Background Image

Yogamindspace Data Protection
Policies and Procedures

The following is an update to our Data and Privacy Policy summary 2016 and GDPR regulation compliance.

Yogamindspace Data protection summary and GDPR Compliance


We have attempted to cover all data aspects in this page.
If you find something is missing, wrong or you would like to see included, please contact us using this button.

Contact Data Admin

Whats this about?

The Data Protection Act 1998 (the Act) regulates the way in which all personal data is held and processed. This is a statement of the data protection policy adopted by Yogamindspace. It applies to all Yogamindspace staff. In order to operate efficiently Yogamindspace needs to collect and use information about the people with whom we work. This includes current, past and prospective staff, reviewers, professional experts, stakeholders, delegates, students, trainees and others with whom we communicate. Yogamindspace regards the lawful and correct treatment of personal information as integral to our successful operation, and to maintaining the confidence of the people we work with. To this end we fully endorse and adhere to the principles of the Act.

Purpose

The purpose of this policy is to ensure that everyone handing personal information at Yogamindspace is fully aware of the requirements of the Act and complies with data protection procedures and that our yoga students are aware of their rights under the Act.


Responsibility for Yogamindspace's compliance with the Act

The Faculty Administrator has overall responsibility for compliance with the Act but individual members of staff are responsible for the proper use of the data they process.

Policy statement

The principles of the Act require require that personal information must:

  • • be processed fairly and lawfully.
  • • not be used for a purpose for which it was not collected.
  • • be adequate, relevant and not excessive for the purpose.
  • • be accurate and up-to-date.
  • • not be kept longer than necessary.
  • • be processed in accordance with the student's rights.
  • • be kept secure and protected from unauthorised processing, loss or destruction.
  • • Must be transferred only to those countries outside the European Economic Area that provide adequate protection for personal information.



What we do in order to meet the requirements of these principles:

  • • fully observe conditions regarding the fair collection and use of information.
  • • meet its legal obligations to specify the purposes for which information is used.
  • • collect and process appropriate information, and only to the extent that it is needed to fulfil operational needs or to comply with any legal requirements.
  • • ensure the quality of the information.
  • • hold personal information on Yogamindspace systems for as long as is necessary for the relevant purpose, or as long as is set out in any relevant contract held with Yogamindspace or Yogamindspace's Records Retention Schedule (this is a document that defines which documents should be kept and for how long) or the retention attached to the record's content type.
  • • ensure that the rights of people about whom information is held can be fully exercised under the Act (these include: the right to be informed that processing is being undertaken; the data subject's right of access to their personal information; the right to prevent processing in certain circumstances; the right to correct, rectify, block or erase information which is regarded as wrong information).
  • • take appropriate technical and organisational security measures to safeguard personal information.
  • • ensure that personal information is not transferred outside the EEA without suitable safeguards. Yogamindspace's responsibilities for data protection and confidential information Yogamindspace will ensure that there is someone with specific responsibility for data protection in the organisation. The nominated person is currently the Faculty Administrator. As of May 2018 we have not nor do we anticipate sharing any personal data.

Contact Data Admin


Yogamindspace will ensure that:

  • • Everyone managing and handling personal information understands that they are responsible for following good data protection practice .
  • • This policy is available to each member of staff.
  • • Everyone managing and handling personal information is appropriately trained and supervised.
  • • Queries about handling personal information are promptly and courteously dealt with and clear information is available to all staff.
  • • The Faculty Administrator reports to the lead team, which approves all changes to policy and procedure, staff responsibilities for data protection and confidential information.
  • • All staff should be aware of the requirements of the Act and how the rules apply to them.
  • • All staff must complete data protection induction and annual training
  • • All staff have a responsibility to ensure that they respect confidential information in their possession and maintain information security. Disclosure of confidential information gained as part of your employment to a third party, or assisting others in disclosure, is viewed by Yogamindspace with the utmost seriousness.
  • • All staff are responsible for ensuring personal information is kept no longer than is necessary. For further advice, please contact the Faculty Administrator.


Privacy Statement

Yogamindspace respects your privacy. The information that you provide us with, or that is gathered automatically, helps us to monitor our services and provide you with the most relevant information. More information on how Yogamindspace safeguards your privacy in relation to websites, email, voicemail, social media, testing and training can be found on our website: www.Yogamindspace.com/privacy.

Access Requests

Under the Act individuals have the right to access personal information Yogamindspace may hold about them. If you wish to request such information please contact us below.

Contact Data Admin


Data Protection Complaints Procedure

Yogamindspace aims to comply fully with its obligations under the Act. If you have any questions or concerns regarding Yogamindspace's management of personal data, including your right to access data about yourself, or if you feel Yogamindspace holds inaccurate information about you, please contact Yogamindspace's Faculty Administrator (button above).
If you feel that your questions or concerns have not been dealt with adequately or that a subject access request you have made to Yogamindspace has not been fulfilled you can use yogamindspace's complaints procedure. Contact the Faculty Administrator for a copy. If you are still dissatisfied, you have the right to contact the office of the Information Commissioner, the independent body overseeing compliance with the Act: http://ico.org.uk/.




GDPR 2018 Policy statement

In May 2018, the EU General Data Protection Regulation (GDPR) replaces the existing 1995 EU Data Protection Directive (European Directive 95/46/EC).

Yogamindspace training currently complies with applicable data protection regulations and is committed to GDPR compliance across its relevant services, users, staff and students when the GDPR takes effect May 25, 2018.

Yogamindspace's continuing and ongoing compliance reviews include:

• ASSESSMENT
Yogamindspace training is regularly reviews where and how our relevant services collect, use, store and dispose of personal data alongside updating policies, standards, governance and documentation as needed.

• CONTRACTUAL COMMITMENTS
Working in conjunction with our partners and customers, Yogamindspace training is reviewing our contractual commitments and updating as needed to directly address GDPR requirements. Yogamindspace is also regularly reviews its supplier contracts to ensure GDPR compliance throughout our supply chain.

• CROSS-BORDER DATA / ANY DATA TRANSFER
In addition to ensuring Yogamindspace's contractual commitments meet the requirements to legally transfer data from the EU to the rest of the world under applicable law, Yogamindspace plans to certify under the EU-US Privacy Shield Framework when and if this is applicable. Currently we do not share information with any entity, and we do not anticipate this changing, if it does change we will check that you are happy before we do.
This is only likely possibly for accreditation (British Wheel of Yoga, Independent Yoga Network, or Yoga Alliance) or for insurance / medical purposes. Your data is yours - we will pass all queries in the first instance back to you.

• EMPLOYEE TRAINING AND AWARENESS
All Yogamindspace employees full or part time must complete data privacy and security training. Yogamindspace will supplement existing training modules with GDPR-specific content. In addition to these training requirements, Yogamindspace conducts ongoing awareness initiatives on a variety of topics, including data protection, security and privacy. This includes user and student awareness on an annual basis.

• PARTNERS, CUSTOMERS AND STUDENTS
Compliance with the GDPR requires a partnership between Yogamindspace and our partners and customers in their use of applicable Yogamindspace services or courses. In this context, Yogamindspace generally acts as a data processor and our partners and customers, users and students generally will act as data controllers. Working together, we hope to explore opportunities within our relevant service offerings to assist our partners and customers and students meet their GDPR obligations. In the meantime, Yogamindspace encourages partners and customers to independently familiarize themselves with the GDPR.
If you feel you need to know more - ask us. We want you to be in control.

• BREXIT
The UK is drafting a new Data Protection Bill which in the main includes all the provisions and legislation of GDPR. There will be some smaller changes and the Yogamindspace policies and procedures will be updated in accordiance with this as more is known.



Contact Data Admin

Information we hold

We hold the following informtion:
This information is required for membership and attendance.

  • • Contact information
  • • Medical Overview
  • • Marketing Consent

We collect this information in a really simple manner. You fill out and sign a handwritten form which contains a simple explanation of your membership T&Cs.
You fill out a Simple Medical Form that is standard across the wellness industry.
You give us consent to contact you via text or email.

We collect and retain the medical information you provide to us.
This is detailed in our medical form download available on the yogamindspace website.
We use this information to ensure you are safe in the class environment, and so we know of any injuries in advance.
All information is considered extremely sensitive and not available to third parties.
Our teachers hold regular meetings and may discuss students progress and health in order to ensure class safety.
These meetings are considered confidential, in which discussions are of a professional nature.


Lawful basis for data retention

We only keep information that we consider to be vital to the running of our business, your safety, and your contact information.
We hold data that is of legitimate interest to your contract with yogamindspace. Legitimate Interest means the interest of our business in conducting and managing our business to enable us to give you the best service and the best and most secure experience. We make sure we consider and balance any potential impact on you (both positive and negative) and your rights before we process your personal data for our legitimate interests. We do not use your personal data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law). You can obtain further information about how we assess our legitimate interests against any potential impact on you in respect of specific activities by contacting us. Performance of Contract means processing your data where it is necessary for the performance of a contract to which you are a party or to take steps at your request before entering into such a contract. Comply with a legal or regulatory obligation means processing your personal data where it is necessary for compliance with a legal or regulatory obligation that we are subject to.


Your Consent

We believe in transparency! We use paper forms in order that you can take them away, review, and decide whether you wish to fill them out.
If there is something that you do not want us to know, we are happy to talk about your concerns, and if possible; modify accordingly.
By signing your forms it is considered that you consent to us processing your data in line with lawful use (see above "Lawful basis").


Right to be informed

We ensure you know your rights by including them on the paper forms.
If you feel you dont understand your rights or that we haven't kept you up-to-date; contact us.

Processing of children’s personal data

We rarely have under 18's in our classes.
If we do they must always be accompanied by an Adult who takes soles responsibility for them.
We currently do not process data for under 18's.

Right of access

You may request to see what information we have about you.
The process may take as long as 28 days, however it will normally take around 14.
Please make allowances for us if we are on retreat, holiday, ill or indisposed. If we anticipate that there may be a delay we will contact you within that 28 period, with an estimated date.

Right to rectification and data quality

If you make a data request and see something that's incorrect or you want deleted, you can make a request for data rectification.
As above we will do this within 28 days unless circumstances mean we are unable to do so, in which case we will contact you with an estimated date within that 28 day period.

Acountability

Yogamindspace has clear policies and procedures for processing and retaining your information.
We have an annual review of what works, and what does not. We collect information from teachers and students regarding our processes and their experiences. We review our data protection and data security annually, or more frequently if we have a change in circumstances.
We collect this information using a combination of verbal and written processes.

We also ensure that all our teachers and staff are data protection aware and understand how to apply it to their classes.

Breach notification

Yogamindspace takes data security seriously.
All paper is stored securely, and any data stored digitally is encrypted (scrambled) with a 256hash .
If we have a data breach or we find data has been modified we will notify you IMMEDIATELY having taken steps to ensure that the breach vector has been closed and the 'breach' has been stopped and further breaches prevented.



Contact Data Admin



• More information may be found here :

A well written article covering what you need to know:
Wired Magazine's Guide For Consumers & Businesses

A series of in-depth articles from the Information Commissioner relating to GDPR:
UK Information Commissioner