UK Academy of Therapeutic Arts and Sciences
#7, 23-24 Great James St, London, WC1N 3ES
0207 831 8801
The UK Academy of Therapeutic Arts and Sciences Ltd is a limited company, registered in England and Wales/Scotland/Northern Ireland. Company Number 04706144.
The Data Controller and Processor is Fiona Biddle.
The other Key Decision Maker is Shaun Brookhouse.
The lawful basis for processing data
The basis on which we keep data is that of “Legitimate Interests”. This means that the data is necessary for us to fulfil the objectives of the UK Academy and that it is data that would reasonably be expected for us to hold and use.
The data we hold includes:
- Student information
  - As provided on the forms required for entry to courses. NB data from the diversity form is added to a spreadsheet for the year and no identifiable data is added. If the form has been sent as a hardcopy it is then shredded, and if electronically the email is permanently deleted. NB this is particularly important as some elements (eg ethnicity), which we need in order to gather statistics for UKCP, are considered “special category data” and as such should not be held in an identifiable way.
  - Work submitted
  - Information submitted in order to achieve qualifications
  - Reports from tutors/supervisors
  - Financial information
  - Emails that are sent between us
  - Details of any complaints/concerns
- Email lists
  - Email address
  - A record of which emails have been opened etc
- Enquirers' information
  - Emails that are sent between us
Data is shared in the following situations:
- With our regulator (CNHC) who may ask questions such as whether you are in good standing.
- Our accountant will see bank, credit card and Paypal records which will contain any information that you submit when making payment. If you would like us to redact your identifiable data before sending to the accountants then please let us know.
- With venues who may need an attendee list for their own regulations
- Within the organisation, eg with tutors and assessors.
The data is primarily used to enable us to provide the service(s) that you have engaged us to provide. It may also be used for scientific research purposes and statistical purposes.
Details of where data is held:
- Any emails are held either on our computer’s hard drive or, if archived, in Dropbox, which is secure cloud-based storage which is itself GDPR compliant.
- Student information is also held in Dropbox.
- Credit card information is shredded as soon as processed.
- Standing order mandates are shredded and/or deleted as soon as payments start to come through.
- If you use Paypal, standing orders or online banking then clearly these systems will hold your data. We will download from these systems for accounting purposes and the resulting spreadsheets are held in Dropbox. When sent to our accountants, they will be password protected.
- Email addresses are held within our email processing software, Icontact, which is itself GDPR compliant.
Student data is kept for 40 years. The length of time is based on the likely length of career during which time you may need us to confirm your training. Enquirer information is kept for three years. After this time any paper records are shredded and computer records permanently deleted.
The UK Academy takes the security of data seriously and as such:
- All data is held securely (see details of where data is held above)
- Any sensitive data transmitted is sent encrypted where possible
- For accounting purposes Excel spreadsheets are used
However, we are not in control of data (including emails) which you send us.
If there is any breach of data security, the UK Academy will give full details to the Information Commissioner's Office and any person affected within 72 hours of the breach and do everything possible to minimise any potential impact.
You have rights with regards to the data held:
- The right of access. We will provide you with all data we hold on you as soon as we can following a request (and definitely within 30 days, unless this is impossible due to holidays or illness).
- The right to rectification. If any data we hold is incorrect, just let us know and we will correct it as soon as we can following a request (and definitely within 30 days, unless this is impossible due to holidays or illness).
- The right to erasure. If you wish us to erase your data just let us know and we will delete any computer records and shred any paper records as soon as we can following a request (and definitely within 30 days, unless this is impossible due to holidays or illness). Data may be retained for scientific research, historical research or statistical purposes where erasure is likely to render impossible or seriously impair the achievement of that processing but this would never include data such as address/email/phone. NB if you are a student/graduate then erasure of your data will mean that we will not, in any circumstance, be able to confirm your status/qualification. Please carefully consider the implications of this before requesting erasure. You may choose partial erasure, eg to delete contact information only.
- The right to restrict processing. This would usually be a stop-gap measure before correction of any errors or before erasure.
- The right to data portability. This might apply if you want your notes sent to another school for example, but it is likely that the easiest solution would come under the right to access, ie we would send the data to you.
- The right to object to:
  - processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling). The UK Academy does not engage in these things.
  - direct marketing. You can opt-out at any time.
  - processing for purposes of scientific/historical research and statistics. For this, you must provide grounds for your objection.
  - automated decision making and profiling. The UK Academy does not engage in automated decision making or profiling.