Mind-Retreat is committed to complying with data protection law and to respecting the privacy rights of individuals.

Who is responsible for data protection?

I am responsible for data protection, and I have a role to play to make sure that I am compliant with data protection laws.

Why does Mind-Retreat have a Data Protection Policy?

I recognise that processing of individuals’ personal data in a careful and respectful manner cultivates trusting relationships with those individuals and trust in my service.  I believe that such relationships will enable my organisation to work more effectively with and to provide a better service to those individuals.

Data protection laws

The Data Protection Act 1998 (“DPA”) applies to any personal data that I process, and from 25th May 2018 this will be updated with the General Data Protection Regulation (“GDPR”) and the Data Protection Act 2018 (“DPA 2018”) (together “Data Protection Laws”(DPL)) and then after Brexit the UK will adopt laws equivalent to these DPL’s.

The DPL’s all require that the personal data is processed in accordance with the Data Protection Principles and gives individuals rights to access, correct and control how I use their personal data.

Personal data

Data will relate to an individual and therefore be their personal data if it:

  • Identifies the individual. For instance, names, addresses, telephone numbers and email addresses.
  • It’s content is about the individual personally. For instance, medical records, a recording of their actions, or contact details.

Examples of information likely to constitute personal data:

  • Unique names.
  • Names together with email addresses or other contact details.
  • Video and/or photographic images.
  • Information about individuals obtained as a result of Safeguarding checks.
  • Medical and disability information.

I will only process personal data for certain purposes.

  • I will process personal data in accordance with the 6 principles of ‘good information handling’ (including keeping personal data secure and processing it fairly and in a transparent manner.)
  • I will respect the rights of those individuals about whom I process personal data (including providing them with access to the personal data we hold on them.)
  • I will keep adequate records of how data is processed and, where necessary, notify the ICO and possibly data subjects where there has been a data breach.

Data protection principles

The DPL’s set out 6 principles for maintaining and protecting personal data, which form the basis of the legislation.  All personal data must be:

  1. Processed lawfully, fairly and in a transparent manner and only if certain specified conditions are met.
  2. Collected for specific, explicit and legitimate purposes, and not processed in any way incompatible with those purposes (“purpose limitation”.)
  3. Adequate and relevant, and limited to what is necessary to the purposes for which it is processed (“data minimisation”.)
  4. Accurate and where necessary kept up to date.
  5. Kept for no longer than is necessary for the purpose (“storage limitation”.)
  6. Processed in a manner that ensures appropriate security of the personal data using appropriate technical and organisational measures (“integrity and security”.)

Data subject rights

Under DPL’s individuals have certain rights (“Rights”) in relation to their own personal data.  In summary these are:

  • The rights to access their personal data, usually referred to as a subject access request.
  • The right to have their personal data rectified.
  • The right to have their personal data erased, usually referred to as the right to be forgotten.
  • The right to restrict processing of their personal data.
  • The right to object to receiving direct marketing materials.
  • The right to portability of their personal data.
  • The right to object to processing of their personal data.
  • The right to not be subject to a decision made solely by automated data processing.

My main obligations

What this all means for you can be summarised as follows:

  • I will treat all personal data with respect.
  • I will treat all personal data how you would want your own personal data to be treated.
  • I will immediately notify the PD if any individual says or does anything which gives the appearance of them wanting to invoke any rights in relation to personal data relating to them.
  • I will take care with all personal data and items containing personal data you handle or come across so that it stays secure and is only available to or accessed by authorised individuals.
  • I will immediately notify the PD if you become aware of or suspect the loss of any personal data or any item containing personal data.