The General Data Protection Regulation (GDPR) protects the rights of individuals by setting out certain rules about what organisations can and cannot do with information about people. A key element to this is the principle to process individuals’ data lawfully and fairly. In order to meet the fairness part of this we need to provide information on how we process personal data.
CBPC takes its obligations under the General Data Protection Regulation seriously and will ensure personal data is collected, handled, stored and shared in a secure manner. The following statement will outline what personal data we collect, how we use it and who we share it with. It will also provide guidance on your individual rights and how to make a complaint to the Information Commissioner’s Office, the regulator for data protection in the UK.
What is personal data?
Personal data is information relating to an identified or identifiable person. Examples include an individual’s name, age, address, date of birth, gender and contact details.
Personal data may contain information which is known as special categories of personal data. This may be information relating to and not limited to an individual’s health or medical data, racial or ethnic origin, religious or philosophical beliefs or data relating to sexual orientation.
Personal data may also contain data relating to criminal convictions and offences for the purposes of safeguarding.
Why do we need your personal data?
We will use your personal data for the delivery of our services to you. This will be to deliver the contract for training with you, or to provide psychotherapy services to you.
Who are data subjects?
Data subjects are defined as individuals about whom information is held. These include:
- registered students and trainees of CBPC
- UKCP registered members of CBPC
- Supervisors, and Psychotherapists who offer their services to CBPC
- Staff, both academic and nonteaching
- Clients who apply for psychotherapy via CBPC
In order for us to provide and administer courses, trainings and employment, we will collect and process personal data about you. We will also collect your personal data where you request information about our courses.
We may also need to collect personal data relating to Clients, Tutors and Supervisors. In most circumstances, you will provide us with this information. Where you disclose the personal data of others, you must ensure you are entitled to do so.
You may provide us with personal data when completing your application forms via email or by hard copy through the post, when you contact us via the telephone, when writing to us directly or where we provide you with paper-based forms for completion or we complete a form in conjunction with you.
Who do we share personal data with?
CBPC is required to share personal data with certain other organisations in order to meet statutory requirements (such as tax, pensions and employment law, money laundering regulations) or to provide services to students, trainees, members, clients and staff.
Sharing will be undertaken in line with the requirements of data protection law, either through the consent of the individual, or another relevant legal gateway. The personal data that is actually shared will always be limited precisely to what the other organisation needs to meet its requirements or deliver its services.
CBPC shares personal data with:
- CBPC Training Committee
- CBPC Administrator
- UKCP to process student, trainee and UKCP registered members professional membership
- CBPC Training Supervisors
- CBPC Essay Markers
- External Examiners for accreditation and re-accreditation purposes
- CBPC’s insurers and legal advisers for the purpose of providing insurance cover or in the event of a claim
- Employers, agencies and other academic institutions who request a reference from CBPC (for relevant staff and students)
We will retain your personal data at the end of any contractual agreement for no longer than required and, at the end of any contractual agreement, for the statutory time required. This data will be retained for your protection and the protection of clients.
The retaining of data is necessary where required for contractual, legal, regulatory, professionally statutory and employment purposes.
Individuals are provided with legal rights governing the use of their personal data. These grant individuals the right to understand what personal data relating to them is held, for what purposes, how it is collected and used, with whom it is shared, where it is located, to object to its processing, to have the data corrected if inaccurate, to take copies of the data and to place restrictions on its processing. Individuals can also request the deletion of their personal data.
These rights are known as Individual Rights under the Data Protection Act 2018. The following list details these rights:
- the right to be informed about the personal data being processed
- the right of access to your personal data
- the right to object to the processing of your personal data
- the right to restrict the processing of your personal data
- the right to rectification (change what is held) of your personal data
- the right to erasure of your personal data
- the right to data portability (to receive an electronic copy of your personal data);
- rights relating to automated decision-making including profiling.
For more information about these rights see https://ico.org.uk/for-organisations/guide-to-thegeneral-data-protection-regulation-gdpr/individual-rights/
In exercising your Individual Rights, you should understand that in some situations we may be unable to fully meet your request, for example if you make a request for us to delete all your personal data, we may be required to retain some data for regulatory and other statutory purposes.
Right to object
If we become aware of any ongoing concerns or problems concerning our privacy practices, we will take these issues seriously and work to address them with you.
You also have the right to complain to the UK Regulator the Information Commissioner’s Office (ICO’s) if you believe you request has not been dealt with properly or you have a complaint to raise against BCPC for any other data protection related issue. A complaint can be raised via the ICO’s website or write to the following address:
The Office of the Information Commissioner,
All students, staff and any other relevant individual who handle personal information which CBPC Centre is responsible for must follow the requirements of our Data Protection Policy.