Overview charts… (written policy on page 5)
OVERVIEW (updated 12th April 2022)
Paper files are locked away in a filing cabinet and only Alexandra and Judith have access to the key.
Alexandra and Judith have a ‘tidy desk’ policy. Personal and sensitive information is never left out where it is visible to others.
Digital files. Computer, phone and tablet are password protected at all times. Alexandra and Judith take care in every way possible to avoid loss or theft. Information gets synched/shared between these and backed up using cloud storage with its own security & encryption in place. Access is password protected and only Alexandra and Judith know the passwords. External hard drive or memory stick back up is stored in a locked filing cabinet when not in use.
3rd party companies and data controllers used by You Happy First Unite for communication, data storage, file transfers and more, have their own strict security in place with their own policies incl. for website cookies, needed for some functions to work. You Happy First Unite’s online accounts with all 3rd party companies are password protected.
|DATA TYPE||HOW IS IT COLLECTED||HOW IS IT STORED||FOR HOW LONG||WHAT THEN|
|Just name and email.||Positive opt-in with subscribe button||Online with Mailchimp||Personal choice||Unsubscribe any time or ask to be deleted|
All communication platforms – Email, SMS/text, Messenger, WhatsApp, Social Media etc.
|Anything shared by anyone enquiring or giving feedback related to all services offered by You Happy First Unite||
Exchanged through the person’s and You Happy First Unite’s choice of platform
For as long as needed to complete the thread of exchange or reply to an enquiry or 12 months, whichever is longer.
|Deleted as per information in ‘for how long’ or if requested to delete at an earlier point|
Financial details (check our online purchasing and donation process)
|Not applicable||No financial info is collected by You Happy First Unite when someone makes a purchase in the online shop or makes a donation via PayPal, card payment or bank transfer.||The details are processed by PayPal and Stripe||The time needed to make the transaction||Deleted|
|DATA TYPE||HOW IS IT COLLECTED||HOW IS IT STORED||FOR HOW LONG||WHAT THEN|
|Workshops in person – medical screening form|
|Medical Screening Form with contact details such as name, email, phone and address and special category data (description of health conditions). Signatures or Tick Box to accept Waiver and Data Consent.||
By sending the form as an e-mail attachment.
Forms are either received via email, WhatsApp, in paper form or any other way the participant chooses to forward these to Alexandra and Judith.
|Forms on computer/phone/tablet or locked cabinet.||Medical Screening forms are kept up to 10 years for insurance purposes. Basic Information like participant name, date attending workshop and payment made, kept up to 7 years for tax accounting purposes.||
Digital records deleted. Paper records shredded.
Some records cannot be deleted till after 10 years.
Other information – like feedback and testimonials
|Written testimonials. Workshop feedback forms. E-mail permission obtained to use testimonials and feedback for marketing purposes.||Feedback forms collected at the end of the workshop or forwarded later via participant’s own choice of platform. Testimonials can be shared the same way.||
Computer/phone/tablet or a locked cabinet.
NOTE: Feedback and Testimonials may be shared with the public, either completely anonymously, if there are no personally identifying details or with first name, full name or initials as per participant’s authorisation.
|Indefinite (see also photo/audio/video details). If personal feedback (with permission) is posted on social media it may be impossible to recall or delete fully later.||Deleted on request where possible (see also photo and audio/video details)|
|DATA TYPE||HOW IS IT COLLECTED||HOW IS IT STORED||FOR HOW LONG||WHAT THEN|
|Photos – digital and printed – from workshops, meetings (in person and online), talks and other events|
Any photo or screen shot taken of a person specifically, individually or as part of a group photo.
|Taken in a workshop or other closed event or meeting. Asking for permission before taking a photo and for written permission (a signed form or an email for example) if it may be shared publicly. With the exception of online screen shots, where the event is also audio recorded. Here verbal permission may be enough if agreed by all. The same can apply for more casual open style meetings and public talks.||Computer/phone/tablet or a locked filing cabinet. Might be stored online with a 3rd party, for example Mailchimp (see full list in written part) or shared on social media or in other formats depending on permission given.||Consent will be asked lasting for an indefinite period. For example, a photo may be shared further on social media or used in a workshop manual that will be distributed to many people, making it impossible to fully recall, if the participant changes their mind about permissions later.||
If permission is withdrawn, all copies held and shared online by Alexandra and Judith will be deleted where possible. Physical copies will be shredded.
Some photos, once shared, will be impossible to recall and delete
Video and audio recordings – from workshops, meetings, talks and other events
Audio and/or video recordings of classes, workshops, meetings, public talks, audio apps or other public platforms.
Also capturing feedback and testimonials.
Recorded during workshops, in-person or online meetings and classes, or any other closed event.
Always asking for permission first, with the exception of public talks and meetings broadcast live on platforms open to the public, where it can be assumed that anyone attending and participating (in Q&A and commenting) is aware of the public format.
|Computer/phone/tablet. Online recordings stored with Zoom or Teams for a short time period. Testimonials and promotional video and audio might be shared on social media or through other channels.||Consent will be asked lasting for an indefinite period of cover. For example, a recording may be shared further with other participants or on social media, making it impossible to fully recall, if the participant changes their mind about permissions later.||
If permission is withdrawn, all copies held by Alexandra and Judith will be deleted where possible.
Some video and audio files, once shared, will be impossible to recall and delete.
Online meetings, talks and other events with YHF Unite – private & public
|For private meetings: contact details like name, email and maybe the place you are joining the meeting from.||
Via email, mail or online sign up through Eventbrite or You Happy First Unite website.
If joining an open meeting or public talk online where Alexandra and Judith are taking part, but it is hosted by someone else on their platform, no information is collected by Alexandra and Judith.
Computer/phone/tablet. Possibly online with Eventbrite and Zoom or Teams to invite you to join a meeting. Name and email entered in excel sheet if it is a paid event for tax/accounting purposes.
|Same as in person. Consent will be asked lasting for an indefinite period of cover. For example, a recording may be shared with other participants, making it impossible to fully recall.||Same as for photo, audio and video. Records of any payments will not be deleted till after 7 years.|
In person meetings, talks and other events with YHF Unite – private & public
|For private meetings: possibly a list with names and maybe email and phone number.||In person on the day or through the participant’s choice of communication platform or registering via Eventbrite or on You Happy First Unite website.||
Computer/phone/tablet or a locked filing cabinet.
Online possibly with Eventbrite or You Happy First Unite website.
|Up to 7 years for accounting purposes or till no longer relevant/outdated for the purposes of individual’s support or promotion.||
Records of any payments will not be deleted till after 7 years.
The General Data Protection Regulation (GDPR, which came into effect in May 2018) is EU law and formed part of the data protection regime in the UK, until the UK left the EU in 2020. The UK Data Protection regime is now set out in the UK DPA 2018 (Data Protection Act 2018) and the EU GDPR has been retained in UK law as the UK GDPR.
We adhere to both the UK DPA 2018 and the EU GDPR.
We are aware there are a growing number of other location specific Data Privacy Laws around the world (see ‘Overview of Data Privacy Laws Around The World’). It is impossible for us to study the full content and follow all updates for every one of these at all times. We ask anyone from outside the UK and EU to get in touch if you have any specific Data Privacy concerns or requests beyond the DPA 2018 and EU GDPR.
GDPR makes it law for businesses who store any data about you to make sure you are aware of how your data is used, and that you understand your rights.
This requires us to explain this to you in a transparent and easy to understand way separate from other Terms and Conditions. Our business is aimed at adults, but we may also work with younger people and people whose first language is not English. We aim to word this policy in the simplest way possible.
If you have any questions please do not hesitate to get in touch (details below).
Who is collecting your Data
You Happy First Unite – Alexandra Datwyler and Judith White
Office address: 27 Old Gloucester Street, London WC1N 3AX
Our business name is You Happy First Unite, and we will use the words ‘YHFU’, ‘Alexandra and Judith’ or ‘us/we’ in this policy. Alexandra and Judith are the ‘Data Controllers’, responsible for the way the data you share with us is handled.
We work with 3rd party businesses and people (based outside our business) who are called ‘Data Processors’. We use their services to be able to do everything we need to do for administration, marketing, organising workshops, classes, meetings and other services (see list below ‘who do we share your data with’).
What is your Personal Data
Anything that can be used to identify you. It can be obvious information like your name, phone number or email. But there are also lots of other ways to identify a person.
We use both the words Data and Information for the same purpose in this policy.
We take our responsibility to keep your information safe very seriously and will never share your information with anyone without your clear permission. We wish for you to feel in safe and respectful hands.
We will use the words ‘you’ and ‘yours’ in this policy to describe you as the person using our services.
Know your rights
It is a top priority for us to do all we can to make sure we deal with your data in a way that respects all your rights. You have the…
Right to be informed
About the way we collect and use your personal data. That is what this policy is all about.
Right to have access
You can send a formal written request to ask for a copy of the data we hold about you at any time. We will do this as soon as possible and no later than one month.
Right to rectification
You can send a formal written request to ask us to correct, revise and update any of the personal data we hold about you at any time. We will do this as soon as possible and no later than one month.
Right to erasure
Also called the right to be forgotten. You can send a formal written request asking for all your data to be deleted at any time. We will do this as soon as possible and no later than one month (see the table above for possible situations where exemptions apply. For example, where a photo was used in a workshop manual and already distributed widely or to comply with insurance and tax accounting).
Right to restrict processing
If, for example, you believe the data we have collected about you is not accurate or collected unlawfully, you can send a formal written request to request limitations on how we use your data.
Right to data portability
You can send a formal written request asking for your data to be given to you to re-use with another health service or organisation. We will do this as soon as possible and no later than one month.
Right to object
You have the right to question our purpose for holding your information in a formal written request, and we must be able to clearly explain why we store this information about you within a month. We trust this policy explains this well already. See ‘please be aware’ below.
Rights related to automated decision-making including profiling
We will never send you e-mails and communication based on automatic computer selection, like some bigger companies may do. We personally choose when and how we communicate with you. If you say yes (give your consent) to join our mailing list, we may use an internal label/tag to very simply identify if you are a client, workshop participant, student, etc. This information is contained only within our Mailchimp online marketing account and is only visible to Alexandra and Judith and possibly a Data Processor (someone helping us with admin tasks) working under our instructions. This will help us identify who we would like to send a specific promotional email to, about a workshop for example, which is only relevant to some people.
Please be aware: exceptions may apply to the above rights in some cases, such as in the fulfilment of any obligations for legal purposes, or to comply with our Professional Indemnity and Liability Insurance and Tax accounting, where information must be kept for a number of years. See the charts above for full details, and the description of Lawful Basis further below. Please contact Alexandra and Judith if you have any concerns or questions.
Children are defined as: anyone under age 18.
Children have the same rights as adults.
Relating to Data, GDPR says that anyone aged 13 or over is able to give their own consent, especially when someone offers a service directly to them (often online).
For further information about your rights
Please contact the ICO (Information Commissioner’s Office), or visit their website: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/
If you wish to contact us about anything related to your rights or have any complaints please contact us using the details at the top of this policy.
What data do we collect, how do we store it and for how long
We collect and store different kinds of data about you.
For some of our services we need to process information/data about your health and other sensitive data. This is classed as ‘special category data’ and anyone asking for this kind of information must have taken extra steps to make sure they have a very clear reason to do so.
NOTE: Special category data include information about your racial or ethnic background, political opinion, genetics, sexual orientation, religious, ideological or philosophical beliefs, trade union membership, criminal conviction and information relating to mental and physical health.
We only process any of this kind of information when we are requesting you to fill in the medical screening form for our workshops. You may also choose to share this type of information when you take part in a class or send us enquiries and feedback via email or other channels of communication.
We may ask for your consent to share your information as a testimonial. If you agree, you will have the choice to remain completely anonymous or give your permission to share just your initials or your full name and other information that could identify you (like your town, profession and a photo).
We store the minimum amount of information about you for the minimum amount of time needed, in order for us to provide our services like workshops, courses, classes and other events, newsletters and promoting our work.
“If you subscribe to our email newsletter we only need your name and email address”
“For us to assess if you are suitable for a particular workshop, we will give you an opportunity to share more specific, sensitive and private information on a Medical Screening Form. Whilst we cannot verify if you give full disclosure of any medical issues, we encourage you to do so in order for us to provide the safest possible environment and make necessary adjustments if applicable.”
The law states that we need to let you know what happens with this personal information/data. See the charts above for a full description.
There are different reasons why we might hold some data longer than others.
“To comply with our insurance we must store any medical screening forms for up to 10 years.”
“If you give your permission to share a photo with us and it is used in a workshop manual, it may be impossible to delete it completely if you should wish to do so later, after the manuals have been distributed. How any photos may be used will be clearly explained and you will always be asked for your full permission/consent before having any photos taken. We respect your privacy highly.”
“When you sign up to our newsletters you will always have the option to unsubscribe any time you wish.”
We do regular data reviews and destroy or delete any data once it is no longer necessary or reasonable to store it. We make sure any devices we throw out, recycle or give to another person are wiped clean of any information and reset to the factory settings.
Why do we need to collect your data
It is important for us to highlight that this policy is all about your data/personal information. This is different to the Terms and Conditions you may sign to attend a workshop or buy a product from our online shop. The law says that you must be informed and understand how your data is used in a separate statement to other terms.
We have many different needs to collect data about you such as:
- to be able to reply to enquiries via telephone, email, WhatsApp, Messenger and other platforms for communication
- to manage workshop or class bookings and communicate with you before and after
- to collect written, audio or video testimonials
- to collect photos for promotional use
- to register you for, and communicate with you before and after, a workshop
- to register you for, and communicate with you about, online meetings or other events we host
- to send you news and updates if you have subscribed to our mailing list
- in case we need to have your basic financial details to make refunds
- to comply with our insurance policy
GDPR has several categories of ‘Lawful Basis of Processing Data’. These describe different reasons businesses and organisations may have for handling your data. All data controllers (like us) must be clear under which lawful basis we have the right to collect your data.
In situations where we are not able to give you full control over how we process and store your data through consent (for example, having to store some files for a length of time to comply with our insurance and tax accounting, as also mentioned in other areas of this policy), we are aware of the category called ‘Legitimate Interest’. We want to be clear that the way we handle your data is appropriate and necessary for the purposes of working with you and making our services available to you (again, explained in more detail in other parts of this policy). Therefore we continuously assess if the information we are asking for is necessary and only process the minimum amount of data.
Who do we share your data with
Firstly – Data we never share with anyone else
All health and other sensitive information you share with us in connection with a workshop, a class, in an email or other communication directly with us, is only seen by us. We store all health and sensitive information securely in a locked filing cabinet in our office/home and/or password protected on our computer/phone/tablet.
Data shared with 3rd party Data Processors
We are the Data Controllers ultimately responsible for carefully choosing the Data Processors we work with, such as other companies who need to have their own data privacy policies in place. When we work with another person, such as an admin help, we have a contract between us to ensure they also understand fully how to manage and protect your data in the same way we do.
To run a business and offer services that involve digital and online systems, we feel it is reasonable to acknowledge that it is impossible to check out every single aspect of each 3rd party company whose services we use. We choose to use companies that are very well known and already used by thousands of other professionals. They are based both in and outside the EU and may have their own 3rd party connections to provide their services. See the links below if you wish to explore this further. They will be storing the data we share about you – or you share yourself, for example if you sign up to a newsletter or share on social media – on systems designed to have the highest standards of security in place.
- Email provider
Our email provider is SiteGround. When you email us, you choose to share information through SiteGround.
You have the option to pay or donate to us for our services using PayPal. Any transactions you do through PayPal are purely registered with PayPal. Our PayPal account will have a list of all transactions, but we do not store any financial details about you this way.
- Mailchimp – Online contact management/email marketing tool
If you subscribe to our mailing lists your name and email will be stored on this system. You can always unsubscribe any time you like.
- Zoom – Online meeting and conferencing tool
If you attend one of our online workshops, classes or meetings, you will be required to download the Zoom app and you may share basic details like your name and where you are calling from when joining a meeting. Sometimes meetings are recorded and shared with the group who attended the meeting.
- Social Media – Facebook, Instagram, YouTube.
We used to share, and may do so again in the future, a collection of content such as photos, quotes, videos and more on Social Media, and we posted videos on YouTube to promote our website. These posts may be forwarded and shared further by other users. We will of course only share any private information/data if we have full permission to do so.
- Electronic communication – Email, SMS/text, WhatsApp, Messenger etc
We communicate across several different platforms and apps. Access to our phones, computers and tablets is always password protected and never shared with, or available to, anyone else.
- WeTransfer – Online temporary file sharing
WeTransfer stores files so they can only be accessed by a person using a unique link that is emailed directly to them. The files are available to download for a week on WeTransfer’s system and are then deleted.
- External hard drives & USB sticks/flash drives
We use external hard drives and USB sticks to back up data and these are locked away in our filing cabinets.
- Public Events. If we are invited to do a public talk or join an online audio or video meeting, hosted by someone else on their platform, we do not collect or store any information about you. The host may do so, so check with them before joining if you have any queries about Data Privacy. Any information you may share in a Q&A session or comment on a public platform – sometimes live or shared later on YouTube and in other public places – is of course your own responsibility.
Data Breach Policy
It is impossible to always be completely fault free from computer or human errors. Yet we certainly aim to try our very best. If a security breach, loss, accidental or otherwise unauthorised destruction, changes, use or sharing of your data does happen, by us or one of the 3rd parties we work with, we will let you know as soon as we are aware and always within 72 hours.
We will keep a log of any incidents and if there is a risk to your rights and freedoms from the breach we will, by law, also notify the ICO.
ICO, Information Commissioner’s Office: https://ico.org.uk/your-data-matters/
We will update this policy within a reasonable time, if the law changes, or if we make any business decisions that directly relate to the policy, such as changing the 3rd party companies or data controllers we work with.
Last updated on 4th October 2022