The Mindfulness Network have prepared this policy for you to understand how and why we handle personal data. Under the General Data Protection Regulations, we are a “data controller”, as we collect and use personal data. We also use “data processors” who handle some of our data. We therefore have a number of responsibilities to protect our customers, suppliers and staff.
What personal data do we hold?
We collect and retain personal data for:
- Individuals who use our services.
- Suppliers of products and services.
What type of data do we hold?
We hold the following data:
- Contact data for customers, suppliers and staff.
- Details of bookings for services, and a record of previous services used.
- Sensitive data related to bookings (such as health or personal circumstances) that may be relevant to attendance at one of our events.
We expressly do not hold:
- Banking or credit card data for clients unless given to us for a purpose (e.g. a reimbursement).
- Cookies or any means of tracking an individual's use of services on the internet other than through direct applications where the data is freely given.
Where do we store personal data?
Personal data, including sensitive data, for our clients is stored on a secure, password-protected server that meets the highest standards. Personal data is available to administrative staff for routine processing. Sensitive data is held in a restricted area, and only accessed by staff for specific purposes.
We use a cloud-based accounting system called QuickBooks for payments and receipts. We will enter client and supplier details necessary to process payments on that system. You can read their privacy statement here.
We use PayPal for card processing. We do not enter details of our clients on PayPal, but details entered for payments are available to us. You can read their privacy statement here.
We use the Co-op Bank for our financial transactions. We will enter details of anyone we pay on there to facilitate payments. You can read their privacy statement here.
We use Mailchimp to contact people who have signed up to read our newsletters. The only information held here is names and email addresses. You can read their privacy statement here.
We use Andrew Wells Accounting for our accountancy services, including payroll. They hold data on staff for payroll purposes.
Who can see the data we hold?
Personal data (not including sensitive data) may be viewed by:
- Staff, for the purposes of administering a service.
- Third parties for the purposes of processing payments.
- Third parties for the purposes of distributing information.
Personal sensitive data may be viewed by:
- A member of staff who is trained to assess individuals prior to acceptance on an event.
- A trainer or retreat lead, who needs to know of any relevant issues for an attendee on an event.
- A supervisor, where the supervisee has named that supervisor and given permission for their application to be viewed (same for PPM)
Personal sensitive data may not be viewed by a member of staff:
- For any purpose other than the above.
- If the individual is known personally to a staff member as a friend, family member or in another social context, unless express permission has been granted by the individual for the staff member to see that information.
Who do we share data with?
We will comply with all legal and legislative obligations on personal data.
We will not share personal sensitive data with any third party.
We will share attendance information for participants on courses operated under the collaboration agreement with Bangor University for the delivery of Continuing Professional and Personal Development under the Teacher Training Pathway.
When people enquire with us or apply for a service, we will restrict our communications to that service.
People will be offered the option to sign up to our newsletter service, and we will email those who do from time to time to advise of our activities and of other related activities that may be of interest.
We use social media to reach out to the general public. We do not harvest personal data from our social media sites.
We hold personal data for the minimum amount of time necessary.
Unless there is a need to retain the data for longer, sensitive data will be deleted within three years of its use. During that period it will not be accessed without permission of the individual concerned.
We will delete data about an individual on request from that person, unless there is some legal obligation to retain that data.