New EU regulations known as the General Data Protection Regulation (GDPR) came into force on 25th May 2018. The GDPR places significant additional responsibilities, over and above those defined in the Data Protection Act 1998, on those who collect and process personal data to ensure that providers of personal data understand the lawful basis for the collection and processing of their data. The document which explains this basis is known as a ‘Privacy Notice’. The present document constitutes the Sisters of the Mists Privacy Notice.
What personal data does the SOTM need to collect?
For each person making enquiries about training, healing, readings, books or enchantments with the Sisters of the Mists, either an email address or contact number is held for reply and contact.
For those who apply for training or book healing and/or readings appointments, their name, address, email, contact number, DOB, medical history and path followed are held in a database, either for Priestess training or in a client directory, all of which is confidential.
For those who order enchantments, Flame of the Mists candles or books, their name, address, email and contact number are held for shipping purposes only.
Who is collecting the data?
The data will be collected by the Sisters of the Mists.
How is the data collected?
Data is mainly collected by e-mail, or through social media enquiries, phone enquiries or at markets and fayres.
Why do the Sisters of the Mists need to collect this data?
SOTM collects this data so that information is held for those who are undertaking the training and for communication about the sisters, the teachings and the community of the sisterhood, and in order to book appointments and to ship purchases.
How will the data be used?
Each application form for training is placed within a personal file (which is password-protected) for each individual, along with payment preferences, teaching reflections, feedback, nine-month evaluations, braid and veils completed and teachings sent.
Booking information for clients is used for the duration of booked sessions and removed after all sessions are completed. No information is written down during a session, other than a medical and health questionnaire to ensure the safety of the client’s well-being during therapy and thereafter.
Contact and address information is not retained on a database after purchases have been shipped.
With whom will the data be shared?
Does anyone else associated with the SOTM collect data?
As friendships build and the sisterhood expands, it is usual for connections to exist between members of the online and physical meeting groups of the Sisters of the Mists. Often addresses and contact information are shared amongst members. The SOTM accepts no responsibility for any data provided or collected among the sisters themselves.
Can I see my data or ask for it to be deleted?
You have the right to see your personal data, and to ask for it to be deleted. A request to view your data is known as a ‘subject access request’. Such requests should be made to Phiona Hutton, and the SOTM is legally obliged to respond to your request within 30 days. (If you decide to leave the training and request your training file to be deleted, and wish to return at a later date, you will have to begin again from the first Braid and teaching, as all training records will have been deleted in compliance with your request.)
How long will my data be kept?
The SOTM has no timescale for the erasing of electronically held data. The data form a historical record of the SOTM training, healing, reading and purchases, and the aim is to preserve that record. We would therefore like to maintain a reasonable historical record. If you would like your details erased from the historic record you should make a subject access request. Your data will then be anonymised in the database.
How secure is my data?
Electronic data is held in a password-protected database and a backup copy maintained. None of the data is accessible online or stored in the Cloud. Paper documents (e.g. application forms, client questionnaires and consultation forms) are kept in a private dwelling with normal domestic security measures in place; the SOTM will take reasonable measures to ensure that the paper data is not lost or stolen or viewed by unauthorised persons, but does not guarantee to store it under lock and key. E-mail communications are not subject to special encryption measures. The GDPR mandates procedures which must be followed for reporting a breach or suspected breach of data security.
How will the new measures affect the enquiries and application in future years?
You will need to tick a lot more boxes in future to make it clear that you understand data collection issues and have ‘opted in’. A requirement of the GDPR is that providers of personal data must positively ‘opt in’ to having their data collected; it is no longer sufficient to assume that ‘silence gives consent’. Application forms will contain suitable ‘opt-in’ statements, but it is the responsibility of applicants, clients and purchasers to ensure that these are completed.
Phiona Hutton. Founder of the Sisters of the Mists - 2018-05-16