The Creative Kinesiology Association (CKA) is committed to keeping your personal data safe and secure. Your trust is really important to us and we want you to be confident when sharing your personal information with us that we will keep it safe.
The Policy meets the requirements of the General Data Protection Regulation (“GDPR”).
The services we offer
The Creative Kinesiology Association is a ‘not-for-profit’ organisation, offering 4 main services:
- publishing information about our practitioners and training to members of the public via our website
- publishing a free regular newsletter sent out to subscribers
- co-ordinating high quality training in Creative Kinesiology, including on-going mentoring and Continuing Professional Development
- providing membership services to our Practitioner Members
The CKA is registered with the Information Commissioners Office (“ICO”) and our notification number is: Z7404151
The type of data collected will differ for each of these services and so each is outlined separately below.
Whilst we aim to ensure that there are no breaches to this Policy, mistakes do, unfortunately, sometimes happen. We would take any breach of this kind very seriously and would contact the individual concerned, as well as the ICO if necessary.
What counts as personal data?
Personal data is information relating to an identified or identifiable individual, such as name, address, contact details and in some cases age, date of birth and gender.
Specific details about the data that we collect for each of the four categories outlined above is set out here:
1. Publishing information for the public about our practitioners and training via our website
Our website is set up to automatically collect cookies from our visitors. When you visit the site you will be asked to confirm that you are happy for this information to be collected.
Cookies are small text files placed on your device that remember your web preferences and some details of your visits to websites. They don’t collect personal information. The point of them is to enhance your online user-experience by helping a website respond to you as an individual user and tailor how it works to your needs, likes and dislikes.
We also have Google Analytics set up on our website so that we can get a sense of how our website is being used and it it’s effective. This is to help us to continue enhancing our website going forwards, that matches the needs of our users. Google Analytics collects anonymised data bout general location, browser and device type, page clicks and so on.
What if I don’t want you to collect this information?
By continuing to use our website you agree that we can save cookies on your device. If you don’t want this to happen, we can’t stop them from being collected but there’s a clever way to switch off cookies at your end in your web browser (e.g. Firefox, Safari, Internet Explorer). To find out how to do this you just need to search online for ‘Disable Cookies’ along with the browser you use (or your device e.g. Samsung phone, iPad, Android tablet).
As far as we understand, Google Analytics also works on the principles of cookies, so if you switch yours off then your website use information can’t be collected. Our Google Analytics anonymised data has been set up to automatically wipe from their database after 14 months.
2. The Creative Kinesiology Newsletter list
Our newsletter is a free service open to members of the public and our practitioners. We use it to publicise what is happening within the CK Association – including forthcoming events, training courses etc – as well as sharing other information that we feel might be of interest to people who have signed up to receive the newsletter.
You will only be on our mailing list if you have signed up to be on it since May 2018. You might have joined through the button on our website or at an event run by one of our Members.
We will have asked you to sign up with your name and email address and you will have given your permission to us to send specific emails to you.
Some key points:
We will only keep your name and email address and these will be stored on the newsletter site (we use MadMimi) and on the database held by our administrators. This database is password protected.
We will never share this information with any other company or use to contact you except for the purpose of sending you our newsletter.
If, at any time, you no longer want to receive the newsletter, use the ‘unsubscribe’ link at the bottom of the newsletter to take your contact details off the mailing list.
3. Co-ordinating professional and on-going training for practitioners
All students in training and practitioners post-training are covered by the data protection policy in point 4 below.
Members of the public contacting us for information about finding a practitioner or for details of our training courses will be contacted by phone or email, having given their contact details for this purpose. All electronic correspondence will be kept on a password protected computer.
4. Membership services to CKA Practitioners
In order to provide and administer membership services, we collect and process personal data about our registered members. Members provide us with personal data when applying for new membership or renewing their membership – this can be via post, email, telephone and then in writing.
As a provider of membership services, we will process the following categories of personal data:
Personal data such as the member’s name, address, date of birth, home contact details and practice contact details. Members are asked to state which of these personal details they would like to be published on our website and which are to be held for our records but not available to the public.
Special categories of personal data such as insurance cover, course certificates and qualifications.
Data relating to unspent criminal convictions.
The CKA is considered to be the controller of the data that we collect from our members. As a data controller we determine the purpose and means of processing your personal data.
Why do we need your personal data?
We will use your personal data to manage your membership with us, to process your renewal and to keep you up to date with developments within the CKA. We will publish on your website practitioner page the information that you have given us permission to publish.
The CKA is a membership organisation representing our registered members. We have set specific standards for each membership level and need to see proof of our members’ qualifications. These documents are held on a physical and/or electronic file for each member. The physical files are held in a lockable archiving cabinet, the electronic files are saved on a password protected laptop.
We only ask for what we need to ensure that each member meets the standards related to their category of membership, including their insurance cover and requirements for CPD, mentoring and personal sessions. Full details of our Membership categories are detailed on the website.
Members’ right to update and change the details we hold
Each member is in full control of the content, extent and correctness of their personal and practice details listed on the CKA’s website. Each member chooses which details they wish to be advertised on their personal practitioner page.
If a member does not agree with what contact details are listed for them on our website or if they would like to have their contact details taken off the CKAs register completely, then they can contact the CKA office via phone, email or post. Removal of all details would mean that the practitioner was no longer a member of the CKA.
All of our Members are listed on the newsletter database outlined at point 2 above. In addition to newsletters, we contact all Members periodically – usually by email and sometimes also by post – with any additional updates and information.
Where deemed of interest to our members, we might also send out advertising information on third parties (i.e. information on health programs or platforms) to a group of members or all of our members.
Guidance to our Members – duties of the practitioner
We give guidance to all our members on the type of data they might keep about their clients and how to do this in a safe manner.
For example, they might keep:
- Contact information – phone, email, address and next of kin
- Session notes – details of what has been worked with in the sessions
Why do practitioners keep this information?
- To enable them to get in touch with their clients about booking and organising your sessions
- It helps to know who to contact in an emergency and flags up any medical conditions the practitioner needs to be aware of
- To have a better idea of what the client is bringing to the sessions and what they hope to get out of it
- The CKA and BCMA – our professional body – and insurance companies require practitioners us to keep records of their work for legal purposes
How do practitioners keep data about their clients safe?
Confidentiality is in the very nature of each practitioner’s work with their clients – it underpins all of their work and so it’s important that clients can trust that any information they share will be looked after and respected. This allows the practitioner and client the opportunity to work together in a deep and safely held way.
As an Association, the CKA ensures that all our members see keeping personal information safe as central to their work and a priority. To this end, we advise our practitioners to ensure that they keep data (electronic and on paper) secure by:
- Using locked storage of all paper records
- Using security and passwords on all devices (phones, laptops) where information is stored. This might include encryption, if possible
- Agreeing not to share client information and session notes without their consent. The exception here is when practitioners might use information from sessions as the basis for discussion in mentoring for reflection and guidance. In this case the identity of the client is not revealed.
There are also exceptional circumstances when it is necessary to share information – when you or another person are at risk of serious harm.
- In this case, practitioners would first support their client to find a course of action to create safety.
- If that proved impossible, the practitioner might need to contact other appropriate professionals, for example the client’s GP, and they would hope to do this with the client’s permission.
- In the unlikely event of a practitioner being under a legal obligation to disclose information, they would first take appropriate professional advice, discuss the matter with the client if possible and keep the disclosure to the minimum necessary.
What if clients want their information deleted?
For legal purposes, insurance companies ask practitioners to keep client records and notes for seven years from the point of their final session.
Our guidance to our members is to regularly check their records to make sure that any client information that has passed this ‘retention’ period is taken out of secure storage and safely destroyed.
The rights of individuals
For all of the above categories, all individuals have legal rights governing the use of their personal data. These grant them the right to understand what personal data relating to them is held; for what purpose; how it is collected and used; with whom it is shared; where it is located; to object to its processing; to have the data corrected if inaccurate; to take copies of the data and to place restrictions on its processing. Individuals can also request the deletion of their personal data.
The GDPR provides eight rights for individuals. This section summarises each of these and provides the CKA Process associated with each.
When an individual makes a request regarding any of these rights then, before any action is taken concerning the request, the CKA will check that:
- The request is reasonable.
- Their identity is confirmed.
- There is no impact on other individuals’ personal data and their rights.
- There is no legal, regulatory or contractual requirement to retain the data in its current form.
So, here is a summary of your rights and how we intend to meet them:
1. The right to be informed about the personal data being processed
2. The right of access to your personal data
You can ask us to send you a copy of the all personal data we hold about you (subject to some exceptions). You need to officially ask us in writing for this – the best way to do this is to email us at firstname.lastname@example.org. We will get this data to you as quickly as we can, but bear in mind that it may take some time for us to pull the information together, make copies of it and send it all on to you.
3. Right to rectification
Please get in contact with us if you think we hold any incorrect details for you and we will check our records and amend as necessary. Personal data can be rectified if it is inaccurate or incomplete.
The CKA will amend the relevant data as soon as is reasonably possible. An email will be sent to the requesting individual to confirm, and act as a record of, the completion of the request.
4. The right to erasure
The Right to Erasure is also known as ‘the right to be forgotten’. The broad principle underpinning this right is that an individual can request the deletion or removal of personal data where there is no compelling reason for its continued processing.
You can ask to have your data deleted if we’ve done something unlawful with it (e.g. sold it on to someone else) or we no longer need it (e.g. you’ve asked to be taken off our mailing list or you’re no longer a client). Obviously, this is subject to the rules we have to follow about keeping notes and info for legal/insurance purposes.
You can find out more about all the rights you have on the Information Commissioner’s webpage about individual rights.
After completing the checks detailed at the top of this section, the CKA will delete the relevant data as soon as is reasonably possible. An email will be sent to the requesting individual to confirm, and act as a record of, the completion of the request.
5. Right to restrict processing
Individuals have a right to ‘block’ or suppress processing of their personal data.
When processing is restricted, the CKA is permitted to store the personal data, but not further process it. The CKA can retain just enough information about the individual to ensure that the restriction is respected in future.
After completing the checks detailed at the top of this section, the CKA will not process the requesting individual’s personal data until notified. An email will be sent to the requesting individual to confirm, and act as a record of this.
6. Right to data portability
The Right to Data Portability allows individuals to obtain and reuse their personal data for their own purposes. It allows them to move, copy or transfer their personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability.
The CKA holds only basic personal data. As such there is no data that falls under this Right.
7. Right to 0bject
Individuals have the right to object to:
- Processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling).
- Direct marketing (including profiling).
- Processing for purposes of scientific/historical research and statistics.
8. Rights related to automated decision making including profiling
Companies can only carry out this type of decision-making where the decision is:
- Necessary for the entry into or performance of a contract; or
- Authorised by Union or Member state law applicable to the controller; or
- Based on the individual’s explicit consent.
No automated decision-making (nor profiling) is undertaken by the CKA either directly or on behalf of third parties. Should it ever be, then a process will be put in place and this Policy document updated.
Summary of Objectives
The CKA will:
- Adhere to the GDPR Principles for processing personal data, as detailed in this Policy.
- Respect and support individuals’ rights concerning their personal data as detailed in GDPR.
- Ensure data protection is built in by design and default to all processes that include personal data.
- Consider and put in place organisational and technology measures to mitigate risks to personal data.
- Report data breaches to the individual concerned and the ICO if necessary.
- Handle complaints according to the CKA Complaints Process.
- Monitor and maintain records to support the accountability requirement of GDPR.
- Review and audit this Policy and supporting processes and procedures annually as a minimum.
- Correct any identified deficiencies in this Policy and the supporting processes and procedures within a defined and reasonable time frame.
Everyone who works for or with the CKA has responsibility for ensuring that personal data is collected, stored and handled appropriately.
The Chair of the CK Association is ultimately responsible for meeting the CKA legal Data Protection Obligations.
To ensure the understanding of responsibilities when handling personal data, the CKA will:
- Provide training to all members of our Management Team on their responsibilities including security measures, so that they are aware of, and will adhere to, this Policy and associated documentation.
- Offer guidance to our members about their responsibilities in relation to data protection and privacy for their clients.
Data Protection Principles
i) Lawful, Fair, and Transparent Data Processing
The CKA will maintain a register of all personal data that it stores and processes, the purpose, the lawful bases for doing so, and any personal data that is shared with third parties.
ii) Processed for Specified, Explicit and Legitimate Purposes
The CKA will obtain personal data only by lawful and fair means and, where appropriate with the knowledge and consent of the individual concerned.
CKA Consent Policy
Where a need exists to request and receive the consent of an individual prior to the collection, use or disclosure of their personal data, the CKA is committed to seeking such consent. Where special categories of data are stored and processed consent will always be required. There are some exceptions to this as detailed in Article 9 of GDPR.
If and when the CKA wishes to use personal data for any reason apart from what was originally agreed under the first principle, the CKA will seek explicit consent.
Consent may be withdrawn by an individual at any time. The CKA will record and manage consent given and withdrawn.
iii) Adequate, Relevant and Limited Data Processing
The CKA will identify for each Data Subject the purpose of the processing and the minimum personal data it requires for the purpose.
iv) Accuracy of Data and Keeping Data up to Date
The CKA will periodically check the accuracy of any personal data it stores and processes. Where reasonable, any rectifications identified, or notified by an individual will be undertaken as soon as is practicable.
v) Timely Processing
The CKA will identify the retention period for personal data stored and processed. Personal data will be deleted as soon as is practicable after that time.
vi) Secure Processing
The CKA will use appropriate technical and organisational measures to ensure the integrity and confidentiality of personal data.
a. What is a cookie?
A cookie is a small amount of data, often including a unique identifier, sent to the browser of your computer or mobile phone (referred to here as a “device”) from a website’s computer. It is stored on your device’s hard drive. Each website can send its own cookie to your browser if your browser’s preferences allow it. To protect your privacy, your browser only permits a website to access the cookies it has already sent to you, and not the cookies sent to you by other websites. Many websites do this whenever a user visits them to track online traffic flows.
On the Theatre is Real Life Productions web site, our cookies record information about your online preferences so we can tailor the site to your interests. You can set your device’s preferences to accept all cookies, notify you when a cookie is issued, or not receive cookies at all. Selecting the last option means you will not receive certain personalised features, which may result in you being unable to take full advantage of all the website’s features. Each browser is different, so please check the “Help” menu of your browser to learn how to change your cookie preferences.
Information supplied by cookies can help us analyse the profile of our visitors, which helps us provide you with a better user experience. For example, if on a previous visit you went to our marketing pages, we might find this out from your cookie and highlight marketing information on subsequent visits.
From time to time we may use Google Analytics. This is a web analytics service provided by Google, Inc. Google Analytics sets a cookie in order to evaluate use of our web site and compiles a report for us.
Opt-out of Google Analytics cookies
c. Third party cookies on our pages
Please note that during your visits to our website you may notice some cookies which are unrelated to us. When you visit a page with content embedded from, for example, YouTube or Flickr, you may be presented with cookies from these websites. We do not control the dissemination of these cookies. You should check the third party websites for more information about these.
You will also see embedded ‘share’ buttons on our web pages; these enable users to easily share content with their friends through a number of popular social networks. When you click on one of these buttons, a cookie may be set by the service you have chosen to share content through. Again, we do not control the dissemination of these cookies.
d. How to delete cookies or control them
Alternatively, you may wish to visit www.aboutcookies.org which contains comprehensive information on how to do this for a wide variety of browsers. You will also find details on how to clear cookies from your computer as well as more general information about cookies. For information on how to do this on your mobile phone’s browser, you will need to refer to your handset manual.
Please be aware that restricting cookies may impact on the functionality of this website.