may only transfer Personal Data to third-party service providers who agree to comply with the required policies and procedures and who agree to put adequate measures in place, as requested in accordance with our standard contract for Data Processors. Any personal data transfers to third party systems will need to be approved by the DPO.

 

You must comply with and not attempt to circumvent the administrative, physical and technical safeguards we implement and maintain in accordance with the Data Protection Law standards to protect Personal Data.

 

9.2 REPORTING A PERSONAL DATA BREACH

 

The GDPR requires that we report to the Information Commissioner’s Office (ICO) any Personal Data Breach. Where the Personal Data Breach results in a high risk to the Data Subject, he/she also has to be notified unless subsequent steps have been taken to ensure that the risk is unlikely to materialise, security measures were applied to render the Personal Data unintelligible (e.g. encryption) or it would amount to disproportionate effort to inform the Data Subject directly. In the latter circumstances, a public communication must be made or an equally effective alternative measure must be adopted to inform Data Subjects, so that they themselves can take any remedial action.

 

We have put in place procedures to deal with any suspected Personal Data Breach and will notify Data Subjects or any applicable regulator where we are legally required to do so.

If you know or suspect that a Personal Data Breach has occurred, you should immediately contact Trevor Roberts at central office.

 

You must retain all evidence relating to Personal Data Breaches in particular to enable the Centre to maintain a record of such breaches, as required by the GDPR.

 

 

 

10. TRANSFER LIMITATION

 

The GDPR restricts data transfers to countries outside the EU in order to ensure that the level of data protection afforded to individuals by the GDPR is not undermined. You transfer Personal Data originating in one country across borders when you transmit or send that data to a different country or view/access it in a different country.

 

You may only transfer Personal Data outside the EU if one of the following conditions applies:

 

  • the European Commission has issued a decision confirming that the country to which we transfer the Personal Data ensures an adequate level of protection for the Data Subjects’ rights and freedoms. The countries currently approved can be found here:

 

https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/adequacy-protection-personal-data-non-eu-countries_en

 

  • appropriate safeguards are in place such as binding corporate rules, standard contractual clauses approved by the European Commission, an approved code of conduct or a certification mechanism, a copy of which can be obtained from the DPO;

  • the Data Subject has provided Explicit Consent to the proposed transfer after being informed of any potential risks; or

  • the transfer is necessary for one of the other reasons set out in the GDPR including:

  • the performance of a contract between us and the Data Subject (e.g. students’ mandatory year abroad in an overseas institution/placement),

  • reasons of public interest,

  • to establish, exercise or defend legal claims or

  • to protect the vital interests of the Data Subject where the Data Subject is physically or legally incapable of giving Consent.

 

11. DATA SUBJECTS’ RIGHTS

 

Data Subjects have rights in relation to the way we handle their Personal Data. These include the following rights:

 

  • where the legal basis of our Processing is Consent, to withdraw that Consent at any time;

  • to ask for access to their Personal Data that we hold (see below);

  • to prevent our use of their Personal Data for direct marketing purposes;

  • to ask us to erase Personal Data without delay:

  • if it is no longer necessary in relation to the purposes for which it was collected or otherwise Processed;

  • if the only legal basis of Processing is Consent and that Consent has been withdrawn and there is no other legal basis on which we can Process that Personal Data;

  • if the Data Subject objects to our Processing where the legal basis is the pursuit of a legitimate interest or the public interest and we can show no overriding legitimate grounds or interest;

  • if the Data Subject has objected to our Processing for direct marketing purposes;

  • if the Processing is unlawful.

 

With the exception of erasing Personal Data processed for direct marketing purposes, there are exemptions from the right of erasure, for example for research purposes provided that certain safeguards are complied with

 

  • to ask us to rectify inaccurate data or to complete incomplete data;

  • to restrict Processing in specific circumstances e.g. where there is a complaint about accuracy etc.;

  • to ask us for a copy of the safeguards under which Personal Data is transferred outside of the EU;

  • the right not to be subject to decisions based solely on Automated Processing [ADM], including Profiling, except where necessary for entering into, or performing, a contract, with the Maple Leaf Counselling & Training Centre; it is based on the Data Subject’s Explicit Consent and is subject to safeguards; or is authorised by law and is also subject to safeguards;

  • to prevent Processing that is likely to cause damage or distress to the Data Subject or anyone else;

  • to be notified of a Personal Data Breach which is likely to result in high risk to their rights and freedoms;

  • to make a complaint to the ICO; and

  • in limited circumstances, receive or ask for their Personal Data to be transferred to a third party (e.g. another Centre to which a student is transferring) in a structured, commonly used and machine readable format.

 

You must verify the identity of an individual requesting data under any of the rights listed

Requests (including for Data Subject access) must be complied with usually within one month of receipt. You must immediately forward any Data Subject request you receive to the DPO.

 

12. DATA SUBJECT ACCESS REQUESTS

 

Data Subjects have the right to receive copy of their Personal Data which is held by the Maple Leaf Counselling & Training Centre. In addition, he/she is entitled to receive further information about the Centre’s processing of their Personal Data as follows:

  1. the purposes

  2. the categories of Personal Data being processed

  3. recipients/categories of recipient

  4. retention periods

  5. information about their rights

  6. the right to complain to the ICO,

  7. details of the relevant safeguards where Personal Data is transferred outside the EEA

  8. any third-party source of the Personal Data

 

You should not allow above third parties to persuade you into disclosing Personal Data without proper authorisation. For example students’ parents do not have an automatic right to gain access to their son’s or daughter’s data.

 

13. ACCOUNTABILITY

 

13.1. The Centremust implement appropriate technical and organisational measures in an effective manner to ensure compliance with data protection principles. The Centre is

responsible for, and must be able to demonstrate compliance with, the data protection principles.

 

We must therefore apply adequate resources and controls to ensure and to document GDPR compliance including:

  • appointing a suitably qualified DPO;

  • implementing Privacy by Design when Processing Personal Data and completing Data Privacy Impact Assessment where Processing presents a high risk the privacy of Data Subjects;

  • integrating data protection into our policies, procedures, in the way Personal Data is handled by us and by producing required documentation such as Privacy Notices, Records of Processing, records of Personal Data Breaches;

  • training staff on compliance with Data Protection Law and keeping a record accordingly; and

  • regularly testing the privacy measures implemented and conducting periodic reviews and audits to assess compliance, including using results of testing to demonstrate compliance improvement effort.

 

13.2. RECORD KEEPING

 

The GDPR requires us to keep full and accurate records of all our data Processing activities.

You must keep and maintain accurate corporate records reflecting our Processing, including records of Data Subjects’ Consents and procedures for obtaining Consents.

 

These records should include, at a minimum, the name and contact details of the Centreas Data Controller and the DPO, clear descriptions of the Personal Data types, Data Subject types, Processing activities, Processing purposes, third-party recipients of the Personal Data, Personal Data storage locations, Personal Data transfers, the Personal Data’s retention period and a description of the security measures in place.

 

Records of Personal Data Breaches must also be kept, setting out:

 

  • the facts surrounding the breach

  • its effects; and

  • the remedial action taken

 

 

 

 

13.3. TRAINING AND AUDIT

 

We are required to ensure that all Centre staff undergo adequate training to enable them to comply with Data Protection Law. We must also regularly test our systems and processes to assess compliance.

 

You must undergo all mandatory data privacy related training.

 

You must regularly review all the systems and processes under your control to ensure they comply with this policy.

 

14. PRIVACY BY DESIGN AND DEFAULT AND DATA PROTECTION IMPACT ASSESSMENTS (DPIAs)

 

We are required to implement Privacy-by-Design measures when Processing Personal Data, by implementing appropriate technical and organisational measures (like Pseudonymisation) in an effective manner, to ensure compliance with data protection principles. The Centre must ensure therefore that by default only Personal Data which is necessary for each specific purpose is processed. The obligation applies to the amount of Personal Data collected, the extent of the Processing, the period of storage and the accessibility of the Personal Data. In particular, by default, Personal Data should not be available to an indefinite number of persons. You should ensure that you adhere to those measures.

 

The Centre must also conduct DPIAs in respect of high-risk Processing before that Processing is undertaken.

 

You should conduct a DPIA (and discuss your findings with the DPO) in the following circumstances:

  • the use of new technologies (programs, systems or processes), or changing technologies (programs, systems or processes);

  • automated Processing including profiling and ADM;

  • large scale Processing of Sensitive Data; and

  • large scale, systematic monitoring of a publicly accessible area.

 

A DPIA must include:

 

  • a description of the Processing, its purposes and the Data Controller’s legitimate interests if appropriate;

  • an assessment of the necessity and proportionality of the Processing in relation to its purpose;

  • an assessment of the risk to individuals; and

  • the risk-mitigation measures in place and demonstration of compliance.

 

14.1. DIRECT MARKETING

 

We are subject to certain rules and privacy laws when marketing to our applicants, students, alumni and any other potential user of our services.

For example, a Data Subject’s prior consent is required for electronic direct marketing (for example, by email, text or automated calls). The limited exception for existing customers (e.g. current students) known as “soft opt in” allows organisations to send marketing texts or emails if they have obtained contact details in the course of a sale to that person, they are marketing similar services (e.g. a post-graduate course or a professional qualification), and they gave the person an opportunity to opt out of marketing when first collecting the details and in every subsequent message.

 

The right to object to direct marketing must be explicitly offered to the Data Subject in an intelligible manner so that it is clearly distinguishable from other information.

 

A Data Subject’s objection to direct marketing must be promptly honoured. If a Data Subject opts out at any time, their details should be suppressed as soon as possible. Suppression involves retaining just enough information to ensure that marketing preferences are respected in the future.

 

15. SHARING PERSONAL DATA

 

In the absence of Consent, a legal obligation or other legal basis of processing, Personal Data should not generally be disclosed to third parties unrelated to the Centre(e.g. students’ parents, members of the public, private landlords).

 

Some bodies have a statutory power to obtain information (e.g. regulatory bodies such as the Health & Care Professions Council, the Nursing and Midwifery Council, government agencies such as the Child Support Agency). You should refer such requests to the DPO.

 

Further, without a warrant, the police have no automatic right of access to records of Personal Data, though voluntary disclosure may be permitted for the purposes of preventing/detecting crime or for apprehending offenders. You should refer such requests to the DPO.

 

Some additional sharing of Personal Data for research purposes may also be permissible, subject to certain safeguards.

 

16. CONTACTING THE DPO

 

You should contact the DPO if you have any questions about the operation of this policy or the application of Data Protection Law or if you have any concerns that this policy is not being followed.

 

In particular, you should contact the DPO if:

 

  • you are unsure of the lawful basis on which you are relying to process Personal Data (including the legitimate interests) used by the Centre and any additional Processing that may be for a purpose not originally envisaged and which may not be compatible with the agreed purpose;

  • you need to rely on Consent and/or need to obtain Explicit Consent;

  • you need to draft Privacy Notices;

  • you are unsure about the retention period for the Personal Data being Processed;

  • you are unsure about what security or other measures you need to implement to protect Personal Data;

  • there has been a Personal Data Breach;

  • you are unsure on what basis to transfer Personal Data outside the EU;

  • you need any help dealing with any rights invoked by a Data Subject;

  • whenever you are engaging in a significant new, or change in, Processing activity which is likely to require a DPIA or plan to use Personal Data for purposes other than for which it was collected:

  • If you need help complying with applicable law when carrying out direct marketing activities

 

 

 

Glossary of Terms

 

Profiling: any form of automated processing of Personal Data consisting of the use of Personal Data to evaluate certain personal aspects relating to an individual, in particular to analyse or predict aspects concerning that individual’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements. Profiling is an example of Automated Processing.

 

Consent: agreement which must be freely given, specific, informed and be an unambiguous indication of the Data Subject’s wishes by which they, by a statement or by a clear positive action, signifies agreement to the Processing of Personal Data relating to them.

 

Data Controller: the person or organisation that determines when, why and how to process Personal Data. It is responsible for establishing practices and policies in accordance with the GDPR. The Centre is the Data Controller of all Personal Data relating to it and used delivering education and training, conducting research and all other purposes connected with it including business purposes.

 

Data Subject: a living, identified or identifiable individual about whom we hold Personal Data.

 

Data Privacy Impact Assessment (DPIA): tools and assessments used to identify and reduce risks of a data processing activity. DPIA can be carried out as part of Privacy by Design and should be conducted for all major system or business change programs involving the Processing of Personal Data.

 

Data Protection Officer (DPO): the person appointed as such under the GDPR and in accordance with its requirements. A DPO is responsible for advising the Centre(including its employees) on their obligations under Data Protection Law, for monitor compliance with data protection law, as well as with the Centre’s polices, providing advice, cooperating with the ICO and acting as a point of contact with the ICO.

 

Personal Data: any information identifying a Data Subject or information relating to a Data Subject that we can identify (directly or indirectly) from that data alone or in combination with other identifiers we possess or can reasonably access. Personal Data includes Sensitive Personal Data and Pseudonymised Personal Data but excludes anonymous data or data that has had the identity of an individual permanently removed. Personal data can be factual (for example, a name, email address, location or date of birth) or an opinion about that person’s actions or behaviour.

 

Personal Data Breach: any breach of security resulting in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or unauthorised access to, personal data, where that breach results in a risk to the Data Subject. It can be an act or omission.

 

Privacy by Design and Default: implementing appropriate technical and organisational measures in an effective manner to ensure compliance with the GDPR.

 

Privacy Notices: separate notices setting out information that may be provided to Data Subjects when the Centre collects information about them. These notices may take the form of general privacy statements applicable to a specific group of individuals (for example, employee, student and donor privacy notices or the website privacy policy) or they may be stand-alone, one-time privacy statements covering Processing related to a specific purpose.

 

Processing or Process: any activity that involves the use of Personal Data. It includes obtaining, recording or holding the data, or carrying out any operation or set of operations on the data including organising, amending, retrieving, using, disclosing, erasing or destroying it. Processing also includes transmitting or transferring Personal Data to third parties. In brief, it is anything that can be done to Personal Data from its creation to its destruction, including both creation and destruction.

 

Pseudonymisation or Pseudonymised: replacing information that directly or indirectly identifies an individual with one or more artificial identifiers or pseudonyms so that the person, to whom the data relates, cannot be identified without the use of additional information which is meant to be kept separately and secure.

 

Date last revised: 03/06/24

bottom of page