Please note that I have two separate privacy policies, one for those engaging me for my teaching services, and the second for my coaching clients. Clearly the intention is the same in both, that is, to keep your data secure, according to the ICO guidelines effective from 25th May 2018.
I process personal data relating to clients and customers, and to those who are interested in the services I provide.
I am committed to complying with my legal obligations in respect of data protection and privacy.
This statement sets out the principles I apply when processing personal data. This statement describes the types of personal data I may collect about you. This statement also describes what I do with any data I collect about you, how I will keep it secure and the legal bases on which I rely for processing your data. This statement also informs you of your rights and how you can contact me.
- About me and my services
- I am a sole trader.
- I provide educational services.
- I am a Data Controller for the purposes of current data protection legislation.
My contact details are:
Mrs S M Hughes BA ARCM FISM
17 Weald Close, Brentwood, Essex. CM14 4QU
Tel. 07710 172976
Sue Hughes Values Living – www.valuesliving.com
- What personal data do I collect from you?
Personal data is any information relating to an identifiable living individual. I only collect the personal data I need to be able to provide you with the services you have asked me to provide or tell you about.
Personal/contact information: this can include your name, contact address, email addresses, telephone numbers, your child’s date of birth.
Payment information: your bank details for billing purposes.
Digital information: IP addresses, and details of your interaction with my website and social media, should you engage with me through these channels.
Correspondence: information relevant to your specific enquiries.
Other: any other information you choose to provide to me.
- When do I collect personal data?
I will collect information about you when you enter into a contract with me, make enquiries about my services, visit my website and engage with me on social media.
- What is my lawful basis for processing your data?
I may only process personal data where I have a lawful basis to do so.
I may collect and process your personal data when:
- it is necessary for the performance of contracts with you;
- it is necessary for the purposes of my legitimate interests as a business. In these cases I will do so in a way which might reasonably be expected from my relationship with you, and which does not impact materially on your fundamental rights, freedom and interests. I will not process your personal data on this basis if I believe your rights override mine. Instead, I may seek your specific consent, and/or another legal basis;
- it is necessary for compliance with legal obligations;
- I have your consent to do so, for example in relation to marketing by electronic means.
Please see below for more detailed information about how I will use your data and on what basis.
If you have any concerns about my data processing please contact me: see Contact. Please also see Your rights, below.
- How will I use your personal data?
I may process the information I collect about you:
- to perform any contract I have agreed with you, or to respond to any enquiries you make in this connection before I enter into a contract. The lawful basis for this processing is performance of a contract with you or because you have asked me to take specific steps before entering into a contract in respect of these activities and services;
- to respond to any other enquiries or complaints. I need the information you supply to enable me to respond.
- to provide you with information by post (or by email, with your consent) about other products and services I offer similar in nature to those you currently receive or have previously asked about. Information I may process for this purpose includes your name, address and email address. This processing is necessary for marketing my services, which is a legitimate business interest.
- I will only send marketing information to you by email if I have your consent. You have the right to withdraw your consent at any time. Please write, email or telephone me: see Contact.
- to send you communications required by law or which are necessary to inform you about changes to the services I provide you, for example, updates to this Privacy Statement, and any information legally required which relates to any contracts between us. These service messages will not include any promotional content and do not require prior consent when sent by email or text message. This processing is necessary for me to comply with my legal obligations.
- to administer my website, and send you survey and feedback requests to help improve my services. These messages will not include any promotional content and do not require prior consent when sent by email or text message. This processing is necessary for development of my services, which is a legitimate interest of my business. I have a legitimate interest to do so as this helps make my products or services more relevant to you. You are free to opt out of receiving these requests from me at any time by contacting me.
- Whom do I share your data with?
In some circumstances I may need to share your data with the following:
- My accountants/auditors
- Accounting software company
- Direct debit company
- Examination boards
I may also share your data with third parties, such as my IT consultants/cloud-based back-up service/mailing house/email marketing company to support the efficient running of my business.
If this is necessary, I will provide only the information they need to perform the services I require. They will only use the data for the purposes I specify. I require third parties to maintain appropriate security to protect information from unauthorised access or processing.
In some circumstances, I may need to share your personal data with other third parties (including legal or other advisers, regulatory authorities, courts and government agencies) to enable me to enforce my legal rights, or where such disclosure may be permitted or required by law.
Unless I tell you otherwise, your data will not be processed outside the EEA.
- How long will I keep your data?
I will only keep personal data for as long as is necessary to provide my services, or for as long as I reasonably need to keep the information for the lawful business purposes or to comply with a statutory or other legal requirement.
- Data security
I will take appropriate technical and organisational measures to protect the personal data I transmit, store or otherwise process against accidental or unlawful destruction, loss, alteration or unauthorised disclosure or access. My computers and mobile devices are password protected. Any paper records are kept secured by lock and key.
- Your rights
You may exercise your rights by contacting me using the details in Contact, below. I aim to handle any requests within a reasonable period and, in any event, within one calendar month of the original request.
- Right to information and access
You have the right to be informed about what personal data I collect about you, why, on what lawful basis and what your rights are. This Privacy Statement is the key document I use to inform you about this.
You also have a right to request access to the information that I hold about you, and to receive a copy of this information, along with other information which is generally contained in this Privacy Statement.
- Right to rectification
You have the right to request that inaccurate personal data be rectified, or completed if it is incomplete.
- Right to erasure and restriction
You have the right to ask me to limit or cease processing or erase information I hold about you in certain circumstances. When responding to such requests, I will tell you how such restrictions or deletions may affect my ability to fulfil my contracts with you or otherwise affect your interests.
- Right to object
You have the right to object to my using your information for direct marketing. You can also ask me to stop using your information, where I am processing it on the basis of my legitimate interest. I will do so unless I believe I have a legitimate overriding justification to continue processing your personal data.
- Right to withdraw consent
If you have given me any specific consent to use your personal data, you have the right to withdraw it at any time. If you wish to tell me that you are withdrawing your consent, please email me at firstname.lastname@example.org or email@example.com.
If you are unhappy with the way I process your personal data, please contact me using the information provided below. You also have the right to lodge a complaint with the Information Commissioner’s Office (ICO):
Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF; Tel: 0303 123 1113 or 01625 545 745
If you have any questions about this policy, or you wish to exercise any of your rights, please email me at firstname.lastname@example.org, telephone me on 07710 172976, or write to 17 Weald Close, Brentwood, Essex. CM14 4QU
- Updates to this statement
I may change this privacy statement from time to time. I will post updates to this privacy statement on my website, and where appropriate, I may notify you by post or email. Please check my website to stay up to date.
Last updated May 2018
and as the following website(s) and social media identities:
www.valuesliving.com and Facebook pages Sue Hughes Values Living and Sue Hughes Writing
17 Weald Close, Brentwood, Essex, UK.
There are two sections to the following information:
- About your personal data – the type of data that is collected or used, including when, how and why
- Your rights – all the ways that you can control what happens with your data
About your personal data:
When you make an enquiry
The name and contact details you give and the content of your message(s) are retained for three reasons:
- By your consent
- As part of a ‘contract’ (only while we communicate)
- For legitimate business interests – for good business practice I keep tabs on who has made contact before, the types of questions asked, etc.
When you work with me as a coach 1:1
Client work is different. Dependent on the work, you may wish (or need) to provide personal details of a sensitive nature.
As an intake form these are retained in printed or handwritten format and include your contact details and where appropriate, signature. The sensitive nature of such documents will generally be in relation to health or medical history.
As session notes these are scant memos handwritten by me for the purpose of fulfilling our contract and keeping tabs on the work during the session and from one week to the next, filed separately with only initials and date as identifiers so that no other person may connect these details alone to your personal identity.
In both cases I am required by law to retain these records for six years after the completion of our contract – or, in the case of a minor, for six years beyond the date of their eighteenth birthday.
Other data sources:
Incoming data is also received from my website host WordPress, Paypal, Skype, Zoom, Appear.in.
I may receive information from another practitioner or therapist as part of a referral. In such a case you may be unaware that the consented data transfer has taken place; I will therefore inform you of receipt within 28 days.
Sharing your data
Your privacy is important and I do not sell your data nor share it except by your consent or under the law.
When working together, I may give out elements of your personal information to another practitioner or therapist as part of a referral. This will always only be with your personal consent.
In continuation of current UK law on confidentiality I also retain the right and in some cases the legal requirement to breach confidentiality to inform an authority such as the police or your GP of impending harm or illegality.
The GDPR sets out clearly what your rights are. It also lays out deadlines for a reply and other rules which are reproduced for your information at the bottom of this section.
Right to be informed
You have the right to be informed about the collection and use of your personal data. This is a key transparency requirement under the GDPR.
I must provide you with information including: my purposes for processing your personal data, my retention periods for that personal data, and who it will be shared with. This ‘privacy information’ is provided above.
I must provide you with privacy information at the time I collect your personal data from you, in other words it has to be available to you before you fill in a form or hand over your data such as your email address.
If I obtain your personal data from other sources, e.g. by referral or from the payment service provider you selected, I must provide you with privacy information within a reasonable period of obtaining the data and no later than one month.
There are a few circumstances when I do not need to provide people with privacy information, such as if an individual already has the information or if it would involve a disproportionate effort to provide it.
The information I provide to people must be concise, transparent, intelligible, easily accessible, and it must use clear and plain language. Therefore if there is anything you do not understand, please get in touch.
Right of access
You have the right to access your personal data and supplementary information. This allows you to be aware of and verify the lawfulness of the processing.
You are entitled to confirmation that your data is being processed, access to your personal data, and other supplementary information as provided in this privacy notice.
Right to rectification
You have the right to have your personal data corrected if it is incorrect, or completed if it is incomplete.
Right to erasure
You may request, verbally or in writing, to have your data erased. This is also commonly known as ‘the right to be forgotten’. This right only takes effect when:
- your personal data is no longer necessary for the purpose for which it was originally collected or processed;
- you withdraw your consent when the sole legal basis to hold this information is your consent;
- there is a legitimate interest in processing this data, which does not override your request;
- processing/analysing of the personal data was for direct marketing purposes and this is the use you object to;
- your personal data was processed unlawfully without a proper legal basis;
- there is a legal obligation to comply with your request; or
- the personal data was processed to offer information society services to a child.
Right to restrict processing
You have the right to request the restriction or suppression of your personal data. In other words you want to stop the data being used but keep it on file.
In this case your personal data cannot be used and can only be stored unless:
- you give your consent;
- it is for the establishment, exercise or defence of legal claims;
- it is for the protection of the rights of another person (natural or legal); or
- it is for reasons of important public interest.
Right to data portability
This allows you to obtain and reuse your personal data for your own purposes across different services. It allows you to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without affecting its usability. Doing this is meant to enable you to take advantage of applications and services that can use this data to find you a better deal or help you understand your spending habits. In general this rule exists for data held by big service providers, such as your call history or insurance or gas bill history. The right also only applies to information you have provided.
If, as a private client you wish to carry a copy of your case notes or other sensitive data to another practitioner or other mental, physical or spiritual health service, these may be provided to you or to the nominated service provider, on request, as an encrypted and password protected document.
Right to object
Individuals have the right to object to:
- processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling);
- direct marketing (including profiling); and
- processing for purposes of scientific/historical research and statistics.
Your objection must be made on grounds relating to your particular situation.
Once you object, your data can no longer be processed, unless:
- there are demonstrably compelling legitimate grounds for the processing, which override the interests, rights and freedoms of the individual; or
- the processing is for the establishment, exercise or defence of legal claims.
You may complain directly to me using the contact details above. If you find the outcome unsatisfactory you are then able to object or complain to:
Information Commissioner’s Office (ICO) at ico.org.uk,
or Towergate Insurance at towergateinsurance.co.uk
You may of course also exercise your right to legal action.
You can claim a right verbally or in writing.
A response should come without delay and at the latest within one month of receipt. The time limit is calculated from the day after you make the request (whether the day after is a working day or not) until the corresponding calendar date in the next month.
I aim to respond within 28 days.
When you request access to your data, a copy must be provided free of charge. However, you can be charged a ‘reasonable fee’ when a request is:
- manifestly unfounded or excessive, particularly if it is repetitive, unless that’s because I failed to respond; or
- for further copies of the same information (that’s previously been provided).
Last updated May 2018