We take the privacy of your data very seriously. We want to fulfil the spirit of GDPR, which is about protecting your right to privacy, not just the letter of the law. This includes everyone who works with TouchBase in any capacity. This Privacy Statement will be updated from time to time. The current version will be maintained at attachmentleadnetwork.net and touchbase.org.uk.
Here is a list of what we do to protect your personal information.
1. All our files are held on secure systems, encrypted where appropriate, and with strong password protection for access. Multi-factor authentication is also in use where appropriate to ensure security of sensitive personal data.
2. Access to resources is limited to the appropriate team members, such as our education & therapy teams and administrator. Access and security are also managed by our two IT service providers, Invona Ltd and Open Formula Ltd.
3. Every person having access to those files has signed a confidentiality agreement with TouchBase.
4. We require all organisations working with us (such as website building, newsletter management) to sign a confidentiality agreement. This is a standard part of contractual agreements.
5. Any specific files, such as databases, also have their own password(s) for a second level of protection. This includes our master password list which is itself password protected and held securely.
6. Wherever emails are sent to more than one person, apart from internal emails amongst staff members, all recipients of emails are blind carbon copied (“BCC”), with the sender sending the email to themselves so that no one else shows in the ‘to’ line.
7. Where sensitive information is sent, we use a specific web-based encrypted service, or alternatively we may send it using a password-protected file attached to an email. If we use this second method, we send the password using another method, such as an SMS message sent using a mobile phone.
8. We only use software where data security is fully implemented and where the provider's adherence to GDPR is confirmed in its Terms and Conditions. In particular we use Zoom for all our teaching, supervision and consultations: https://support.zoom.us/hc/en-us/articles/360000126326-Official-Statement-EU-GDPR-Compliance
9. We will never share or sell your information. In the case where the management of the organisation is changed, all data will move too, but you retain your rights to erasure at all times.
10. If you would like to have your details removed from our system, partially or entirely, we will be happy to do so, providing that there is no other legal obligation for us to keep them (such as a complaint or any required record keeping). If you want your information removed, please send an email requesting this to firstname.lastname@example.org, putting “right to erasure” in the email subject field.
11. We will review our data protection management annually to ensure it is still fit for purpose and complies with current regulations.
12. We have appointed Sarah Relf as our Data Protection Officer, who can be contacted by email at email@example.com.
13. When we undertake any new project, we will implement a Data Protection Impact Assessment to ensure we think through your privacy.
We will sometimes collect IP addresses for contact form submissions. These are only used for the protection of staff and contractors. We do not use this information for marketing purposes and will only share the information with relevant parties where required to identify any malicious communications and share that with the authorities.