Theraplay® UK Data Protection and Privacy Policy
Theraplay UK aims to be as clear as possible about how and why we use information about you so that you can be confident that your privacy is protected. This policy describes the information that Theraplay UK collects when you use our services or buy products from us. This information includes personal information as defined in the UK Data Protection Act 2018.
Last review/update: 24/01/2022
The policy describes how we manage your information when you use our services, if you contact us or when we contact you. It also provides extra details to accompany specific statements about privacy that you may see when you use our website (such as cookies) or our other online presence (such as Facebook or Twitter). In respect of cookies, the policy includes information about the type of cookies that we use and how you may disable those cookies.
Theraplay UK uses the information we collect in accordance with all laws concerning the protection of personal data, including the Data Protection Act 1998 and the GDPR 2016. As per these laws, Theraplay UK is the data controller; if another party has access to your data we will tell you if they are acting as a data controller or a data processor, who they are, what they are doing with your data and why we need to provide them with the information – this includes telling you when The Theraplay Institute, based in the USA, is acting as a data controller and/or a data processor for your data.
If your questions are not fully answered by this policy, please contact the person responsible for data management. If you are not satisfied, you can contact the Information Commissioner’s Office (ICO) at https://ico.org.uk
1. Why do we need to collect your personal data?
We need to collect information about you so that we can:
- Know who you are so that we can communicate with you in a personal way. The legal basis for this is a legitimate interest.
- Deliver services to you. The legal basis for this is the contract with you.
- Process your payment for the services. The legal basis for this is the contract with you.
- Verify your identity so that we can be sure we are dealing with the right person. The legal basis for this is a legitimate interest.
- Optimise your experience on our website. The legal basis for this is a legitimate interest.
- Send you information about training and events. The legal basis for this is your consent.
- Provide you with a useful and relevant website. The legal basis for this is legitimate interest.
2. What personal information do we collect and when do we collect it?
For us to provide you with services, we need to collect the following information:
- Your name
- Your contact details including a postal address (this can be a place of employment postal address), telephone number(s) and electronic contact such as email address, your role and professional status, your professional qualifications, your Theraplay training and practitioner status.
We collect this information in the first instance, either from the organisation organising your Theraplay training, your employer, your Theraplay Practicum Supervisor, or directly from yourself. When we engage in communication with you we will seek additional information and also check that the information we already hold is accurate.
3. How do we use the information that we collect?
We use the data we collect from you in the following ways:
- To communicate with you via telephone, email, letter or via virtual meetings or training sessions (e.g. Zoom, Teams).
- To deliver the appropriate services to you, in relation to your Theraplay training and qualification (Practicum).
4. Where do we keep the information?
We keep your information in the ways described below:
- Our company computers store your information in the Google cloud service, G Suite. Your data is encrypted whilst in transit and storage with Google and its security is GDPR compliant. Access by users of these computers is protected by personal account authentication.
- Our staff can access the cloud-based data via mobile devices. These devices are password protected and are device managed, meaning that all data can be remotely wiped should the device be lost or stolen.
Your records
- We (the data controller) keep a database of your core professional training, your Theraplay Training, and Theraplay Practitioner status, in order to communicate with you. This database is stored in the ways described above.
- You have the option to subscribe to our communications newsletter, which you may choose to do by following a link provided by Theraplay UK.
5. How long do we keep the information?
- We keep paper copies of invoices for 7 years.
- We keep the electronic invoice for 7 years to comply with HMRC requirements. After seven years we delete the invoices.
- We keep Theraplay Practitioner contact, professional, and training status information for 7 years, following the most recent active communication from you.
- We keep staff files for 7 years.
6. Who do we send the information to?
- We send information to you, to your Training host or Training provider, and to The Theraplay Institute in the USA. If you request a Theraplay Supervisor, we will send your details to that Supervisor.
- We send the paper copy of our invoices to our accountant. The accountant is based in the UK and all their computer systems are in the UK.
- We may need to share your information with others if we have cause for concern of immediate risk of significant harm to self or others, or under other legal requirement (e.g. terrorism or court order for disclosure).
All data shared between Theraplay UK and The Theraplay Institute is covered by two Data Processing Agreements – one whereby Theraplay UK is Data Controller and The Theraplay Institute is Data Processor, and one whereby The Theraplay Institute is Data Controller and Theraplay UK is Data Processor. Copies of these agreements can be provided on request.
7. How can you see all the information we have about you?
You can make a subject access request (SAR) by contacting us. We may require additional verification that you are who you say you are to process this request. We may withhold such personal information to the extent permitted by law. In practice, this means that we may not provide information if we consider that providing the information will violate your vital interests.
8. What if your information is incorrect?
Please contact us. We may require additional verification that you are who you say you are to process this request. If you wish to have your information corrected, you must provide us with the correct data, and after we have made any correction we will send you a copy of the updated information in the same format as the subject access request in Section 7.
9. How can I have my information removed?
If you want to have your data removed we have to determine if we need to keep the data, for example in case HMRC wish to inspect our records. If we decide that we can agree to delete the data, we will do so without undue delay.
10. Will we email you or telephone you?
If you are engaged in a service with us we will need to communicate with you via email, post and telephone. When we need to send sensitive documents to you we will email them encrypted using Egress Switch. We will send you emails about additional services we provide only with your consent.
11. How do you opt out of receiving emails from us?
If you are receiving emails from us you may unsubscribe at any time by clicking the Unsubscribe link on the email or by asking us to remove your name from our mailing list. When you unsubscribe (i.e. opt out) from email communications, we will suppress your details on our systems to ensure we have a record of your decision to not be contacted in that particular manner. We will not use the email address for such messages again unless you opt back in.
12. Can I browse your website without receiving any cookies?
Yes. If you have set your computer to reject cookies, you can still browse our website.
13. How can I find and control cookies?
You can usually adjust for yourself the number of cookies that your computer (or other device, such as a mobile phone) receives. How this is done, however, varies according to which device and what browser software you are using. As a general rule, the more commonly used web browser software packages tend to have a drop-down menu entitled ‘Tools’. One of the options on this menu is usually ‘Options’ – and if this is selected, ‘Privacy’ is usually one of the settings that may be adjusted by the user. In the case of any device other than a PC (e.g. mobile phone), you should always refer to the manufacturer’s instructions.
Alternatively, you may wish to opt-out from only the cookies used by third-party companies (acting on our behalf) to measure the traffic to our site. This has the advantage of leaving other cookies in place, thereby minimising the loss of functionality associated with blocking all cookies. You may find the following website useful for information on how to change cookie settings in a range of commonly used browsers: www.aboutcookies.org
Please note we only use cookies for the purpose of enhancing your online experience and no personal data is collected from you through this process.
14. Data Protection Training
Training is provided to staff at induction, then fortnightly review meetings are held to monitor our data compliance. Theraplay UK employees are required to sign the Theraplay UK Confidentiality Form (available on request).
15. Data Breach Process
Any data breaches are recorded immediately on our Data Breach Form (blank copy is available on request) and reported to the ICO, if appropriate. All users who are potentially impacted by such a Data Breach will be immediately informed by email.
16. Organisation Contact Information
Theraplay UK
Registered Address: Kilvert’s School, Clyro, Hay-on-Wye, Hereford HR3 5SB
Companies House Registration: 12543244