Three In One Concepts, Inc.
Web Data Protection and Privacy Notice
with respect to, and in compliance with, the EU GDPR
I. Our Privacy Pledge
Three In One Concepts (hereinafter referred to as "Three In One Concepts") values and respects your privacy. Our commitment is to put users first. We strive to be transparent about how we collect and use your information, to keep your information secure, and to provide you meaningful choices. We are in the business of providing services and our goal is to build a trusting relationship.
II. Information Collection and Use
a. Objective
As part of its functions, Three In One Concepts is required to receive and process relevant Personal Data regarding specialized kinesiology students.
This policy sets out our commitment to protecting Personal Data, and particularly how we will ensure that:
1. Three In One Concepts staff understand how to handle data they have access to as part of their work; and
2. Three In One Concepts updated certified specialized kinesiology instructors understand how to handle data they have access to as part of the provision of their services to specialized kinesiology students.
b. Scope
This policy applies to anyone who obtains Personal Data that is controlled or processed by or on behalf of Three In One Concepts. This includes and is not limited to Three In One Concepts employees and Three In One Concepts updated-certified specialized kinesiology instructors. This policy applies regardless of where the Personal Data is held or whether it is held manually or electronically.
c. Information You Provide to Us
We may collect the information that you provide to us, such as:
1. Name
2. Email address
3. Street address
4. Telephone number
5. Name of Three In One Concepts® classes taken
6. Dates of the classes
III. Definitions
1. "GDPR" means General Data Protection Regulation, 2016 (EU).
2. "DPA" means Data Protection Act, 1998 (UK).
3. "APA" means Privacy Act, 1988 (AU).
4. "Data Sharing Agreement" means an agreement that sets out the framework for the sharing of Personal Data.
5. "Data Protection Team" means persons established by Three In One Concepts to oversee data protection compliance.
6. "Personal Data" means any data or information, in paper or digital format, relating to a living individual.
It includes but is not limited to names, contact details, financial details, course details and appropriate personal circumstances, and also Sensitive Personal Data (see #9 below). It does not include information that is already in the public domain.
7. "Personnel" means Three In One Concepts employees, Three In One Concepts updated/certified specialized kinesiology instructors and anyone else who obtains Personal Data that is controlled or processed by or on behalf of Three In One Concepts.
8. "Privacy Impact Statement" means an analysis of the likely impacts of a project upon the privacy rights of individuals.
9. "Sensitive Personal Data" is defined in the DPA and includes data relating to medical information, gender, religion, race, sexual orientation, trade union membership and criminal records and proceedings.
10. "Subject Access Request" means a request by an individual for access to Personal Data.
11. "Processing" or "processed" in relation to information or data, means obtaining, recording or holding the information or data or carrying out any operation or set of operations on the information or data, including:
a) Organization, adaptation or alteration of the information or data,
b) Retrieval, consultation or use of the information or data,
c) Disclosure of the information or data by transmission, dissemination or otherwise making it available, or
d) Alignment, combination, blocking, erasure or destruction of the information or data.
IV. Data Protection Principles
1. Three In One Concepts will comply with the GDPR and the DPA principles, as well as the Information Privacy Principles of the APA and the United States Data Protection Laws.
2. Any Personal Data received by Three In One Concepts will be used solely for Three In One Concepts' internal database, record of classes taken, student progressions and other lawful purposes.
3. Three In One Concepts will not disclose, sell or share any Personal Data with any third party or external agency on any occasion without the expressed consent of the individual to whom the Personal Data relates.
4. For the purposes of GDPR, Three In One Concepts will ensure that Personal Data is:
a) Processed fairly and lawfully and in a transparent manner;
b) Obtained for one or more specified, explicit and lawful purposes;
c) Adequate, relevant and only limited to what is required;
d) Accurate and where necessary kept up to date;
e) Not kept in a form which permits identification of data subjects for longer than is necessary;
f) Processed in accordance with the rights of data subjects;
g) Processed in a manner that ensures appropriate security of the Personal Data; and
h) Not transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of individuals in relation to the processing of personal information. We will not disclose your emails or private information to third parties for private gains.
V. General requirements
1. Three In One Concepts will comply with general requirements under the DPA and GDPR, including that:
a) Personal Data should only be accessed by those who need to, for work or legitimate business purposes
b) Personal Data should not be divulged or discussed except when performing normal work duties or providing normal professional service
c) Personal Data must be kept safe and secure at all times, including at the office, public areas, home or in transit
d) Personal Data should be regularly reviewed and updated
e) Queries about data protection, internal and external, to Three In One Concepts must be dealt with effectively and promptly
2. Three In One Concepts will take appropriate technical and organizational steps to ensure the security of Personal Data.
3. All Personnel (who are known to Three In One Concepts) will be made aware of this policy and their duties under the DPA.
4. Three In One Concepts and all Personnel are required to respect the Personal Data and privacy of others. They must ensure that appropriate protection and security measures are taken against unlawful or unauthorized processing of Personal Data, and against the accidental loss of, or damage to Personal Data.
5. An appropriate level of data security must be deployed for the type of data and the data processing being performed. In most cases, Personal Data must be stored in appropriate systems.
VI. Information Sharing
1. Personal Data may need to be shared with other organizations in order to deliver services or perform our duties. This can only be done where we have permission or there is a legal obligation for us to share.
2. Personal Data can be shared within Three In One Concepts or with other third parties and the sharing can be:
a) "Systematic" or routine information sharing where there is an established purpose; or
b) "Exceptional" or one-off decisions, for example in conditions of real urgency.
3. Data Sharing Agreements should be completed when setting up 'on-going' or 'routine' information sharing arrangements with third parties. They are not needed when information is shared in one-off circumstances but a record of the decision and the reasons for sharing information should be kept.
4. The President of Three In One Concepts must sign off all Data Sharing Agreements. Three In One Concepts will keep a register of all Data Sharing Agreements.
VII. Privacy Impact Assessments
1. Privacy Impact Statements will be completed in the following situations that involve Personal Data:
a) At the beginning of a new business project or when implementing a new system that may affect the processing of Personal Data
b) Before entering into a Data Sharing Agreement
c) When major changes are introduced into a privacy system or process
VIII. Subject Access Requests
1. Three In One Concepts recognizes that access to Personal Data held about an individual is a fundamental right provided in the DPA.
2. Three In One Concepts will ensure that all requests from individuals to access their Personal Data are dealt with as quickly as possible and within the timescales allowed in relevant legislation.
3. Individuals must submit Subject Access requests in writing (including by electronic methods) and provide any necessary proof of identification and required fee as part of the request.
IX. Complaints
1. Anyone who feels that Three In One Concepts has broken data protection law in any way can complain. Examples of this are when they believe their information has not been obtained fairly, it has not been handled securely or they have asked for a copy of their information and they are not happy with Three In One Concepts' response.
2. Three In One Concepts will endeavor to ensure that all Personal Data held in relation to an individual is accurate.
3. Individuals who consider that data is inaccurate or out of date may also request, in writing, that the information be corrected or erased. They will receive a written response indicating whether or not Three In One Concepts agrees and if so, the action to be taken. Three In One Concepts will rely on individuals to provide accurate and complete Personal Data when completing any enrolment or registration form or otherwise providing information to Three In One Concepts or Personnel.
4. Individuals can also ask Three In One Concepts to stop handling their Personal Data if they believe this will cause them harm or distress. Three In One Concepts will act reasonably in relation to any such request.
X. Training
1. Data Protection training is important so that all Personnel understand their responsibilities.
2. All Three In One Concepts employees (including temporary employees) will receive mandatory internal training annually.
3. Other Personnel are encouraged to attend online training.
XI. Non Compliance
Serious breaches of this policy caused by deliberate, negligent or reckless behavior could result in disciplinary action and may even lead to criminal prosecution.
Where those breaching this policy are not employees, this may be regarded as a serious breach of contractual obligations.
XII. Policy Review
1. Three In One Concepts has established a Data Protection Team.
2. The Data Protection Team comprises Three In One Concepts' President, Three In One Concepts' Board Members, and any Three In One Concepts' Faculty Members to whom data protection functions are delegated from time to time.
3. The Data Protection Team has direct responsibility for coordinating the maintenance and review of this policy annually.
4. Reviews will take into account changes in legislation, best practice, lessons learnt and may be in consultation with any relevant IT service providers or industry professionals.
XIII. Further Information and guidance
1. Enquiries regarding this policy should be directed to the Data Protection Team by using any of the contact details of Three In One Concepts set out on its website.