Cookie policy (UK)

I am committed to encouraging equality and diversity among our workforce, and eliminating unlawful discrimination.

I am also committed to opposing unlawful discrimination against clients.

The policy’s purpose is to:

Not unlawfully discriminate because of the Equality Act 2010 protected characteristics of status, age, disability, gender alignment, marriage and civil partnership, pregnancy and maternity, race (including colour, nationality, and ethnic or national origin), religion or belief, gender, sex or sexual orientation.

I oppose and avoid all forms of unlawful discrimination. This includes in terms and conditions, dealing with grievances and discipline, commencing and terminating therapy.

Within my profession I want to create a working environment free of bullying, harassment, victimisation and unlawful discrimination, promoting dignity and respect for all, and where individual differences and all contributions are recognised and valued.

Everyone should understand they, as well as their employer, can be held liable for acts of bullying, harassment, victimisation and unlawful discrimination, in the course of their employment, against fellow employees, customers, suppliers and the public.

I take seriously complaints of bullying, harassment, victimisation and unlawful discrimination by fellow employees, customers, suppliers, visitors, the public and any others in the course of the organisation’s work activities.

Further, sexual harassment may amount to both an employment rights matter and a criminal matter, such as in sexual assault allegations. In addition, harassment under the Protection from Harassment Act 1997 – which is not limited to circumstances where harassment relates to a protected characteristic – is a criminal offence.

To regularly review my practices and procedures when necessary to ensure fairness, and also update them and the policy to take account of changes in the law.

Monitoring will include assessing how the equality policy, and any supporting action plan, are working in practice, reviewing them annually, and considering and taking action to address any issues.

I am committed to uphold an individual’s access to courses of training when providing any CPD.

I am committed to running an ethical, non-exploitative and anti-discriminatory practice.

I aim to treat everyone with integrity, impartiality and respect.

They must recognise and work in ways that respect the values and dignity of my clients with due regard to issues such as

I have a responsibility to be aware of my own issues of prejudice and stereotyping and particularly to consider ways in which these may be affecting any relationship.

I am committed to working through these issues in my own personal life so they do not affect my professional life.

I need to be alert to any prejudices and assumptions that clients reveal in our work and to raise awareness of these so that the needs of clients may be met with sensitive recognition and appreciation of difference.

Key details

Policy prepared by: Zayna Ratty
Policy became operational on: 01/01/2020
Next review date: 01/01/2021

Zayna Ratty and ZRTherapy will be hereby referred to as ZRT throughout the document. ZRT needs to gather and use certain information about individuals.

These can include clients, suppliers, business contacts, employees and other people the organisation has a relationship with or may need to contact.

This policy describes how this personal data must be collected, handled and stored to meet the company’s data protection standards — and to comply with the law.

Why this policy exists

This data protection policy ensures ZRT:

Complies with data protection law and follows good practice
Protects the rights of staff, clients and partners
Is open about how it stores and processes individuals’ data
Protects itself from the risks of a data breach

Data protection law

The Data Protection Act 1998 describes how organisations — including ZRT — must collect, handle and store personal information.

These rules apply regardless of whether data is stored electronically, on paper or on other materials.

To comply with the law, personal information must be collected and used fairly, stored safely and not disclosed unlawfully.

The Data Protection Act is underpinned by eight important principles. These say that personal data must:

  1. Be processed fairly and lawfully

  2. Be obtained only for specific, lawful purposes

  3. Be adequate, relevant and not excessive

  4. Be accurate and kept up to date

  5. Not be held for any longer than necessary

  6. Be processed in accordance with the rights of data subjects

Context and overview

  7. Be protected in appropriate ways

  8. Not be transferred outside the European Economic Area (EEA), unless that country or territory also ensures an adequate level of protection

Policy scope

This policy applies to:

The primary office of ZRT
All temporary offices used by ZRT
All staff and volunteers of ZRT
All contractors, suppliers and other people working on behalf of ZRT

It applies to all data that the company holds relating to identifiable individuals, even if that information technically falls outside of the Data Protection Act 1998. This can include:

Names of individuals
Postal addresses
Email addresses
Telephone numbers
Therapy notes

…plus any other information relating to individuals

Data protection risks

This policy helps to protect ZRT from some very real data security risks, including:

Breaches of confidentiality. For instance, information being given out inappropriately.
Failing to offer choice. For instance, all individuals should be free to choose how the company uses data relating to them.
Reputational damage. For instance, the company could suffer if hackers successfully gained access to sensitive data.


Everyone who works for or with ZRT has some responsibility for ensuring data is collected, stored and handled appropriately.

Each team that handles personal data must ensure that it is handled and processed in line with this policy and data protection principles.

However, these people have key areas of responsibility:
I am ultimately responsible for ensuring that ZRT meets its legal obligations. ZRT is responsible for:

o Keeping the board updated about data protection responsibilities, risks and issues.

People, risks and responsibilities

o Reviewing all data protection procedures and related policies, in line with an agreed schedule.

o Arranging data protection training and advice for the people covered by this policy.

o Handling data protection questions from staff and anyone else covered by this

o Dealing with requests from individuals to see the data [company name] holds about them (also called ‘subject access requests’).

o Checking and approving any contracts or agreements with third parties that may handle the company’s sensitive data.

o Ensuring all systems, services and equipment used for storing data meet acceptable security standards.

o Performing regular checks and scans to ensure security hardware and software is functioning properly.

o Evaluating any third-party services the company is considering using to store or process data. For instance, cloud computing services.

o Approving any data protection statements attached to communications such as emails and letters.

o Addressing any data protection queries from journalists or media outlets like newspapers.

o Where necessary, working with other staff to ensure marketing initiatives abide by data protection principles.

The only people able to access data covered by this policy should be those who need it for their work.

Data should not be shared informally. When access to confidential information is required, employees can request it from their line managers.

ZRT will provide training to all employees to help them understand their responsibilities when handling data.

Employees should keep all data secure, by taking sensible precautions and following the guidelines below.

In particular, strong passwords must be used and they should never be shared.
Personal data should not be disclosed to unauthorised people, either within the company or


Data should be regularly reviewed and updated if it is found to be out of date. If no longer required, it should be deleted and disposed of.

These rules describe how and where data should be safely stored. I should be registered with the


General staff guidelines

Data storage


When data is stored on paper, it should be kept in a secure place where unauthorised people cannot see it.

These guidelines also apply to data that is usually stored electronically but has been printed out for some reason:

When not required, the paper or files should be kept in a locked drawer or filing cabinet.
I should make sure paper and printouts are not left where unauthorised people could see them, like on a printer.
Data printouts should be shredded and disposed of securely when no longer required.

When data is stored electronically, it must be protected from unauthorised access, accidental deletion and malicious hacking attempts:

Data should be protected by strong passwords that are changed regularly and never shared.
If data is stored on removable media (like a CD or DVD), these should be kept locked away securely when not being used.
Data should only be stored on designated drives and servers, and should only be uploaded to approved cloud computing services.
Servers containing personal data should be sited in a secure location, away from general office


Data should be backed up frequently. Those backups should be tested regularly, in line with the company’s standard backup procedures.

Data should never be saved directly to laptops or other mobile devices like tablets or smart phones.

All servers and computers containing data should be protected by approved security software and a firewall.

It is when personal data is accessed and used that it can be at the greatest risk of loss, corruption or theft:

When working with personal data, I should ensure the screens of their computers are always locked when left unattended.

Personal data should not be shared informally. In particular, it should never be sent by email, as this form of communication is not secure.

Data must be encrypted before being transferred electronically.
Personal data should never be transferred outside of the European Economic Area.

Data use

Data accuracy

The law requires ZRT to take reasonable steps to ensure data is kept accurate and up to date.

The more important it is that the personal data is accurate, the greater the effort ZRT should put into ensuring its accuracy.

It is my responsibility when I work with data to take reasonable steps to ensure it is kept as accurate and up to date as possible.

Data will be held in as few places as necessary.

No individual client should be identifiable to anyone other than myself.

Client contact details and notes should be stored together.

Staff should take every opportunity to ensure data is updated. For instance, by confirming a customer’s details when they call.

ZRT will make it easy for data subjects to update the information ZRT holds about them. For instance, via the company website.

Data should be updated as inaccuracies are discovered. For instance, if a client can no longer be reached on their stored telephone number, it should be removed.

All individuals who are the subject of personal data held by ZRT are entitled to:

Ask what information I hold about them and why.
Ask how to gain access to it.
Be informed how to keep it up to date.
Be informed how I am meeting my data protection obligations.

If an individual contacts me requesting this information, this is called a subject access request.

Subject access requests from individuals should be made by email, addressed to the [email protected]. The data controller can supply a standard request form, although individuals do not have to use this.

The data controller will always verify the identity of anyone making a subject access request before handing over any information.

In certain circumstances, the Data Protection Act allows personal data to be disclosed to law enforcement agencies without the consent of the data subject.

Subject access requests

Disclosing data for other reasons

Under these circumstances, ZRT will disclose requested data. However I will ensure the request is legitimate, seeking assistance from my supervisor and legal advice where necessary.

ZRT aims to ensure that individuals are aware that their data is being processed, and that they understand:

How the data is being used
How to exercise their rights

To these ends, I have informed the client of my privacy statement, setting out how data is kept and in which circumstances it can be assessed.

Policy prepared by: Zayna Ratty
Policy became operational on: 01/01/2020
Review on: 01/01/2021

Zayna Ratty may be able to access social media services and social networking websites while in a place of work, either through cloud systems or via their own personal equipment.

This social media policy describes the rules governing use of social media at ZRTherapy.

It sets out how staff must behave when using ZRTherapy’s social media accounts. It also explains the rules about using personal social media accounts at work and describes what staff may say about the company on their personal accounts.

This policy should be read alongside other key policies. ZRTherapy internet use policy is particularly relevant to staff using social media.

Why this policy exists

Social media can bring significant benefits to ZRTherapy, particularly for building relationships with current and potential clients. However, it’s important that I am aware of who uses social media within ZRTherapy and that I do so in a way that enhances ZRTherapy’s prospects.

A misjudged status update can generate complaints or damage ZRTherapy’s reputation. There are also security and data protection issues to consider.

This policy explains how I can use social media safely and effectively.

Policy scope

This policy applies to all staff, contractors and volunteers at ZRTherapy who use social media while working — no matter whether for business or personal reasons.

It applies no matter whether that social media use takes place on company premises, while travelling for business or while working from home.

Social media sites and services include (but are not limited to):

Popular social networks like Twitter and Facebook
Online review websites like Reevoo and Trustpilot
Sharing and discussion sites like Delicious and Reddit
Photographic social networks like Flickr and Instagram
Question and answer social networks like Quora and Yahoo Answers
Professional social networks like LinkedIn and Sunzu

Context and overview


Everyone who operates a company social media account or who uses their personal social media accounts at work has some responsibility for implementing this policy.

My key responsibilities:

I am ultimately responsible for ensuring that ZRTherapy uses social media safely, appropriately and in line with the UKCP ethics and objectives. I am also responsible for proactively monitoring for social media security threats. I am also responsible for ensuring requests for assistance and support made via social media are followed up.

The power of social media

I recognise that social media offers a platform for ZRT to perform marketing, stay connected with customers and build its profile online.

The company therefore encourages employees to use social media to support the company’s goals and objectives.

Basic advice

Regardless of which social networks employees are using, or whether they’re using business or personal accounts on company time, following these simple rules helps avoid the most common pitfalls:

Know the social network. Employees should spend time becoming familiar with the social network before contributing. It’s important to read any FAQs and understand what is and is not acceptable on a network before posting messages or updates.

If unsure, don’t post it. Staff should err on the side of caution when posting to social networks. If an employee feels an update or message might cause complaints or offence — or be otherwise unsuitable — they should not post it. Staff members can always consult the [social media manager] for advice.

Be thoughtful and polite. Many social media users have got into trouble simply by failing to observe basic good manners online.

Look out for security threats. I should be on guard for social engineering and phishing attempts. Social networks are also used to distribute spam and malware. Further details below.

Keep personal use reasonable. Although I believe that being active on social media can be valuable both to those employees and to the business, I should exercise restraint in how much personal use of social media they make during working hours.

Don’t make promises without checking. Some social networks are very public, so I should not make any commitments or promises without checking that I can deliver on the promises.

General social media guidelines

Handle complex queries via other channels. Social networks are not a good place to resolve complicated enquiries and customer issues. Once a customer has made contact, I should handle further communications via the most appropriate channel — usually email or telephone.

Don’t escalate things. It’s easy to post a quick response to a contentious status update and then regret it. I should always take the time to think before responding, and hold back if they are in any doubt at all.

This part of the social media policy covers all use of social media accounts owned and run by the company.

Authorised users

Only people who have been authorised to use the company’s social networking accounts may do so.

Authorisation is usually provided by myself. It is typically granted when social media-related tasks form a core part of an employee’s job.

Allowing only designated people to use the accounts ensures that my social media presence is consistent and cohesive.

Creating social media accounts

The company operates its social media presence in line with a strategy that focuses on the most appropriate social networks, given available resources.

Purpose of company social media accounts

ZRT’s social media accounts may be used for many different purposes.

In general, I should only post updates, messages or otherwise use these accounts when that use is clearly in line with the company’s overall objectives.

For instance, employees may use company social media accounts to:

Respond to client enquiries and requests for help
Share blog posts, articles and other content created by myself
Share insightful articles, videos, media and other content relevant to the business, but created by others
Promote marketing campaigns and special offers
Support new product launches and other initiatives

Social media is a powerful tool that changes quickly.

Inappropriate content and uses

Company social media accounts must not be used to share or spread inappropriate content, or to take part in any activities that could bring the company into disrepute.

Use of company social media accounts

When sharing an interesting blog post, article or piece of content, employees should always review the content thoroughly, and should not post a link based solely on a headline.

I do not personally accept Facebook ‘friend’ requests from anyone who has seen me in a therapeutic capacity. The only incidence where I may be ‘friends’ with a service user is if there were a preexisting ‘friend’.
This is to avoid a blurring of therapeutic/friend lines as per my boundaries statement.

The value of social media

ZRT recognises that my personal social media accounts can generate a number of benefits. For instance:

I can make industry contacts that may be useful in their jobs
I can discover content to help them learn and develop in their role
By posting about the ZRT, I can help to build the business’ profile online

Personal social media rules

Acceptable use:

I may use their personal social media accounts for work-related purposes during regular hours, but must ensure this is for a specific reason (e.g. competitor research). Social media should not affect my ability to perform their regular duties.

Use of social media accounts for non-work purposes is restricted to non-work times, such as breaks and during lunch.

Talking about the ZRT:
Employees should ensure it is clear that their social media account does not represent ZRT’s views or opinions.

I may wish to include a disclaimer in social media profiles: ‘The views expressed are my own and do not reflect the views of my employer.’

The rules in this section apply to:

Any employees using company social media accounts
Employees using personal social media accounts during company time

Users must not:
Create or transmit material that might be defamatory or incur liability for ZRT.
Post message, status updates or links to material or content that is inappropriate.

Use of personal social media accounts at work

Safe, responsible social media use

Inappropriate content includes: pornography, racial or religious slurs, gender-specific comments, information encouraging criminal skills or terrorism, or materials relating to cults, gambling and illegal drugs.

This definition of inappropriate content or material also covers any text, images or other media that could reasonably offend someone on the basis of race, age, sex, religious or political beliefs, national origin, disability, sexual orientation, or any other characteristic protected by law.

Use social media for any illegal or criminal activities.

Send offensive or harassing material to others via social media.

Broadcast unsolicited views on social, political, religious or other non-business related matters.

Send or post messages or material that could damage ZRT’s image or reputation.

Interact with ZRT’s competitors in any ways which could be interpreted as being offensive, disrespectful or rude. (Communication with direct competitors should be kept to a minimum.)

Discuss fellow therapists, competitors, clients (present, past and future) or suppliers without their approval.

Post, upload, forward or link to spam, junk email or chain emails and messages.


ZRT respects and operates within copyright laws. Users may not use social media to:

Publish or share any copyrighted software, media or materials owned by third parties, unless permitted by that third party.

If I wish to share content published on another website, they are free to do so if that website has obvious sharing buttons or functions on it.

Share links to illegal copies of music, films, games or other software.

Security and data protection

Employees should be aware of the security and data protection issues that can arise from using social networks.

Maintain confidentiality

Users must not:
Share or link to any content or information owned by the company that could be considered confidential or commercially sensitive.
This might include sales figures, details of past, present or future clients, or information about future strategy or marketing campaigns.
Share or link to any content or information owned by another company or person that could be considered confidential or commercially sensitive.
For example, if a competitor’s marketing strategy was leaked online, employees of ZRT should not mention it on social media.

Share or link to data in any way that could breach the company’s data protection policy.

Protect social accounts

My social media accounts should be protected by strong passwords that are changed regularly and shared only with authorised users.

Wherever possible, employees should use two-factor authentication (often called mobile phone verification) to safeguard company accounts.

Staff must not use a new piece of software, app or service with any of the company’s social media accounts without receiving approval.

Avoid social scams
I should watch for phishing attempts, where scammers may attempt to use deception to obtain information relating to either the company or its clients.

I should never reveal sensitive details through social media channels. Clients’ identities must always be verified in the usual way before any account information is shared or discussed.

I should avoid clicking links in posts, updates and direct messages that look suspicious. In particular, users should look out for URLs contained in generic or vague-sounding direct messages.

Monitoring social media use

Company IT and internet resources — including computers, smart phones and internet connections — are provided for legitimate business use.

ZRT therefore reserves the right to monitor how social networks are used and accessed through these resources.

Any such examinations or monitoring will only be carried out by myself.

Additionally, all data relating to social networks written, sent or received through the company’s computer systems is part of official ZRT records.

The company can be legally compelled to show that information to law enforcement agencies or other parties.

Potential sanctions

Knowingly breaching this social media policy is a serious matter. Users who do so will be subject to disciplinary action, up to and including termination of employment.

Employees, contractors and other users may also be held personally liable for violating this policy.

Policy enforcement

Where appropriate, the company will involve the police or other law enforcement agencies in relation to breaches of this policy.