BWYQ Data Protection Policy
British Wheel of Yoga Qualification (BWYQ) is committed to processing data in an ethical and secure manner, in accordance with its responsibilities under current legislation.
The purpose of this data protection policy is to summarise procedures for the processing and storage of data. It can also be used as the basis for statutory data protection inspections. This is not only to ensure compliance with the UK General Data Protection Regulation (UK GDPR) and Data Protection Act (DPA) 2018 but also to provide proof of compliance.
(a) processed lawfully, fairly and in a transparent manner in relation to individuals (‘lawfulness, fairness and transparency’);
(b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes (‘purpose limitation’);
(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);
(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals (‘storage limitation’);
(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).
Definitions
UK GDPR defines personal data as:
information relating to natural persons who:
- can be identified or who are identifiable, directly from the information in question; or
- who can be indirectly identified from that information in combination with other information.
ICO (2022) (link active November 2022)
General provisions
BWYQ is registered with the Information Commissioner’s Office as an organisation that processes personal data.
The trustee-directors of BWYQ take responsibility for keeping this policy up to date and for ensuring that staff members comply with it when collecting and processing personal data.
Review arrangements
BWYQ will review this policy as part of its regular self-evaluation process and will revise it as necessary in response to stakeholder or regulatory feedback.
If you would like to give feedback on this policy, please contact BWYQ via the details below.
Roles and responsibilities
Whilst the organisation (BWYQ) has overall responsibility for compliance with Data Protection legislation, all employees or volunteers who have a legitimate need to process data must ensure that they comply with all data protection legislation. They must also report actual or suspected data breaches immediately, following the incident management plan (see BWYQ 015 Risk and Incident Management Policy).
All employees and volunteers must inform BWYQ of any changes to the personal information they have provided, such as bank details or contact details.
Support, advice and training will be provided as appropriate.
Lawful, fair and transparent processing
BWYQ aims to ensure that the processing of data is lawful, fair and transparent.
Individuals have the right to access their personal data and any such requests made to the charity shall be dealt with in a timely manner.
All processing of data by BWYQ is carried out on one of the following lawful bases:
- consent
- contract
- legal obligation
- legitimate interests
Where consent is relied upon as a lawful basis for processing data, evidence of opt-in consent is gathered and stored.
Data minimisation
Accuracy
Security
UK GDPR requires that ‘appropriate technical and organisational measures’ are used to store data. BWYQ personal data is stored securely using cloud storage, encrypted vaults and password protection. Access to personal data is limited to personnel who need it, in order to minimise the chances of unauthorised transmission. When personal data is deleted, this is done safely to ensure that the data is irrecoverable. This process is under regular review as part of risk analysis activities.
Storage
Learner contact details are stored securely for three years beyond the date they received their certificate. Employee data is also retained for three years beyond the date of the termination of their employment. This is in case of legal proceedings or regulatory audits.
All accounting records and Independent Examinations must be kept for 6 years from the end of the last company financial year they relate to, or longer if they show a transaction that covers more than one of the company’s accounting periods.
What happens if there is a breach of security
In the event of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data, we will promptly assess the risk to people’s rights and freedoms and, if appropriate, report this breach to the ICO (more information can be found on the ICO website; link active November 2022).
We will follow the procedures set out in our incident management plan (see BWYQ 015 Risk and Incident Management Policy).