Data Protection and GDPR

This Content Was Last Updated on March 10, 2024 by Jessica Garbett


Data Protection is not a new obligation – it is something businesses have had to comply with for many years, although it has been more prominent since the 2018 GDPR regulations.

The 2018 GDPR provisions are incremental, building on existing UK Data Protection rules. GDPR stands for “General Data Protection Regulations” and stems from the EU – post-Brexit the regulations remain in UK law, so in practice we are still following EU GDPR, now as part of UK law.

Data Protection in the UK is regulated by the Information Commissioner’s Office (ICO).


Defining Data

Data Protection applies to Personal Data – defined as:

“‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”. (ICO)

This could be held on paper or electronically, and safeguards need to be considered for both types of medium, not just electronic data.

Yoga Teachers need to be aware that some of the data they hold, eg health forms, is likely to be “Special Category Data” under GDPR (formerly known as Sensitive Personal Data). Special Category Data is defined as:

“special category data is more sensitive, and so needs more protection. For example, information about an individual’s: race; ethnic origin; politics; religion; trade union membership; genetics; biometrics (where used for ID purposes); health; sex life; or sexual orientation.”
(ICO)

The health element of that is likely to be relevant to Yoga Teachers.


Registration with the Information Commissioner’s Office

Most Yoga Teachers who process or store personal data electronically will need to register. Bear in mind that processing in this context could be as simple as an email with a client.

If you’re not sure whether you need to register, use the Self Assessment tool at https://ico.org.uk/for-organisations/data-protection-fee/self-assessment/ .

If you need to register there is a £40 annual fee.  This will apply to most Yoga Teachers working for themselves.

If you don’t store records electronically, and don’t use email to communicate with clients, you will be exempt from registering but the various Data Protection principles still apply.

Ethical point – at the time of GDPR, some yoga businesses used a narrow interpretation of answers to the ICO’s Self Assessment questions, and considered themselves exempt from registration.  Our view is you should err on the side of caution when answering and thus, in most cases, registration will be necessary.


Key Data Protection Principles

The key principles pre GDPR which still exist are:

  • Personal data shall be processed fairly and lawfully
  • Personal data shall be obtained only for one or more specified and lawful purpose or purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
  • Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
  • Personal data shall be accurate and, where necessary, kept up to date.
  • Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
  • Personal data shall be processed in accordance with the rights of data subjects under this Act.
  • Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data, and against accidental loss or destruction of, or damage to, personal data.
  • Personal data shall not be transferred to a country or territory outside the European Economic Area, unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.


Key Principles Added by GDPR – Article 5 of the GDPR requires that personal data shall be:

  1. Processed lawfully, fairly and in a transparent manner in relation to individuals;
  2. Collected for specified, explicit and legitimate purposes, and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
  3. Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
  4. Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
  5. Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals; and
  6. Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

GDPR requires that: “the controller shall be responsible for, and be able to demonstrate, compliance with the principles.”

These principles are normally summarised as:

  • The right to be informed
  • The right of access
  • The right to rectification
  • The right to erasure
  • The right to restrict processing
  • The right to data portability
  • The right to object
  • Rights in relation to automated decision making and profiling.


Lawful Basis for Processing Data

You will need to consider your Lawful Basis for processing data.  Under the GDPR these are:

  1. Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
  2. Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
  3. Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
  4. Vital interests: the processing is necessary to protect someone’s life.
  5. Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
  6. Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.

For most Yoga Teachers, bases (1), (2) or (6) will be relevant. Note that each Basis is independent, therefore if a client refuses or withdraws consent, eg for retaining session records, then you are still able to retain records under, say, (2) or (6) for insurance purposes.

Where you are processing Special Category Data, eg Health Forms or Client Records, then as well as a Lawful Basis for processing data you must also satisfy one of the following specific conditions (under Article 9 GDPR):

  1. Consent
  2. For Employment or Social Security reasons
  3. Necessary for protecting vital interests of client, and they cannot give consent themselves
  4. Not for profit bodies, eg trade union or foundation, regarding membership
  5. Data has manifestly been made public by data subject
  6. Processing is necessary for the defence of legal claims
  7. Public Interest
  8. Preventative or occupational medicine; health, social care or treatment; management of health and social care services, on the basis of UK law or pursuant to a contract with a health professional
  9. Public Health
  10. Archiving purposes in the public interest for scientific or historic research

Basis 1 will be relevant to most Yoga Teachers. Yoga Therapists or similar registered with organisations like CNHC may also find 8 relevant (and note that in that case consent technically isn’t needed, but it’s good practice).


Practicalities

Yoga Teachers are not expected to be Data Protection experts. Although the ICO has extensive rights of enforcement and fining powers, these are for egregious cases – no one is out to trip you up.


Privacy Notice

This is considered important by ICO.  Suggested contents:

  • What information is being collected?
  • Who is collecting it?
  • How is it being collected?
  • Why is it being collected?
  • How will it be used?
  • Who will it be shared with?
  • What will be the effect of this on the individuals concerned?
  • Is the intended use likely to cause individuals to object or complain?

Make this available to clients on request, and publish on your website.

There is no need to explicitly provide it to clients, eg with a first booking, although you may wish to do so, or make reference to it. Likewise there is no need to expressly have clients approve it.

Here is a Template Privacy Statement


Data Audit

A periodic data audit is good practice, say annually, with a record of date of review.   One way to approach this is to have a register of documents for your business, such as: privacy policy, data audit, health and safety risk assessments, and have a structured review of these annually. This provides an audit trail for your having considered and reviewed Data Protection regularly.

Don’t overthink it; this could be a simple log showing:

  • Source of data
  • Nature of data
  • Purpose for holding data
  • IT programmes it’s used for
  • How processed and stored
  • Who has access
  • How it is secured
  • Retention / deletion policy

Here is a Sample Data Audit


Contact Database

  • Make sure your permissions are in order for how you are using your database – if you simply have details of people who have attended classes then you will most likely have a contractual right to process.
  • All newsletters, updates and bulk mail should have clear unsubscribe options
  • All sign up forms should have an opt in / opt out option which isn’t pre ticked
  • Do you need to prepare and send an email asking people to re-opt in?  A lot of businesses did this for GDPR, but if you’ve had reasonable data hygiene in the past and have an unsubscribe link on your mailings, you don’t need to.
  • Do you need to delete people you haven’t heard from in, say, two years?  Again, if you have a simple and clear unsubscribe process, probably not.

If you are using your contact database for marketing rather than class updates, then the question of your Basis of Processing is more important. The line between class updates sent pursuant to a contract and marketing is a fine one, though, and for the most part consent can be implied under the so called “soft opt in” – see below.

  • Make sure that if you send marketing material to anyone, they have consented.  The so called “soft opt in” is useful in this regard and applies:
    • Where you’ve obtained a person’s details in the course of a sale or negotiations for a sale of a product or service;
    • Where the messages are only marketing similar products or services; and
    • Where the person is given a simple opportunity to refuse marketing when their details are collected, and if they don’t opt out at this point are given a simple way to do so in future messages.
    This probably covers most mailings and newsletters.


Email Marketing – Privacy and Electronic Communications Regulations

The regulations on sending marketing email are in the Privacy and Electronic Communications Regulations 2003.   These:

  • Apply to Electronic Communications sent to individuals (not companies) – email, text, phone
  • They state “You must not send marketing emails or texts to individuals without specific consent. There is a limited exception for your own previous customers, often called the ‘soft opt-in’.”
    Note you could buy a mailing list of Consented email addresses from a reputable source, but you can’t sell your own mailing list unless your consents allow it.
  • Soft opt in defined as: “The term ‘soft opt-in’ is sometimes used to describe the rule about existing customers. The idea is that, if an individual bought something from you recently, gave you their details, and did not opt out of marketing messages, they are probably happy to receive marketing from you about similar products or services even if they haven’t specifically consented. However, you must have given them a clear chance to opt out – both when you first collected their details, and in every message you send. The soft opt-in rule means you may be able to email or text your own customers, but it does not apply to prospective customers or new contacts (eg from bought-in lists). It also does not apply to non-commercial promotions (eg charity fundraising or political campaigning).”

See Guide to Privacy and Electronic Communications Regulations for more information


Data Storage and Security

  • Consider IT hygiene
    • Password protection on your PC or devices;
    • Security and strength of passwords
    • Remote wipe facility on phones and tablets;
    • Anti virus and firewalls
    • HTTPS on your website
  • Consider where data is stored / backed up.  If you use cloud services consider their safety and security – there is no outright restriction on any particular provider, or their location, but if you store sensitive data on them, check their policies, eg Google Drive, Dropbox – in almost all cases they will have GDPR compliant “Safe Harbour” policies.
  • Consider how long data is stored for: periodic deletion of intake forms and class records after a set time – eight years is suggested.
  • If you use a web based intake form, eg Google Forms or Gravity Forms, consider HTTPS on your website and purging of the cache.
  • Be cautious about emailing information to yourself, eg don’t have web based health forms emailed to you; have them saved direct to a cloud service like Dropbox, website cache cleared, and send an email notification to review them.
  • Consider your own communication boundaries – eg do you allow clients to contact you by SMS, WhatsApp, Facebook Messenger, Email, or do you restrict the contact methods?  How does this impact security if, say, you lost your phone.
  • Consider physical security, eg paper files in a locked cabinet, lock your laptop away, and think about whether there is sensitive information on your phone or iPad (which are the most likely to be lost – so make sure you can remote wipe them).

Generally these are common sense requirements.
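As an added illustration (not part of this guidance, nor an ICO tool), here is a small Python review script that ties together the data audit log described earlier and the retention and storage points above: it holds a register with the fields the log lists, and on review flags special category data with no Article 9 condition recorded, retention longer than the suggested eight years, data held in email rather than saved to a cloud folder, and individual records past their retention date. The field names, the sample register and treating the eight-year suggestion as a hard threshold are assumptions made for the example.

```python
from dataclasses import dataclass, field
from datetime import date

RETENTION_CAP_YEARS = 8  # the guidance suggests deleting intakes and class records after eight years

@dataclass
class AuditEntry:  # one line of the audit log; the fields follow the guidance's list (assumed layout)
    source: str                 # source of data
    nature: str                 # nature of data
    purpose: str                # purpose for holding it
    system: str                 # IT programme it is used for
    storage: str                # how processed and stored
    access: str                 # who has access
    security: str               # how it is secured
    retention_years: int        # retention / deletion policy
    special_category: bool = False   # e.g. health forms
    article9_condition: str = ""     # condition relied on for special category data
    collected: list = field(default_factory=list)   # (client_ref, date collected) per record
def years_ago(d, years):  # same calendar day `years` earlier, 29 Feb clamped to 28 Feb
    try:
        return d.replace(year=d.year - years)
    except ValueError:
        return d.replace(year=d.year - years, day=28)
def review_entry(entry, today):
    """Findings for one entry: missing Article 9 condition, over-long or expired retention, email storage."""
    findings = []
    if entry.special_category and not entry.article9_condition:
        findings.append("special category data with no Article 9 condition recorded")
    if entry.retention_years > RETENTION_CAP_YEARS:
        findings.append(f"retention of {entry.retention_years} years exceeds the suggested {RETENTION_CAP_YEARS}")
    if "email" in entry.storage.lower():
        findings.append("held in email; save to a cloud folder and send a notification instead")
    cutoff = years_ago(today, entry.retention_years)
    for ref, when in entry.collected:
        if when <= cutoff:
            findings.append(f"record {ref} collected {when} is past retention: delete it")
    return findings

def annual_review(register, today_iso):
    """Review the whole register on the given date; returns {nature: findings} for entries with issues."""
    today = date.fromisoformat(today_iso)
    return {e.nature: f for e in register if (f := review_entry(e, today))}
# Constructed sample register (not real client data).
REGISTER = [
    AuditEntry("client intake form", "health conditions and injuries", "safe class planning", "Google Forms",
               "cloud folder only", "teacher only", "2FA on cloud account", retention_years=8, special_category=True,
               article9_condition="consent", collected=[("C001", date(2015, 1, 20)), ("C002", date(2019, 6, 3))]),
    AuditEntry("class bookings", "name, email, attendance", "running classes and invoicing", "booking app",
               "email inbox", "teacher only", "device passcode", retention_years=10, collected=[("C003", date(2020, 9, 1))]),
]
```

Running `annual_review(REGISTER, "2024-03-10")` flags the 2015 intake record for deletion and the bookings entry for both its ten-year retention and its email storage; recording the review date alongside the output gives the audit trail the guidance recommends.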


Client Requests for Data

Data Protection regulations give clients a wide right of access. It’s good practice to write up notes so they are “sanitised” and would not cause embarrassment if your client saw them.

Be prepared for formal requests like a Subject Access Request – they are time consuming and demanding.


Yoga Therapists – Regulators Guidance

See CNHC Code of Ethics sections B6, B7 and B8
https://www.cnhc.org.uk/sites/default/files/Downloads/CodeofConductEthicsandPerformance.pdf


Summary

  • The new GDPR rules are incremental, building on existing rules, not a wholesale change
  • You need to think about, and document, what’s being stored, how, where, why, and for how long, but you probably don’t need to make wholesale changes
  • You need a privacy policy on your website, if you have one
  • If you are not registered with the ICO you probably should be, this isn’t new.

Data Protection is not a one off “do and forget” task – keep it to the forefront of your business processes and you will be fine.