Data Protection Policy May 2018
The Mindfulness Association (MA) CIC (including its directors, employees, advisors and self-employed contractors) will, to the best of its ability, adhere to the data protection principles of the Data Protection Act (DPA), which comes into force on 25 May 2018. These principles are:
- Personal data shall be processed fairly and lawfully.
- Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
- Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
- Personal data shall be accurate and, where necessary, kept up to date.
- Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
- Personal data shall be processed in accordance with the rights of data subjects under this Act.
- Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
- Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
Use of personal data
The records we use that contain personal data are hosted by the following DPA compliant software providers:
- Customer Relationship Manager (CRM) software provider ‘Infusionsoft’;
- document storage provider ‘DropBox’;
- merchant account provider ‘Paypal’;
- bank account provider ‘Triodos’.
These records are used solely for the purposes of administering course attendance and supporting continued engagement by individuals with the work of the MA. The personal data typically includes name, address, email address, payment card details (not accessible to MA employees), emails sent to individuals via the CRM, courses attended and other engagement with the work of the MA (e.g. being a member, being on the email list, etc.).
Individual emails to and from the @mindfulnessassociation.net email addresses are hosted by our DPA compliant email provider GoDaddy, for the purposes of administering attendance on MA courses and supporting continued engagement with the work of the MA, and will be reviewed and if no longer needed for these purposes will be deleted after a period of 1 year.
Personal data will be shared only with MA employees and self-employed MA tutors (also subject to the DPA) delivering the courses participated in and only to the extent necessary for administering the attendance of individuals on MA courses and supporting engagement with the work of the MA.
Personal data will not be shared with third parties.
Collection of data
When an individual’s data is initially collected, e.g. via an online booking or by being entered manually into Infusionsoft, the individual will be made aware of the use that will be made of their information, through the ‘Privacy Notice’ below, and will be made aware of this data protection policy.
The data you provide to Mindfulness Association CIC (MA) will be stored securely and will be used for the purposes of administering your attendance on MA courses and supporting your continued engagement with the work of the MA in accordance with our data protection policy, which can be downloaded from the MA’s website and is in accordance with the UK Data Protection Act. To support your engagement with us we will contact you from time to time via email with guidance to support your ongoing mindfulness practice, including details of upcoming courses, which may be of interest to you. You can opt out of receiving emails from the MA, at any time, by clicking the ‘Unsubscribe’ link at the bottom of our emails or by contacting firstname.lastname@example.org.
Deletion of data
At any time you can request that your records on Infusionsoft be deleted by contacting email@example.com.
Records on Infusionsoft will be deleted where an individual has opted out of email communication and has not attended any prerequisite courses with the MA.
Paper or electronic copies of documents held by the MA and which contain personal information will be destroyed or deleted when a course ends.
Emails to and from MA course participants or other individuals making enquiries to the MA will be reviewed after a period of 1 year and, if no longer necessary for those purposes, will be deleted.
Paper records will be destroyed by shredding or burning.
Right to a copy of information held
On request an individual will be provided with a copy of the information comprising their personal data and held by the MA CIC, within 40 days of the request. All such requests should be sent via email to firstname.lastname@example.org.
Personal data is hosted by the following data processors, who are compliant with the new Data Protection Act:
- merchant account provider Paypal and bank account provider Triodos (accessible by Heather Regan-Addis and Helen Mathieson);
- CRM provider Infusionsoft, email provider GoDaddy and document storage provider DropBox (accessible by MA employees and authorised IT support contractors).
The data security arrangements of these providers have been reviewed to ensure that they meet the requirements of the Data Protection Act.
The MA CIC Directors and authorised IT support contractors will review information security on an annual basis and review this with all MA CIC employees on or around 25 May each year. No personal data will be passed to an individual who is not the individual concerned. Personal data passed on to the individual concerned will be sent to their Infusionsoft registered email address only. On receiving or making a phone call, MA employees will establish the identity of the caller before disclosing or amending any of their personal data, by asking for their postcode and details of the most recent course they attended.
All MA CIC employees and authorised IT support contractors work from home and will ensure that all computers used for processing personal data are password protected, that the password is changed every three months and that home computers are securely stored when not in use. Computers will be screen locked or logged out of when employees are away from their desks. Desks will be cleared at the end of each day and any personal information or other sensitive information securely stored in a locked cabinet. Computer screens should be positioned facing away from windows.
The passwords to the membership site are stored on Infusionsoft and are not encrypted, and so can be seen by those authorised to access Infusionsoft, for example, for the purpose of informing those who have forgotten their password what it is. Passwords will only be disclosed to the email address of the account holder, or after the account holder has verified their identity over the phone (by giving their postcode and details of the last course attended). When changing their passwords, individuals should be aware that their password is not encrypted and are advised to select a password that they do not use for any other purpose. Care will be taken to prevent virus attacks by ensuring computers have virus protection software and undergo regular software updates. Care should also be taken when opening email attachments and when visiting new websites.
Contacting Our Mailing Lists
We will continue to send you the monthly upcoming courses email and other emails promoting courses you may be interested in, as a way of supporting your continued engagement with the MA. Our aim is to make these emails engaging and supportive for your ongoing mindfulness practice. If you are a member, the weekly membership emails will continue as they are now. These emails contain an unsubscribe button at the bottom that changes your email status on Infusionsoft so that you will no longer receive emails from us.