Protecting your Privacy, the ACAT Promise
‘Because your data and privacy are so important, I wanted to let you know that when you share your information with ACAT, we take our responsibilities and obligation very seriously indeed.’
Alison Jenaway, Chair of the Association of Cognitive Therapy.
Updated June 2019
Our policy on data protection
Introduction
The Association of Cognitive Therapy (ACAT) is committed to protecting the privacy and ensuring the security of your personal data. ACAT is a data controller which means we are responsible for the information you give us or that we process for various purposes.
This Privacy Notice explains the types of personal data we may collect about you when you interact with us. It also explains how we store and handle that data and keep it safe.
First of all, here’s a few terms we may use in this document to explain ourselves. “Personal data” is information relating to you as a living, identifiable individual. So, this could be anything from a postal address to a telephone number or date of birth.
“Processing” your data includes various operations that may be carried out on your data, including collecting, recording, organising, using, disclosing, storing and deleting it. A “Condition for processing data” is essentially our justification for processing the information, for example we may ask you to agree for us to send you marketing information, in this instance we may ask you for your Consent.
The law requires us:
- To process your data in a lawful, fair and transparent way;
- To only collect your data for explicit and legitimate purposes;
- To only collect data that is relevant, and limited to the purpose(s) we have told you about;
- To ensure that your data is accurate and up to date;
- To ensure that your data is only kept as long as necessary for the purpose(s) we have told you about;
- To ensure that appropriate security measures are used to protect your data.
The following sections will answer any questions you have but if not, please do contact us, details are shown below.
It is likely that we will need to update this Privacy Notice from time to time, and you are welcome to come back and check this at any time or contact us by any of the means shown below.
What is ACAT?
ACAT is an organisation that promotes an understanding of Cognitive Analytical Therapy, establishes a platform for ideas and upholds the highest standards for those that work in CAT. ACAT is a membership organisation that delivers skills training and practitioner courses for therapists.
ACAT needs to process data, how?
The law on data protection sets out a number of different reasons or conditions for which an organisation may collect and process your personal data. When collecting your personal data, we will always make clear to you, what data is necessary for each purpose we have told you about. Most commonly, we will process your data on the following lawful grounds:
Consent & Implied Consent
In specific situations, we can collect and process your data with your consent.
This may include when you agree to receive an email about our training and educational services or an event we may hold. When you make an enquiry online for example, we may assume your implied consent to enable us to send information you have requested. This is a quick and easy way for you to indicate your agreement. You can easily stop these communications at any time by unsubscribing or Opting-out.
If you have not engaged with us for more than five years, you may be flagged as inactive individual and we will contact you to ask whether you want us to keep your data or not. Unless you reply to say ‘yes’, we will delete or anonymise your personal data.
ACAT may have some Contractual obligations
In certain circumstances, we need your personal data to comply with our contractual obligations. If a law says we must process your information we have no alternative. This might be for example if you become a member of ACAT.
Other Legal compliance
If the law requires it, we may need to collect and process your data. This might be when a Criminal Act is detected or matters relating to taxation for example. Again, we have no option but to comply with the law.
Legitimate interest
In certain circumstances, we require your data to pursue the ACAT legitimate interest in a way which might reasonably be expected when we pursue our aims and objectives as an organisation. When we process data in this way we’ll make sure there isn’t a chance of any materially impact your rights, freedom or interests, we promise.
For example, ACAT has a legitimate interest in maintaining a record of its activities, the people with whom it has interacted and its members past and present. ACAT interests may also include maintaining a record of its organisational history and the development of future services, methods of learning and how the understanding of CAT has developed. In these circumstances we may process your data where we believe it benefits ACAT, its members and others that may have an interest in our objectives.
Vital use of data
We may also use your data, typically in an emergency, where this is necessary to protect your vital interests, or someone else’s vital interests. In a small number of cases where other lawful bases do not apply, we will process your data on this basis and in your best interest.
Special category data – The most sensitive of all information
ACAT may need to collect some sensitive information about you, the types of which are shown below. Generally, we have no need for this information, so we don’t collect it. However, we are mindful that information of the type may be available to us from time to time. For example, if ACAT needs to make special arrangements for someone with a disability to attend one of our courses. We don’t process this data for the purpose of understanding a person’s health condition, but we have a duty of care to protect anyone who may interact with us. However, when we are upholding the highest standards of therapy delivered by our membership and need to investigate a complaint, our procedures include the use of a number of Committees. Members of these committees are committed and experienced individuals and are in place to ensure transparency and fairness. In these cases, more sensitive information may need to be reviewed.
“Special categories” of particularly sensitive personal data require higher levels of protection. We need to have further justification for collecting, storing and using this type of personal data. We aim to collect and process special category data as little as possible. ACAT will document all incidents of its processing of special category data in its Information Asset Register. We have carefully measured the risk associated with this by conducted an impact assessment where required.
The Special Categories of personal data consist of data that may reveal:
- racial or ethnic origin;
- political opinions;
- religious or philosophical beliefs;
- trade union membership.
They also consist of the processing of:
- genetic data;
- biometric data (e.g. fingerprints) for the purpose of uniquely identifying someone;
- data concerning health;
- data concerning someone’s sex life or sexual orientation.
Whilst individual therapists and practitioners regularly process this type of information about their clients, this data is not systematically shared with ACAT. Instead, it is only shared where absolutely necessary and even them may be anonymised.
We may process special categories of personal data in the following circumstances:
- With your explicit written consent; or
- Where it is necessary in the substantial public interest, Vital interests of the data subject or other subjects, and further conditions are met;
- Where it is necessary for the purposes of preventive or occupational therapy, subject to further safeguards for your fundamental rights and interests specified in law;
- Where there is a legal obligation or in the defence of a legal claim.
Further legal controls apply to data relating to criminal convictions and allegations of criminal activity. We may process such data on the same grounds as those identified for “special categories” referred to above. Amore detailed explanation of when we might process sensitive data can be found in our full data protection policy which is available upon request.
When ACAT collects your personal data:
These occasions will include, but are not limited to:
- When you work with the ACAT team;
- When you visit our offices or an event we may organise;
- When you supply good and services to ACAT;
- When you write to us about any subject by any means;
- When you post, like, follow or reply on any of our social media feeds;
- When you are a member or friend of ACAT;
- When you are a committee member or mentor;
- When you are a supporter of our chartable cause;
- When you enquire about our range of training courses;
- When you attend an event we may organise;
- When you access or engage with our website.
How and why ACAT collects your personal data
ACAT collects personal data in order to manage its day to day business activities and deliver its services. The data collected is most likely in electronic format but can also be in paper form.
When you visit our website, we may collect your IP Address, page visited, web browser, any search criteria entered, previous web page visited and other technical information. This information is used solely for web server monitoring and to deliver the best visitor experience. We may use technology such as cookies to help us deliver relevant and interesting content in our communications in the future. We may use information with gather about you you to find out more about you but in the least most intrusive way. We may use information we collect to display the most interesting content to you on our website or to send communications that you’ll find of interest.
We may also collect your social media username if you interact with us through those channels in order to help us respond to your comments, questions and feedback. The data privacy law allows this as part of our legitimate interest in understanding our audience.
For your security, we use all appropriate organisational and technical security controls to safeguard your data.
When we interact with you we may also collect notes from our conversations with you, and details of any complaints or comments you make. We may record your age or identity where the law requires this.
We will only ask for and use your personal data collected for the purpose stated at the point at which it is collected. If we believe your data is no longer needed for this purpose, we will not process your data further.
ACAT is committed to your data protection rights
You have eight important rights detailed in the GDPR and the data protection act 2018, here’s a brief explanation of each.
Right to Object
You have the right to object to our processing of your personal information if we used it for the purpose of direct marketing. But remember in some cases we are bound by law to process your data. If you have given consent for ACAT to collect and process your personal data, you have the right to change your mind at any time and to withdraw that consent. We’ll let you know how every time to communicate with you.
Right to challenge automated decisions
You have the right to challenge automated decisions we make about you. You may ask for these to be assessed by a member of the ACAT team. We don’t currently make decisions in this way but may do in the future.
Right to a copy of your information and a chance to correct inaccuracies
You have the right to request a copy of any information about you that ACAT may hold at any time to check whether it is accurate. To ask for that information, please contact ACAT using the details below. To protect the confidentiality of your information and the interests of ACAT, we will ask you to verify your identity before proceeding with any request for information. If you have authorised a third party to submit a request on your behalf, we will ask them to prove they have your permission to request such information.
Right to be Forgotten
You have the right to ask us to forget you from our records. We will uphold this right unless there is a legal obligation such as a contractual agreement or it is in our legitimate interest to keep your data.
Right to be informed
You have a right to be informed, to know what we are doing with your data and why. We promise to publish privacy notices wherever they may be required to clearly explain our reasons.
Right to Restriction
You have the right to ask us to stop processing your data for a number of difference reasons. For example, it might be because you think the data we hold about you is incorrect. Or maybe you think we are doing something wrong. Please contact us for further details.
Your right of portability
If we hold information about you and you want us to ‘port’ it or send it to another organisation that does similar work to us or provides a similar service, you can ask us to do this. This service will be free of charge and we will endeavour to provide this service without undue delay.
Other important information
Sometimes we are required to inform you about certain changes, including updates to this Privacy Notice and where we have a legal obligation such as a duty of care or safeguarding. These administrative messages will not include any marketing content and do not require prior consent when sent by email. This ensures that we are compliant with our legal obligations.
We may use your data to send you a survey and feedback requests to help improve the way we communicate. Again, these messages will not include any marketing and do not require prior consent when sent by email. We have a legitimate interest to do so as this helps improve our services and make them more relevant to you. Of course, you are free to opt out of receiving any of these communications should you wish.
Data retention and how long ACAT may keep information
Whenever we collect or process your personal data, we will only keep it for as long as is necessary for the purpose for which it was collected. ACAT Information Asset Register includes retention periods and this Register will indicate the types of data concerned and clearly indicate the period it will be retained. Annual reviews will ensure that retention schedules are followed. At the end of the retention period, your data will either be deleted completely, put beyond use or anonymised. In some cases, personal data will be kept in perpetuity.
Protecting your data outside the EEA
Occasionally we will need to share your personal data with third parties and suppliers outside the European Economic Area (EEA). The EEA includes all EU Member countries as well as Iceland, Liechtenstein and Norway.
We may transfer personal data that we collect from you to third-party data processors in countries that are outside the EEA such as the USA. For example, this might be required when we store data in a Cloud Service. If we do this, we have procedures in place to ensure your data receives the same protection as if it were being processed inside the EEA, and we will treat the information under the guiding principles of this Privacy Notice.
Stopping us from using your data in the future
You can stop ACAT from processing your data by either:
clicking the ‘unsubscribe’ link in any email communication that we send you. We will then stop any further emails in line with your rights unless we have a legal obligation to inform you about something; or
by contacting us using the information below.
Remember, some administrative communications cannot be stopped.
How to complain about our processing of your data
If you feel that your data has been handled incorrectly, or you are unhappy with the way we have dealt with your query regarding the way we use your personal data, you have the right to complain to the Information Commissioner’s Office (ICO) which regulates the use of information in the UK.
You can call them on 0303 123 1113 or go online to www.ico.org.uk/concerns
If you are based outside the UK, you have the right to complain to the relevant data protection supervisory authority in your country.
If you would like to discuss any aspect of this policy or the way ACAT processes your information, please contact;
The Data Protection Officer/The Data Controller;
By Post – ACAT, PO Box 6793, Dorchester DT1 9DL
By Email – admin@acat.me.uk
By Telephone – +44 (0)1305 263511
June 2019
Privacy Information Specific to ACAT’s Public Engagement Site
Who has access to information relating to ACAT’s Public Engagement Site?
Personal data gathered through or relating to this Public Engagement blog/website is accessible to ACAT administrative staff and ACAT members assisting with the ACAT’s Public Engagement initiative for the purposes of administering our services and reporting on the website activity. Additionally web developer/technical support staff engaged by ACAT may have access to email addresses, IP addresses etc collected through comments.
All those working with ACAT comply with data protection legislation and maintain appropriate security measures in relation to the website.
Reports drawing on anonymised information obtained via third party applications such as Google Analytics and WordPress plus related toolkits, tools and plug-ins, may be shared with ACAT Trustees and Council of Management but this would not include any personal data. This is for the purpose of improving and delivering ACAT services.
Retention periods for personal data held on ACAT’s Public Engagement Site
We delete any personal data held on ACAT’s Public Engagement Site as soon as possible.
Cookies: How we use cookies on ACAT’s Public Engagement Site
A cookie is a small file which asks permission to be placed on your computer’s hard drive. Once you agree, the file is added and the cookie helps analyse web traffic or lets you know when you visit a particular site. Cookies allow web applications to respond to you as an individual. The web application can tailor its operations to your needs, likes and dislikes by gathering and remembering information about your preferences.
We use traffic log cookies to identify which pages are being used. This helps us analyse data about web page traffic and improve our website in order to tailor it to customer needs. We only use this information for statistical analysis purposes and then the data is removed from the system.
3rd party services on this site, other websites this site links to and the services on them may also use cookies.
(Some examples of these are Twitter (eg: _twitter_sess, external_referer, guest_id).
Overall, cookies help us to provide you with a better website, by enabling us to monitor which pages you find useful and which you do not. A cookie in no way gives us access to your computer or any information about you, other than the data you choose to share with us.
Turning Cookies Off
You can choose to accept or decline cookies. Most web browsers automatically accept cookies, but you can usually modify your browser setting to decline cookies if you prefer.
Doing so, however, may prevent you from taking full advantage of this website and possibly many others, as cookies are a standard part of most modern websites.
You can usually switch cookies off by adjusting your browser settings to stop it from accepting cookies. If you want to do this we’d suggest using a search engine to search for “How to switch off cookies” (adding in your browser and device) or ask your supplier or technical support.
Links to other websites from ACAT’s Public Engagement Site
This website contains links to enable you to visit other websites of interest easily. However, once you have used these links to leave our site, you should note that we do not have any control over that other website. Therefore, we cannot be responsible for the protection and privacy of any information which you provide whilst visiting such sites. Such sites are not governed by this privacy statement. You should exercise caution and look at the privacy statement applicable to the website in question.
Embedded Content on ACAT’s Public Engagement Site
Articles on this site may contain embedded content from other sites or links to other websites. If you click on this embedded content then your personal data may be collected by the other site and you will need to read their privacy policy to find out how they manage your personal data.