GDPR stands for General Data Protection Regulation and replaces the previous Data Protection. It came into effect on 25th May 2018.
GDPR states that personal data should be ‘processed fairly & lawfully’ and ‘collected for specified, explicit and legitimate purposes’, and that individuals’ data is not processed without their knowledge and is only processed with their ‘explicit’ consent. GDPR covers personal data relating to individuals. MamaSerene is committed to protecting the rights and freedoms of individuals with respect to the processing of clients’ personal data.
The Data Protection Act gives individuals the right to know what information is held about them. It provides a framework to ensure that personal information is handled properly.
GDPR includes 7 rights for individuals
1) The right to be informed
MamaSerene is a business owned and managed by Dani Diosi. We provide hypnobirthing group courses and workshops, one-to-one hypnobirthing courses and workshops, postnatal hypnosis and relaxation courses and Doula services for pregnancy and birth.
The basis on which I keep client data is that of “Legitimate Interests”. This means that the data is necessary for me to fulfil the contract that we have together (i.e. to provide therapy and support) and that it is data that you would reasonably expect me to hold and use.
For those who enquire about my services, the data I hold includes any information you have sent me by email/text/message.
For those who book and attend at least one session, the data I hold includes:
- Basic information such as name, email address, phone number
- Information that you give me as part of the work we do together
- Records of what learning we have covered in our sessions
- Emails, texts and/or messages that are sent between us
Some of the information that you give me may fall under the definition of special category of data as defined by the General Data Protection Regulation. The condition for processing this special data is (précised from the Act) “processing is necessary for medical diagnosis, the provision of health care or treatment pursuant to contract with a health professional”.
Data is not shared with anyone, and is used to enable me to provide therapy for you. It may also be used for statistical purposes within my business.
MamaSerene may use an accountant, who will have access only to names attached for payments and the purposes of payments.
2) The right of access
Dani Diosi, 23 Ashlyn Close, Bushey, Hertfordshire, WD23 2EJ is the named data controller for MamaSerene.
At any point an individual can make a request relating to their data and MamaSerene will need to provide a response (within 1 month).
3) The right to erasure
You have the right to request the deletion of your data where there is no compelling reason for its continued use. However, MamaSerene has a legal duty to keep individual details for a reasonable time*. MamaSerene retains these records for 7 years after using MamaSerene services. This data is archived securely onsite, electronically and in paper form, and shredded after the legal retention period.
4) The right to restrict processing
Clients can object to MamaSerene processing their data. This means that records can be stored but must not be used in any way, for statistical reports or for research.
5) The right to object
Individuals can object to their data being used for certain activities like marketing or research. MamaSerene will only use your details with your permission as part of a secure mailing list to email you details of future MamaSerene courses that may be of interest to you prior to your due date or in your post-natal period. These details will never be used for any other form of marketing nor be given to another organisation for marketing their own products and services.
6) The right not to be subject to automated decision-making including profiling.
Automated decisions and profiling are used for marketing based organisations. MamaSerene does not use personal data for such purposes.
Storage and use of personal information
All paper copies of individual training records are kept in a locked filing cabinet in MamaSerene offices (accessed only by Dani Diosi). All information is confidential and these records remain on site at all times, including for archiving. These records are shredded after the retention period.
MamaSerene collects personal data every year, including names, telephone numbers and email addresses of those on the waiting list for a course or who have asked to be informed of future courses via a mailing list.
MamaSerene stores personal data held visually in birth stories, photographs or video clips or as sound recordings, only where full written consent has been obtained. No full names are stored with images in photo albums, displays, on the website or on MamaSerene’s social media sites.
Data of names, email addresses, telephone numbers is also held electronically on a computer hard drive and on a cloud storage system. Access to all office computers, cloud accounts and to websites is password protected.
GDPR means that MamaSerene must:
* Manage and process personal data properly
* Protect the individual’s rights to privacy
* Provide an individual with access to all personal information held on them
If there is any breach of data security, MamaSerene will give full details to the Information Commissioner’s Office and any person affected within 72 hours of the breach and do everything possible to minimise any potential impact.
This Policy was adapted at MamaSerene on 23rd May 2018