Online Therapy Institute (OTI) GDPR Compliance (including Havana Wellness (HW) of the USA) – Micro organisation (1 data controller (DCO) + 4 processors (DPOs))
Date: 27th April 2018
Note on HW – Havana Wellness Studios (http://www.havanawellnessstudio.com/) is a similar company to OTI, run by DeeAnna Nagel, a founder and past co-CEO of OTI, and, as such, is one of OTI’s DPOs.
DPC – Dr Kate Anthony, FBACP, CEO of OTI – kate@onlinetherapyinstitute.com
DPO1 – DeeAnna Nagel, LMHC, CIHC, BCC, CEO of Havana Wellness Studios – deeannamn@gmail.com
DPO2 – Jeanette Hennigan, Programme Leader, OTI, Children and Young People Studies – Jeanette@onlinetherapyinstitute.com
DPO3 – Dr Stephen Goss, Faculty (Research), OTI – stephenpgoss@googlemail.com
1) Data flows at Online Therapy Institute:
- Email enquiries
- Newsletter signups (inc blog)
- Training signups
- Social media (Facebook; Twitter; Pinterest; LinkedIn)
- Accountancy needs
2) What personal data we hold, where it came from, who we share it with and what we do with it.
- Email enquiries – incoming emails are responded to and/or deleted (Gmail and Hushmail). Some emails are potentially shared with Havana Wellness if appropriate to fulfil your information or training requests.
- Newsletter signups – held on MailChimp for occasional use for information only
- MailChimp statement (information as at 27/4/18): “MailChimp have been reviewing and updating internal data processes and systems to make sure they are ready by May. And soon, we’ll be releasing an updated version of our Data Processing Agreement to allow our customers to continue to lawfully transfer EU personal data to MailChimp when the GDPR goes into effect.”
- We will update to the most current information available when available.
- Training signups – held on Jigsawbox for access to training
- Jigsawbox state (14/4/18) that “The new site was built based on the new GDPR regulations”
- We will update to the most current information available when available.
- Social media – mainly very occasional Facebook messaging (incoming): messages are responded to and then archived after 3 months
- Accountancy: some data points (usually only Name) are currently seen by my accountant. This will be rectified in future using code-identities only.
3) Our lawful bases for processing.
- Email enquiries – legal: legitimate interests
- Newsletter signups – legal: legitimate interests
- Training signups – legal: contracts
- Social media – potentially sensitive data – legal: vital interests
- Accountancy – legal: obliged by HMRC, destroyed after 5 years
4) How we (pre-GDPR) ask for and record consent.
- Email enquiries – currently none
- Newsletter signups – Mailchimp standard signup (double opt-in)
- Training signups – Jigsawbox email/registration only
- Social Media – currently none
- Accountancy – currently none
5) Systems to record and manage ongoing consent.
- Email enquiries – we will implement a standard email signature change and a website page
- Newsletter signups – as before (unsubscribe will always be available)
- Training signups – Pathwright email/registration only
- Social Media – change Facebook information on groups/website
- Accountancy – use of coding post-GDPR
6) Consent to process children’s personal data for online services
- Training Signups – memo to appropriate DPCs to ensure not applicable
7) Vital Interest. (This lawful basis is very limited in its scope, and generally only applies to matters of life and death. It is likely to be particularly relevant for emergency medical care, when you need to process personal data for medical purposes but the individual is incapable of giving consent to the processing.)
- Social Media – on occasion contact is made including some sensitive data indicating police or medical intervention is needed. On these rare occasions the data would be shared with appropriate bodies, both in the UK (OTI) and the USA (HW as DPO).
8) Legitimate interest:
- email contact is received to pursue company services
- data is kept to identify potential customers of services and supply as necessary (including affiliated 3rd party secure companies)
- You may have reasonable expectations for processing to achieve requested goals as per your enquiry
9) ICO number: 00042860690
10) Right to be informed including privacy information
In the event of any breach or potential breach, individuals will be informed through the most appropriate route, including telephone where available.
11) Communicate the processing of children’s personal data
No child data taken (N/A) but possible in light of CCT-C&YP – informed Programme Leader (DPO2)
12) Right of access
Your data can be supplied on request to DCO
13) Right to rectification and data quality
Your data can be rectified and/or amended on request to DCO
14) Right to erasure including retention and disposal
Email data erased on request to DPO (or self-unsubscribe)
15) Right to restrict processing
Data restricted on request to DPO
16) Right to data portability
If required, data is supplied to allow this
17) Right to object
All objections to be handled by DCO
18) Rights related to automated decision making including profiling
Not applicable: we carry out no automated decision making and no profiling
19) Accountability
Data protection policy
- http://onlinetherapyinstitute.com/privacy-policy/
- Regular monthly monitoring of compliance with data protection policies will commence, with regular reviews of the effectiveness of data handling and security controls
- Data protection awareness training for all staff has been provided as part of this process
- Whistleblowing: our DPOs understand the information as at https://ico.org.uk/media/report-a-concern/documents/1042550/protection_for_whistle_blowers.pdf
- Data is kept for 6 years, after which it is destroyed
20) Processor contracts
Have been provided as part of this process
21) Information risks
Our business manages information risks in a structured way so that management understands the business impact of personal data related risks and manages them effectively. Our structure is:
- Identify business data that is commercially sensitive
- Parties to complete NDAs as appropriate
- Restrict dissemination of information
22) Data Protection by Design
Our business has implemented appropriate technical and organisational measures to integrate data protection into our processing activities.
23) Data Protection Impact Assessments (DPIA)
Not applicable
24) Data Protection Officers (DPO)
Our business has nominated a data protection lead or Data Protection Officer (DPO)
See contact information at top
25) Management Responsibility
Decision makers and key people in your business demonstrate support for data protection legislation and promote a positive culture of data protection compliance across the business.
- In place as of 25/5/2018 – confirmation via email received of compliancy and understanding
26) Security policy
As set out at http://onlinetherapyinstitute.com/oti-terms-of-use/, plus the alternative Hushmail/Doxy.Me communication platforms available
27) Breach notification
Our business has effective processes to identify, report, manage and resolve any personal data breaches, which is the responsibility of our DPO
28) International transfers
Our business ensures an adequate level of protection for any personal data processed by others on our behalf that is transferred outside the European Economic Area.
Havana Wellness (DPO1) is based outside of the EEA in the USA, is aware of GDPR and this document, and agrees to adhere to it where data is transferred between the organisations to legitimately share information in order to comply with requests for company services.