{"id":16292,"date":"2021-05-01T01:01:26","date_gmt":"2021-05-01T00:01:26","guid":{"rendered":"https:\/\/bant.org.uk\/?page_id=16292"},"modified":"2026-02-04T21:26:46","modified_gmt":"2026-02-04T21:26:46","slug":"general-data-protection-regulation-gdpr","status":"publish","type":"page","link":"https:\/\/bant.org.uk\/bant-professional-practice-handbook\/general-data-protection-regulation-gdpr\/","title":{"rendered":"GENERAL DATA PROTECTION REGULATION (UK GDPR)"},"content":{"rendered":"<p>[vc_row css_animation=&#8221;&#8221; row_type=&#8221;row&#8221; use_row_as_full_screen_section=&#8221;no&#8221; type=&#8221;full_width&#8221; angled_section=&#8221;no&#8221; text_align=&#8221;left&#8221; background_image_as_pattern=&#8221;without_pattern&#8221; el_id=&#8221;top-section&#8221; z_index=&#8221;&#8221; css=&#8221;.vc_custom_1619337773730{padding-bottom: 45px !important;}&#8221;][vc_column][vc_column_text]Information on the UK General Data Protection Regulation (UK GDPR), tailored by the Data Protection Act 2018.\u00a0 It explains each of the data protection principles, rights and obligations and includes templates for a typical nutritional therapy business.\u00a0 Everyone who handles personal data needs to be aware of and trained in UK GDPR and members need to ensure they comply with the legislation.[\/vc_column_text][\/vc_column][\/vc_row][vc_row css_animation=&#8221;&#8221; row_type=&#8221;row&#8221; use_row_as_full_screen_section=&#8221;no&#8221; type=&#8221;full_width&#8221; angled_section=&#8221;no&#8221; text_align=&#8221;left&#8221; background_image_as_pattern=&#8221;without_pattern&#8221; z_index=&#8221;&#8221; anchor=&#8221;main_anchor1&#8243;][vc_column][vc_separator type=&#8221;transparent&#8221; thickness=&#8221;30&#8243;][vc_row_inner row_type=&#8221;row&#8221; type=&#8221;full_width&#8221; text_align=&#8221;left&#8221; css_animation=&#8221;&#8221; anchor=&#8221;introduction-and-templates&#8221; el_class=&#8221;anchordiv&#8221;][vc_column_inner el_class=&#8221;anchor_col&#8221; css=&#8221;.vc_custom_1618397491357{padding-top: 30px !important;padding-right: 30px !important;padding-bottom: 30px !important;padding-left: 30px !important;}&#8221;][vc_column_text]<\/p>\n<h3>Introduction and Templates:<a id=\"\" class=\"hanbooktotop\" href=\"#top-section\"><i class=\"qode_icon_font_awesome fa fa-arrow-circle-up\"><\/i><span class=\"hanbooktotopspan\"> Top<\/span><\/a><\/h3>\n<p>On 25<sup>th<\/sup> May 2018 the European General Data Protection Regulation (GDPR) superseded the Data Protection Act 1998. GDPR updated data protection rules to be more appropriate to the modern digital age. 
Following the UK&#8217;s departure from the EU, the provisions of the EU GDPR have been incorporated directly into UK law as the\u00a0UK GDPR.<\/p>\n<p>UK GDPR gives more rights to individuals in the processing of their personal data which means that individuals can request access, corrections and removal of their personal information in ways that weren\u2019t available before.\u00a0 The UK GDPR requires clear evidence of consent from individuals and there is also a focus on transparency with <a href=\"https:\/\/bant.org.uk\/bant-professional-practice-handbook\/general-data-protection-regulation-gdpr\/#privacy-notices\" target=\"_blank\" rel=\"noopener noreferrer\">privacy notices<\/a> detailing how data will be used and a requirement for procedures documenting exactly how data will be processed and secured.<\/p>\n<p>Additionally, UK GDPR gives greater powers to the <a href=\"https:\/\/ico.org.uk\/\" target=\"_blank\" rel=\"noopener noreferrer\">ICO (Information Commissioner\u2019s Office)<\/a> to investigate organisations and breaches.\u00a0 The ICO have a\u00a0<a href=\"https:\/\/ico.org.uk\/media\/1624219\/preparing-for-the-gdpr-12-steps.pdf\" target=\"_blank\" rel=\"noopener noreferrer\">12 step plan<\/a>\u00a0to help businesses achieve compliance and also offer an\u00a0<a href=\"https:\/\/ico.org.uk\/global\/contact-us\/advice-service-for-small-organisations\/\" target=\"_blank\" rel=\"noopener noreferrer\">Advice Service<\/a>\u00a0and\u00a0<a href=\"https:\/\/ico.org.uk\/global\/contact-us\/live-chat\/\" target=\"_blank\" rel=\"noopener noreferrer\">Live Chat<\/a>.\u00a0 Anyone that processes personal information (i.e., all NTs) must register with the Information Commissioner\u2019s Office (ICO) and <a href=\"https:\/\/ico.org.uk\/for-organisations\/data-protection-fee\/\" target=\"_blank\" rel=\"noopener noreferrer\">pay the annual fee<\/a>.<\/p>\n<p>Members are advised to watch the <a href=\"https:\/\/www.youtube.com\/watch?v=7JwGqPQhH94\" target=\"_blank\" 
rel=\"noopener noreferrer\">BANT GDPR Webinar<\/a><u>,<\/u> which summarises the information provided here and will guide them through the steps they need to take to become UK GDPR compliant.<\/p>\n<p>BANT has produced the following UK GDPR Templates for a typical nutritional therapy business:<\/p>\n<ul>\n<li><a href=\"https:\/\/bant.org.uk\/bant\/content\/member\/pdf\/professionalPractice\/gdpr-documentation-controller-BANT_v3.xlsx\" target=\"_blank\" rel=\"noopener noreferrer\">GDPR Controller Document<\/a><\/li>\n<li><a href=\"https:\/\/bant.org.uk\/bant\/content\/member\/pdf\/professionalPractice\/GDPR_PrivacyNotice_NTBusiness.docx\" target=\"_blank\" rel=\"noopener noreferrer\">Privacy Notice<\/a><\/li>\n<li><a href=\"https:\/\/bant.org.uk\/bant\/content\/member\/pdf\/professionalPractice\/GDPR_ConsentsTemplate.docx\" target=\"_blank\" rel=\"noopener noreferrer\">Consents Form<\/a><\/li>\n<li><a href=\"https:\/\/bant.org.uk\/bant\/content\/member\/pdf\/professionalPractice\/GDPR_DataProtectionPolicy_NTBusiness.docx\" target=\"_blank\" rel=\"noopener noreferrer\">Data Protection Policy<\/a><\/li>\n<li><a href=\"https:\/\/bant.org.uk\/bant\/content\/member\/pdf\/professionalPractice\/GDPR_LIA-Template_v3.docx\" target=\"_blank\" rel=\"noopener noreferrer\">Legitimate Interest Assessment<\/a><\/li>\n<\/ul>\n<p>[\/vc_column_text][\/vc_column_inner][\/vc_row_inner][vc_separator type=&#8221;transparent&#8221; thickness=&#8221;30&#8243;][vc_row_inner row_type=&#8221;row&#8221; type=&#8221;full_width&#8221; text_align=&#8221;left&#8221; css_animation=&#8221;&#8221; anchor=&#8221;processing-data&#8221; el_class=&#8221;anchordiv&#8221;][vc_column_inner el_class=&#8221;anchor_col&#8221; css=&#8221;.vc_custom_1618397536613{padding-top: 30px !important;padding-right: 30px !important;padding-bottom: 30px !important;padding-left: 30px !important;}&#8221;][vc_column_text]<\/p>\n<h3>Processing Data:<a id=\"\" class=\"hanbooktotop\" href=\"#top-section\"><i 
class=\"qode_icon_font_awesome fa fa-arrow-circle-up\"><\/i><span class=\"hanbooktotopspan\"> Top<\/span><\/a><\/h3>\n<p><strong><b>What is Personal Data?<\/b><\/strong><\/p>\n<p>Personal data is defined as any information relating to a person who can be identified directly or indirectly.\u00a0 For example, name, phone number, email, address, date of birth, photographs and also online identifiers, such as IP addresses and cookies.\u00a0 Indirect information might include physical, physiological, genetic, mental, economic, cultural or social identities that can be linked back to a specific individual.<strong><b>\u00a0<\/b><\/strong><\/p>\n<p>NTs process health records which are classified as sensitive data or special category data and are deemed a higher risk than other personal data.\u00a0 It is therefore essential that appropriate procedures and technology are in place for the processing and securing of it. UK GDPR requires people to demonstrate how they will process and document personal data.<\/p>\n<p><strong><b>What is Anonymised Data?<\/b><\/strong><\/p>\n<p>Data which has been properly anonymised cannot be traced back to an individual in any way but can still be processed by organisations or individuals to conduct research. Fully anonymous data is not covered by UK GDPR as it contains no personal information to protect.<strong><b>\u00a0<\/b><\/strong><\/p>\n<p><strong><b>What is Pseudonymous Data?<\/b><\/strong><\/p>\n<p>Pseudonymisation is the processing of data in a way that it can no longer be linked to a specific data subject without the use of additional information that is held separately, for example by using a specific key or code. 
This can be an extra layer of security, but the data is still treated as \u2018personal data\u2019 under UK GDPR because of the possibility of personal identification.<\/p>\n<p><strong><b>Key Definitions<\/b><\/strong><\/p>\n<ul>\n<li><strong><b>Data subject<\/b><\/strong> \u2013 This is a term used to refer to an individual whose personal information is the data in question.<\/li>\n<li><strong><b>Processing <\/b><\/strong>\u2013 This refers to the collection, storing and transferring of personal data.<\/li>\n<li><strong><b>Profiling <\/b><\/strong>\u2013 This is something that is often done by larger organisations and involves automatic processing of personal information (often in large batches) to evaluate aspects of the individuals\u2019 behaviour and make decisions or take actions.<\/li>\n<li><strong><b>ICO <\/b><\/strong>\u2013 The Information Commissioner\u2019s Office is the UK\u2019s independent authority set up to uphold information rights in the public interest. In the Republic of Ireland, the Data Protection Commissioner holds a similar position.<\/li>\n<li><strong><b>Data Controller<\/b><\/strong> \u2013 This is the person within an organisation that decides what data is collected, how it is used and who it is shared with. This would be a self-employed NT.<\/li>\n<li><strong><b>Data Protection Officer<\/b><\/strong> \u2013 This role is required in certain circumstances, such as public authorities and those organisations dealing with large scale processing of sensitive data. 
This won\u2019t typically apply to NTs.<\/li>\n<li><strong><b>Data Processor<\/b><\/strong> \u2013 This refers to anyone, sometimes a third-party organisation or business (e.g., testing company), who processes data on the instruction of a Data Controller.<\/li>\n<\/ul>\n<p><strong><b>Principles of UK GDPR <\/b><\/strong><\/p>\n<p>UK GDPR legislation lays out six principles for the processing of personal data:<\/p>\n<ul>\n<li><strong><b>Lawfulness, fairness and transparency<\/b><\/strong> &#8211; This covers the primary areas of concern that data should be gathered and used in a way that is legal, fair and understandable. The public have the right to know what information is being gathered and have this corrected or removed.<\/li>\n<li><strong><b>Purpose limitation<\/b><\/strong> &#8211; Organisations should only use data for a legitimate purpose specified at the time of collection. This data should not be shared with third parties without permission.<\/li>\n<li><strong><b>Data minimisation<\/b><\/strong> &#8211; The data collected by organisations should be limited only to what is required for the purpose stated. Organisations should not collect data \u2018en masse\u2019 without purpose.<\/li>\n<li><strong><b>Accuracy<\/b><\/strong> &#8211; The personal data held must be accurate and kept up to date. If it is no longer accurate, it should be rectified or erased.<\/li>\n<li><strong><b>Storage limitation<\/b><\/strong> &#8211; Personal data must only be stored for as long as is necessary. Data can be archived securely and used for research purposes in the future. 
Where possible, the personally identifiable information should be removed to leave anonymous data.<\/li>\n<li><strong><b>Integrity and confidentiality &#8211;<\/b><\/strong> Personal data must be held in a safe and secure way that takes reasonable steps to ensure the security of this information and avoid accidental loss, misuse or destruction.<\/li>\n<\/ul>\n<p><strong>Identify what data is held and where that data came from<\/strong><\/p>\n<p>Members must know what personal data they hold and where it came from, including employees (where relevant) and clients.\u00a0This must be documented, and records kept of the different types of processing activity (i.e., how the personal data for categories of individuals, e.g., clients and employees). If data is shared with any third parties, for example GPs, testing laboratories or supplement companies, this must be recorded.<\/p>\n<p>If recommending a testing company or supplement company to a client, the NT is advised to read the company\u2019s terms of business which should be available on their website.\u00a0 If the NT has any queries with their terms of business and how they work in reference to UK GDPR, they should contact them.\u00a0 Otherwise, their terms of business is deemed to be the contract between themselves and those who choose to use them.<\/p>\n<p>The ICO has produced a <a href=\"https:\/\/ico.org.uk\/media\/for-organisations\/documents\/2172937\/gdpr-documentation-controller-template.xlsx\" target=\"_blank\" rel=\"noopener noreferrer\">spreadsheet template<\/a> that covers this, including:<\/p>\n<ul>\n<li>All types of personal data and special category data held (e.g., health and employment records)<\/li>\n<li>Associated processing activities<\/li>\n<li>Privacy notices<\/li>\n<li>Consents<\/li>\n<li>Access requests<\/li>\n<li>Data breaches<\/li>\n<\/ul>\n<p><em>BANT has developed<\/em>\u00a0<a 
href=\"https:\/\/bant.org.uk\/bant\/content\/member\/pdf\/professionalPractice\/gdpr-documentation-controller-BANT_v3.xlsx\" target=\"_blank\" rel=\"noopener noreferrer\">an example<\/a>\u00a0<em>of the ICO template for the types of personal data that could be held by a typical nutritional therapy business, which can be adapted to suit the practitioner\u2019s own business arrangements.<\/em><\/p>\n<p><strong>Identify and document the \u2018lawful basis\u2019 for processing data<\/strong><\/p>\n<p>To legally process data under UK GDPR, there must be a \u2018lawful basis\u2019 for doing so.\u00a0 The <a href=\"https:\/\/ico.org.uk\/media\/for-organisations\/documents\/2172937\/gdpr-documentation-controller-template.xlsx\" target=\"_blank\" rel=\"noopener noreferrer\">ICO template<\/a> includes a column to identify the lawful basis for processing each type of personal data listed.\u00a0 Below is an explanation of the 6 available lawful bases and at least one of these must apply when processing personal data.<\/p>\n<p><strong>The 6 Lawful Bases:<\/strong><\/p>\n<ol>\n<li><strong> Consent:\u00a0<\/strong>the individual has given clear consent for their personal data to be processed for a specific purpose.<\/li>\n<li><strong> Contract:\u00a0<\/strong>the processing is necessary for a contract between two parties or because they have asked for specific steps to be taken before entering into a contract.<\/li>\n<li><strong> Legal obligation:\u00a0<\/strong>the processing is necessary to comply with the law (not including contractual obligations).<\/li>\n<li><strong> Vital interests:\u00a0<\/strong>the processing is necessary to protect someone\u2019s life.<\/li>\n<li><strong> Public task:\u00a0<\/strong>the processing is necessary to perform a task in the public interest or for official functions, and the task or function has a clear basis in law.<\/li>\n<li><strong> Legitimate interests:\u00a0<\/strong>the processing is necessary for legitimate interests of one party 
unless there is a good reason to protect the individual\u2019s personal data which overrides those legitimate interests. For example, the data controller has deemed it is necessary to process the data in order to deliver the service (e.g., health data needed as part of an NT consultation) or it is reasonably expected as part of the service by the data subject (e.g., the client expects the data to be held to be able to do the consultation).<\/li>\n<\/ol>\n<p><strong>Deciding which Lawful Basis to use<\/strong><\/p>\n<p>There are a number of different criteria that provide a lawful basis to process and different lawful bases give different rights to individuals. For example, if relying on <strong><b>Consent<\/b><\/strong> as a lawful basis, individuals have stronger rights to have their data deleted.<\/p>\n<p>Processing data for the purposes of <strong><b>Legal Obligation,<\/b><\/strong> <strong><b>Contract, Vital Interests<\/b><\/strong> or <strong><b>Public Task<\/b><\/strong> can be quite clear cut; however, other lawful bases may be less so. 
In many cases there is likely to be a choice between using <strong><b>Legitimate Interests<\/b><\/strong> or <strong><b>Consent.<\/b><\/strong><\/p>\n<p>If using\u00a0<strong><b>Legitimate Interests<\/b><\/strong> as the lawful basis for processing the data, then\u00a0<em>the <u>practitioner must have control <\/u><\/em>over the processing, demonstrate that it is in line with people\u2019s reasonable expectations and that it wouldn\u2019t have an unwarranted impact on them.\u00a0 If using\u00a0<strong><b>Legitimate Interests,<\/b><\/strong> members must complete a\u00a0<a href=\"https:\/\/bant.org.uk\/bant-professional-practice-handbook\/general-data-protection-regulation-gdpr\/#legitimate-interests-assessment\" target=\"_blank\" rel=\"noopener noreferrer\">Legitimate Interests Assessment (LIA)<\/a><\/p>\n<p>If using\u00a0<strong>Consent<\/strong>\u00a0as the lawful basis for processing the data, then\u00a0<em><u>individuals have control<\/u><\/em>\u00a0over processing of their data (including changing or deleting it).\u00a0 Members need to keep a record of when and how consent was obtained and refresh it regularly.<\/p>\n<p><strong>A Nutritional Therapy Example for determining Lawful Bases<\/strong><\/p>\n<p>An NT wanting to process personal data will need to consider a variety of lawful bases depending on what they want to do with the data. By requesting clients complete a Nutritional Therapy Questionnaire (NTQ), they will be receiving and processing a lot of personal data.\u00a0 The NT may wish to use different parts of the NTQ for different purposes. 
For example,<\/p>\n<ul>\n<li>Using the health information as part of the consultation would be a\u00a0<strong>Legitimate<\/strong>\u00a0<strong>Interests<\/strong>\u00a0basis (i.e., needed for the purposes of the consultation).<\/li>\n<li>Using the contact information to send newsletters would be a\u00a0<strong>Consent<\/strong>\u00a0basis (i.e., consent is needed to use this personal data for this reason).<\/li>\n<\/ul>\n<p>An NT and client both sign a <a href=\"https:\/\/bant.org.uk\/bant-professional-practice-handbook\/forms-and-templates\/#terms-of-engagement-agreements\" target=\"_blank\" rel=\"noopener noreferrer\">Terms of Engagement<\/a> and hence this is personal data.\u00a0 This is a contract between the client and NT and therefore the <strong>Contract<\/strong>\u00a0basis would be the most relevant lawful basis for the processing of this data.<\/p>\n<p>How NTs manage the relationship with supplement and testing companies will affect which lawful basis will be used to process data.\u00a0 E.g., if passing on the client\u2019s contact details only then this could be considered <strong>Legitimate Interests <\/strong><strong>basis<\/strong><strong><b>,<\/b><\/strong> (e.g., it could be reasonably expected this would happen for the purpose of ordering supplements or tests as part of a consultation) however <strong>Consent<\/strong>\u00a0might be needed to share special category health data (e.g., would the client expect their data to be shared in this way?)<\/p>\n<p>The NT needs to consider which lawful basis best fits the circumstances. 
More than one basis may apply but all bases must be identified and documented.<strong>\u00a0 <\/strong>More information on Lawful Basis for Processing can be found on the\u00a0<a href=\"https:\/\/ico.org.uk\/for-organisations\/guide-to-the-general-data-protection-regulation-gdpr\/lawful-basis-for-processing\/?q=best+practice#ib3\" target=\"_blank\" rel=\"noopener noreferrer\">ICO website<\/a>.[\/vc_column_text][\/vc_column_inner][\/vc_row_inner][vc_separator type=&#8221;transparent&#8221; thickness=&#8221;30&#8243;][vc_row_inner row_type=&#8221;row&#8221; type=&#8221;full_width&#8221; text_align=&#8221;left&#8221; css_animation=&#8221;&#8221; anchor=&#8221;privacy-notices&#8221; el_class=&#8221;anchordiv&#8221;][vc_column_inner el_class=&#8221;anchor_col&#8221; css=&#8221;.vc_custom_1618397548620{padding-top: 30px !important;padding-right: 30px !important;padding-bottom: 30px !important;padding-left: 30px !important;}&#8221;][vc_column_text]<\/p>\n<h3>Privacy Notices:<a id=\"\" class=\"hanbooktotop\" href=\"#top-section\"><i class=\"qode_icon_font_awesome fa fa-arrow-circle-up\"><\/i><span class=\"hanbooktotopspan\"> Top<\/span><\/a><\/h3>\n<p>Being transparent and providing accessible information to individuals about how their personal data will be used and protected is a key element of UK GDPR. The most common way to provide this information is in a Privacy Notice.<\/p>\n<p><strong><b>What is a Privacy Notice?<\/b><\/strong><\/p>\n<p>Privacy Notice is a general term used to describe all the privacy information that is made available or provided to individuals when collecting information about them. 
This should be through a number of channels which the ICO refers to as a blended approach:<\/p>\n<ul>\n<li>A privacy notice page or document on a website<\/li>\n<li>Using website tools such as \u2018just in time\u2019 hover text providing relevant privacy information as the information is being entered<\/li>\n<li>Updating the client verbally at the beginning of the initial NT consultation and handing them a privacy notice document to take away with them<\/li>\n<li>Verbally communicating privacy information over the phone<\/li>\n<li>Including a privacy statement in an email when sending a Nutritional Therapy Questionnaire for completion by a client<\/li>\n<\/ul>\n<p>NTs need to make sure that their clients have read their privacy notice, perhaps by emailing this to them along with other documents prior to the initial meeting, as well as having it on their website. The NT must give clients an opportunity to discuss any queries they may have with the privacy notice at their first appointment. It is not sufficient to have it on a website and assume clients have read and understood it; they need to be given an opportunity to discuss it.<\/p>\n<p><strong><b>What is Fair Processing? <\/b><\/strong><\/p>\n<p>Fair processing of information is a key UK GDPR principle.\u00a0 Being transparent by providing a privacy notice is an important part of fair processing. Members must be honest and open about who they are and what they are going to do with the personal data they collect; however, this is only one element of fairness. Providing a privacy notice does not by itself mean that the processing is necessarily fair and the effect of the processing on the individuals concerned needs to be considered. Therefore, the main elements of fairness include:<\/p>\n<ul>\n<li>using information in a way that people would reasonably expect. 
For example, it is reasonable to expect that an NT would share contact details with a supplement company for the purposes of ordering supplements for a client, but it might not be expected that they\u2019d share sensitive personal data related to the case. The NT may want to undertake some research to understand a client\u2019s expectations about how their data will be used.<\/li>\n<li>thinking about the impact of the processing. Will it have unjustified adverse effects on them?<\/li>\n<li>being transparent and ensuring that people know how their information will be used. This means providing privacy notices or making them available, using the most appropriate mechanisms. In a digital context this can include all the online platforms used to deliver services.<\/li>\n<\/ul>\n<p><strong><b>What should be included in a Privacy Notice?<\/b><\/strong><\/p>\n<p>To cover all these elements, the NT needs to consider the following issues when planning a privacy notice:<\/p>\n<ul>\n<li>What information is being collected?<\/li>\n<li>Who is collecting it?<\/li>\n<li>How is it collected?<\/li>\n<li>Why is it being collected?<\/li>\n<li>How will it be used?<\/li>\n<li>Who will it be shared with?<\/li>\n<li>What will be the effect of this on the individuals concerned?<\/li>\n<li>Is the intended use likely to cause individuals to object or complain?<\/li>\n<\/ul>\n<p>Further information can be found in the ICO\u2019s guidance on the <a href=\"https:\/\/ico.org.uk\/for-organisations\/guide-to-data-protection\/guide-to-the-general-data-protection-regulation-gdpr\/individual-rights\/right-to-be-informed\/\" target=\"_blank\" rel=\"noopener noreferrer\">right to be informed<\/a>. 
See also the <a href=\"https:\/\/bant.org.uk\/bant\/content\/member\/pdf\/professionalPractice\/GDPR_PrivacyNotice_NTBusiness.docx\" target=\"_blank\" rel=\"noopener noreferrer\">BANT example Privacy Notice<\/a> for a typical NT business.[\/vc_column_text][\/vc_column_inner][\/vc_row_inner][vc_separator type=&#8221;transparent&#8221; thickness=&#8221;30&#8243;][vc_row_inner row_type=&#8221;row&#8221; type=&#8221;full_width&#8221; text_align=&#8221;left&#8221; css_animation=&#8221;&#8221; anchor=&#8221;consent&#8221; el_class=&#8221;anchordiv&#8221;][vc_column_inner el_class=&#8221;anchor_col&#8221; css=&#8221;.vc_custom_1618397548620{padding-top: 30px !important;padding-right: 30px !important;padding-bottom: 30px !important;padding-left: 30px !important;}&#8221;][vc_column_text]<\/p>\n<h3>Consent:<a id=\"\" class=\"hanbooktotop\" href=\"#top-section\"><i class=\"qode_icon_font_awesome fa fa-arrow-circle-up\"><\/i><span class=\"hanbooktotopspan\"> Top<\/span><\/a><\/h3>\n<p>Consent is one of the six lawful bases that can be used for processing personal data and practitioners must consider when it is appropriate to use consent as the legal basis and how to obtain, manage and refresh consents.<\/p>\n<p><strong><b>When to seek consent<\/b><\/strong><\/p>\n<p>Consent is appropriate if people can be offered real choice and control over how their data is used and to build their trust and engagement. However, if a genuine choice cannot be offered, consent is not appropriate. If consent is made a precondition of a service, it is unlikely to be the most appropriate lawful basis.<\/p>\n<p>For example, if asked for consent to share personal data with biochemical testing companies to be able to order a test or receive test results and this consent was refused, the NT wouldn\u2019t be able to provide this service to the client. 
Hence consent would be deemed to be a precondition of service and therefore not an appropriate lawful basis.\u00a0 It would be more appropriate to use <strong>Legitimate Interests<\/strong> as the legal basis as biochemical testing is an inherent part of providing nutritional therapy healthcare to the client.\u00a0 However, the NT can offer choice to the client for the sharing of their data with their GP or other healthcare providers and can still provide a service if this consent is refused.<\/p>\n<p>Typically, an NT will be using consent as the legal basis for the following:<\/p>\n<ul>\n<li>sharing sensitive personal data with other healthcare providers<\/li>\n<li>marketing and newsletters<\/li>\n<li>sharing case histories<\/li>\n<\/ul>\n<p>Most other activities will be covered by a different legal basis.<\/p>\n<p><strong>Seeking consent for sharing case histories<\/strong><\/p>\n<p>As part of fair processing, a client must be given a choice over whether their data is collected for the purpose of sharing case histories.\u00a0 This is important for maintaining trust with the client and BANT recommend explicit consent is sought to share clients\u2019 case histories.\u00a0 This applies even if removing the client\u2019s name, address and contact details from the case study.<\/p>\n<p><strong>How to ensure consent is valid<\/strong><\/p>\n<p>Consent must be freely given; this means giving people genuine ongoing choice and control over how their data is used. 
Consent must be obvious and require a positive action to opt in.\u00a0 Examples of opt-in mechanisms are:<\/p>\n<ul>\n<li>signing a consent statement on a paper form<\/li>\n<li>ticking an opt-in box on paper or electronically<\/li>\n<li>clicking an opt-in button or link online<\/li>\n<li>selecting from equally prominent yes\/no options<\/li>\n<li>choosing technical settings or preference dashboard settings<\/li>\n<li>responding to an email requesting consent<\/li>\n<li>answering yes to a clear oral consent request<\/li>\n<li>volunteering optional information for a specific purpose, e.g., filling optional fields in a form (combined with just-in-time notices) or dropping a business card into a box.<\/li>\n<\/ul>\n<p>Consent requests must be prominent, unbundled from other terms and conditions, concise and easy to understand, and user-friendly. Consent must specifically cover the data controller\u2019s name, the purposes of the processing and the types of processing activity. Explicit consent must be expressly confirmed in words, rather than by any other positive action.<\/p>\n<p><strong>Obtaining Consent<\/strong><\/p>\n<p>The following should be included in a consent request:<\/p>\n<ul>\n<li>the name of the organisation<\/li>\n<li>the name of any third-party controllers who will rely on the consent<\/li>\n<li>why the data is required<\/li>\n<li>what it will be used for<\/li>\n<li>that individuals can withdraw consent at any time<\/li>\n<\/ul>\n<p>Members must ask people to actively opt in. Don\u2019t use pre-ticked boxes, opt-out boxes or other default settings. Where possible, give separate (\u2018granular\u2019) options to consent to different purposes and different types of processing.<\/p>\n<p><strong>Managing Consents<\/strong><\/p>\n<p>Members must have an effective audit trail of how and when consent was given, to be able to provide evidence if challenged. 
For online consent, it may be possible to use an appropriate cryptographic hash function to support data integrity.\u00a0\u00a0 If this functionality isn\u2019t available, BANT recommend that NTs keep a spreadsheet with \u2018consent provided\u2019 against a client\u2019s name. It should include who consented, when, how, what, if and when they withdraw consent and a link to their signed and dated form that shows they ticked to provide their consent to the specific processing.\u00a0 If consent was given online, include the data submitted as well as a timestamp to link it to the relevant version of the data capture form.<\/p>\n<p><strong>Refreshing Consents<\/strong><\/p>\n<p>There is no set time limit for consent and how long it lasts will depend on the context. Consents must be kept under review and refreshed if anything changes. BANT recommend that NTs refresh consents for marketing and newsletters every 2 years.\u00a0 This is also a good opportunity to check that the correct information is held for people as keeping records up to date is an important part of UK GDPR.\u00a0 Consents for sharing with other healthcare providers would typically be expected to last the period of the healthcare.<\/p>\n<p><strong><b>Withdrawing Consent<\/b><\/strong><\/p>\n<p>Make it easy for people to withdraw consent at any time they choose by using preference-management tools, unsubscribe functionality or as a minimum provide an email address.<\/p>\n<p>Further information can be found in the <a href=\"https:\/\/ico.org.uk\/media\/about-the-ico\/consultations\/2013551\/draft-gdpr-consent-guidance-for-consultation-201703.pdf\" target=\"_blank\" rel=\"noopener noreferrer\">ICO\u2019s Draft Consent Guidance.<\/a>\u00a0 See also the <a href=\"https:\/\/bant.org.uk\/bant\/content\/member\/pdf\/professionalPractice\/GDPR_ConsentsTemplate.docx\" target=\"_blank\" rel=\"noopener noreferrer\">BANT example Consents Form<\/a> for a typical NT 
business.[\/vc_column_text][\/vc_column_inner][\/vc_row_inner][vc_separator type=&#8221;transparent&#8221; thickness=&#8221;30&#8243;][vc_row_inner row_type=&#8221;row&#8221; type=&#8221;full_width&#8221; text_align=&#8221;left&#8221; css_animation=&#8221;&#8221; anchor=&#8221;data-protection-policy&#8221; el_class=&#8221;anchordiv&#8221;][vc_column_inner el_class=&#8221;anchor_col&#8221; css=&#8221;.vc_custom_1618397548620{padding-top: 30px !important;padding-right: 30px !important;padding-bottom: 30px !important;padding-left: 30px !important;}&#8221;][vc_column_text]<\/p>\n<h3>Data Protection Policy:<a id=\"\" class=\"hanbooktotop\" href=\"#top-section\"><i class=\"qode_icon_font_awesome fa fa-arrow-circle-up\"><\/i><span class=\"hanbooktotopspan\"> Top<\/span><\/a><\/h3>\n<p>UK GDPR requires that the \u2018data controller\u2019 has appropriate data protection policies in place.\u00a0 BANT recommend that small NT businesses have a single Data Protection Policy that describes at a high level how UK GDPR is being complied with and who is responsible. 
It must be updated if business methods change.<\/p>\n<p>It might include sections on:<\/p>\n<ul>\n<li>types of personal data held<\/li>\n<li>responsibilities<\/li>\n<li>recording, storing and securing data<\/li>\n<li>transparency<\/li>\n<li>direct marketing<\/li>\n<li>managing consent<\/li>\n<li>Subject Access Requests<\/li>\n<li>transferring data internationally<\/li>\n<li>managing relationships with third party controllers<\/li>\n<li>reporting data breaches<\/li>\n<\/ul>\n<p>The Data Protection Policy is an internal policy and is not required to be published on websites.<\/p>\n<p>BANT has created an <a href=\"https:\/\/bant.org.uk\/bant\/content\/member\/pdf\/professionalPractice\/GDPR_DataProtectionPolicy_NTBusiness.docx\" target=\"_blank\" rel=\"noopener noreferrer\">example Data Protection Policy<\/a> for a typical NT business that can be adapted for members\u2019 own businesses.[\/vc_column_text][\/vc_column_inner][\/vc_row_inner][vc_separator type=&#8221;transparent&#8221; thickness=&#8221;30&#8243;][vc_row_inner row_type=&#8221;row&#8221; type=&#8221;full_width&#8221; text_align=&#8221;left&#8221; css_animation=&#8221;&#8221; anchor=&#8221;subject-access-requests&#8221; el_class=&#8221;anchordiv&#8221;][vc_column_inner el_class=&#8221;anchor_col&#8221; css=&#8221;.vc_custom_1618397548620{padding-top: 30px !important;padding-right: 30px !important;padding-bottom: 30px !important;padding-left: 30px !important;}&#8221;][vc_column_text]<\/p>\n<h3>Subject Access Requests:<a id=\"\" class=\"hanbooktotop\" href=\"#top-section\"><i class=\"qode_icon_font_awesome fa fa-arrow-circle-up\"><\/i><span class=\"hanbooktotopspan\"> Top<\/span><\/a><\/h3>\n<p><strong><b>What is a subject access request?<\/b><\/strong><\/p>\n<p>An individual has the right to receive confirmation that their data is being processed, access to their personal data and supplementary information (which should be the information provided in the privacy notice).<a 
name=\"_Toc511202191\"><\/a><\/p>\n<p><strong><b>Individuals\u2019 Rights<\/b><\/strong><\/p>\n<p>The UK GDPR provides the following rights for individuals:<\/p>\n<ol>\n<li>The right to be informed<\/li>\n<li>The right of access<\/li>\n<li>The right to rectification<\/li>\n<li><a href=\"https:\/\/bant.org.uk\/bant-professional-practice-handbook\/general-data-protection-regulation-gdpr\/#faqs\">The right to erasure<\/a>\u00a0(see DCS8 \u201cWhat is the legal basis for holding health information on individuals?\u201d)<\/li>\n<li>The right to restrict processing<\/li>\n<li>The right to data portability<\/li>\n<li>The right to object<\/li>\n<li>Rights in relation to automated decision making and profiling.<\/li>\n<\/ol>\n<p><strong><b>How to recognise a subject access request<\/b><\/strong><\/p>\n<p>The UK GDPR does not specify how to make a valid request. Therefore, an individual can make a request verbally or in writing and to anyone in an organisation. It does not need to be labelled as a \u2018subject access request\u2019 or refer to UK GDPR. As long as the individual has requested something that falls within one of the eight individual rights above, then this is a subject access request. BANT advise members to check with the requester that they have understood the request, to help avoid later disputes about how the request was interpreted. BANT also recommend keeping a log of verbal requests.<\/p>\n<p><strong><b>Charging a fee for dealing with a subject access request<\/b><\/strong><\/p>\n<p>A copy of the information must be provided free of charge. However, a \u2018reasonable fee\u2019 can be charged when a request is manifestly unfounded or excessive, particularly if it is repetitive.<\/p>\n<p>A reasonable fee can also be charged to comply with requests for further copies of the same information. 
This does not mean that all subsequent access requests can be charged.\u00a0 The fee must be based on the administrative cost of providing the information.<\/p>\n<p><strong><b>Length of time to provide the subject access request<\/b><\/strong><\/p>\n<p>Information must be provided without delay and at the latest within one month of receipt.<\/p>\n<p>The period of compliance can be extended by a further two months where requests are complex or numerous. If this is the case, the individual must be informed within one month of the receipt of the request with an explanation as to why the extension is necessary.<\/p>\n<p><strong><b>How to provide the information<\/b><\/strong><\/p>\n<p>The identity of the person making the request must be verified, using \u2018reasonable means\u2019.<\/p>\n<p>If the request is made electronically, the information should be provided in a commonly used electronic format. Ensure that the data is transmitted in a secure manner.<\/p>\n<p><strong><b>Extract from Data Protection Policy on dealing with subject access requests<\/b><\/strong><\/p>\n<p><em><strong>&lt;MyNTBusiness&gt;<\/strong><\/em> will provide an individual with a copy of the information requested, free of charge. This will occur within one month of receipt. We endeavour to provide data subjects access to their information in commonly used electronic formats.<\/p>\n<p>If complying with the request is complex or numerous, the deadline can be extended by two months, but the individual will be informed within one month.<\/p>\n<p>We can refuse to respond to certain requests, and can, in circumstances of the request being manifestly unfounded or excessive, charge a fee. If the request is for a large quantity of data, we can request the individual specify the information they are requesting.<\/p>\n<p>Once a subject access request has been made, we will not change or amend any of the data that has been requested. 
Doing so is a criminal offence.[\/vc_column_text][\/vc_column_inner][\/vc_row_inner][vc_separator type=&#8221;transparent&#8221; thickness=&#8221;30&#8243;][vc_row_inner row_type=&#8221;row&#8221; type=&#8221;full_width&#8221; text_align=&#8221;left&#8221; css_animation=&#8221;&#8221; anchor=&#8221;information-security&#8221; el_class=&#8221;anchordiv&#8221;][vc_column_inner el_class=&#8221;anchor_col&#8221; css=&#8221;.vc_custom_1618397548620{padding-top: 30px !important;padding-right: 30px !important;padding-bottom: 30px !important;padding-left: 30px !important;}&#8221;][vc_column_text]<\/p>\n<h3>Information Security:<a id=\"\" class=\"hanbooktotop\" href=\"#top-section\"><i class=\"qode_icon_font_awesome fa fa-arrow-circle-up\"><\/i><span class=\"hanbooktotopspan\"> Top<\/span><\/a><\/h3>\n<p>The UK GDPR requires personal data to be processed securely, but this is not a new data protection obligation. It replaces and mirrors the previous requirement to have \u2018appropriate technical and organisational measures\u2019 under the Data Protection Act 1998. 
\u00a0However, the UK GDPR provides more specifics about the security of the processing, how information risk is assessed and how appropriate security measures are put in place.<\/p>\n<p><strong><b>Security of processing<\/b><\/strong><\/p>\n<p>Members must have appropriate security to prevent the personal data held being accidentally or deliberately compromised.\u00a0 This could be cybersecurity (the protection of networks and information systems from attack) or physical measures.<\/p>\n<p>As well as protecting the way data is transmitted and stored, the security measures must also seek to ensure \u2018confidentiality, integrity and availability\u2019 meaning:<\/p>\n<ul>\n<li>the data can be accessed, altered, disclosed or deleted only by those authorised to do so<\/li>\n<li>the data held is accurate and complete in relation to why it is being processed<\/li>\n<li>the data remains accessible and usable, i.e., if personal data is accidentally lost, altered or destroyed, it can be recovered, therefore preventing any damage or distress to the individuals concerned.<\/li>\n<\/ul>\n<p><strong><b>Assess your information risk<\/b><\/strong><\/p>\n<p>The UK GDPR does not define the security measures that should be in place but requires a level of security that is \u2018appropriate\u2019 to the risks presented by the processing.\u00a0 This must be considered in relation to the state of the art and costs of implementation, as well as the nature, scope, context and purpose of the processing.<\/p>\n<p>Before deciding what measures are appropriate, the information risk must be assessed. 
The personal data held, and the way it is used, must be reviewed to assess how valuable, sensitive or confidential it is, as well as the damage or distress that may be caused if the data was compromised.<\/p>\n<p>Consider what data the NT business holds and the impact of it if compromised.\u00a0 The contact data used for ordering supplements may be considered low risk, whilst high risk information might be clinical notes and nutritional therapy questionnaires (containing special category health data) which would have much higher impact if compromised.<\/p>\n<p>Other factors must be taken into account such as:<\/p>\n<ul>\n<li>the nature and extent of the organisation\u2019s premises and computer systems<\/li>\n<li>the number of staff and the extent of their access to personal data<\/li>\n<li>any personal data held or used by a data processor acting on behalf of someone else<strong><b>\u00a0<\/b><\/strong><\/li>\n<\/ul>\n<p><strong><b>What technical measures to take (both physical and computer)<\/b><\/strong><\/p>\n<p>Technical measures are sometimes thought of as the protection of personal data held in computers and networks. Whilst these are of obvious importance, many security incidents can be due to the theft or loss of equipment, the abandonment of old computers or hard-copy records being lost, stolen or incorrectly disposed of. 
Technical measures therefore include both physical and computer or IT security.<\/p>\n<p>When considering physical security, the factors to consider include:<\/p>\n<ul>\n<li>the quality of doors and locks, and the protection of the premises by alarms, security lighting or CCTV<\/li>\n<li>how access to the premises is controlled and how visitors are supervised<\/li>\n<li>how paper and electronic waste is disposed of<\/li>\n<li>how IT equipment, particularly mobile devices, are kept secure.<\/li>\n<\/ul>\n<p>In the IT context, technical measures may sometimes be referred to as \u2018cybersecurity\u2019.\u00a0 When considering cybersecurity, factors to consider include:<\/p>\n<ul>\n<li>system security \u2013 the security of the network and information systems, including those which process personal data<\/li>\n<li>data security \u2013 the security of the data held within the systems, e.g., ensuring appropriate access controls are in place and that data is held securely<\/li>\n<li>online security \u2013 e.g., the security of the website and any other online service or application used<\/li>\n<li>device security \u2013 e.g., the security of mobile phones and tablets<\/li>\n<\/ul>\n<p>The following must be considered:<\/p>\n<ul>\n<li>appropriate cybersecurity measures for the size and use of the network and information systems<\/li>\n<li>the state of technological development, but considering the costs of implementation<\/li>\n<li>appropriate security to the business practices. 
For example, if working in somebody else\u2019s premises or clinic, measures must be put in place to ensure security is not compromised<\/li>\n<li>measures must be appropriate to the nature of the personal data held and the harm that might result from any compromise.<\/li>\n<\/ul>\n<p>Information security will be specific to each particular set-up.\u00a0 Greater security must be provided for special category data and for data transferred internationally, both of which would be deemed high risk.<\/p>\n<p><strong><b>Practical Hints and Tips for NT businesses<\/b><\/strong><\/p>\n<p>Below are some practical hints and tips for NT businesses when implementing security measures.<\/p>\n<p><strong><b>1. Assess the cybersecurity of systems and devices.<\/b><\/strong><\/p>\n<p>Use the checklist in this cybersecurity guide to assess cybersecurity for things such as firewalls, malware, anti-virus, security settings, etc.: <a href=\"https:\/\/www.cyberessentials.ncsc.gov.uk\/advice\/\" target=\"_blank\" rel=\"noopener noreferrer\">https:\/\/www.cyberessentials.ncsc.gov.uk\/advice\/<\/a>. Protect devices with appropriate security software.<\/p>\n<p><strong><b>2. Protect data stored on computer(s) by using strong passwords and encryption.<\/b><\/strong><\/p>\n<ul>\n<li><u>Strong passwords<\/u> must be changed regularly. A password manager can be used to create and store passwords. 
There are many password generators &#8211; <a href=\"https:\/\/identitysafe.norton.com\/password-generator?product=Norton%20360&amp;version=22.12.1.15&amp;plang=sym:EN&amp;layouttype=Retail&amp;buildname=Retail&amp;heartbeatID=C4DEEB4A-584E-4448-9AF7-06EFDD51A1DC&amp;eapenabled=false&amp;env=prod&amp;vendorid=1000350&amp;plid=81&amp;plgid=4&amp;skup=21168297&amp;skum=21376863&amp;skuf=21137994&amp;endpointid=C4DEEB4A-584E-4448-9AF7-06EFDD51A1DC&amp;partnerid=1000350&amp;lic_type=2&amp;lic_attr=17059858&amp;psn=DDJC3C2RV2BG&amp;puid=5060&amp;templatecat=SBU_W_1000_5039_N360_Retail_2&amp;schemacat=SBU_W&amp;schemaver=1.0.0.0&amp;olpchannel=RETAIL&amp;remdays=216&amp;osvers=10.0&amp;oslocale=iso:GBR&amp;oslang=iso:ENG&amp;os=windows\" target=\"_blank\" rel=\"noopener noreferrer\">Norton<\/a> provides a free one.<\/li>\n<li>Special category data (e.g., health records) stored on a computer must be further protected by <u>encryption<\/u>. There are a large number of encryption tools available, which can be used to encrypt data locally. It may be easier to encrypt the entire hard disk using system tools:\n<ul>\n<li>Windows users can use Microsoft\u2019s BitLocker software (Control Panel &gt; System and Security &gt; BitLocker Drive Encryption)<\/li>\n<li>Mac users can use <a href=\"https:\/\/support.apple.com\/en-us\/HT204837\" target=\"_blank\" rel=\"noopener noreferrer\">FileVault 2<\/a>.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p><strong><b>3. Protect data stored on CDs or USB drives by encryption or password protection and lock away securely when not in use<\/b><\/strong>.<\/p>\n<p>USB drives can be encrypted using BitLocker and FileVault as above.<\/p>\n<p><strong><b>4. Back up data regularly.<\/b><\/strong><\/p>\n<p>Ensure the backup drive is encrypted or password protected as above and locked away securely.<\/p>\n<p><strong><b>5. 
Check that cloud drives used to store personal data comply with UK GDPR principles and meet security requirements.<\/b><\/strong><\/p>\n<p>Services such as Microsoft OneDrive and Dropbox use encryption software to protect files on the web and in transit.\u00a0 Once downloaded to a computer or device, files are decrypted, which is why it is important to separately encrypt the computer\u2019s hard drive.\u00a0 Also consider two-factor authentication to provide further security for access to special category data on computers or devices.<\/p>\n<p><strong><b>6. Check cloud-based services\/software comply with UK GDPR principles and meet security requirements.<\/b><\/strong><\/p>\n<p>These may include appointment calendars, diet plan software and other apps which store personal data.\u00a0 In terms of UK GDPR, RNTPs will typically be the data controller (i.e., in control of the data) and the cloud service provider will be a processor (i.e., they just provide the tool for use and have no influence on the data itself). Hence it is the NT\u2019s responsibility to ensure that the service used is UK GDPR compliant and has appropriate security, particularly where special category data is involved. This should involve a contract between the data controller and the processor, which is usually stated in the provider\u2019s terms of business.\u00a0 The privacy notice should include details of any cloud-based services used and for what purpose.<\/p>\n<p><strong><b>7. 
Encrypt emails containing personal data.<\/b><\/strong><\/p>\n<p>If transmitting special category data such as health plans by email, encryption must be considered, either of the file attachment or of the whole email.<\/p>\n<ul>\n<li>Email encryption: Microsoft Outlook enables emails to be encrypted; however, both sender and recipient must have set up digital IDs first, as explained <a href=\"https:\/\/support.office.com\/en-us\/article\/get-a-digital-id-0eaa0ab9-b8a2-4a7e-828b-9bded6370b7b\" target=\"_blank\" rel=\"noopener noreferrer\">here<\/a>.<\/li>\n<li>File encryption: Microsoft provide an \u2018encrypt with password\u2019 function in the file menu; Adobe Acrobat can also encrypt PDFs with a password.\u00a0 Files can also be encrypted separately using an application such as <a href=\"https:\/\/www.7-zip.org\/\" target=\"_blank\" rel=\"noopener noreferrer\">7-Zip<\/a> or <a href=\"https:\/\/www.axcrypt.net\/\" target=\"_blank\" rel=\"noopener noreferrer\">AxCrypt<\/a>.<\/li>\n<li>A cloud service can be used and the client provided with access to the particular folder so that they can log in and access their files.<\/li>\n<\/ul>\n<p><strong><b>8. Secure printed documents and shred after use. 
<\/b><\/strong><\/p>\n<p>Documents must be kept in a secure place where unauthorised personnel cannot access them and shredded when they are no longer needed.[\/vc_column_text][\/vc_column_inner][\/vc_row_inner][vc_separator type=&#8221;transparent&#8221; thickness=&#8221;30&#8243;][vc_row_inner row_type=&#8221;row&#8221; type=&#8221;full_width&#8221; text_align=&#8221;left&#8221; css_animation=&#8221;&#8221; anchor=&#8221;legitimate-interests-assessment&#8221; el_class=&#8221;anchordiv&#8221;][vc_column_inner el_class=&#8221;anchor_col&#8221; css=&#8221;.vc_custom_1618397548620{padding-top: 30px !important;padding-right: 30px !important;padding-bottom: 30px !important;padding-left: 30px !important;}&#8221;][vc_column_text]<\/p>\n<h3>Legitimate Interests Assessment:<a id=\"\" class=\"hanbooktotop\" href=\"#top-section\"><i class=\"qode_icon_font_awesome fa fa-arrow-circle-up\"><\/i><span class=\"hanbooktotopspan\"> Top<\/span><\/a><\/h3>\n<p>Legitimate interests is one of the six lawful bases for processing personal data. The <a href=\"https:\/\/bant.org.uk\/bant\/content\/member\/pdf\/professionalPractice\/gdpr-documentation-controller-BANT_v3.xlsx\" target=\"_blank\" rel=\"noopener noreferrer\">BANT Document Controller spreadsheet example<\/a> for a typical NT business identified a number of types of personal data that would use legitimate interest as the lawful basis for processing.\u00a0 Where legitimate interest is used as the lawful basis, it requires a Legitimate Interest Assessment (LIA) to justify its use.<\/p>\n<p><strong><b>Using Legitimate Interest as the Lawful Basis<\/b><\/strong><\/p>\n<p>Legitimate interests is different to the other lawful bases as it is not centred around a particular purpose (e.g. performing a contract with the individual, complying with a legal obligation, protecting vital interests or carrying out a public task), and it is not processing that the individual has specifically agreed to (consent). 
Legitimate interests is more flexible and could in principle apply to any type of processing for any reasonable purpose.<\/p>\n<p>If relying on legitimate interests, members need to document their assessment of how it applies to the particular processing and ensure that they can justify their decision if necessary.\u00a0 The key elements of the legitimate interests provision can be broken down into a three-part test.\u00a0 Members must be able to satisfy all three parts of the test prior to commencing their processing.<\/p>\n<ul>\n<li><strong><b>Purpose test<\/b><\/strong>\u00a0\u2013 is there a legitimate interest behind the processing?<\/li>\n<li><strong><b>Necessity test<\/b><\/strong>\u00a0\u2013 is the processing necessary for that purpose?<\/li>\n<li><strong><b>Balancing test<\/b><\/strong>\u00a0\u2013 is the legitimate interest overridden by the individual\u2019s interests, rights or freedoms?<\/li>\n<\/ul>\n<p>Each category of personal data where you have identified legitimate interest as the legal basis needs to be assessed against the three-part test, and the outcome documented to demonstrate that legitimate interests applies. 
This is referred to as a \u2018Legitimate Interests Assessment\u2019 or LIA.<\/p>\n<p>An LIA is a type of light-touch risk assessment based on the specific context and circumstances of the processing.\u00a0 The LIA and the outcome must be recorded.<\/p>\n<p>BANT has produced a <a href=\"https:\/\/bant.org.uk\/bant\/content\/member\/pdf\/professionalPractice\/GDPR_LIA-Template_v3.docx\" target=\"_blank\" rel=\"noopener noreferrer\">template LIA<\/a> for a typical nutritional therapy business that can be adapted by members and includes further guidance on completing the three tests.\u00a0 BANT has also produced a <a href=\"https:\/\/bant.org.uk\/bant\/content\/member\/pdf\/professionalPractice\/GDPR_LIA-Example_v3.docx\" target=\"_blank\" rel=\"noopener noreferrer\">completed example<\/a> for health records and clinic notes.\u00a0 An LIA must be completed for each category of personal data that uses legitimate interest as the legal basis.<\/p>\n<p><strong><b>Data Protection Impact Assessments (DPIA)<\/b><\/strong><\/p>\n<p>A <a href=\"https:\/\/ico.org.uk\/for-organisations\/guide-to-the-general-data-protection-regulation-gdpr\/accountability-and-governance\/data-protection-impact-assessments\/\" target=\"_blank\" rel=\"noopener noreferrer\">Data Protection Impact Assessment (DPIA)<\/a> is a more in-depth risk assessment than an LIA and will be required for certain listed types of processing, or any other processing that is likely to result in a high risk to individuals\u2019 interests.<\/p>\n<p>Particularly relevant for NTs is the processing of genetic data which will require a complete DPIA for this category of data. 
The ICO\u2019s <a href=\"https:\/\/ico.org.uk\/for-organisations\/guide-to-the-general-data-protection-regulation-gdpr\/accountability-and-governance\/data-protection-impact-assessments\/\" target=\"_blank\" rel=\"noopener noreferrer\">screening checklist<\/a> can be used to help decide when to do a DPIA.[\/vc_column_text][\/vc_column_inner][\/vc_row_inner][vc_separator type=&#8221;transparent&#8221; thickness=&#8221;30&#8243;][vc_row_inner row_type=&#8221;row&#8221; type=&#8221;full_width&#8221; text_align=&#8221;left&#8221; css_animation=&#8221;&#8221; anchor=&#8221;data-breaches&#8221; el_class=&#8221;anchordiv&#8221;][vc_column_inner el_class=&#8221;anchor_col&#8221; css=&#8221;.vc_custom_1618397548620{padding-top: 30px !important;padding-right: 30px !important;padding-bottom: 30px !important;padding-left: 30px !important;}&#8221;][vc_column_text]<\/p>\n<h3>Data Breaches:<a id=\"\" class=\"hanbooktotop\" href=\"#top-section\"><i class=\"qode_icon_font_awesome fa fa-arrow-circle-up\"><\/i><span class=\"hanbooktotopspan\"> Top<\/span><\/a><\/h3>\n<p>A data breach is a security incident where information is accessed and\/or shared without authorisation, affecting the confidentiality or integrity of that information.\u00a0 For example, this could happen if a computer or email account was hacked. If a data breach occurs (see further examples below) and a client\u2019s personal information and data have been compromised, members must immediately contact the Information Commissioner\u2019s Office (ICO) for advice; for further information see the <a href=\"https:\/\/ico.org.uk\/for-organisations\/report-a-breach\/\" target=\"_blank\" rel=\"noopener noreferrer\">ICO website<\/a>. 
Members are also advised to speak with their insurance company, who may be able to offer legal support.<\/p>\n<p>NTs must inform clients of what has happened by emailing them to explain the situation and let them know what personal data has been breached.\u00a0 They should explain how processes for storing client data will be changed moving forward, to demonstrate a full commitment to protecting their data and to try to prevent a similar situation from happening again. The insurance company should be able to advise on this.<\/p>\n<p><strong><b>Examples<\/b><\/strong><\/p>\n<ul>\n<li>Forwarding a standard enquiry response to the wrong client by accidentally clicking on the wrong email address. No sensitive information was included in the email because it was a standard response, but the email address would have been visible to the other client.<\/li>\n<\/ul>\n<ul>\n<li>Sending a bulk email using \u2018to\u2019 or \u2018cc\u2019, but where \u2018bcc\u2019 (blind carbon-copy) should have been used to prevent email addresses being seen.<\/li>\n<\/ul>\n<ul>\n<li>A virus or malware attack on a computer.<\/li>\n<\/ul>\n<ul>\n<li>Loss or theft of a client\u2019s hardcopy file.<\/li>\n<\/ul>\n<p>[\/vc_column_text][\/vc_column_inner][\/vc_row_inner][vc_separator type=&#8221;transparent&#8221; thickness=&#8221;30&#8243;][vc_row_inner row_type=&#8221;row&#8221; type=&#8221;full_width&#8221; text_align=&#8221;left&#8221; css_animation=&#8221;&#8221; anchor=&#8221;faqs&#8221; el_class=&#8221;anchordiv&#8221;][vc_column_inner el_class=&#8221;anchor_col&#8221; css=&#8221;.vc_custom_1618397548620{padding-top: 30px !important;padding-right: 30px !important;padding-bottom: 30px !important;padding-left: 30px !important;}&#8221;][vc_column_text]<\/p>\n<h3>FAQs:<a id=\"\" class=\"hanbooktotop\" href=\"#top-section\"><i class=\"qode_icon_font_awesome fa fa-arrow-circle-up\"><\/i><span class=\"hanbooktotopspan\"> Top<\/span><\/a><\/h3>\n<p><strong>GDPR DOCUMENTATION CONTROLLER 
SPREADSHEET (DCS)<\/strong><\/p>\n<p><strong>DCS1.\u00a0In the \u201clink to retention and erasure policy document\u201d, should I include this policy in my privacy notice document, or do I need a separate document to specify this?<\/strong><\/p>\n<p>Your policy should mirror the <a href=\"https:\/\/bant.org.uk\/bant-professional-practice-handbook\/consultation-documentation-and-practices\/#storing-and-deleting-client-records\" target=\"_blank\" rel=\"noopener\">requirements for file retention<\/a>\u00a0and any special measures you put in place to meet these requirements.\u00a0 It doesn\u2019t need to be included in your privacy notice but could theoretically be requested.<\/p>\n<p><strong>DCS2. In the \u201clink to record of consent\u201d column, would agreeing to the Terms of Engagement suffice as \u201cconsent to share with health practitioner\u201d?<\/strong><\/p>\n<p>No, this would not be appropriate, please see the information on <a href=\"https:\/\/bant.org.uk\/bant-professional-practice-handbook\/general-data-protection-regulation-gdpr\/#consent\" target=\"_blank\" rel=\"noopener noreferrer\">Consent<\/a>. 
Consent needs to be explicit, not embedded in terms.\u00a0 The BANT Terms of Engagement has had the consent to contact a GP removed.<\/p>\n<p><strong>DCS3.\u00a0The BANT NT example row 23 makes reference to cookies (column E) and in column G that there should be a contract between the NT and the web service provider \u2013 by a contract is it suggesting that we need wording from the web provider how they use cookies and IP address information and that personal data is not collected (column J)?<\/strong><\/p>\n<p>With regard to a web provider (service provider), they should have a terms of business on their website, which you should review, contacting them if you have any queries.\u00a0 This terms of business is deemed to be a contract.\u00a0 This should include reference to cookies and IP addresses.<\/p>\n<p>A web provider\/service provider is different to a web developer, who is someone you would enter into a contract with to develop your website.<\/p>\n<p><strong>DCS4. When a new client comes along do we fill in the spreadsheet given by BANT to break down how we\u2019re using their information \u2013 and this is legitimate interest \u2013 so we don\u2019t need to tell the client we\u2019re doing this?<\/strong><\/p>\n<p>The spreadsheet needs to be filled in for each category of data; it is not something you do per client.\u00a0 Please refer to the BANT template on this.\u00a0 No, not all data you process will be Legitimate Interest; some will need Consent, and others are Contract (as the Terms of Engagement is).\u00a0 The BANT template spreadsheet is a good example to follow to enhance your understanding.\u00a0 Please note, even if you use legitimate interest as your legal basis, you must still tell your client how you will process their data.<\/p>\n<p><strong>DCS5. 
Do we have to keep one spreadsheet per client or we add all clients to the spreadsheet?<\/strong><\/p>\n<p>The spreadsheet should be completed with details of the different categories of data that you hold. It is not a requirement to complete with any individual names.\u00a0 We suggest you refer to the BANT template\u00a0<a href=\"https:\/\/bant.org.uk\/bant\/content\/member\/pdf\/professionalPractice\/gdpr-documentation-controller-BANT_v3.xlsx\" target=\"_blank\" rel=\"noopener noreferrer\">GDPR Controller Document<\/a>.<\/p>\n<p><strong>DCS6. My question is about the suppliers we all use and provide client details to \u2013 supplement and health testing companies. I\u2019m wondering whether we need to get assurance from them that they are storing\/using data in line with UK GDPR?<\/strong><\/p>\n<p>When you recommend the use of a testing company or supplement company to a client, whether you order the tests\/supplements on behalf of the client or they order themselves, you should first read the company\u2019s terms of business which you should find on their website.\u00a0 If you have any queries with their terms of business and how they work in reference to UK GDPR, you should contact them.\u00a0 Otherwise their terms of business is deemed to be the contract between themselves and those who choose to use them.<\/p>\n<p><strong>DCS7. Have you developed a Processing Agreement template to be used with our suppliers like supplement companies, invoicing subcontractors etc. I can\u2019t seem to find it.<\/strong><\/p>\n<p>When you work with a testing company or other third party, you should first read the company\u2019s terms of business which you should find on their website.\u00a0 If you have any queries with their terms of business and how they work in reference to UK GDPR, you should contact them.\u00a0 Otherwise their terms of business is deemed to be the contract between themselves and those who choose to use them.<\/p>\n<p><strong>DCS8. 
What is the legal basis for holding health information on individuals?<\/strong><\/p>\n<p>BANT has discussed this with their insurers and have concluded that the most appropriate legal basis for the holding of the client\u2019s files for the required retention period is legitimate interest.<\/p>\n<p>There are provisions under the UK GDPR with regards to keeping records to defend yourself in a claim situation (when you can refuse to comply with the <a href=\"https:\/\/ico.org.uk\/for-organisations\/guide-to-data-protection\/guide-to-the-general-data-protection-regulation-gdpr\/individual-rights\/right-to-erasure\/\" target=\"_blank\" rel=\"noopener noreferrer\">right to erasure<\/a>) which clearly give you the right to hold your client records within the guidance period of your registrant and professional association.\u00a0 Therefore, the legal basis for you to retain the files is legitimate interest in order for you to defend yourself.<\/p>\n<p>&nbsp;<\/p>\n<p><strong><b>DATA PROTECTION POLICY (DP)<\/b><\/strong><\/p>\n<p><strong>DP1.\u00a0Do I give my Data Protection Policy to my clients or can I just put it on my website?<\/strong><\/p>\n<p>The Data Protection Policy is an internal document, not one that you would share with clients.\u00a0 A Data Protection Policy defines you\/your company\u2019s policy to ensure that you are UK GDPR compliant.\u00a0 This policy, once written needs to be fully implemented.\u00a0 It should be regularly reviewed to ensure that any changes to the company have been reviewed with regard to UK GDPR compliance.<\/p>\n<p><strong>DP2. As a sole trader should I use my name or business name in the data protection policy?<\/strong><\/p>\n<p>You can use either your business name or personal name (if you have both) whichever is most relevant for the particular documentation in question.<\/p>\n<p><strong>DP3. 
Looking at the Data Protection Document, can I delete references that don\u2019t apply to my business?<\/strong><\/p>\n<p>The Policy needs to reflect your own business.\u00a0 If certain parts are not relevant to your business then it is fine to delete them.<\/p>\n<p><strong>DP4. I have had a request from a client to shred her file.\u00a0 Her last appointment was in 2017, so not outside the eight-year period.\u00a0 I would appreciate your guidance.<\/strong><\/p>\n<p>You cannot shred client files within the guideline period, i.e., within 8 years after the date of her\/his last appointment if the client was an adult at the time of the initial consultation. Guidelines differ for children and young adults.<\/p>\n<p>Please explain to your client that the <a href=\"https:\/\/bant.org.uk\/bant-professional-practice-handbook\/consultation-documentation-and-practices\/#storing-and-deleting-client-records\" target=\"_blank\" rel=\"noopener\">guidelines relating to file retention<\/a> that our members follow with regard to Data Protection are as detailed in the BANT Professional Practice Handbook and that these are the same guidelines as detailed in the Complementary and Natural Healthcare Council\u2019s Codes of Conduct, Ethics and Performance, the Registrant body of NTs which can be accessed via the <a href=\"https:\/\/www.cnhc.org.uk\/\" target=\"_blank\" rel=\"noopener\">CNHC website<\/a>.\u00a0 These are set as per professional standards.\u00a0 You may also state that it is a requirement of your insurance that records are kept for 7 years following the last consultation.\u00a0 This is related to the time when an individual can bring about a claim in the UK which is six years (Statute of Limitations).\u00a0\u00a0 Retention details vary if the client is a minor at the start of the consultation process.<\/p>\n<p>There are provisions under UK GDPR with regards to keeping records to defend yourself in a claim situation which clearly give you the right to hold your client
records within the guidance period of your registrant and professional association.\u00a0 \u00a0Please refer to the <a href=\"https:\/\/ico.org.uk\/for-organisations\/guide-to-data-protection\/guide-to-the-general-data-protection-regulation-gdpr\/individual-rights\/right-to-erasure\/\" target=\"_blank\" rel=\"noopener\">right to erasure<\/a>.<\/p>\n<p><strong>DP5. I work in a number of different healthcare professions; do I need to have different paperwork for each one?<\/strong><\/p>\n<p>No, your UK GDPR paperwork is related to your business as a whole.<\/p>\n<p><strong>DP6. Do we need to register with the ICO and pay a \u00a340 fee?<\/strong><\/p>\n<p>Yes, you do need to register with the ICO as you are processing personal and special category data.<\/p>\n<p>&nbsp;<\/p>\n<p><strong><b>CONSENT (C)<\/b><\/strong><\/p>\n<p><strong>C1. Would it suffice to have the consent form built into my website and make reference to it in the initial email client request\/booking. Do I physically need a signature?<\/strong><\/p>\n<p>Any consents you need should be on the Consents Form or on a Terms of Engagement.\u00a0 The BANT Terms of Engagement is a Contract (Legal Basis) between the NT and client.<\/p>\n<p>It is not enough to just refer your client to the website. Clients need to fully understand how their data will be used (Privacy Notice) and what they are consenting to (Consent Form). \u00a0 You must have a clear reference to anything the client is consenting to where consent is used as the Legal Basis for that specific use of their data, it must not be just \u2018assumed\u2019.\u00a0 There are various methods that can be used re obtaining consent as explained in the Consent section.<\/p>\n<p><strong>C2. Do I need consent in order to send out regular mailings by email to individuals?<\/strong><\/p>\n<p>You have two options regarding consent:<\/p>\n<ul>\n<li>You seek specific consent. 
You need to have a record for anyone you send a newsletter to that has given you specific consent to do so.\u00a0 \u00a0You need an effective audit trail if challenged. We also recommend that consents for newsletters are refreshed every two years.<\/li>\n<li>An exception to the above is available for existing customers, known as the \u2018soft opt-in\u2019. This means you can send marketing texts or emails if:<\/li>\n<li style=\"list-style-type: none;\">\n<ul>\n<li>You have obtained the contact details in the course of a sale (or negotiations for a sale) of a product or service to that person<\/li>\n<li>You are only marketing your own similar products or services and<\/li>\n<li>You gave the person a simple opportunity to refuse or opt out of the marketing, both when first collecting the details and in every message after that.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p><strong>C3. Do we have to get the Consents Form signed by existing clients, is there an option for the existing client to reply just saying yes they agree?<\/strong><\/p>\n<p>Consent should be obvious and require a positive action to opt-in.\u00a0 Examples of opt-in mechanism are:<\/p>\n<ul>\n<li>signing a consent statement on a paper form<\/li>\n<li>ticking an opt-in box on paper or electronically<\/li>\n<li>clicking an opt-in button or link online<\/li>\n<li>selecting from equally prominent yes\/no options<\/li>\n<li>choosing technical settings or preference dashboard settings<\/li>\n<li>responding to an email requesting consent<\/li>\n<li>answering yes to a clear oral consent request<\/li>\n<li>volunteering optional information for a specific purpose \u2013 e.g. filling optional fields in a form (combined with just-in-time notices) or dropping a business card into a box.<\/li>\n<\/ul>\n<p><strong>C4. Does UK GDPR affect us having nutrition students sitting in for their course experience. 
Would they have to sign anything?<\/strong><\/p>\n<p>We suggest that, as clients need to consent to allowing a student to observe their consultation, then this is added to your consent form or Terms of Engagement.\u00a0 The client can then indicate whether they are happy to be observed or not.\u00a0 The student would sign the <a href=\"https:\/\/bant.org.uk\/bant\/content\/member\/pdf\/professionalPractice\/STUDENT_OBSERVATION_CODE_OF_CONDUCT_FORM.pdf\" target=\"_blank\" rel=\"noopener\">Student Observation Code of Conduct form<\/a>.<\/p>\n<p><strong>C5. Is it an agreement that by signing the NTQ, consent is given to share health related data with the GP? \u00a0<\/strong><\/p>\n<p>A client would be required to confirm via the consents form if they were in agreement that you could contact their GP.\u00a0 This should not be included in the NTQ.<\/p>\n<p><strong>C6. I understand that NTs need express permission from a client\/prospect to be able to email them for marketing purposes.\u00a0 Does this include replying to an email from them where they are asking for information or to book an appointment?<\/strong><\/p>\n<p>No, consent is not required to communicate with a prospective client regarding booking an appointment or requesting information. This would be considered to be Legitimate Interest.<\/p>\n<p><strong>C7. I have received emails from businesses that don\u2019t opt-in or opt-out. If my email requires my clients to opt-in to continue to hear from me I suspect 90% won\u2019t as it\u2019s not a priority. It\u2019s taken a lot of work to build up the prospective client base so I am reluctant to use opt-in. 
Surely a GDPR email with link to privacy notice and an unsubscribe button would suffice?<\/strong><\/p>\n<p>Consent should be obvious and require a positive action to opt-in.\u00a0 Examples of opt-in mechanism are:<\/p>\n<ul>\n<li>signing a consent statement on a paper form<\/li>\n<li>ticking an opt-in box on paper or electronically<\/li>\n<li>clicking an opt-in button or link online<\/li>\n<li>selecting from equally prominent yes\/no options<\/li>\n<li>choosing technical settings or preference dashboard settings<\/li>\n<li>responding to an email requesting consent<\/li>\n<li>answering yes to a clear oral consent request<\/li>\n<li>volunteering optional information for a specific purpose \u2013 eg filling optional fields in a form (combined with just-in-time notices) or dropping a business card into a box.<\/li>\n<\/ul>\n<p>You must ensure that you maintain an audit of all consents obtained for it to be valid and you should seek to refresh consents regularly, e.g., every two years.\u00a0 You also need to ensure that the information you hold is accurate and up to date.<\/p>\n<p><strong>C8. I do not send out newsletters, so I presume I do not need to contact all my past clients to tell them anything, (I just hold their data securely)?<\/strong><\/p>\n<p>You don\u2019t need to contact all the clients you hold records for. You should ensure that those who are still consulting with you are aware of your privacy policy and given the opportunity to ask any questions.\u00a0 You could do this at their next consultation. 
You should also discuss your consents form with any ongoing clients as well as new ones and ask them to sign and opt in as per their preferences.\u00a0 We have issued an updated BANT terms of engagement which has had the consent to contact a GP removed as this will be on the consents form going forward.<\/p>\n<p>If any previous client contacts you with regard to retention of their files you can confirm that you are holding them in line with UK GDPR guidelines and will be retaining them as per the guidelines set by your registrant body and professional association.\u00a0 The guidelines in the BANT Professional Practice Handbook have not changed and client files still need to be retained as per current guidelines.<\/p>\n<p><strong>C9. What do I need to be aware of regarding children, verification of age and parental responsibility<\/strong><strong>?\u00a0<\/strong><\/p>\n<p>Please refer to <a href=\"https:\/\/bant.org.uk\/bant-professional-practice-handbook\/children\/\" target=\"_blank\" rel=\"noopener\">Children<\/a> and also read the <a href=\"https:\/\/ico.org.uk\/for-organisations\/guide-to-the-general-data-protection-regulation-gdpr\/children-and-the-gdpr\/about-this-guidance\/\" target=\"_blank\" rel=\"noopener noreferrer\">ICO Guidance<\/a> on working with children.<\/p>\n<p><strong>C10. If I were to discuss a set of test results with a testing company over the phone or via email\u00a0and include in this discussion pertinent details from the client\u2019s case (symptoms, health history) would I need the client to have signed a consent for this, or would this be covered under \u201clegitimate interest\u201d?
If I need a signed consent, would you recommend placing this on the NTQ (in a way that was clear and included a specific opt-in box, for example)?<\/strong><\/p>\n<p>You have to assess if you thought the client would consider it reasonable for you to share their data in this way.\u00a0 You could do some research with your clients to help you decide this and also do a Legitimacy Impact Assessment to assess the risk of this approach.\u00a0 If you\u2019re still not sure then request explicit consent using the consents form and explain it to the client at the consultation.\u00a0 You will also need to include a statement in your privacy notice about how you will use this data.<\/p>\n<p><strong>C11. My understanding is that sharing health related data (or any data) with GP or other HCP one would need consent as the lawful basis. However, if there was a red flag and no consent was given \u2013 what lawful basis would be applicable to remain transparent, in the best interest of the client and in line with best practice?<\/strong><\/p>\n<p>There are a number of areas, though rare, that may necessitate an NT needing to contact a healthcare professional, member of social services or the police given specific circumstances, without consent.\u00a0 These are covered in <a href=\"https:\/\/bant.org.uk\/bant-professional-practice-handbook\/confidentiality-and-consent\/#disclosing-confidential-information\" target=\"_blank\" rel=\"noopener\">Disclosing Confidential Information<\/a>.\u00a0 We would recommend that if any such circumstances arise then the NT contacts the PPP and\/or their insurance company immediately to discuss.\u00a0 In such circumstances the legal basis would either be legal obligation or vital interest depending on the circumstances.<\/p>\n<p><strong>C12. 
I do work with clients overseas via Skype quite a bit so I am wondering if I need to action anything specifically.\u00a0<\/strong><\/p>\n<p>This is the UK General Data Protection Regulation, so applies to all those based and working in the UK.\u00a0 If you are working outside of this area, you will need to follow the Data Protection laws where you are working.\u00a0 If you are based outside the UK but have clients based in the UK you will need to be UK GDPR compliant.<\/p>\n<p><strong>C13. What restrictions are there going forward for us to \u201ccold call\u201d \/ lead generation in the light of UK GDPR? I\u2019m assuming it\u2019s still OK to approach people through LinkedIn, and perhaps also phoning people, but not OK to email without their consent?<\/strong><strong><b>\u00a0<\/b><\/strong><\/p>\n<p>Direct marketing requires one of the two criteria to be met when targeting an individual for marketing purposes:<\/p>\n<ol>\n<li>You must be able to demonstrate that you have obtained valid consent, which means that you must keep records of who consented, when, how, and what you told people.<\/li>\n<li>You are able to use the soft opt-in for existing customers if:<\/li>\n<\/ol>\n<ul>\n<li>the contact details have been obtained in the course of a sale (or negotiations for a sale) of a product or service to that person<\/li>\n<li>you are only marketing your own similar products or services; and<\/li>\n<li>you gave the person a simple opportunity to refuse or opt out of the marketing, both when first collecting the details and in every message after that.<\/li>\n<\/ul>\n<p>A message on LinkedIn would be direct marketing and unless one of the two criteria above are met then the LinkedIn contact cannot be directly marketed to.\u00a0 \u00a0This is unlikely to comply with the fairness principle of UK GDPR as generally a connection on LinkedIn would not reasonably expect a message or call for marketing purposes.\u00a0 It would be more reasonable to have marketing content as 
a post on LinkedIn. \u00a0\u00a0Further information on lead generation can be found in the ICO\u2019s <a href=\"https:\/\/ico.org.uk\/media\/for-organisations\/documents\/1555\/direct-marketing-guidance.pdf\" target=\"_blank\" rel=\"noopener noreferrer\">Direct Marketing Guide.<\/a><\/p>\n<p>&nbsp;<\/p>\n<p><strong><b>PRIVACY NOTICE (PN)<\/b><\/strong><\/p>\n<p><strong>PN1.\u00a0Please could you clarify the paragraph below from the BANT Privacy Notice template. \u00a0<\/strong><strong><b>\u00a0<\/b><\/strong><\/p>\n<p><em><strong><b>\u2018We may share your case history in an anonymised form with our peers for the purpose of professional development.\u00a0 This may be at clinical supervision meetings, conferences, online forums, and through publishing in medical journals, trade magazines or online professional sites.\u00a0 We will seek your explicit consent before processing your data in this way.\u2019<\/b><\/strong><\/em><\/p>\n<p><strong>Is it recommended by BANT that this paragraph is included, or not?<\/strong><\/p>\n<p>We included this paragraph in the template Privacy Notice as we felt it was relevant to a typical NT business, so therefore yes, we do recommend that this is included. \u00a0\u00a0The Consents template includes how you might ask for consent for the sharing of client data in these matters.<\/p>\n<p><strong>PN2.\u00a0I have a question with the Privacy Notice, Point 4 which says:<\/strong><\/p>\n<p><em><strong><b>Any contractors and advisors that provide a service to us or act as our agents on the understanding that they keep the information confidential<\/b><\/strong><\/em><\/p>\n<p><em><strong><b>Anyone to whom we may transfer our rights and duties under any agreement we have with you.\u00a0<\/b><\/strong><\/em><strong><b>\u00a0<\/b><\/strong><em><strong><b>Who is this referring to? 
Supplement companies, testing companies?<\/b><\/strong><\/em><\/p>\n<p>This could be a sub-contracted service such as PR company where the PR company would need access to certain personal data to perform PR on your behalf.\u00a0 Transfer of rights could be if you close the business and transfer any duties onto another company in agreement with the client.<\/p>\n<p><strong>PN3. I have another question with the Privacy Notice, Point 4 which says:<\/strong><\/p>\n<p><em><strong><b>I may share your case history in an anonymised form with our peers for the purpose of professional development.\u00a0 This may be at clinical supervision meetings, conferences, online forums, and through publishing in medical journals, trade magazines or online professional sites.\u00a0 We will seek your explicit consent before processing your data in this way.<\/b><\/strong><\/em><\/p>\n<p><strong>Do I need to seek explicit consent before sharing any anonymised case history?<\/strong><\/p>\n<p>Yes, you do need explicit consent to share case histories.\u00a0 Data which has been anonymised properly cannot be traced back to the original individuals in any way but can still be processed by organisations\/individuals to conduct research. Fully anonymous data is not covered by UK GDPR as it contains no personal information to protect.\u00a0\u00a0 However, removing personal details such as name, date of birth, address does not anonymise data.\u00a0 In the case of health records, it could still be traced back to the individual via health details.<\/p>\n<p><strong>PN4. I have a question with the Privacy Notice<\/strong><strong><b>\u00a0<\/b><\/strong><strong>Point 9. Are cookies active on all websites? 
How about Facebook and social media pages \u2013 there isn\u2019t any mention of these in the BANT example Privacy Notice.<\/strong><\/p>\n<p>We would expect that Facebook and Twitter would act as embedded software in a website feed and would collect their own data using their own cookies, none of which would be collected by the hosting website.\u00a0 We provided a generic set of cookies in the Privacy Policy but you will need to do your own checks on what cookies you collect.<\/p>\n<p><strong>PN5. Is it ok to just put my Privacy Notice on my website or do I need to give a hard copy to each of my clients who sign my consent form?\u00a0 Should I put a link to this in the initial email I send to my clients?<\/strong><\/p>\n<p>You don\u2019t need to give your clients a hard copy of your privacy notice but you do need to give them the opportunity to ask any questions they may have about it and assure yourself that they have understood it.\u00a0 We suggest putting this on your website and also emailing it to them, not just a link, when you send your questionnaire or other communications before their first appointment. Please revisit our information on privacy notices which discusses a blended approach which you should find useful.<\/p>\n<p><strong>PN6.\u00a0When a new client comes along we get them to sign a terms of engagement, to which there is a privacy notice attached.\u00a0 Does this give a contract consent to us using their information?<\/strong><\/p>\n<p>The Privacy Notice is not attached to the Terms of Engagement, these are two separate documents.\u00a0 The Terms of Engagement is a contract between yourself and the client and needs to be signed by both yourself and the client. 
\u00a0The Privacy Policy details the data you will be holding and what you will be doing with this.\u00a0 This could be on your website and we also recommend attaching this to an email you send to the client in advance of the initial consultation.\u00a0 The client needs to be given an opportunity to discuss any aspects of the Privacy Policy before the consultation starts.\u00a0 Please refer to the information on Privacy Notices and the blended approach.\u00a0 It is not appropriate to just refer your clients to your Privacy Notice.<\/p>\n<p><strong>PN7. In the Privacy Notice, there is a section where we are required to enter the registrant body \u2013 is this CNHC?<\/strong><\/p>\n<p>You need to insert the Complementary and Natural Healthcare Council (CNHC) or Healthcare Professions Council (HCPC) depending on who you are registered with.<\/p>\n<p><strong>PN8. I do not understand the section in the Privacy Notice about the website technical details (and cookies) \u2013 this is pt 8.\u00a0 Is there an e-blast about this or who should I contact about it?\u00a0 The ICO?\u00a0 I have tried to find my cookies (I found a section on Google Chrome and all it asked me was whether I wanted to delete all my history), but I don\u2019t know how to list them.<\/strong><\/p>\n<p>We would suggest that you contact your website host to ask them about cookies.<\/p>\n<p><strong>PN9.
I\u2019d be grateful if you could advise if we should use the Privacy Notice on our websites or if we are meant to use a shortened version?<\/strong><\/p>\n<p>We do recommend that the Privacy Notice in full is on your website, as well as you emailing it (in full) to clients prior to their first consultation and then giving them an opportunity to discuss any queries they have with you at their first appointment.\u00a0 It is not enough, though, just to have it on your website and assume they have read and understood it.\u00a0 They do need to be given an opportunity to discuss.<\/p>\n<p><strong>PN10. I am a practicing RNTP. Moving forward I will give all my clients the privacy notice and consent form when I see them for a consultation. With regard to existing clients I have seen for consultations do I also need to send them a copy of these? \u00a0I only contact them on an individual basis.<\/strong><\/p>\n<p>No, you don\u2019t need to contact all the clients you hold records for. You should ensure that those who are still consulting with you are aware of and understand your privacy notice and are given the opportunity to ask any questions.\u00a0 You could do this at their next consultation. You should also discuss your consents form with any ongoing clients as well as new ones and ask them to sign and opt in as per their preferences. Anyone receiving any marketing materials also needs to positively opt in.\u00a0\u00a0 We have issued an updated BANT terms of engagement which has had the consent to contact a GP removed as this will be on the consents form going forward.<\/p>\n<p><strong>PN11. Nutritional Therapy Practitioners often give supplement companies\/laboratories anonymised sensitive information in order to deliver healthcare.
If we need to get explicit consent this may hold-up \/ add a barrier that makes delivery of healthcare more difficult.<\/strong><\/p>\n<p>If you want to discuss clients\u2019 cases with supplement\/laboratories you could decide to use legitimate interest as the legal basis, but if you do this you must do a risk assessment using the LIA to confirm that it meets the necessary requirements.\u00a0 If you then decide that it does, then you would need to update your privacy notice accordingly.\u00a0 If you decide that it doesn\u2019t then you could consider consent as the legal basis.<\/p>\n<p>&nbsp;<\/p>\n<p><strong><b>INFORMATION SECURITY (IS)<\/b><\/strong><\/p>\n<p><strong>IS1.\u00a0I would like some clarification if possible on the sending of nutrition plans via email attachments\u2026in the absence of encryption email software, is it permissible to send a health optimisation nutrition plan via email with the client\u2019s express consent on the consent form?<\/strong><\/p>\n<p>Unfortunately, what you are suggesting is not an appropriate way to use consent.\u00a0 You do need to send encrypted files, password protect them or give the clients access to files held on the cloud.\u00a0 Depending on the way your email is set up, this may already be encrypted but it would also require the client\u2019s email set-up to be encrypted too.\u00a0 So, you need to either encrypt the attachments using a software package such as .zip or encrypt with password in Word or Adobe.\u00a0 Or you can provide access to the client to an online folder such as Dropbox or OneDrive.<\/p>\n<p><strong>IS2.\u00a0We use an on-line booking system, recording client names on a private online booking calendar which is also used for other practitioners\u2019 bookings. \u00a0Would recording first names only or initials be acceptable, if not full names? And what about full names recorded historically?
\u00a0<\/strong><\/p>\n<p>If you are using an online booking system then this would be known as Software as a Service (SaaS) cloud computing, i.e., a SaaS cloud offers access to a complete software application which the cloud user accesses through a web browser.<\/p>\n<p>The NT would be the data controller for any personal information stored on this system and the system provider is the data processor.\u00a0 The NT\u00a0as the data controller must ensure that the system is UK GDPR compliant.\u00a0 This means for example being able to delete people\u2019s data on request and in line with the records retention policy.\u00a0 If you cannot verify the UK GDPR compliance and appropriate security of the booking system software then you cannot use that system.\u00a0 Further information on cloud-based software can be found <a href=\"https:\/\/ico.org.uk\/media\/for-organisations\/documents\/1540\/cloud_computing_guidance_for_organisations.pdf\" target=\"_blank\" rel=\"noopener noreferrer\">here<\/a><u>.<\/u><\/p>\n<p><strong>IS3. I\u2019m trying to move my client questionnaire online so that new clients can go onto my website and complete it there, rather than having to do a paper copy or having to email it back to me. Is this acceptable? If not, what is the best alternative that is secure?<\/strong><\/p>\n<p>You can use an on-line questionnaire but as this will contain special category data you do need to ensure that the data is appropriately secure.\u00a0 We are unable to advise specifics with regard to data security but would recommend that you consider the factors as discussed in our guidelines on <a href=\"https:\/\/bant.org.uk\/bant-professional-practice-handbook\/general-data-protection-regulation-gdpr\/#information-security\" target=\"_blank\" rel=\"noopener noreferrer\">Information Security<\/a>. 
You should discuss this with your web designer and website host.\u00a0 Your website host should have a Terms of Business on their website which is deemed to be the contract.\u00a0 You need to read this to ensure it satisfies your requirements re data security.\u00a0 If you have any concerns you should speak to them.<\/p>\n<p><strong>IS4. Do emails or email attachments containing personal details need to be encrypted or if we ask for client\u2019s permission (Consent) can we continue to send documents in regular email?<\/strong><\/p>\n<p>You need to encrypt any emails or attachments that contain special category data. You can either just encrypt the attachment, or you can encrypt the email and attachment. Please refer to our guidelines on <a href=\"https:\/\/bant.org.uk\/bant-professional-practice-handbook\/general-data-protection-regulation-gdpr\/#information-security\" target=\"_blank\" rel=\"noopener\">Information Security<\/a>.<\/p>\n<p><strong>IS5. Is email encryption mandatory or just advised?<\/strong><\/p>\n<p>It would depend on the content of the email.\u00a0 If the email just said, \u2018please see attached\u2019 for example then it wouldn\u2019t necessarily need to be encrypted but if it contained sensitive or special category data then it probably should.\u00a0 You should assess the risk and make appropriate arrangements to ensure that the data, especially special category data, is transmitted securely.\u00a0 Please refer to our guidelines on<strong><u><b>\u00a0<\/b><\/u><\/strong><\/p>\n<p><strong>IS6. Can you tell me, does UK GDPR mean that my diary will have to have reference numbers rather than client names in it in future?<\/strong><\/p>\n<p>The definition of Personal Data under UK GDPR includes the following: UK GDPR applies to both automated (e.g., on a computer) personal data and to manual filing systems (e.g., paper files) where personal data are accessible according to specific criteria.
This could include chronologically ordered sets of manual records containing personal data (or paper health records ordered by client name).\u00a0\u00a0 Personal data that has been pseudonymised e.g., key-coded, can fall within the scope of the UK GDPR depending on how difficult it is to attribute the pseudonym to a particular individual.<\/p>\n<p>So under the Data Protection Act (DPA), NTs\u2019 paper files were classified as personal data as they are part of a structured filing system that is readily accessible \u2013 usually catalogued by the client name or reference number.\u00a0 The same applies to UK GDPR which replaces DPA, so under UK GDPR, NTs\u2019 paper files are still classified as personal data and therefore must comply with UK GDPR.<\/p>\n<p>Whereas for diaries, our interpretation of this is that typically a diary is not part of a structured filing system and so won\u2019t be considered personal data.\u00a0 However, if the diary was more structured, for example, compartmentalised by client then that would be considered a structured filing system and would be personal data.\u00a0 Pseudonymising the client name by replacing it with a reference number wouldn\u2019t change the fact that it would be personal data.<\/p>\n<p><strong>IS7. When I work with Eating Disorder clients, I work alongside a psychotherapist. I often share my notes with the psychotherapist so that she can support my work from a\u00a0psychotherapy aspect.\u00a0 The therapist has asked me to email them. 
I feel a password protected attached PDF is okay.\u00a0 What is the most appropriate way to share this information?\u00a0<\/strong><\/p>\n<p>The password protected PDF should also be encrypted.\u00a0 Adobe Acrobat does this; if you are using another PDF writer then you would need to check for yourself.<\/p>\n<p>If you are including any special category personal data in the email then you will need to encrypt the email too.\u00a0 This requires both participants to have a\u00a0<a href=\"https:\/\/support.office.com\/en-us\/article\/get-a-digital-id-0eaa0ab9-b8a2-4a7e-828b-9bded6370b7b\" target=\"_blank\" rel=\"noopener noreferrer\">digital ID<\/a>.<\/p>\n<p><strong>IS8. I am a sole trader but my IT support has access to my files. As far as I understand, he would be considered as a data processor. Do I have to make him sign an NDA document or something similar, and if yes, does BANT have a template for this or would you know where to find one? I couldn\u2019t find anything on the ICO website, but I might have not been looking in the right places.<\/strong><strong><b>\u00a0<\/b><\/strong><\/p>\n<p>If your IT support is managing your IT platform and enabling you to manage the data, then yes, he would be a Data Processor. The ICO have only recently shared content for a template relating to this.<\/p>\n<p><strong>IS9.\u00a0All my current client files are paper files and are kept in filing cabinets in my locked office.\u00a0 The clients that I have not seen for more than two years go into my archive filing box which are cardboard boxes up in my unlocked loft.\u00a0 How important is it to put a filing cabinet up in my loft to store these files (there is not room in my office)?<\/strong><\/p>\n<p>All your paper files should be secure. 
There are no definitive instructions about this; you need to assess your security yourself and ensure this is adequate to prevent the personal data you hold accidentally or deliberately being compromised.\u00a0 Please refer to the guidelines on <a href=\"https:\/\/bant.org.uk\/bant-professional-practice-handbook\/general-data-protection-regulation-gdpr\/#information-security\" target=\"_blank\" rel=\"noopener noreferrer\">Information Security<\/a>\u00a0as this also refers to paper files.<\/p>\n<p><strong>IS10. I work at a shop as one of their NTs. I take the client files home with me and lock them in a file and locked office. Since they are the shop\u2019s clients whom I see on behalf of the shop, is it ok for me to store their information at home? I do all my preparation for clients from home as well as my follow up emails etc, hence why I need their paperwork. Is there any safeguarding I need to put in place when I am transporting their files home?<\/strong><strong><b>\u00a0<\/b><\/strong><\/p>\n<p>If you are employed by the shop, then they are the Data Controller and you are a Data Processor within the company.\u00a0 Your processing of clients\u2019 personal data should therefore be in accordance with the shop\u2019s Data Protection Policy.<\/p>\n<p>If you are self-employed, then you, as data controller, need to assess the risk of your carrying the client files home and put appropriate security measures in place. You might consider having all their information held securely on the Cloud, so you can access it whether you are in the shop or at home via your laptop, to reduce the security risk.\u00a0\u00a0 If the files were lost whilst you were transferring them between your workplace and home this would still be classed as a reportable <a href=\"https:\/\/bant.org.uk\/bant-professional-practice-handbook\/general-data-protection-regulation-gdpr\/#data-breaches\" target=\"_blank\" rel=\"noopener noreferrer\">data breach<\/a>.<\/p>\n<p><strong>IS11. 
I need some guidelines around the transfer of data internationally. I regularly spend some months of the year outside of Europe. For those clients who do not want to wait until I return, I hold consultations with them via Skype. I always hold the consultations on my own computer. None of my other processes change. The data is stored in the same way.<\/strong><\/p>\n<p>The international restriction within UK GDPR applies to the transfer of data <em>to<\/em>\u00a0other countries as they may have a lower standard of data protection regulation thereby importing a potential risk to the data subject.\u00a0 You need to consider whether the data on your laptop is a physical transfer of data to a third country, which is a possible interpretation.<\/p>\n<p>If this is the case, you would be better saving everything on the cloud and removing it from your laptop; otherwise you would need to seek consent from everyone whose data is on the laptop irrespective of whether you will be in contact with them whilst in a third country.\u00a0 This could refer to all present and past clients depending on your data set-up.<\/p>\n<p>This may be the best approach anyway from an information security perspective.\u00a0 You will need to take a risk-based approach.\u00a0\u00a0 Information security is the biggest risk.<\/p>\n<p>You should consider adding a paragraph to your Privacy Notice about how you work whilst abroad, the measures you have in place and that you are not transferring any data to a third country. \u00a0If you request that clients send you data then you should provide an appropriate mechanism to protect that data (e.g., via a cloud-based system). \u00a0\u00a0You could still seek consent as a belt and braces approach; you need to take a risk-based approach.<\/p>\n<p>Regarding Skype or other means to communicate with clients in this set-up, we understand that all\u00a0Skype-to-Skype\u00a0voice, video, file transfers and instant messages are\u00a0encrypted. 
This protects you from potential eavesdropping by malicious users. If you make a call from\u00a0Skype\u00a0to mobile and landline phones, the part of your call that takes place over the PSTN (the ordinary phone network) is not\u00a0encrypted.\u00a0 You should therefore check that whatever communication means you are using are fully and appropriately encrypted.\u00a0 This would be the same when you are working in the UK as well as any work you carry out when not in the UK.<\/p>\n<p><strong>IS12. A question regarding sending health questionnaires to clients. I usually email a blank questionnaire (which includes questions about sensitive personal data) to the client prior to their appointment for them to complete and return to me by email in advance of their appointment. Going forward, how do I ensure the client encrypts and password protects this questionnaire when they return it to me by email?<\/strong><strong><b>\u00a0<\/b><\/strong><\/p>\n<p>A cloud service would seem the most appropriate for the situation you describe.\u00a0 Google Drive and Dropbox are two such services; there are others.\u00a0 You need to check the cloud-based services\/software you use comply with UK GDPR principles and meet your security requirements.\u00a0 With Dropbox for example, you need your clients to have a Dropbox account and then invite them to share a folder with you using the email address they have registered with Dropbox.\u00a0 \u00a0 We would suggest that when you share the folder with the client, whichever cloud service you are using, you could include instructions on how they can set up an account if they don\u2019t have one and how they would upload their form.\u00a0 The folder could include their questionnaire, health programmes and other relevant forms and handouts.<\/p>\n<p>If the client doesn\u2019t have Dropbox or other cloud service that you use, then you will need to encrypt any personal or special category data you send as an email attachment or encrypt the 
email.\u00a0 You could also include instructions on saving the word file with an encrypted password and agree a password with them.\u00a0 No specialist software is needed for this.<\/p>\n<p>To be UK GDPR compliant, you need to ensure that there are measures in place to enable clients to submit data securely.\u00a0 However, if they choose to send their data insecurely after you have explained the security risk on sending their Health Questionnaire back, or other documents containing personal and\/or special category data not encrypted, then it is up to the individual client.<\/p>\n<p><strong>IS13. Presumably if I physically post a report it would need to be recorded delivery?<\/strong><\/p>\n<p>If you choose to send reports back to clients by post, you need to assess the security risk of posting using ordinary mail as opposed to using registered mail.<\/p>\n<p><strong>IS14. How do I understand what cookies I have on my website if my web designer is not responding?<\/strong><\/p>\n<p>There are various tools that do cookie audits.\u00a0 This is a free\u00a0<a href=\"https:\/\/www.attacat.co.uk\/resources\/cookies#axzz1soO8Ht2I\" target=\"_blank\" rel=\"noopener noreferrer\">cookie audit tool<\/a>.<\/p>\n<h4><strong>\u00a0<\/strong><\/h4>\n<p><strong><b>LEGITIMATE INTERESTS ASSESSMENT (LIA)<\/b><\/strong><\/p>\n<p><strong>\u00a0<\/strong><strong>LIA1.\u00a0The LIA Balancing test seems to exclude existing relationships for the data to fall under the LI category. Does this mean that friends, colleagues or family members cannot become clients?<\/strong><\/p>\n<p>No, relationships with family, friends etc are not considered to be pre-existing with regard to the LIA.\u00a0 The relationships considered in the LIA refer to client \u2013 NT relationships.<\/p>\n<p><strong>LIA2. 
Legitimate Interest Assessment (LIA) \u2013<\/strong><strong><b>\u00a0<\/b><\/strong><strong>does this need to go on my website?\u00a0 Will that be adequate?<\/strong><\/p>\n<p>The LIA does not need to go on your website. You need to do this in order to justify your use of the legal basis legitimate interest where you have used it. If you were to be challenged, then your LIA is evidence that you have appropriately assessed legitimate interest as being the most appropriate legal basis.<\/p>\n<p><strong>LIA3. Can you please confirm that the LIA is only used to assess whether or not I have an LIA when working with my clients and that I do not have to fill it out.\u00a0 I will always obtain their permission before writing to their GP\/ordering tests for them etc. and I will use the Consent Form for this.<\/strong><\/p>\n<p>You need to complete an LIA (Legitimate Interests Assessment) for any type of data where you have identified \u2018Legitimate Interest\u2019 as the legal basis in your GDPR Documentation Controller. 
\u00a0It is a risk assessment tool to help you assess and evidence the appropriateness of this legal basis.\u00a0 It is not about permission or consent which would be a different legal basis.<\/p>\n<p>&nbsp;<\/p>\n<p><strong><b>DATA PROTECTION IMPACT ASSESSMENTS (DPIA)<\/b><\/strong><\/p>\n<p><strong>DPIA1.\u00a0As an NT are we required to do Data Protection Impact Assessments?<\/strong><\/p>\n<p>A\u00a0<a href=\"http:\/\/admin.peamailer.com\/t\/r-l-jyiudldt-klithjutyk-b\/\" target=\"_blank\" rel=\"noopener noreferrer\">Data Protection Impact Assessment (DPIA)<\/a>\u00a0is a more in-depth risk assessment than an LIA and will be required for certain listed types of processing, or any other processing that is likely to result in a high risk to individuals\u2019 interests.<\/p>\n<p>Particularly relevant for NTs is the processing of genetic data which will require you to complete a DPIA for this category of data.\u00a0 \u00a0\u00a0You can use the ICO\u2019s <a href=\"http:\/\/admin.peamailer.com\/t\/r-l-jyiudldt-klithjutyk-n\/\" target=\"_blank\" rel=\"noopener noreferrer\">screening checklist<\/a>\u00a0to help you decide when to do a DPIA.[\/vc_column_text][\/vc_column_inner][\/vc_row_inner][\/vc_column][\/vc_row]<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Information on the UK General Data Protection Regulation (UK GDPR), tailored by the Data Protection Act 2018.\u00a0 It explains each of the data protection principles, rights and obligations and includes templates for a typical nutritional therapy business.\u00a0 Everyone who handles personal data needs to be aware of and trained in UK GDPR and members need to ensure they comply with the legislation.<\/p>\n<p\/><span style=\"color: #ff0000; font-size: 80%\"><b>(LAST UPDATED &#8211; 12 NOVEMBER 
2024)<b\/><\/span><\/p>\n","protected":false},"author":12,"featured_media":16293,"parent":4059,"menu_order":1,"comment_status":"closed","ping_status":"closed","template":"page-handbook-child.php","meta":{"footnotes":""},"tags":[418,419,420,421,422,423,424,425,426,427,428,429,430,431,432,433,434,356,435,282,436,437,438,439,440,441,442,444,445,446,443,447,448,449,450,451,452,453,454,455,456,457,372,387,458,459,460],"class_list":["post-16292","page","type-page","status-publish","has-post-thumbnail","hentry","tag-anonymised","tag-anonymising","tag-audit-trail","tag-breached","tag-case-histories","tag-case-studies","tag-case-study","tag-consent","tag-cybersecurity","tag-data-breach","tag-data-controller","tag-data-integrity","tag-data-processor","tag-data-protection-act","tag-data-protection-impact-assessment","tag-data-protection-policy","tag-dpia","tag-encryption","tag-fair-processing","tag-gdpr","tag-ico-fee","tag-information-security","tag-lawful-bases","tag-lawful-basis","tag-lawfulness","tag-legitimate-interests-assessment","tag-lia","tag-loss","tag-opt-in","tag-passwords","tag-personal-data","tag-privacy-notices","tag-privacy-policy","tag-processing-data","tag-pseudonymisation","tag-risk","tag-security","tag-shred","tag-special-category-data","tag-subject-access-requests","tag-templates","tag-theft","tag-tick-box","tag-transferring-data","tag-transparency","tag-unsubscribe","tag-withdrawing-consent"],"rankMath":{"parentDomain":"bant.org.uk","noFollowDomains":[],"noFollowExcludeDomains":[],"noFollowExternalLinks":false,"featuredImageNotice":"The featured image should be at least 200 by 200 pixels to be picked up by Facebook and other social media 
sites.","pluginReviewed":false,"postSettings":{"linkSuggestions":true,"useFocusKeyword":false},"frontEndScore":false,"postName":"general-data-protection-regulation-gdpr","permalinkFormat":"https:\/\/bant.org.uk\/%pagename%\/","showLockModifiedDate":true,"assessor":{"focusKeywordLink":"https:\/\/bant.org.uk\/wp-admin\/edit.php?focus_keyword=%focus_keyword%&post_type=%post_type%","hasTOCPlugin":false,"primaryTaxonomy":false,"serpData":{"title":"","description":"","focusKeywords":"BANT Professional Practice Handbook","pillarContent":false,"canonicalUrl":"","breadcrumbTitle":"","advancedRobots":{"max-snippet":"-1","max-video-preview":"-1","max-image-preview":"large"},"facebookTitle":"","facebookDescription":"","facebookImage":"","facebookImageID":"","facebookHasOverlay":false,"facebookImageOverlay":"play","facebookAuthor":"","twitterCardType":"summary_large_image","twitterUseFacebook":true,"twitterTitle":"","twitterDescription":"","twitterImage":"","twitterImageID":"","twitterHasOverlay":false,"twitterImageOverlay":"play","twitterPlayerUrl":"","twitterPlayerSize":"","twitterPlayerStream":"","twitterPlayerStreamCtype":"","twitterAppDescription":"","twitterAppIphoneName":"","twitterAppIphoneID":"","twitterAppIphoneUrl":"","twitterAppIpadName":"","twitterAppIpadID":"","twitterAppIpadUrl":"","twitterAppGoogleplayName":"","twitterAppGoogleplayID":"","twitterAppGoogleplayUrl":"","twitterAppCountry":"","robots":{"index":true},"twitterAuthor":"BANTonline","primaryTerm":0,"authorName":"Melanie de Grooth","titleTemplate":"%title% %sep% %sitename%","descriptionTemplate":"%excerpt%","showScoreFrontend":true,"lockModifiedDate":false},"powerWords":["a cut above","absolute","absolutely","absolutely 
lowest","what no one tells 
you","whip","whopping","wicked","wild","willpower","withheld","wonderful","wondrous","woozy","world","worry","worst","worthwhile","wounded","wreaking","youthful","zen","zinger"],"diacritics":{"A":"[\\u0041\\u24B6\\uFF21\\u00C0\\u00C1\\u00C2\\u1EA6\\u1EA4\\u1EAA\\u1EA8\\u00C3\\u0100\\u0102\\u1EB0\\u1EAE\\u1EB4\\u1EB2\\u0226\\u01E0\\u00C4\\u01DE\\u1EA2\\u00C5\\u01FA\\u01CD\\u0200\\u0202\\u1EA0\\u1EAC\\u1EB6\\u1E00\\u0104\\u023A\\u2C6F]","AA":"[\\uA732]","AE":"[\\u00C6\\u01FC\\u01E2]","AO":"[\\uA734]","AU":"[\\uA736]","AV":"[\\uA738\\uA73A]","AY":"[\\uA73C]","B":"[\\u0042\\u24B7\\uFF22\\u1E02\\u1E04\\u1E06\\u0243\\u0182\\u0181]","C":"[\\u0043\\u24B8\\uFF23\\u0106\\u0108\\u010A\\u010C\\u00C7\\u1E08\\u0187\\u023B\\uA73E]","D":"[\\u0044\\u24B9\\uFF24\\u1E0A\\u010E\\u1E0C\\u1E10\\u1E12\\u1E0E\\u0110\\u018B\\u018A\\u0189\\uA779]","DZ":"[\\u01F1\\u01C4]","Dz":"[\\u01F2\\u01C5]","E":"[\\u0045\\u24BA\\uFF25\\u00C8\\u00C9\\u00CA\\u1EC0\\u1EBE\\u1EC4\\u1EC2\\u1EBC\\u0112\\u1E14\\u1E16\\u0114\\u0116\\u00CB\\u1EBA\\u011A\\u0204\\u0206\\u1EB8\\u1EC6\\u0228\\u1E1C\\u0118\\u1E18\\u1E1A\\u0190\\u018E]","F":"[\\u0046\\u24BB\\uFF26\\u1E1E\\u0191\\uA77B]","G":"[\\u0047\\u24BC\\uFF27\\u01F4\\u011C\\u1E20\\u011E\\u0120\\u01E6\\u0122\\u01E4\\u0193\\uA7A0\\uA77D\\uA77E]","H":"[\\u0048\\u24BD\\uFF28\\u0124\\u1E22\\u1E26\\u021E\\u1E24\\u1E28\\u1E2A\\u0126\\u2C67\\u2C75\\uA78D]","I":"[\\u0049\\u24BE\\uFF29\\u00CC\\u00CD\\u00CE\\u0128\\u012A\\u012C\\u0130\\u00CF\\u1E2E\\u1EC8\\u01CF\\u0208\\u020A\\u1ECA\\u012E\\u1E2C\\u0197]","J":"[\\u004A\\u24BF\\uFF2A\\u0134\\u0248]","K":"[\\u004B\\u24C0\\uFF2B\\u1E30\\u01E8\\u1E32\\u0136\\u1E34\\u0198\\u2C69\\uA740\\uA742\\uA744\\uA7A2]","L":"[\\u004C\\u24C1\\uFF2C\\u013F\\u0139\\u013D\\u1E36\\u1E38\\u013B\\u1E3C\\u1E3A\\u0141\\u023D\\u2C62\\u2C60\\uA748\\uA746\\uA780]","LJ":"[\\u01C7]","Lj":"[\\u01C8]","M":"[\\u004D\\u24C2\\uFF2D\\u1E3E\\u1E40\\u1E42\\u2C6E\\u019C]","N":"[\\u004E\\u24C3\\uFF2E\\u01F8\\u0143\\u00D1\\u1E44\\u0147\\u1E46\\u0145\\u1E4A\\u1E48\\u
0220\\u019D\\uA790\\uA7A4]"},"hasRedirection":false,"hasBreadcrumb":false},"homeUrl":"https:\/\/bant.org.uk","objectID":16292,"objectType":"post","locale":"en","localeFull":"en_GB","tocTitle":"Table of Contents","tocExcludeHeadings":[],"listStyle":"ol"},"_links":{"self":[{"href":"https:\/\/bant.org.uk\/call\/wp\/v2\/pages\/16292"}],"collection":[{"href":"https:\/\/bant.org.uk\/call\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/bant.org.uk\/call\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/bant.org.uk\/call\/wp\/v2\/users\/12"}],"replies":[{"embeddable":true,"href":"https:\/\/bant.org.uk\/call\/wp\/v2\/comments?post=16292"}],"version-history":[{"count":2,"href":"https:\/\/bant.org.uk\/call\/wp\/v2\/pages\/16292\/revisions"}],"predecessor-version":[{"id":27378,"href":"https:\/\/bant.org.uk\/call\/wp\/v2\/pages\/16292\/revisions\/27378"}],"up":[{"embeddable":true,"href":"https:\/\/bant.org.uk\/call\/wp\/v2\/pages\/4059"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/bant.org.uk\/call\/wp\/v2\/media\/16293"}],"wp:attachment":[{"href":"https:\/\/bant.org.uk\/call\/wp\/v2\/media?parent=16292"}],"wp:term":[{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/bant.org.uk\/call\/wp\/v2\/tags?post=16292"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}