Version number :



Replacing previous version


IFT Leadership Team


November 2022

Next Review Date:

November 2023

Approval body:

Board of Trustees

Ratified by:

Board of Trustees

Date ratified:

December 2022

Implementation Date:

December 2022

November 2022 


The Institute of Family Therapy (IFT) takes the security and privacy of your data seriously. IFT holds personal information about a wide range of people including employees, volunteers, donors and service users – this is information that could be used to identify them, e.g. name, address, tax details or national insurance number, or which may be sensitive, such as information about their health or family situation. At IFT, personal information is held in a variety of ways – in databases, clinical records, spreadsheets, paper files, documents, emails, photographs and recordings.

We need to gather and use this information or ‘data’ as part of our business and to manage our relationship with you. To comply with the law, data must be collected and used appropriately, and fairly, stored and disposed of securely and not disclosed to any other unauthorised person unlawfully. We will comply with our legal obligations under the Data Protection Act 2018 (the ‘2018 Act’) and the EU General Data Protection Regulation (‘GDPR’) in respect of data privacy and security. We have a duty to notify you of the information covered by this Policy.

IFT is the ‘data controller’ for the purposes of your ‘personal data’. This means that IFT determines the purpose and means of the processing of your personal data and, within IFT, responsibility for co-ordinating this lies with the ‘Data Protection Officer’ (DPO), the Director of Operations.

This Policy explains how IFT will hold and process your personal data. It explains your rights as a data subject. It also explains your obligations if you should obtain, handle, process or store personal data in the course of your contact with IFT.

This Policy applies to clients. You should read this Policy alongside any written form of agreement that exists between us and any other notice we issue to you from time to time in relation to your data. (Similar but separate Policies apply to a). Staff and b). Seasonal staff, students, IFT members and those on IFT’s mailing lists.)

This Policy does not form part of any contractual relationship with you but it is intended that this Policy is fully compliant with the 2018 Act and the GDPR. If any conflict arises between those laws and this Policy, the Company intends to comply with the 2018 Act and the GDPR.

IFT will not sell your data, keep your personal data for longer than is necessary or make your personal data available to third parties, other than stated below.


IFT is a training provider and a provider of therapy to clients, and therefore has a legitimate interest in holding and processing data. We will collect, use and hold personal data about you, dependent on the nature of your involvement with IFT, as set out in this Policy.

Personal data must be processed in accordance with six ‘Data Protection Principles.’ It must:

be processed fairly, lawfully and transparently;
be collected and processed only for specified, explicit and legitimate purposes;
be adequate, relevant and limited to what is necessary for the purposes it is processed;
be accurate and kept up to date (inaccurate data must be deleted or rectified without delay);
not be kept for longer than is necessary for the purposes it is processed; and
be processed securely.

IFT is accountable for these principles and must be able to show that it is compliant.


IFT will process your personal data (including special categories of personal data) in accordance with our obligations under the 2018 Act.

We will use your personal data:

to comply with any legal obligation; or
to manage the working relationship between us; or
if it is necessary for our legitimate interests (or for the legitimate interests of someone else). We can do this only if your interests and rights do not override ours (or theirs). You have the right to challenge our legitimate interests and request that we stop this processing.

We can process your personal data for these purposes without your knowledge or consent. We will not use your personal data for an unrelated purpose without telling you about it and the legal basis that we intend to rely on for processing it.

Data Retention
We will only retain your personal information for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.

After you have graduated, IFT is required to retain some of your information to provide statutory analytical data and to verify awards, provide transcripts of marks and to provide academic references for career support. Once you are no longer a trainee / student we will retain or securely destroy your personal information. We will not keep any records for longer than seven years.

In some circumstances we may anonymise your personal information so that it can no longer be used to identify you, in which case we may use such information without further notice to you.


It is the responsibility of everyone working at or with IFT to ensure they understand how to handle data appropriately, are familiar with all the relevant policies and guidance and undertake regular training to maintain their awareness of DPA legislation and practice. Some staff also have specific responsibility around DPA compliance.

Trustees – They have overall responsibility for ensuring that the organisation complies with its legal obligations.

Staff and volunteers – All staff and volunteers are required to complete initial data security training and attend an induction session which includes IG. A full programme of data protection and security training is available to all staff. Staff are expected to familiarise themselves with and follow any policies and procedures that relate to the personal and / or confidential data they may handle or encounter in the course of their work and their line manager is responsible for flagging policies relevant to their role and work during their induction period.


We have robust measures in place to minimise and prevent data breaches taking place.
If a breach of personal data occurs (whether in respect of you or someone else) we must take notes and keep evidence of that breach. If the breach is likely to result in a risk to the rights and freedoms of individuals, we must notify the Information Commissioner’s Office within 72 hours.

If you are aware of a data breach you must contact the Director of Operations immediately and keep any evidence you have in relation to the breach.


All records are kept securely and all computers are password protected.

The law states that if you would like to make an SAR in relation to your own personal data you should make this in writing to the Director of Operations. We must respond within one month unless the request is complex or numerous in which case the period in which we must respond can be extended by a further two months.

There is no fee for making a SAR. However, if your request is manifestly unfounded or excessive we may charge a reasonable administrative fee or refuse to respond to your request.

You may have access to your own records by making a request to the Director of Operations. For clients, this would be on IFT premises and under the supervision of a member of staff.

Access to written notes – written consent of all parties involved in the sessions has to be secured before notes can be accessed, otherwise all reference to other parties will be redacted.

Access to view DVD recordings – written consent of all parties on the recordings has to be secured before DVDs can be viewed.


You have the right to information about what personal data we process, how and on what basis, as set out in this Policy.

You have the right to access your own personal data by way of an SAR (please see above, 5.d), or by requesting this via the Director of Operations.