Data Protection Policy
The International Federation of Aromatherapists (‘IFA’) recognises that, in order to protect the public and fulfil its regulatory function, it needs to collect and use personal data for its registrants and customers, which will be treated in accordance with the Act. This policy provides the framework through which the IFA effectively manages and fulfils its legal responsibilities.
The purpose of this policy is to set out the IFA’s commitment to the Data Protection Act 1998 (‘the Act’) and set out the principles of data protection that it follows in its work when processing and storing your data.
The IFA strives to ensure it treats personal information lawfully and correctly, and its staff are trained in how to handle personal data during induction and other continual professional development activities. The IFA is a registered data controller with the Information Commissioner’s Office, reference number ZA067772. This means that it is required by law to ensure that everyone who processes personal data and special categories of personal data during the course of their work with the IFA does so in accordance with the data protection legislation, including the GDPR principles. Any deliberate infringement of the Act will be reported to the IFA’s Data Protection Officer, Keely Eleftheriou, at firstname.lastname@example.org, and may be considered under the Disciplinary Procedure.
The IFA predominantly holds information about those who are registered with the IFA, those who have applied to register and those who are no longer registered with it. The IFA holds personal information about:
- Members (all categories)
- Makers of public enquiries
- Board and Committee Members
- Centre owners
- Quality Assurance Assessors
- Independent individuals involved in investigating complaints
- Specialist advisors
- Customers who have made purchases through our online shop
- Speakers at conferences and other events organised by the IFA
- Applicants and named students in relation to applications for sponsorship
All personal information is collected, stored, used and disposed of in accordance with the data protection legislation, including the GDPR principles.
5. What is the Data Protection Act/GDPR?
The UK’s data protection legislation, including the General Data Protection Regulation (GDPR), contains strict principles and legal conditions which must be followed before and during any processing of any personal information. The Act implements the European Directive on Data Protection. According to the European Commission "personal data is any information relating to an individual, whether it relates to her or his private, professional or public life. It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address."
The Act contains eight basic principles:
1. Personal data shall be processed fairly and lawfully and shall not be processed unless certain conditions are met in relation to personal data and additional conditions are met in relation to sensitive personal data. The conditions are:
- The data subject has given his consent to the processing, or
- The processing is necessary for the various purposes set out in the Act.
2. Personal data shall be obtained only for one or more specified and lawful purposes and shall not be processed in any manner incompatible with that purpose or those purposes.
3. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
4. Personal data shall be accurate and, where necessary, kept up to date.
5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
6. Personal data shall be processed in accordance with the rights of data subjects under the Act.
7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, data.
8. Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
6. Use of Personal Data
If we have gathered data for one specific purpose, we will not simply use the same information for another incompatible purpose.
The personal data we hold for you will be kept confidential and secure and only processed by authorised personnel. The IFA has in place proportionate and appropriate technical and organisational measures to protect against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to data. Appropriate obligations will be incorporated into third party contracts.
8. Transfer to another country
Transfer of personal data to countries or organisations outside of the EEA will only take place if appropriate measures are in place to protect the security of that data. We do not generally have a need to transfer data outside of the European Economic Area (EEA). However, if we are requested to transfer personal data to a country or organisation outside of the EEA, we will not do so unless that country or organisation ensures an adequate level of protection in relation to the processing of personal data and has safeguards in place to ensure this is done.
9. Data subject rights
Unless subject to an exemption under the GDPR, data subjects have a number of legal rights regarding how their personal data is processed. At any time a data subject can request that the IFA take any of the following actions, subject to certain legal limitations, with regard to their personal data:
- Allow access to the personal data
- Request corrections to be made to data
- Request erasure of data
- Object to the processing of data
- Request that processing restrictions be put in place
- Request a transfer of personal data
- Right to be notified of a data security breach
An individual may make a written ‘subject access request’ to access any personal data of which he or she is the subject. This must be sent to the attention of the IFA’s Data Protection Officer, Keely Eleftheriou, at email@example.com, 146 South Ealing Road, Ealing, London W5 4QJ. The IFA is not obliged to supply the information mentioned above unless the data subject has made a written request, called a subject access request, and has paid the fee of £10.00. All requests will be addressed promptly and within the statutory deadline of 40 days.
10. Breaches of Data Protection
The IFA and all employees comply with these GDPR principles and rules at all times in their information-handling practices. We are committed to ensuring that these principles and rules are followed, as the IFA takes the security and protection of data very seriously.
You must inform us immediately if you become aware that any of these principles or rules have been breached or are likely to be breached by contacting the IFA’s Data Protection Officer Keely Eleftheriou at firstname.lastname@example.org, 146 South Ealing Road, Ealing, London W5 4QJ.
A personal data breach will arise whenever any personal data is lost, destroyed, corrupted or disclosed; if someone accesses the data or passes it on without proper authorisation; or if the data is made unavailable and this unavailability has a significant negative effect on a data subject.
In the event of a breach the IFA’s Data Protection Officer will take the following steps:
- Contain the breach;
- Assess the potential adverse consequences for individuals, based on how serious or substantial these are, and how likely they are to happen;
- Limit the scope of the breach by taking steps to mitigate the effects of the breach; and
- Determine within 72 hours the seriousness of the breach and whether the Information Commissioner’s Office (ICO) and/or data subjects need to be notified of the breach.
11. Changes to this policy
We reserve the right to change this policy at any time, so please check this document regularly to ensure you are following the correct procedures. This policy was last updated on 26th May 2018.
12. Further information
The Information Commissioner has produced a Guide to the Act. This can be obtained by contacting the Office of the Information Commissioner on (01625) 545745. Alternatively, you can access their website at www.ico.gov.uk.