Information Security and Data Protection Policy Statement and Commitment
I, Dr Dave Wood, as the sole proprietor and Data Controller of Metanoeo, am committed to ensuring the confidentiality, integrity, and availability of all information assets, particularly client and trainee personal data.
I acknowledge my legal obligations under the UK General Data Protection Regulation (GDPR) and the Data Protection Act 2018 and will implement appropriate security measures to protect against unlawful processing, accidental loss, destruction, or damage.
Scope and Responsibility
This policy covers all information held by the business, including:
- Client/Trainee session notes and progress records.
- Contact details, contracts, and payment information.
- Digital files, emails, and cloud storage.
- Physical files (if any) stored in the home office.
As the sole trader, I am the Data Controller and am personally responsible for the implementation and adherence to this policy.
Data Protection Principles (GDPR Compliance)
All processing of personal data will adhere to the seven GDPR principles:
- Lawfulness, Fairness, and Transparency: Processing is based on a lawful basis (usually client consent or legitimate interest) and clearly communicated.
- Purpose Limitation: Data is collected only for specified, explicit, and legitimate purposes (i.e., providing coaching/training).
- Data Minimisation: Only necessary data is collected, limited to what is relevant for the purpose.
- Accuracy: Data is kept accurate and up to date, and inaccurate data is corrected or deleted.
- Storage Limitation: Data is kept only for as long as necessary (see below).
- Integrity and Confidentiality (Security): Data is processed securely, protecting against unauthorised access, loss, or damage (see below).
- Accountability: I maintain documentation to demonstrate compliance with these principles.
Technical and Organisational Security Measures
Digital Data Security
- Storage: All client data is stored on secure, password-protected computers/devices or on reputable, encrypted cloud services (e.g., Google Drive, Dropbox) chosen specifically for their GDPR compliance.
- Access Control: All devices (laptops, phones) are protected by strong passwords, biometrics, or PINs, with automatic screen lock enabled.
- Encryption: Sensitive coaching notes, if stored digitally, are further protected by encryption (e.g., folder encryption or encrypted note-taking apps).
- Software: Operating systems and applications are kept up to date to ensure the latest security patches are installed. Anti-virus/anti-malware software is used and regularly updated.
- Backup: Data is backed up regularly to a secure, separate storage medium (e.g., external drive or encrypted cloud) to prevent loss.
Virtual Session Security
- Platforms: Only reputable, secure video conferencing platforms (e.g., Zoom, Google Meet) will be used, with passwords/waiting rooms enabled.
- Recording: Sessions will only be recorded with the explicit, informed consent of the client/trainee, and recordings will be deleted promptly after their purpose is fulfilled.
Physical Data Security
- Storage: Any physical files (e.g., paper notes, printed contracts) are stored in a locked filing cabinet or container within the private home office.
- Destruction: Paper records that are no longer needed are securely destroyed using a cross-cut shredder before disposal.
Data Retention and Destruction
I will retain personal data only for as long as is necessary to fulfil the business purpose, plus a minimum period required by legal or professional indemnity insurance obligations (usually 5-7 years after the termination of the service).
- Destruction: Once the retention period has elapsed, all personal data will be securely destroyed: digital files will be permanently deleted, and physical files will be cross-cut shredded.
Data Breach Management
Despite best efforts, a data breach (e.g., lost laptop, hacking, accidental email to the wrong person) may occur.
Procedure:
- Containment: Immediately take steps to stop the breach (e.g., changing passwords, isolating the affected device).
- Assessment: Assess the severity and risk to the rights and freedoms of the individuals whose data was compromised.
- Notification (ICO): If the breach poses a risk to individuals, I will report the breach to the Information Commissioner's Office (ICO) within 72 hours of becoming aware of it.
- Notification (Data Subject): If the breach results in a high risk to the individual's rights and freedoms, I will inform the affected client(s)/trainee(s) without undue delay.
- Documentation: I will keep a detailed record of the breach, the assessment, and all actions taken.
Policy Review
This Information Security and Data Protection Policy will be reviewed and updated at least annually, or whenever there are significant changes in legislation, technology, or business operations.