PRIVACY NOTICE
1. Introduction
The name of the data controller to which this Data Protection Policy refers is Hoo Peninsula Cares (wHoo Cares) (the Organisation). In processing personal data, the Organisation complies with the Data Protection Act 2018 (DPA 2018) and General Data Protection Regulation 2018 (GDPR 2018) in relation to the retention and processing of personal data. This Policy covers all Personal Data and Sensitive Personal Data that the Organisation holds in either electronic or paper format or file system. This policy is intended to ensure that personal information is dealt with properly and securely and in accordance with the UK and EU General Data Protection Regulation (the “GDPR”) and other related legislation. It will apply to information regardless of the way it is used or recorded and applies for as long as the information is held.
2. Our obligation
The Organisation, its representatives, staff and volunteers are committed to ensuring that anyone dealing with personal data shall be always mindful of the individual’s rights under the law. The Organisation is committed to complying with the principles as set out below at all times and therefore will:
a) inform individuals as to the purpose of collecting any information from them, as and when we ask for it;
b) be responsible for checking the quality and accuracy of the information;
c) regularly review the records held to ensure that information is not held longer than is necessary, and that it has been held in accordance with the Data Retention Policy (upon request);
d) ensure that when information is authorised for disposal it is done appropriately;
e) ensure appropriate security measures to safeguard personal information whether it is held in paper files or on our computer system, and follow the relevant security policy requirements at all times;
f) share personal information with others only when it is necessary and legally appropriate to do so;
g) set out clear procedures for responding to requests for access to personal information known as subject access requests; and
h) report any breaches of the GDPR as appropriate.
The six data protection principles as laid down in the GDPR are followed at all times:
Personal data shall be processed fairly, lawfully and in a transparent manner, and processing shall not be lawful unless one of the processing conditions can be met.
Personal data shall be collected for specific, explicit, and legitimate purposes, and shall not be further processed in a manner incompatible with those purposes.
Personal data shall be adequate, relevant, and limited to what is necessary for the purpose(s) for which it is being processed.
Personal data shall be accurate and, where necessary, kept up to date.
Personal data processed for any purpose(s) shall not be kept for longer than is necessary for that purpose/those purposes.
Personal data shall be processed in such a way that ensures appropriate security of the data, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organisational measures.
3. The Type of Information We Collect
The Organisation collects and uses certain types of personal information about the following categories of individuals including, but not limited to:
1) Board of Directors;
2) full-time and part-time employees on a substantive or fixed-term contract and associated individuals who are retained by the Organisation, including agency staff, contractors and others employed under a contract of service;
3) volunteers of the Organisation;
4) consultants commissioned by the Organisation to enact the management of its affairs on behalf of the Directors;
5) professional advisers and service providers including third party solicitors and auditors and providers of book-keeping, banking and insurance and management services, as well as other suppliers and 3rd party agencies;
6) Partners (clients) and their families; and
7) fundraisers and supporters of the Organisation.
Personal information
The personal information we collect includes details such as name, date of birth, email address, postal address, telephone number and bank details, as well as information provided in any communications with us. This information may have been given in any of the many ways in which we have interacted or communicated, through completed forms (including job or volunteering applications), events attended, general communications or via email or through our website. We may also have collected this information in the course of our work and during work undertaken or through the provision of services. We will mainly use this information:
a) to help us carry out our business, roles and responsibilities to our Partners (clients) and their families, and help us make informed decisions in the governance of the Organisation;
b) to process donations or other payments and verify any financial transactions;
c) to send communications which have been requested and that may be of interest, these may include information about campaigns, appeals or other fundraising activities and events;
d) to carry out our obligations arising from any contracts entered into;
e) to keep a record of supporter and volunteer relationships with the Organisation;
f) to administer the volunteering arrangement with our volunteers;
g) to administer applications voluntarily provided by applicants for positions of employment or volunteering posts, either via our website or by any other method; and
h) to manage contracts of employment and to protect the rights of our employees.
Sensitive Personal Information
There are times when personal experience or the experiences of friends and relatives are shared with the Organisation; we may also collect health information for the purposes of carrying out our duties, responsibilities and services to Partners. If we are provided with any sensitive personal information by telephone, email or by other means (such as home-visits or one-to-one contact), we will treat that information with extra care and confidentiality and always in accordance with this policy. Data Protection Law and the GDPR recognise that some categories of personal information are more sensitive. We will only use this information:
• For the purposes of dealing with any enquiry, training, and quality monitoring or evaluating the services we provide.
• We will not pass details to anyone else without explicit consent except in exceptional circumstances. Examples of this might include anyone reporting serious self-harm or posing a threat to others.
Information about Children and Young People
We sometimes receive limited data about children if they decide to fundraise for us, enter a competition, attend an event or school visit, or undertake work experience. Wherever possible, we will ask for consent from parents to collect information about children and young people under the age of 16. Informed consent will be sought should we request photographs or video footage in order to promote the Organisation, our events or campaigns.
4. Data Sharing
5 March 2021, Data Protection Policy, Policy No. 010.03
The personal information we collect will mainly be used by our staff (and volunteers) in order to provide support services to our Partners (clients) and their families. The Organisation does not sell or rent information to third parties, nor does it share information with third parties for marketing purposes. We may pass information to our third-party service providers, agents, subcontractors and other associated organisations for the purposes of completing tasks and providing support services on our behalf. However, when we use third-party service providers, we disclose only the personal information that is necessary to deliver the service or if we are required to do so by law, for example, by a court order or for the purposes of prevention of fraud or other crime. There are other third parties for whom it may be necessary to provide personal information:
a) professional advisers including lawyers, bankers, auditors and insurers based in the UK who provide consultancy, banking, legal, insurance and/or accounting services;
b) HM Revenue & Customs, regulators and other authorities based in the UK which require reporting of processing activities in certain circumstances;
c) partner agencies including council or other statutory bodies, including for the processing of DBS checks; and
d) health professionals and other health service providers.
5. Security of personal data
The Organisation has put in place appropriate measures to prevent personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, access to personal data is limited to those employees, volunteers, agents and third-party representatives who have a business need to access it. They will only process your personal data on specific instructions and in undertaking their duties, roles and responsibilities, and they are subject to a duty of confidentiality. We have put in place procedures to deal with any suspected personal data breach and will notify individuals and any applicable regulator of a breach where we are legally required to do so.
6. Retaining data
We will only retain personal data for as long as is necessary to fulfil the purposes for which we collected it, including for the purposes of satisfying any legal, accounting, or reporting requirements.
7. Subject access requests
Anyone requesting to see any personal information held by the Organisation is making a subject access request:
a) Access to personal information: individuals have the right to request access to a copy of the personal information that we hold, along with information on what personal information we use, why we use it, who we share it with and how long we keep it. Requests for access can be made free of charge. Requests for access must be made in writing and evidence of identity must be provided.
b) Right to object: individuals can object to our processing of personal information where we are relying on a legitimate interest (or those of a third party). There is also the right to object where we are processing your personal information for direct marketing purposes.
c) Consent: if consent has been given to use personal information (for example, for marketing), it can be withdrawn at any time.
d) Rectification: individuals can request us to change or complete any inaccurate or incomplete personal information held.
e) Erasure: individuals can ask us to delete personal information where it is no longer necessary for us to use it, or if consent has been withdrawn, or where we have no lawful basis for keeping it.
f) Portability: individuals can ask us to provide some or any of the personal information held in a structured, commonly used, electronic form, so it can be easily transferred.
g) Restriction: individuals can ask us to restrict the personal information we use where a request has been made for it to be erased or where objection has been made as to our use of it.
Please note, some of these rights only apply in certain circumstances.
Contact details
Hoo Peninsula Cares (wHoo Cares)
24 Church Street, Hoo, Rochester, ME3 9AL
Phone: 01634 272138
Email: enquiries@whoocares.org.uk
The data protection supervisory authority, the Information Commissioner's Office, can be contacted: https://ico.org.uk