GDPR and data protection - Revised June 2018
Oloruntobiloba Adepegba trading as Total Transition Personal Training. I am a sole trader and do not employ staff.
This document is intended to show I have considered the provisions of the GDPR and Data protection legislation and understand my obligation to protect the privacy of my clients.
Schedule 1 details the data I obtain from clients, the purposes I obtain it for and details the data supplied to third parties.
I am the sole Data Protection Officer, Data Processing Officer and have sole responsibility for the maintenance and deletion of client data.
I have reviewed my business and decided to rely on Client Consent to allow me to obtain and use client data.
I will obtain Consent via the signing of a Charter of Expectations (Schedule 2) that will be signed by myself and the client and will include a privacy statement explaining the client’s rights, how data will be used, stored and how the client can arrange for it to be amended or deleted.
IT and Storage
I will use four systems:-
Client data will be stored within a secure Dropbox facility. Dropbox uses encryption and password protection to secure the data held on its servers; full details are available on its website.
2. Gocardless - for processing Direct Debit Payments
Only data relevant to the processing of direct debits for the payment of training fees will be submitted to Gocardless. Gocardless has a privacy statement and policy that can be accessed via their website.
3. Mailchimp - for distributing marketing material and newsletters.
Mailchimp is a facility that allows me to circulate marketing information and newsletters to my clients; I will supply them with client names and email addresses only.
4. My personal laptop.
No client data will be held on the laptop; it will merely be used to update the systems detailed above.
The operating system and security software will be kept up-to-date.
All passwords used with the online services and for the laptop will be tested via the my1login.com password checker and must meet a “time to crack” target of 1 century or longer.
When clients contact me via the website an email is generated which is forwarded to Mailchimp. The website requires the client to consent to being contacted only for the purpose of arranging a meeting to discuss their requirements; the client will complete a Charter of Expectations if they decide to use my services. The email generated by the client on making the web enquiry will include the consent. The email will be stored in Dropbox for future reference.
On receiving the client’s signed Charter of Expectations, the document will be held in a locked briefcase under my control. It will be scanned and uploaded to a “Clients” folder within the Dropbox facility, and the original hard copy will be shredded within 72 hours of receipt.
If consent is withdrawn before any training is provided, all data will be removed from My PT Hub, Gocardless and Mailchimp subject to there being no legal obligation to retain data.
If consent is withdrawn after training has been given, I will seek legal advice at the time of the request to ascertain what data should be retained. I anticipate that data may need to be retained for a period of six years following the cessation of training in accordance with the statute of limitations.
I assume Gocardless are required to keep client payment related data for a minimum of six years. (The statute of limitations for debt is six years, and it is bank practice to keep payment data for six years.)
The statute of limitations for injury claims is three years therefore:
I may need to retain the My PT Hub profile for three years as protection against claims in respect of professional negligence; failure to keep this information could prejudice claims I need to make under my professional indemnity insurance.
I may need to retain clients’ health questionnaires for three years as these would also be relevant in the event of a professional negligence claim.
A monthly review of client data is undertaken to ascertain which inactive client data has been held for six years or longer. All data over six years old will be deleted unless there is legal action pending in which case appropriate legal advice will be obtained.
On an annual basis any clients still using my services will be asked to renew consent by countersigning a copy of their original Charter of Expectations; this will be scanned and stored in Dropbox and the paper copy will then be shredded.
I will not be training children and therefore will not hold any data for children.
Requests for data
If a client requests a copy of the data I hold for them, it will be provided within the timescale detailed in the GDPR guidelines, although I anticipate providing the information within 5 working days. The information will include details of how the data has been used and details of what data has been provided to the third parties. No charge will be levied.
Right to data portability
In the unlikely event I am requested by my client to transfer their data to another business, I will seek clarification from the client and the proposed recipient on what format and method should be used for the data transfer.
Right to object
If a client does not want their personal data to be processed the client relationship will be terminated and their data will be deleted subject to me meeting my legal obligations for data retention.
As I cannot provide my services without using ‘My PT Hub’, I will not take on clients that choose to withhold consent.
I have supplier-defined user agreements with ‘Gocardless’, ‘My PT Hub’ and ‘Mailchimp’; these are the standard user agreements entered into when signing up for services via their respective websites.
I understand that any leak of information is a serious issue. I consider the majority of data would cause little risk to the client as much of it is a matter of public record. I acknowledge that health data is sensitive, and for this reason such data is limited to that relevant to ensuring a safe training programme is provided for the client.
If there is a data breach, clients will be advised, an individual assessment of the risks arising from the breach will be undertaken for each client, and all steps to resolve the issue with the clients will be taken.
If I assess that the breach is not likely to result in a risk to the rights and freedoms of my client(s), I will not report the issue to the ICO. If the breach does result in a risk to the rights and freedoms of my client(s), then I will be obliged to report the breach to the ICO.