Rehab Guru needs to keep certain information on its users to carry out its day to day operations, to meet its objectives and to comply with legal obligations.
The organisation is committed to ensuring any personal data will be dealt with in line with the Data Protection Act 1998. To comply with the law, personal information will be collected and used fairly, stored safely and not disclosed to any other person unlawfully.
The aim of this policy is to ensure that everyone handling personal data is fully aware of the requirements and acts in accordance with data protection procedures. This document also highlights key data protection procedures within the organisation.
This policy covers all people including its staff, clients, users, and recipients of its products and services.
In line with the Data Protection Act 1998 principles, Rehab Guru will ensure that personal data will:
Be obtained fairly and lawfully and shall not be processed unless certain conditions are met
Be obtained for a specific and lawful purpose
Be adequate, relevant but not excessive
Be accurate and kept up to date
Not be held longer than necessary
Be processed in accordance with the rights of data subjects
Be subject to appropriate security measures
Not be transferred outside the European Economic Area (EEA)
The definition of ‘Processing’ is obtaining, using, holding, amending, disclosing, destroying and deleting personal data. This includes some paper-based personal data as well as that kept on computer.
The Personal Data Guardianship Code suggests five key principles of good data governance on which best practice is based. The organisation will seek to abide by this code in relation to all the personal data it processes, i.e.
Accountability: those handling personal data follow publicised data principles to help gain public trust and safeguard personal data.
Visibility: Data subjects should have access to the information about themselves that an organisation holds. This includes the right to have incorrect personal data corrected and to know who has had access to this data.
Consent: The collection and use of personal data must be fair and lawful and in accordance with the DPA’s eight data protection principles. Personal data should only be used for the purposes agreed by the data subject. If personal data is to be shared with a third party or used for another purpose, the data subject’s consent should be explicitly obtained.
Access: Everyone should have the right to know the roles and groups of people within an organisation who have access.
Type of Information Processed
Rehab Guru processes the following personal information about its clients, users, visitors and recipients of its products and services.
Personal information is kept in the following forms:
Contact details including email address and contact phone number
Interface usage including:
– Site and App page views and analytics throughout all Rehab Guru product range.
– Programs sent and received, exercises selected and products bought.
All the above information is stored on a secure server in line with industry standard security protocols. Your information may be used to identify usage patterns and analytics in the interest of improving Rehab Guru products and services. Your information will never be sold or transferred to a third party. Usage patterns and analytics may be used in the identification of malicious use or misuse of Rehab Guru products and services.
What we do not store – We do not store any sensitive information about you. We do not and will not ever ask for your date of birth, mother's maiden name or other security-type questions by email or over the phone. We do not store passwords in plain text; they are encrypted and not visible to anyone.
Groups of people within the organisation who will process personal information are its employed staff only.
The needs we have for processing personal data are recorded on the public register maintained by the Information Commissioner. We notify and renew our notification on an annual basis as the law requires.
If there are any interim changes, these will be notified to the Information Commissioner within 28 days.
The name of the Data Controller within our organisation as specified in our notification to the Information Commissioner is Rehab Guru as a company.
Rehab Guru holds overall responsibility for personal data and is responsible for:
understanding and communicating obligations under the Act
identifying potential problem areas or risks
producing clear and effective procedures
notifying and annually renewing notification to the Information Commissioner, plus notifying of any relevant interim changes
All staff who process personal information must not only understand but also act in line with this policy and the data protection principles.
Breach of this policy will result in disciplinary action proportionate to the breach.
To meet our responsibilities all employees will:
Ensure any personal data is collected in a fair and lawful way;
Explain why it is needed at the start;
Ensure that only the minimum amount of information needed is collected and used;
Ensure the information used is up to date and accurate;
Review the length of time information is held;
Ensure it is kept safely;
Ensure the rights people have in relation to their personal data can be exercised.
We will ensure that:
Everyone managing and handling personal information is trained to do so.
Anyone wanting to make enquiries about handling personal information, whether a member of staff, volunteer or service user, knows what to do;
Any disclosure of personal data will be in line with our procedures.
Queries about handling personal information will be dealt with swiftly and politely.
Training and awareness raising about the Data Protection Act and how it is followed in this organisation will take the following forms:
On induction with the company, all employees will receive a comprehensive training session on what information is needed and why. We will also explain to them how they keep this information safe and secure in line with our data protection policies.
Regular updates and reminders will be given to all staff on the importance of the data protection policies.
Gathering and checking information
Before personal information is collected, we will consider what information is necessary for the type of products and services you are either procuring or enquiring about and how long we need to keep hold of this information.
We will inform people whose information is gathered about the following:
why the information is being gathered
what the information will be used for
who will have access to their information (including third parties)
(in most cases, this is simply stated on the form that they complete)
We will contact our customers from time to time to ensure that the personal information we keep is accurate. If we do not hear back from a customer, we will have to decide whether to retain the information we have on file. We decide this by considering whether that individual is likely to lose out by not receiving the information we are trying to pass on.
Sensitive personal information will not be used for anything other than the exact purpose for which permission was given.
The organisation will take steps to ensure that personal data is kept secure at all times against unauthorised or unlawful loss or disclosure. The following measures will be taken:
Using lockable cupboards (restricted access to keys)
Password protection on personal information files
Setting up computer systems to allow restricted access to certain areas
Not allowing personal data to be taken off site (as hard copy, on laptop or memory stick)
Backup of data on computers (onto a separate hard drive / drives kept off site)
Password protected attachments for sensitive personal information sent by email
Any unauthorised disclosure of personal data to a third party by an employee may result in disciplinary proceedings being taken.
Subject Access Requests
Anyone whose personal information we process has the right to know:
What information we hold and process on them
How to gain access to this information
How to keep it up to date
What we are doing to comply with the Act.
They also have the right to prevent processing of their personal data in some circumstances and the right to correct, rectify, block or erase information regarded as wrong. Rehab Guru reserves the right to request a small admin fee for any Subject Access Requests.
Individuals have a right under the Act to access certain personal data being kept about them on the computer and certain files. Any person wishing to exercise this right should apply in writing to Peter Dugmore, Rehab Guru, [email protected]
The following information will be required before access is granted:
Full name and contact details of the person making the request
Their relationship with the organisation (former or current member of staff, trustee or other volunteer, service user)
Any other relevant information, e.g. timescales involved
Type of identification required before releasing any information (e.g. passport, birth certificate, etc.)
We will aim to comply with requests for access to personal information as soon as possible but will ensure it is provided within the 40 days required by the Act from receiving the written request.
This policy will be reviewed at intervals of 1-2 years to ensure it remains up to date and compliant with the law.
We reserve the right to amend this policy at any time. Any amendments will be updated on the site and within the mobile apps. If you are a registered user, we shall endeavour to notify you if we should amend this policy.