Privacy Statement
Introduction
In compliance with The Data Protection Act 1998 and the E.U. General Data Protection Regulations which came into force on the 25th May 2018 Contact is committed to protecting all personal data
The intention of this policy is to demonstrate in clear and simple terms how and why it collects, uses, stores and disposes of personal information as set out below.
1. Important information about who we are.
2. The personal data collected, how we collect and how we use it in relation to :
Children and young people who use our service.
People who support us.
Job and Role Applicants.
Current and former employees, volunteers and trustees.
Visitors to our website
3.Working with Third Parties.
4.How Contact keeps Personal Data Safe.
5.Where Contact stores and processes information.
6.Legal Rights
7.C.C.T.V.
8.Glossary (In case Contact uses terms which are unfamiliar.)
1.Important Information about who we are.
Contact is a Charitable Incorporated Organisation.
Its charity registration number is 1178557.
The registered address is:
Contact
339 Wilbraham Road
Whalley Range
Manchester
M16.8GL.
The website is owned by Contact
The Data Protection Officer (D.P.O.) is:
Hannah Martin
This person is responsible for answering any questions about this policy or any information Contact may have on individuals. This person is a paid employee.
The D.P.O. may be contacted at the above address or by:
Email at hannah@contacthostel.co.uk
Telephone: 0161 8619806
Complaints
Contact hopes any enquiries or concerns regarding information it may hold can be dealt with and resolved informally.
However formal complaints about data protection issues may be made to:
The Information Commissioners Office (I.C.O.)
Their website address is : WWW.ICO.ORG.UK
Contact will ensure that it is registered with the ICO.
The ICO reference number for Contact is: ZA233943
Review of the Policy
This statement will be reviewed annually and amended in line with legislation.
2. Personal data collected how we collect it and how it is used.
Children and young people who use our service.
This section explains what information Contact collects, keeps and stores about the young people who currently use and have previously used our service. It sets out the rights of the young person in regard to that information.
Information Collected
Contact may obtain and hold the following information about young people it has supported:
· Name
· Date of birth
· Previous addresses
· Next of Kin
· Culture
· Religion
· Sexuality
· G.P.
· Nationality
· National Insurance Number
· Support Evidence
· Risk Assessments
· Assessment/progress/review documents
· State benefit documents
· Referral documents to other agencies
· Housing applications
· Personal images on external CCTV
Why the Information is Collected
Contact needs this information in order to assist young people in accessing the services they require for them to live more independently and safely.
Without this information Contact would struggle to support and provide a service to young people.
Information Sharing.
Within Contact personal information is shared with people who need to know in order to meet the needs of each young person it supports.
Personal information may also be shared with the organisation that funds the support or with outside agencies that monitor and inspect Contact.
Contact may be required to share information for legal reasons and with other organisations if there is risk of harm.
Contact may need to share information when making referrals to other agencies who need to support the young person.
There may be occasions when Contact will request consent to help inform the public about the work it does.
All information sharing will only be done with the written consent of the young person unless there is a risk of injury or harm to the young person or other.
The written consent may be withdrawn at any time.
Responsibility for Information
Contact is responsible for the information it holds on the young people it supports. (Data Controller)
Keeping and Storing Personal Information
Contact will keep personal information on the young people it has supported for a specified period of time once the young has left the service.
Depending on the nature of the service and any legal obligations, Contact will retain only relevant personal data between 2 and 10 years or more if legally required to do so, for example if there has been a safe guarding concern or referral.
Documents to be retained by Contact for a minimum of 10 years
· Review minutes
· Support plans
· Risk assessments
· Assessment of progress
· Safeguarding documents
· Daily record logs
· Immigration status documents
· Licence agreements
Documents to be retained by Contact for a Minimum of 2 years
Admission and discharge details. The national insurance number to be erased after discharge.
All other documents
Personal information retained for safe keeping at the request of the young person (such as birth certificates) must be returned to the young person when leaving the service.
Request to access personal data. (Subject Access Requests)
Young people may request a copy of the information Contact holds on them.
See Section 6 of this policy on how to access personal information.
Contact is unable to release personal information in connection with a historic or current safeguarding or criminal investigation
People who support us.
How information is collected
Contact collects information about its supporters and potential supporters when they make enquiries about its activities, send or receive an email, make a donation or ask about its services.
Contact may also obtain publicly available information such as contact details. Contact may also research information to help it perform due diligence checks to ensure Contact is not being targeted by criminals posing as genuine donors.
Information collected
The personal information collected by Contact may include:
Name
Address
email address
Phone numbers
Data Protection Law recognises that certain categories of personal information are more sensitive. These are known as “special categories” of data and relate to: health, race, religious beliefs and political opinions.
Contact will not collect any special category information about its supporters.
Using personal information
Contact may use supporter information for:
· Dealing with enquiries and requests.
· Processing donations.
· Providing information about Contact.
· Complying with legal obligations, policies and procedures (such as processing gift aid claims).
· Fundraising and marketing.
Communicating with Supporters
Communication with supporters is very important to Contact as their generosity will help transform the lives of the children and young people Contact accommodates and supports and helps shape the service we offer in the future.
Contact believes in being open, honest and transparent with its supporters and want them to feel comfortable and confident when sharing personal information.
Contact will use personal data it holds on supporters to communicate with them about how their generosity has helped to support the children and young people in its care.
Contact may communicate with supporters inviting them to social events through the year.
Supporters may hear from Contact at Easter and Christmas in recognition and appreciation of support that has been given.
Contact will only communicate with supporters in the way they have instructed and will always respect personal privacy.
Storing Information
All personal information will be stored electronically and by paper records.
Electronic Data
All electronic data will have restricted access and be password protected.
Paper Data
All data on paper records will be stored in secure cabinets with restricted access.
Consent
Contact will only communicate with its supporters if it has their written consent. In order to keep supporters wishes updated Contact will periodically contact them to seek consent re “opt out / opt in”.
It is the decision of supporters as to whether they want to receive information about the work Contact does and how it raises funds.
If supporters do not want Contact to use their personal data in this way, they can indicate their preferences on the forms they are periodically sent, or preferences may be submitted to Contact in writing to:
Hannah Martin
Contact Hostel
339 Wilbraham Road
Whalley Range
Manchester
M16.8GL
by email:
by telephone:
0161 861 9806
Personal details will be retained on a “suppression list” to help ensure that no further contact is made with supporters have declined consent.
Disclosures
Contact will never pass personal information about its supporters on to other organisations for them to use for their own marketing purposes.
However, Contact may need to disclose information under the following circumstances:
· To third parties who provide a service to Contact and are data processors. This includes partners that work with Contact in connection with its charitable purposes.
Contact requires these third parties to comply strictly with its instructions and Data Protection Laws.
· Where Contact is under duty to disclose personal information in order to comply with law or the disclosure is necessary for purposes of national security, taxation and criminal investigation.
Marketing to Children
Contact is committed to protecting the privacy of the children and young people that engage with it through our website and fund-raising events.
Contact will never accept individual donations from young people under the age of 18 unless prior written explicit consent from a parent /guardian has been gained.
Young people who are under 18 and wish to take part in fundraising activities must be accompanied by an appropriate adult and have the prior written explicit consent of a parent /guardian.
Where schools and colleges wish to take part in any fund-raising activity it is the responsibility of the school /college to seek consent from parent/guardian.
Keeping Supporter Personal Information
Contact will retain personal data about its supporters for as long as required to operate the charity in accordance with legal requirements and tax and accounting rules.
Where information is no longer required Contact will ensure it is destroyed in a secure manner.
Job Applicants – Paid, Volunteer & Trustee Roles
As part of any recruitment process, Contact collects and processes personal data relating to all job/role applications. Contact will only use the information supplied for the purpose of recruitment.
Information Collected
Contact will collect a range of information about applicants, which may include:
· Name, address, phone numbers, and email address
· Date of Birth
· Qualifications, employment history, skills and experience
· Entitlement to employment in the UK (paid and voluntary)
· Criminal/disciplinary history
· Equal opportunities monitoring information which may include ethnic origin and health. This sensitive information is collected with explicit consent.
· Copies of photographic I.D.
Using Personal Information
Contact collects information about applicants in the following ways:
· Official application
· Applicant in person- such as I.D. and other relevant documents.
· From third parties, such as references from previous employers. References will only be requested once there has been a provisional offer of employment.
Storing Information
All electronic and paper personal information will be stored securely.
Why Personal Data is Needed
Contact needs to process personal data in order to meet its legal recruitment obligations. Therefore, Contact has a legitimate interest in processing personal data during the recruitment process and for retaining records of that process.
It enables Contact to manage the recruitment process, assess and confirm the suitability of the candidate for the role.
Contact processes health information in order to make reasonable adjustments to the recruitment process for candidates who may have a disability. This is to comply with legal obligations in relation to employment.
In Conclusion
Contacts legitimate interest in processing the required personal data demonstrates that it does not override the rights of applicants.
Retaining Personal Information
Personal information about unsuccessful candidates will be held 3 months after the recruitment process has been completed. It will then be securely destroyed; this will include any interview notes for unsuccessful candidates.
Contact does not retain any depersonalized information on unsuccessful candidates.
The data of successful candidates will be transferred to a personal file in line with policies and procedures.
Access to Data
Information will be shared internally with members of the short listing/interview panel, which may include members of the board of trustees and senior managers as appropriate.
As part of the recruitment process Contact will need to share personal information with third parties in order to complete background/ vetting checks such as contacting previous employers and Data and Barring Service.
These checks will only be carried out if there is a provisional offer of the job/role.
Failure to Produce Personal Data
Applicants are under no statutory/contractual obligation to provide data to Contact during the recruitment process. If candidates fail to produce the information required Contact will not be able to consider and progress the application.
Candidates are under no obligation to provide information or equal opportunities monitoring purposes. If candidates wish to withhold such information consideration of their application will not be affected.
Current and Former Employees, Volunteers and Trustees
Contact collects and processes a range of information about its current and former
Employees, volunteers and trustees not only to meet its legal obligations but to provide the best possible working environment and service to the young people it supports.
The information collected and processed by Contact is appropriate to the role which is performed. This will vary depending on whether roles are as employees, casual workers, volunteers or agency workers.
Information Collected
Information collected by Contact may include:
· Date of Birth
· Gender
· Personal image from external CCTV
· Terms and conditions and dates of employment
· Qualifications, previous employment history and information
· Pre-employment references
· DBS results
· Salary information
· Workplace pension data
· Attachment of Earning Demands
· Bank account/N.I. Details
· N.O.K. and emergency contact numbers
· Marital Status
· Nationality and entitlement to work in the U.K.
· Photo I.D.
· Criminal record information
· Non – attendance information
· Annual leave records
· Training Records
· Supervision/appraisal/capability records
· Disciplinary/grievance records
· Medical and health conditions/ethnic monitoring information
· Personal images collected on external CCTV
Information Collected
Information collected will have been gained from the initial recruitment process, using the information on the organisation’s official application forms, C. V’s and documents completed on the commencement of employment.
Other data may be collected post appointment in interviews, supervision/appraisal sessions
And written/electronic correspondence.
Contact may also collect information from third parties which may include pre- employment references and D.B.S. checks as permitted by law.
Storing Personal Information
Personal information will be stored securely together with restricted access.
Why Personal Information is Needed
Contact needs to process personal data in order to enter into a working relationship with its employees and to meet its contractual obligations.
Contact also needs to process data to ensure compliance
Contact has a legitimate interest in processing personal data before throughout and the termination of the working relationship.
Processing staff information enables Contact to:
· Protect children and young people through the use of a safe and robust recruitment process.
· Maintain up to date staff records including records of contractual and statutory rights.
· Keep and maintain records of disciplinary and grievance processes to ensure acceptable professional conduct within the workplace.
· Keep and maintain records of staff performance and related.
· Maintain records of absence and absence management procedures to enable effective management and to ensure employees are receiving the pay and other benefits to which they are entitled.
· Keep and maintain records of other types of leave (including maternity, paternity, adoption, parental and shared parental leave), enabling effective management of the staff workforce. Ensuring that Contact complies with its responsibilities in relation to leave entitlement and that employees are in receipt of pay or other benefits to which they are entitled.
· Ensure effective H.R. administration.
· Provide references on request for current/former employees and volunteers.
· Respond to and defend against legal claims.
· Comply with statutory and legal obligations.
· Promote and maintain equality and diversity in the workplace.
· Produce and maintain CCTV images to ensure the safety and security of the workforce, the children and young people and the property.
In Conclusion
Contact’s legitimate interest in processing the required personal data demonstrates that it does not override the rights of its workforce.
Special Categories of Personal Data
Some special categories of personal data such as information about health conditions are processed in compliance with employment and health and safety legislation.
Information about employee trade union membership is not collected by Contact.
Where other special categories of personal data may be processed, this is done for equal opportunity monitoring and may include ethnic origin and health.
Access to Data
Personal information may be shared with senior managers and when appropriate and required the Chair of Contact’s Board of Trustees or another member of the board with delegated authority.
Contact shares personal data with third parties in order to obtain pre-employment references and checks. It will continue to share personal information with the D.B.S. for rechecking throughout employment.
The service Contact provides to children and young people is subject to external regulation. This may mean that personal data will be shared with inspectors and commissioned service data may be shared with the commissioner (for example – Housing Related Support, Manchester City Council).
Contact also shares data with third parties that process information on its behalf in connection with payroll, pension, benefits and HMRC.
Retaining Personal Information
All personal information will be kept by Contact throughout the duration of employment/working relationship.
After employment/working relationship ceases Contact will retain personal data for 3 years in compliance with employment/financial regulations.
As Contact provides a service to children and young people in order to meet its safeguarding commitments it may need to retain some information until a employee/volunteer has had a 75th birthday.
Visitors to Contact’s Website
Contact’s website may contain links to other websites that are outside of our control so are not covered by this Privacy Notice. If access to other sites is gained using the links the operators of those sites may collect personal information that will be used by them in accordance with their privacy notice which may differ from Contacts.
Contacts website may contain cookies. The website may contain cookies not related to Contact so the third-party website should be checked for information about these.
3. Working with Third Parties
Contact will never sell personal data; however, it may share personal information with third parties in order to provide a service.
Personal data may be accessible to the I.T. company that manages and supports the I.T. system that Contact uses. This access is strictly governed by Contact’s contractual arrangement with them.
Contact does not allow its third-party service providers to use personal information for their own purposes. Contact requires all third parties to respect personal information and deal with it in accordance with data protection legislation.
Contact only permits third parties to process personal information for specified purposes.
Contact may share personal information with selected third parties including the following suppliers, contractors and government agencies:
· Archive and storage systems
· Local Authority/ Health Commissioners
· Printers, Photographers and Film companies
· Insurance companies, solicitors, accountants and pension providers
· I.T. Companies
· Benefits agencies and DBS processors
· HMRC
Contact may also disclose personal information where it is under a duty to comply with any legal obligation in order to protect the rights, property and safety of Contact, its beneficiaries, supporters and others.
Contact will not share personal financial information with third parties unless specific consent is obtained.
When making financial donations via Contact’s website donors are consenting to financial
and personal information being shared with third party organisations necessary for the transaction to take place such as banks and HMRC when claiming gift aid.
Contact is committed to keeping all personal information confidential. When it is shared with third parties it is only done so under contract on conditions of confidentiality and security and strictly for the purpose for which it is intended.
Third Party Websites
Contact’s website may contain links to other third-party websites. This policy only applies to Contact’s website.
If a link has been followed to a third-party website, it is important to read the privacy statement for that site.
Contact does not accept any responsibility for third party websites.
4. Keeping Personal Data Safe
Contact is seriously committed to protecting the security of all personal information. Contact has internal procedures and controls which include:
· Appropriate data collection
· Processing and storage
· Disposal
These safeguards are in place to prevent information being lost, accidently destroyed, misused or inappropriately disclosed.
Personal information is only accessed by employees and/or trustees in the performance of their professional duties.
The I.T. systems that Contact has installed are encrypted.
All emails containing personal information is sent securely.
All hard copies of personal data are stored in secure metal cabinets with restricted access.
5. Storing and Processing Personal Information
The personal information that we collect electronically may be transferred and stored in a location outside of the U.K.
By submitting personal information to Contact, beneficiaries, supporters and employees are consenting to the organisation transferring, storing and processing information in this way.
Contact will take steps reasonably necessary to ensure personal inform is treated securely and in accordance with this privacy notice.
6. Legal Rights
Under the General Data Protection Regulations (GDPR) everyone who has personal information held on them have the following rights:
· The right to be informed
· The right of access
· The right of rectification
· The right to erasure
· The right to restrict processing
· The right to data portability
· The right to object
· Rights in relation to automated decision making and profiling.
If anyone wishes to exercise these rights, please contact the organisation providing as much detail as possible regarding your request. Any changes requested may take up to 30 days to put in place.
The Right of Access to Personal Information
Individuals have the right to access their personal information. This is called a subject access request.
By making a request individuals can find out what personal information Contact holds about them, why it is held and who it is shared with.
Subject access requests must be made in writing to the person below and must include proof of identity. Once the request has been received and identity has been verified Contact will respond within 30 days.
Hannah Martin
Data Protection Officer
Contact Hostel
339 Wilbraham Road
Whalley Range
Manchester
M16 8GL
The Right to Edit and Update Information
The accuracy of personal information is important. Personal information including address and contact details can be edited at any time.
The Right to have Personal Information Deleted
The right to request the deletion of personal data will be considered on a case by case basis.
The Right to Restrict Processing of Personal Information
Individuals have the right to request to block or suppress processing of personal information. However, Contact may continue to store personal information but not further process it. This is done by retaining just enough personal information to ensure the restriction is respected in the future.
This is not an absolute right and only applies in certain circumstances.
The Right to Object
Individuals have the right to object to personal information being processed for marketing and research purposes. Objection requests may be made in writing to the Data Protection Officer- Hannah Martin.
If Contact processes personal information for the exercise or defence of legal claims or it can demonstrate compelling grounds that override rights and freedoms it may not be able to fulfil the request. However, the organisation will contact the individual concerned to have further discussion.
The Right to Make a Complaint to a Supervisory Authority.
If individuals feel unsatisfied with the way Contact has handled their personal information or requests, they may seek advice by contacting:
The Office of the Information Commissioner
Wycliffe House
Water Lane
Wilmslow
Cheshire
Sk9.5AF.
Tele: +44(0) 01625 545745
Website: www.ico.org.uk
7. Use of C.C.T.V.
At Contact we currently have 8 outdoor cameras that all capture different sides of 339 Wilbraham Road and Brigid’s Bungalow. CCTV is there to ensure both the safety of the service users and staff. Contact has all necessary signage outside the property to ensure that people know they are being filmed, in line with legal requirement.
The monitor to the CCTV is placed in the main office which has a locked door that can only be unlocked by putting the correct code into the keypad. No service user is ever to be left alone in the main office without a member of staff. No members of staff are to show service users how to control the CCTV or the passwords that go with logging into the system.
The system is not monitored by a third party, but police are allowed access to the CCTV if ID is shown and there is a reasonable need for them to view it.
In line with our personal information audit, we can keep a copy of the recording for up to 10 years if the recording relates to a service/ex service user.
Service/ex service users do have the right to request any information we hold on them by going to the Information Commissioner's Office Preparing and submitting your subject access request | ICO
Each request will be looked at on a case-by-case basis by Contacts DPO (Hannah Martin & Alison Lievesley)
Images recorded are retained for no longer than 31 days, unless they are required for evidential purposes in legal proceedings; Once the retention period has expired the images are removed or erased.
Log in details to the CCTV can be found in the CCTV cupboard.
In Conclusion
Contact’s legitimate interest in processing the required personal data demonstrates that it does not override the rights of the young people it accommodates and its workforce.
8.Glossary
Anonymisation. This is the process of removing personally identifiable information so that the people who the data describes can stay unknown.
Comply with Legal or Regulatory Obligation. This means producing personal information when the law says it has to be done. Examples may be The Children’s Act, The Leaving Care Act, Health & Safety and Employment Act. Information may need to be provided for the council and other government departments.
Consent. This means that the owner of the personal information understands and freely gives their permission.
The Data Controller. This is the organisation (e.g. Contact Hostel) that is responsible for personal information. They are required to keep it secure, make decisions about what happens to personal information and are accountable if it is lost or not kept confidential.
The Data Processor. This is the natural or legal person or who processes personal information on behalf of an organisation.
Data Protection Act 1998.This is a United Kingdom Act of Parliament designed to protect personal information stored on computers or in an organised paper filing system.
Encryption. This is the method by which plain text or any other type of information is converted from a readable form to an encoded version. Encryption is one of the most important methods for providing information security, especially for end-to-end protection of information transmitted across networks.
General Data Protection Regulations 2018(GDPR). This is the 2018 legal framework that sets out guidelines for the collection and processing of personal information of individuals within the European Union (E.U.).
Legitimate Interest. This means the interests of Contact Hostel conducting and managing its business to enable it to give the best service and the best and most secure experience.
When Contact processes personal information for its legitimate interests, it firstly considers the impact on an individual and their rights under the Data Protection Laws. Contact’s legitimate interests do not automatically override an individual’s interest.
Contact will not use personal data for activities where its interests are overridden by the impact on individuals unless it has consent or is obliged by law.
Personal Data. This means any information relating to an identified or identifiable natural person- known also as the “data subject” Identifiable information may be: name, identification numbers , location information, physical, mental, economic and cultural.
Personal Data Breach. This means a break in the security of personal information leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted or stored.
Profiling. This means any form of automated processing of personal data to evaluate certain personal aspects relating to an individual, in particular to analyse or predict aspects concerning their economic situation, personal preferences, interests and location.
Special Category Data. This means data revealing information which includes racial or ethnic origin, political opinions, religious beliefs, trade union membership, health and sexual orientation.
Subject Access Request. This is an individual’s n right to request a copy of information that is held about them.
Suppression List. This is a list that contains mailing or email addresses that need to be permanently excluded from future correspondence.
Third Party. This means a person, public authority, agency, body or company other than the data subject, controller, processor or persons who, under the direct authority of the controller or processor, are authorised to process personal information.