Privacy Policy

Who we are

Our website address is: https://zayna.net.

What personal data we collect and why we collect it

Comments

When visitors leave comments on the site we collect the data shown in the comments form, and also the visitor’s IP address and browser user agent string to help spam detection.

An anonymised string created from your email address (also called a hash) may be provided to the Gravatar service to see if you are using it. The Gravatar service Privacy Policy is available here: https://automattic.com/privacy/. After approval of your comment, your profile picture is visible to the public in the context of your comment.

Media

If you upload images to the website, you should avoid uploading images with embedded location data (EXIF GPS) included. Visitors to the website can download and extract any location data from images on the website.

Contact forms

Cookies

If you leave a comment on our site you may opt in to saving your name, email address and website in cookies. These are for your convenience so that you do not have to fill in your details again when you leave another comment. These cookies will last for one year.

If you visit our login page, we will set a temporary cookie to determine if your browser accepts cookies. This cookie contains no personal data and is discarded when you close your browser.

When you log in, we will also set up several cookies to save your login information and your screen display choices. Login cookies last for two days, and screen options cookies last for a year. If you select “Remember Me”, your login will persist for two weeks. If you log out of your account, the login cookies will be removed.

If you edit or publish an article, an additional cookie will be saved in your browser. This cookie includes no personal data and simply indicates the post ID of the article you just edited. It expires after 1 day.

Embedded content from other websites

Articles on this site may include embedded content (e.g. videos, images, articles, etc.). Embedded content from other websites behaves in the exact same way as if the visitor has visited the other website.

These websites may collect data about you, use cookies, embed additional third-party tracking, and monitor your interaction with that embedded content, including tracking your interaction with the embedded content if you have an account and are logged in to that website.

Analytics

How long we retain your data

If you leave a comment, the comment and its metadata are retained indefinitely. This is so we can recognise and approve any follow-up comments automatically instead of holding them in a moderation queue.

For users that register on our website (if any), we also store the personal information they provide in their user profile. All users can see, edit, or delete their personal information at any time (except they cannot change their username). Website administrators can also see and edit that information.

What rights you have over your data

If you have an account on this site, or have left comments, you can request to receive an exported file of the personal data we hold about you, including any data you have provided to us. You can also request that we erase any personal data we hold about you. This does not include any data we are obliged to keep for administrative, legal, or security purposes.

Where we send your data

Visitor comments may be checked through an automated spam detection service.

Your contact information

Zayna Ratty @ ZRTherapy [email protected]

I am committed to encouraging equality and diversity among our workforce, and eliminating unlawful discrimination.

I am also committed against unlawful discrimination of clients.

The policy’s purpose is to:

Not unlawfully discriminate because of the Equality Act 2010 protected characteristics of status, age, disability, gender alignment, marriage and civil partnership, pregnancy and maternity, race (including colour, nationality, and ethnic or national origin), religion or belief, gender, sex or sexual orientation.

I oppose and avoid all forms of unlawful discrimination. This includes in terms and conditions, dealing with grievances and discipline, commencing and terminating therapy.

Within my profession I want to create a working environment free of bullying, harassment, victimisation and unlawful discrimination, promoting dignity and respect for all, and where individual differences and all contributions are recognised and valued.

Everyone should understand they, as well as their employer, can be held liable for acts of bullying, harassment, victimisation and unlawful discrimination, in the course of their employment, against fellow employees, customers, suppliers and the public.

I take seriously complaints of bullying, harassment, victimisation and unlawful discrimination by fellow employees, customers, suppliers, visitors, the public and any others in the course of the organisation’s work activities.

Further, sexual harassment may amount to both an employment rights matter and a criminal matter, such as in sexual assault allegations. In addition, harassment under the Protection from Harassment Act 1997 – which is not limited to circumstances where harassment relates to a protected characteristic – is a criminal offence

To regularly review my practices and procedures when necessary to ensure fairness, and also update them and the policy to take account of changes in the law

Monitoring will include assessing how the equality policy, and any supporting action plan, are working in practice, reviewing them annually, and considering and taking action to address any issues.

I am committed to uphold an individual’s access to courses of training when providing any CPD.

I am committed to running an ethical, non-exploitative and anti-discriminatory practice.

I aim to treat everyone with integrity, impartiality and respect.

They must recognise and work in ways that respect the values and dignity of my clients with due regard to issues such as

I have a responsibility to be aware of my own issues of prejudice and stereotyping and particularly to consider ways in which these may be affecting any relationship.

I am committed to working through these issues in my own personal life so they do not affect my professional life.

I need to be alert to any prejudices and assumptions that clients reveal in our work and to raise awareness of these so that the needs of clients may be met with sensitive recognition and appreciation of difference.

Data protection policy

Key details

Policy prepared by: Zayna Ratty
Policy became operational on: 01/01/2020
Next review date: 01/01/2021

Introduction

Zayna Ratty and ZRTherapy will hereby be referred to as ZRT throughout the document. ZRT needs to gather and use certain information about individuals.

These can include clients, suppliers, business contacts, employees and other people the organisation has a relationship with or may need to contact.

This policy describes how this personal data must be collected, handled and stored to meet the company’s data protection standards — and to comply with the law.

Why this policy exists

This data protection policy ensures ZRT:

Complies with data protection law and follows good practice
Protects the rights of staff, clients and partners
Is open about how it stores and processes individuals’ data
Protects itself from the risks of a data breach

Data protection law

The Data Protection Act 1998 describes how organisations — including ZRT— must collect, handle and store personal information.

These rules apply regardless of whether data is stored electronically, on paper or on other materials.

To comply with the law, personal information must be collected and used fairly, stored safely and not disclosed unlawfully.

The Data Protection Act is underpinned by eight important principles. These say that personal data must:

  1. Be processed fairly and lawfully

  2. Be obtained only for specific, lawful purposes

  3. Be adequate, relevant and not excessive

  4. Be accurate and kept up to date

  5. Not be held for any longer than necessary

  6. Be processed in accordance with the rights of data subjects

  7. Be protected in appropriate ways

  8. Not be transferred outside the European Economic Area (EEA), unless that country or territory also ensures an adequate level of protection

Policy scope

This policy applies to:

The primary office of ZRT
All temporary offices used by ZRT
All staff and volunteers of ZRT

All contractors, suppliers and other people working on behalf of ZRT

It applies to all data that the company holds relating to identifiable individuals, even if that information technically falls outside of the Data Protection Act 1998. This can include:

Names of individuals
Postal addresses
Email addresses
Telephone numbers
Therapy notes

…plus any other information relating to individuals

Data protection risks

This policy helps to protect ZRT from some very real data security risks, including:

Breaches of confidentiality. For instance, information being given out inappropriately.
Failing to offer choice. For instance, all individuals should be free to choose how the company uses data relating to them.
Reputational damage. For instance, the company could suffer if hackers successfully gained access to sensitive data.

Responsibilities

Everyone who works for or with ZRT has some responsibility for ensuring data is collected, stored and handled appropriately.

Each team that handles personal data must ensure that it is handled and processed in line with this policy and data protection principles.

However, these people have key areas of responsibility:
I am ultimately responsible for ensuring that ZRT meets its legal obligations. ZRT is responsible for:

o Keeping the board updated about data protection responsibilities, risks and issues.

o Reviewing all data protection procedures and related policies, in line with an agreed schedule.

o Arranging data protection training and advice for the people covered by this policy.

o Handling data protection questions from staff and anyone else covered by this policy.

o Dealing with requests from individuals to see the data [company name] holds about them (also called ‘subject access requests’).

o Checking and approving any contracts or agreements with third parties that may handle the company’s sensitive data.

o Ensuring all systems, services and equipment used for storing data meet acceptable security standards.

o Performing regular checks and scans to ensure security hardware and software is functioning properly.

o Evaluating any third-party services the company is considering using to store or process data. For instance, cloud computing services.

o Approving any data protection statements attached to communications such as emails and letters.

o Addressing any data protection queries from journalists or media outlets like newspapers.

o Where necessary, working with other staff to ensure marketing initiatives abide by data protection principles.

General staff guidelines

The only people able to access data covered by this policy should be those who need it for their work.

Data should not be shared informally. When access to confidential information is required, employees can request it from their line managers.

ZRT will provide training to all employees to help them understand their responsibilities when handling data.

Employees should keep all data secure, by taking sensible precautions and following the guidelines below.

In particular, strong passwords must be used and they should never be shared.

Personal data should not be disclosed to unauthorised people, either within the company or externally.

Data should be regularly reviewed and updated if it is found to be out of date. If no longer required, it should be deleted and disposed of.

Data storage

These rules describe how and where data should be safely stored. I should be registered with the ICO.

When data is stored on paper, it should be kept in a secure place where unauthorised people cannot see it.

These guidelines also apply to data that is usually stored electronically but has been printed out for some reason:

When not required, the paper or files should be kept in a locked drawer or filing cabinet.
I should make sure paper and printouts are not left where unauthorised people could see them, like on a printer.
Data printouts should be shredded and disposed of securely when no longer required.

When data is stored electronically, it must be protected from unauthorised access, accidental deletion and malicious hacking attempts:

Data should be protected by strong passwords that are changed regularly and never shared.
If data is stored on removable media (like a CD or DVD), these should be kept locked away securely when not being used.
Data should only be stored on designated drives and servers, and should only be uploaded to approved cloud computing services.
Servers containing personal data should be sited in a secure location, away from general office space.

Data should be backed up frequently. Those backups should be tested regularly, in line with the company’s standard backup procedures.

Data should never be saved directly to laptops or other mobile devices like tablets or smart phones.

All servers and computers containing data should be protected by approved security software and a firewall.

Data use

It is when personal data is accessed and used that it can be at the greatest risk of loss, corruption or theft:

When working with personal data, I should ensure the screens of my computers are always locked when left unattended.

Personal data should not be shared informally. In particular, it should never be sent by email, as this form of communication is not secure.

Data must be encrypted before being transferred electronically.

Personal data should never be transferred outside of the European Economic Area.

Data accuracy

The law requires ZRT to take reasonable steps to ensure data is kept accurate and up to date.

The more important it is that the personal data is accurate, the greater the effort ZRT should put into ensuring its accuracy.

It is my responsibility when I work with data to take reasonable steps to ensure it is kept as accurate and up to date as possible.

Data will be held in as few places as necessary.

No individual client should be identifiable to anyone other than myself.

Client contact details and notes should be stored together.

Staff should take every opportunity to ensure data is updated. For instance, by confirming a customer’s details when they call.

ZRT will make it easy for data subjects to update the information ZRT holds about them. For instance, via the company website.

Data should be updated as inaccuracies are discovered. For instance, if a client can no longer be reached on their stored telephone number, it should be removed.

Subject access requests

All individuals who are the subject of personal data held by ZRT are entitled to:

Ask what information I hold about them and why.
Ask how to gain access to it.
Be informed how to keep it up to date.
Be informed how I am meeting my data protection obligations.

If an individual contacts me requesting this information, this is called a subject access request.

Subject access requests from individuals should be made by email, addressed to the [email protected]. The data controller can supply a standard request form, although individuals do not have to use this.

The data controller will always verify the identity of anyone making a subject access request before handing over any information.

Disclosing data for other reasons

In certain circumstances, the Data Protection Act allows personal data to be disclosed to law enforcement agencies without the consent of the data subject.

Under these circumstances, ZRT will disclose requested data. However I will ensure the request is legitimate, seeking assistance from my supervisor and legal advice where necessary.

ZRT aims to ensure that individuals are aware that their data is being processed, and that they understand:

How the data is being used
How to exercise their rights

To these ends, I have informed the client of my privacy statement, setting out how data is kept and in which circumstances it can be assessed.

Social media policy

Key details

Policy prepared by: Zayna Ratty
Policy became operational on: 01/01/2020
Next review date: 01/01/2021

Introduction

Zayna Ratty may be able to access social media services and social networking websites while in a place of work, either through cloud systems or via their own personal equipment.

This social media policy describes the rules governing use of social media at ZRTherapy.

It sets out how staff must behave when using ZRTherapy’s social media accounts. It also explains the rules about using personal social media accounts at work and describes what staff may say about the company on their personal accounts.

This policy should be read alongside other key policies. ZRTherapy internet use policy is particularly relevant to staff using social media.

Why this policy exists

Social media can bring significant benefits to ZRTherapy, particularly for building relationships with current and potential clients. However, it’s important that I am aware of who uses social media within ZRTherapy and that I do so in a way that enhances ZRTherapy’s prospects.

A misjudged status update can generate complaints or damage ZRTherapy’s reputation. There are also security and data protection issues to consider.

This policy explains how I can use social media safely and effectively.

Policy scope

This policy applies to all staff, contractors and volunteers at ZRTherapy who use social media while working — no matter whether for business or personal reasons.

It applies no matter whether that social media use takes place on company premises, while travelling for business or while working from home.

Social media sites and services include (but are not limited to):

Popular social networks like Twitter and Facebook
Online review websites like Reevoo and Trustpilot
Sharing and discussion sites like Delicious and Reddit
Photographic social networks like Flickr and Instagram
Question and answer social networks like Quora and Yahoo Answers

Professional social networks like LinkedIn and Sunzu

Context and overview

Responsibilities

Everyone who operates a company social media account or who uses their personal social media accounts at work has some responsibility for implementing this policy.

My key responsibilities:

I am ultimately responsible for ensuring that ZRTherapy uses social media safely, appropriately and in line with the UKCP ethics and objectives. I am also responsible for proactively monitoring for social media security threats. I am also responsible for ensuring requests for assistance and support made via social media are followed up.

The power of social media

I recognise that social media offers a platform for ZRT to perform marketing, stay connected with customers and build its profile online.

The company therefore encourages employees to use social media to support the company’s goals and objectives.

Basic advice

Regardless of which social networks employees are using, or whether they’re using business or personal accounts on company time, following these simple rules helps avoid the most common pitfalls:

Know the social network. Employees should spend time becoming familiar with the social network before contributing. It’s important to read any FAQs and understand what is and is not acceptable on a network before posting messages or updates.

If unsure, don’t post it. Staff should err on the side of caution when posting to social networks. If an employee feels an update or message might cause complaints or offence — or be otherwise unsuitable — they should not post it. Staff members can always consult the [social media manager] for advice.

Be thoughtful and polite. Many social media users have got into trouble simply by failing to observe basic good manners online.

Look out for security threats. I should be on guard for social engineering and phishing attempts. Social networks are also used to distribute spam and malware. Further details below.

Keep personal use reasonable. Although I believe that being active on social media can be valuable both to those employees and to the business, I should exercise restraint in how much personal use of social media they make during working hours.

Don’t make promises without checking. Some social networks are very public, so I should not make any commitments or promises without checking that I can deliver on the promises.

General social media guidelines

Handle complex queries via other channels. Social networks are not a good place to resolve complicated enquiries and customer issues. Once a customer has made contact, I should handle further communications via the most appropriate channel — usually email or telephone.

Don’t escalate things. It’s easy to post a quick response to a contentious status update and then regret it. I should always take the time to think before responding, and hold back if they are in any doubt at all.

This part of the social media policy covers all use of social media accounts owned and run by the company.

Authorised users

Only people who have been authorised to use the company’s social networking accounts may do so.

Authorisation is usually provided by myself. It is typically granted when social media-related tasks form a core part of an employee’s job.

Allowing only designated people to use the accounts ensures that my social media presence is consistent and cohesive.

Creating social media accounts

The company operates its social media presence in line with a strategy that focuses on the most-appropriate social networks, given available resources.

Purpose of company social media accounts

ZRT’s social media accounts may be used for many different purposes.

In general, I should only post updates, messages or otherwise use these accounts when that use is clearly in line with the company’s overall objectives.

For instance, employees may use company social media accounts to:

Respond to client enquiries and requests for help
Share blog posts, articles and other content created by myself
Share insightful articles, videos, media and other content relevant to the business, but created by others
Promote marketing campaigns and special offers
Support new product launches and other initiatives

Social media is a powerful tool that changes quickly.

Inappropriate content and uses

Company social media accounts must not be used to share or spread inappropriate content, or to take part in any activities that could bring the company into disrepute.

Use of company social media accounts

When sharing an interesting blog post, article or piece of content, employees should always review the content thoroughly, and should not post a link based solely on a headline.

I do not personally accept Facebook ‘friend’ requests from anyone who has seen me in a therapeutic capacity. The only incidence where I may be ‘friends’ with a service user is if there were a preexisting ‘friend’.

This is to avoid a blurring of therapeutic/friend lines as per my boundaries statement.

The value of social media

ZRT recognises that my personal social media accounts can generate a number of benefits. For instance:

I can make industry contacts that may be useful in their jobs
I can discover content to help them learn and develop in their role
By posting about the ZRT, I can help to build the business’ profile online

Personal social media rules

Acceptable use:

I may use their personal social media accounts for work-related purposes during regular hours, but must ensure this is for a specific reason (e.g. competitor research). Social media should not affect my ability to perform their regular duties.

Use of social media accounts for non-work purposes is restricted to non-work times, such as breaks and during lunch.

Talking about the ZRT:
Employees should ensure it is clear that their social media account does not represent ZRT’s views or opinions.

I may wish to include a disclaimer in social media profiles: ‘The views expressed are my own and do not reflect the views of my employer.’

The rules in this section apply to:

Any employees using company social media accounts
Employees using personal social media accounts during company time

Users must not:

Create or transmit material that might be defamatory or incur liability for ZRT.

Post messages, status updates or links to material or content that is inappropriate.

Use of personal social media accounts at work

Safe, responsible social media use

Inappropriate content includes: pornography, racial or religious slurs, gender-specific comments, information encouraging criminal skills or terrorism, or materials relating to cults, gambling and illegal drugs.

This definition of inappropriate content or material also covers any text, images or other media that could reasonably offend someone on the basis of race, age, sex, religious or political beliefs, national origin, disability, sexual orientation, or any other characteristic protected by law.

Use social media for any illegal or criminal activities.

Send offensive or harassing material to others via social media.

Broadcast unsolicited views on social, political, religious or other non-business related matters.

Send or post messages or material that could damage ZRT’s image or reputation.

Interact with ZRT’s competitors in any ways which could be interpreted as being offensive, disrespectful or rude. (Communication with direct competitors should be kept to a minimum.)

Discuss fellow therapists, competitors, clients both present, past and future, or suppliers without their approval.

Post, upload, forward or link to spam, junk email or chain emails and messages.

Copyright

ZRT respects and operates within copyright laws. Users may not use social media to:

Publish or share any copyrighted software, media or materials owned by third parties, unless permitted by that third party.

If I wish to share content published on another website, they are free to do so if that website has obvious sharing buttons or functions on it.

Share links to illegal copies of music, films, games or other software.

Security and data protection

Employees should be aware of the security and data protection issues that can arise from using social networks.

Maintain confidentiality

Users must not:
Share or link to any content or information owned by the company that could be considered confidential or commercially sensitive.
This might include sales figures, details of past, present or future clients, or information about future strategy or marketing campaigns.

Share or link to any content or information owned by another company or person that could be considered confidential or commercially sensitive.

For example, if a competitor’s marketing strategy was leaked online, employees of ZRT should not mention it on social media.

Share or link to data in any way that could breach the company’s data protection policy.

Protect social accounts

My social media accounts should be protected by strong passwords that are changed regularly and shared only with authorised users.

Wherever possible, employees should use two-factor authentication (often called mobile phone verification) to safeguard company accounts.

Staff must not use a new piece of software, app or service with any of the company’s social media accounts without receiving approval.

Avoid social scams

I should watch for phishing attempts, where scammers may attempt to use deception to obtain information relating to either the company or its clients.

I should never reveal sensitive details through social media channels. Clients’ identities must always be verified in the usual way before any account information is shared or discussed.

I should avoid clicking links in posts, updates and direct messages that look suspicious. In particular, users should look out for URLs contained in generic or vague-sounding direct messages.

Monitoring social media use

Company IT and internet resources — including computers, smart phones and internet connections — are provided for legitimate business use.

ZRT therefore reserves the right to monitor how social networks are used and accessed through these resources.

Any such examinations or monitoring will only be carried out by myself.

Additionally, all data relating to social networks written, sent or received through the company’s computer systems is part of official ZRT records.

The company can be legally compelled to show that information to law enforcement agencies or other parties.

Potential sanctions

Knowingly breaching this social media policy is a serious matter. Users who do so will be subject to disciplinary action, up to and including termination of employment.

Policy enforcement

Employees, contractors and other users may also be held personally liable for violating this policy.

Where appropriate, the company will involve the police or other law enforcement agencies in relation to breaches of this policy.