GDPR Policy
The Consultation Process
WHAT PERSONAL DATA DO WE HOLD AND WHERE?
| Type of personal data held | Where held (e.g. office, software, paper) | What we use the data for | Where we got the data from | Do we have consent? | Who we share it with (if anyone) |
|---|---|---|---|---|---|
| Institute of Trichologists members: contact details (address, phone number, email); clinic information (clinic name, address, contact information, clinic website); membership (AIT/MIT/FIT); CPD records and certificates; Certificate of Insurance; agreement declarations to the Code of Ethics and Articles of Association; membership forms; student membership forms | Electronically – stored securely in a private and confidential Dropbox | Held in order to maintain the database of memberships, to update the register that is accessible to the general public, and for permission to hold mailing lists for CPD etc. | Members fill in forms annually when membership payments are due, which includes collection of all the relevant data | Yes | Chairman, Vice Chairman, Registrar, Education Director. Clinic information is shared on the IOT website with members of the public via our Member Register. Members can choose to opt out of having their clinic information accessible to the public |
| Student data: contact details (address, phone number, email); emergency contact details, i.e. next of kin; previous qualifications; entry test results; personal references; clinical training records / assessment feedback; examination results; grading and certification | Office and software | Data is used to enable the IOT to contact learners using the correct details; to ensure students are using the correct identification and are who they say they are; to ensure learners are placed on the correct level / programme of study; to ensure learners meet the appropriate entry levels for the course; to record and monitor student progress on the course; to ensure learners are certificated using their correct name and spelling | Information is gathered from the candidate themselves, along with two referees provided by the student | Yes | Information held on students is shared only within the educational team as and when necessary. The educational team consists of six staff with whom this information may be shared |
| Patient data: name; contact details (address, phone number, email); patient history, e.g. clinical treatments and blood test results | Patient details for consultants / students are held in paper form. Patients who attend the IOT’s Wednesday and Saturday clinics have details stored in paper form and electronically on the PPS booking system | All patient information is taken for clinical appointments | All information is provided directly by the patient themselves | Yes | Information is shared with the student and teacher who will perform a clinical consultation/treatment with the patient |
| Employee data: contact details (address, phone number, email); emergency contacts / next of kin; medical information; CVs; job applications; training records; disciplinary records; appraisals / performance reviews | Paper form at the office and electronically | This is held for employment records | All information relating to employment is obtained from the candidate themselves | Yes | Chairman, Education Director, Education Manager, Board of Directors if necessary, Trustees if necessary, administration if necessary |
| Financial data: suppliers; invoices; bank account details; credit/debit card details; payment history | Paper copies of invoices; all other information held electronically | This is held for accounting. IOT bank account details are held in line with online banking, and patients/members/students are given the IOT bank account details so that they can pay by direct bank transfer. Bank account details of patients, staff, members or students are not stored and are disposed of immediately after use | IOT | Yes | Chairman, Vice Chairman, Education Director, Accountants, Administration if necessary |
| Marketing data: mailing lists (email, text, post); social media marketing | Electronically | Held in order to email members/students with details of CPD events, AGMs etc., or newsletters regarding IOT developments | Members/students themselves, from membership forms | Yes | Administration, Chairman |
General Data Protection Regulations
This privacy notice explains how The Institute of Trichologists (IOT) looks after personal information given to us by members, students, staff or patients, and the choices you can make about marketing communications you agree we may send you. This notice explains how we do this and tells you about your privacy rights and how the law protects you.
TOPICS:
● What information we collect about you
● How information about you will be used
● Marketing
● Employment
● How long your information will be kept for
● Where your information is kept
● Access to your information and correction
● Cookies
● Other websites
● Changes to our privacy notice
● How to contact us
WHAT INFORMATION DO WE COLLECT ABOUT THE IOT’S STUDENTS, PATIENTS, EMPLOYEES OR MEMBERS?
We collect information about you when you study with us, book an appointment with us for a consultation or treatment, buy a product, apply for a job, or become a member of the IOT, whether contact is online, on paper, by email or over the phone.
The information you give us may include your name, address, email address, phone number, relevant history which may suggest that a service or treatment should not go ahead or that certain products should not be used (e.g. allergies, pregnancy, skin conditions), payment and transaction information, IP address and CVs.
For patients under the age of 16, we will only keep and use their personal information with the consent of a parent, carer or guardian.
HOW INFORMATION ABOUT YOU WILL BE USED
In law, we are allowed to use personal information, including sharing it outside of the clinic, only if we have a proper reason to do so, for example:
● To fulfil a contract with you surrounding your education
● To fulfil a contract with you, i.e. to provide the service or treatment you have requested and to communicate with you about your appointments
● When it is in our legitimate interest, i.e. there is a business or commercial reason to do so, unless this is outweighed by your rights or interests
● When you consent to it: we will always ask for your consent to hold and use health and medical information.
We may therefore share your information with:
● Tutors / Assessors / staff within the educational team
● Admissions and Communications Manager
● Website company for updating information on the website
● Administration / Registration team
Students who are studying with the IOT may experience a number of different tutors and assessors during their time of study. Student information may at times be shared with other tutors and assessors within the IOT’s educational team of staff; this is for educational and developmental purposes only.
We have rigorous data protection and security policies in place.
When student patients book into the IOT clinic, this is done through the Education Manager and the Registrar and Communications Manager. If patients are booking into the Wednesday or Saturday IOT clinics, they do so via the online booking system (PPS) or by telephone to the clinic manager.
Student information is stored either electronically or in filing cabinets in the office and can only be accessed by authorised members of the IOT’s educational team.
Information held on our IOT members is held electronically and can only be accessed by administration.
We will not share your information with any other third party without your consent except to help prevent fraud, or if required to do so by law.
MARKETING – PATIENTS / STUDENTS / EMPLOYMENT / IOT MEMBERS
We would like to send our students, patients, employees and board members information which may be of interest to them. We will ask for your consent before sending you marketing information.
If you have consented to receiving marketing, you may opt out at a later date.
You have the right at any time to stop us from contacting you for marketing purposes or giving your information to third-party suppliers of products or services. If you no longer wish to be contacted for marketing purposes, please contact Lucy Johns BSc MSc (Registrar and Communications Manager) at admin@trichologists.org.uk.
The information we collect about employees, the purposes it is used for and who it will be shared with is set out in our employment contracts and employee handbook.
HOW LONG YOUR INFORMATION WILL BE KEPT FOR
Patients – Unless you request otherwise, we will keep your information for seven years from the last communication we have with you. This is in accordance with the IOT’s Code of Professional Practice and Ethics.
After 7 years we will delete all your personal information, including your name, relevant patient history and financial transactions.
Students – Student information will be kept secure and held for three years in line with our awarding bodies’ quality process (longer if the student postpones their studies). Students will be contacted for educational purposes only. The Institute may from time to time contact students regarding developmental opportunities if it is felt this may be of benefit to them.
Institute Members – Unless you request otherwise, your information will be held on record for the duration of your membership. We shall contact you regarding relevant information such as CPD events, annual membership updates.
Employees – Refer to individual contracts of employment. Employees can at any time request not to be contacted regarding IOT events.
Information about unsuccessful job applicants will be deleted after four months.
WHERE YOUR INFORMATION IS KEPT
● Information is stored in filing cabinets in the office or electronically.
● Any payment transactions are encrypted (this is currently dealt with via our accountants).
● Sending information via the internet is not completely secure, although we will do our very best to protect your information and prevent unauthorised access.
● Google Classroom is used for educational purposes; however, this only contains student names and is set up on a secure network.
ACCESS TO YOUR INFORMATION AND CORRECTION
You have the right to request a copy of the personal information that we hold about you. This will normally be free, unless we consider the request to be unfounded or excessive, in which case we may charge a fee to cover our administration costs.
If you would like a copy of some or all of your personal information, please contact the Manager of Education, Sara Alkazraji:
educationmanager@trichologists.org.uk
We want to make sure that all personal information we hold is accurate and kept up-to-date. Please contact the IOT to correct or remove information you think is inaccurate.
You have the right to object to our use of your personal information, or to ask us to delete, remove or stop using your personal information if there is no need for us to keep it.
E-NEWSLETTERS – Sent to Institute members only.
We email newsletters from time to time to inform our members about updates, information, development opportunities and clinical changes. You have the opportunity to unsubscribe from newsletters at any time.
COOKIES
Cookies are text files placed on your computer to collect standard internet log information and visitor behaviour information. This is used to track visitor use of the website and to compile statistical reports on website activity. For further information visit www.aboutcookies.org or www.allaboutcookies.org.
You can set your browser not to accept cookies and the above websites tell you how to remove cookies from your browser. However, in a few cases some of our website features may not function as a result.
See our cookies policy here https://trichologists.org.uk/privacy-policy/
OTHER WEBSITES
Our website includes links to other websites. These include links to the clinic websites of other qualified trichologists.
This privacy notice only applies to this website so when you link to other websites you should read their own privacy notices.
CHANGES TO OUR PRIVACY NOTICE
We keep our privacy notice under regular review and we will place any updates on this webpage. This privacy notice was last updated in May 2019.
HOW TO CONTACT US
Please contact us if you have any questions about our privacy notice or information we hold about you:
By email: admin@trichologists.org.uk
Or write to us at: The Institute of Trichologists, 10 Harley Street, London, W1G 9PF.
You also have the right to complain to the Information Commissioner’s Office. Find out on their website how to report a concern:
www.ico.org.uk/concerns/handling
Data Retention Policy
This policy sets out what information The Institute of Trichologists holds, how long we hold it for and when it will be deleted.
It also covers the procedure to follow regarding data requests.
● Information held by us
● How long is personal data held for?
● Where is personal data held?
● How is personal data deleted?
● Access to personal information, correction and deletion
INFORMATION HELD BY US
We hold personal information about:
● Students
● Patients
● Employees
● The Institute of Trichologists Members
● Job applicants
We also hold information about financial transactions relating to the services or treatments provided and products bought, and payroll information.
HOW LONG IS PERSONAL DATA HELD FOR?
We aim not to hold personal data longer than necessary.
Unless requested by an individual, the following types of data will be held for the periods shown below, after which it will be securely deleted or destroyed:
| Type of information | Retention period |
|---|---|
| Student information | Held for the duration of study and for 3 years following completion of study |
| Patient general records | 7 years (after the last communication with the patient) |
| Patient health records | 7 years (after the last communication with the patient) |
| Financial transactions, invoices and supplier details | 7 years |
| Employee records, contracts of employment, changes to terms and conditions, annual leave, training records | While employment continues and up to 7 years after employment ends |
| Payroll and wage records including PAYE, income tax, national insurance, sick pay, redundancy payments | 7 years from the financial year-end in which payments were made (that includes the current year) |
| Maternity records | 7 years after the end of the tax year in which the maternity pay period ends |
| Job applications (unsuccessful) | 4 months after notifying unsuccessful candidates |
| Emails | One year from the end of the month in which they were received or sent, unless a longer period is relevant as above. Emails to and from ex-employees or contractors will be deleted within 2 weeks of their leaving unless these form part of the employment record (see above). Emails to and from students will be kept for the duration of their period of study |
WHERE IS PERSONAL DATA HELD?
Personal data about members, students, patients, employees and financial transactions is held either in a filing cabinet in our office or electronically, in secure electronic files that are backed up every day and can be accessed by the relevant people within the IOT.
Paper records are held in a locked cabinet or in secure archive storage.
HOW IS PERSONAL DATA DELETED?
Personal data is permanently deleted in accordance with the retention periods listed above from:
● Clinic software system
● Electronic files
● Emails
● Paper records, which are securely shredded.
ACCESS TO PERSONAL INFORMATION, CORRECTION AND DELETION
See our privacy notice https://trichologists.org.uk/privacy-policy/
All requests for access to personal information will be handled by the Registrar and Communications Manager, Lucy Johns – admin@trichologists.org.uk
Responses to requests will be made within 30 days.
All information relating to the individual will be compiled into a report and collected from:
● Clinic software system
● Financial transactions
● Emails
● Other electronic records
● Paper records (where applicable)
Procedure for Personal Data Breaches
This procedure is to be followed if there is a breach of personal data. The person responsible for managing the process is the Registrar and Communications Manager, Lucy Johns, admin@trichologists.org.uk.
All decisions on whether or not to notify the Information Commissioner’s Office (ICO) or individuals affected will be countersigned by the Chairman, Neil Harvey MIT.
This procedure covers:
- What is a personal data breach?
- What must be recorded?
- Assessing the likelihood and severity of the adverse consequences of the breach
- When do breaches have to be reported to the ICO?
- What must be reported to the ICO?
- How to report a breach to the ICO
- Telling individuals affected about a breach
- What are the consequences of failing to notify the ICO?
WHAT IS A PERSONAL DATA BREACH?
A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
Examples include:
- access by an unauthorised third party
- deliberate or accidental action by a data controller within the Institute of Trichologists or by a data processor (a third-party supplier, who must inform you without undue delay as soon as they become aware of it)
- sending personal data to an incorrect recipient
- computer or data storage devices containing personal data being lost or stolen
- alteration of personal data without permission
- loss of availability of personal data (i.e. data is made unavailable and this unavailability has a significant negative effect on individuals)
WHAT MUST BE RECORDED?
All breaches must be recorded, whether or not they need to be reported to the ICO. If you decide not to report a breach, you must be able to justify this decision and it must therefore be documented.
Record:
- The facts relating to the breach
- Its effects
- Remedial actions taken
- What caused the breach and how a recurrence could be prevented
ASSESSING THE LIKELIHOOD AND SEVERITY OF THE NEGATIVE CONSEQUENCES OF THE BREACH
Use the template in Appendix A to help answer the following questions:
- What is the likelihood and severity of the resulting risk to people’s rights and freedoms?
- What are the potential negative consequences to the individuals concerned?
- How serious and substantial are the consequences? Don’t forget this can include emotional distress, as well as financial, physical or material damage.
If there is a high risk of negatively affecting individuals’ rights and freedoms (scoring 6 or more points on the risk assessment template at Appendix 1), then the breach must be reported to the ICO. This includes personal data breaches notified to you by third-party data processors.
You may also need to notify third parties such as the police, insurers, banks or credit card companies who could help to reduce the risk of financial loss to individuals.
WHEN DO BREACHES HAVE TO BE REPORTED TO THE ICO?
Breaches which are likely to result in a high risk of negatively affecting individuals’ rights and freedoms must be reported no later than 72 hours after you first become aware of the breach. If you take longer than this, the reasons for the delay must be documented.
WHAT MUST BE REPORTED TO THE ICO?
A description of the nature of the personal data breach including:
- The categories and approximate number of individuals concerned and the categories and approximate numbers of personal data records concerned (which may be the same number)
- The name and contact details of the person who can provide more information if required
- The likely consequences of the personal data breach
- The measures taken, or proposed to be taken, to deal with the personal data breach including measures taken to mitigate any possible negative effects
The information can be provided in phases if it is not all available within 72 hours, as long as this is still done without undue further delay and you tell the ICO when to expect further information from you.
You must prioritise the investigation, give it adequate resources and deal with it urgently.
HOW TO REPORT A BREACH TO THE ICO
The section of the ICO website on reporting breaches has not yet been updated for GDPR. However, the following contact details are provided:
Data breaches: call 0303 123 1113
Open Monday to Friday between 9am and 5pm, closed after 1pm on Wednesdays for staff training.
TELLING INDIVIDUALS AFFECTED ABOUT A BREACH
If the breach is likely to result in a high risk to the rights and freedoms of individuals (scoring 6 or more points on the risk assessment template at Appendix 1), you must inform the individuals affected as soon as possible.
One of the main reasons for informing individuals is to help them take steps to protect themselves from the effects of a breach.
You need to tell individuals:
- The nature of the personal data breach
- The name and contact details of the person who can provide them with more information
- The measures taken or proposed to be taken to deal with the personal data breach and the measures taken to mitigate any possible adverse effects
If you decide not to notify individuals, you still need to notify the ICO unless you can show that the breach is unlikely to result in risks to rights and freedoms. The ICO has the power to make you inform individuals if they consider there is a high risk. The decision-making process must be documented.
WHAT ARE THE CONSEQUENCES OF FAILING TO NOTIFY THE ICO?
A fine of up to 10 million euros or 2% of your turnover, or a fine of up to 20 million euros or 4% of your turnover in the most severe cases.