We are committed to protecting your privacy and we take our responsibilities seriously. We will use your personal information in accordance with the provisions set out in the Data Protection Act 2018, the General Data Protection Regulations 2018 and the Privacy and Electronic Communications (EC Directive) Regulations 2003.
We need to process data about the people to whom we provide support and about the people who support us as employees, donors and volunteers. This privacy statement outlines what data is collected, how it will be used, and what your rights are as a data subject.
This statement aims to be as full as possible but it is not an exhaustive list of every aspect of our data collection and processing. We would be happy to provide further information or explanation in any specific instance. Details of how to contact us are given at the end.
Why we collect your data and how we collect it
We will collect only the personal data and sensitive personal data needed both to communicate with you and to provide services to you. The data collected will depend on the specific circumstances.
What data we collect
The data we collect will vary according to the nature of your relationship with us.
We are likely to collect more complete data in respect of users of our services in order to be able to provide a better service and this may include sensitive personal data. You should always be aware that the data you give us will be recorded.
If you are a donor we do not store card payment details and we advise you not to include payment details in any e-mail to us.
We may collect data from members of the public for the purposes of obtaining funding or information about the services that we provide or that may be required; such information will be anonymised.
We may collect data about you in order to send you news and updates about our work, fundraising and events.
The legal basis for processing your data
We will ensure that where we collect and process your data we will do so in accordance with the lawful bases defined by data protection laws. Depending on the purposes for which we use your data one or more of those bases may be relevant:
Consent: where we have obtained your consent to use your information for specific purposes.
Contract: where we enter into a contract with you.
Legal Obligation: where the processing is necessary for us to comply with the law.
Vital Interests: where the processing is necessary to protect someone who is at risk of serious harm or abuse.
Legitimate Interests: where the processing is necessary for our legitimate interests or those of a third party, unless there is good reason to protect the individual’s personal data which overrides those legitimate interests.
For donors and administrative volunteers in most cases it is the bases of consent and legal obligation which will be relevant and only unusually shall we rely on the basis of our legitimate interests.
For service users all four bases will be relied upon, in particular that of legitimate interests.
Where legitimate interests have been identified as the lawful basis for processing data we will ensure that its use is fair and not intrusive and is used only in a way or for a purpose that you would reasonably expect. If you do not wish to share your data with us we may be limited in the support or service that we can offer to you and may not be able to provide any service. We are committed to protecting the privacy of any young people with whom we work and where aged under 13 we will always ask for parental or guardian consent.
In respect of special category data we shall record a special category condition for the processing in accordance with Article 9 in order to demonstrate compliance and accountability. We will not process data about criminal convictions or related security measures save in accordance with Article 10.
For employees, service volunteers and applicants the bases of consent, contract, legal obligation and legitimate interests will be relied upon. Your personal data will be collected for administration and for equality and diversity monitoring. The data of unsuccessful applicants will be disposed of securely after 12 months while that of successful applicants will be retained in their personal files both while they remain employees and service volunteers and afterwards. We will need to share the data of successful applicants in order to contact referees or carry out a DBS check.
For website and social media users the bases of consent and legal obligation will be relied upon. Our website contains links to other websites of interest. It is important for you to note that once you have left our site we have no control over any other website or social networking media and we cannot be responsible for the protection and privacy of any information which you provide while visiting such sites.
We may use your personal information to inform relevant third parties such as your internet provider or law enforcement agencies if you post or send any content we believe to be inappropriate, offensive, illegal or in breach of data protection laws.
For our Professional and Organisation Contacts we will normally rely upon the bases of consent, contract and legal obligation. We will collect data on our professional and organisation contacts with whom we work. We may send them information and updates about our work and they may opt out of receiving this information at any time.
Retention of your data
The time for which we keep your data takes into account legal and insurance requirements, regulatory guidance and our legitimate interests. Once the retention period has expired we will dispose of the data securely by confidential waste disposal, anonymisation or permanent deletion.
Service users: We will keep these records for seven years after your last engagement with us. In the case of a person under 18 years we will keep the records for seven years from their 18th birthday. In specific cases we may need to keep the records for a longer period.
Donors and Supporters: We will keep these records for seven years after your last donation or engagement with us. If at any time you request no further contact from us we will keep some information about you on our suppression list to avoid sending you unwanted materials in the future, together with any information required to comply with our legal obligations.
Security of your Data
We have appropriate operational and technical measures in place to protect your personal data and ensure its confidentiality and availability. All information provided to us is stored securely and is accessible only to those who are authorised to have access to it. We will take all reasonable steps and measures to ensure that the information you give us is protected against loss, misuse, unauthorised access or disclosure.
In the unlikely event that a data breach should occur we will take appropriate steps to mitigate and where possible rectify any breach and report where required to the Information Commissioner’s Office and data subjects.
The personal data of our service users will be stored on the NHS computer systems used by Caen Medical Centre. Any data collected from other persons will be stored as paper records though in the case of names, telephone numbers and e-mail addresses these may also be stored on the individual PCs of committee members. If information relating to an individual other than a service user is held in a cloud storage system their consent to such storage will be obtained. Any information displayed on our website will be held in a cloud storage system outside the EEA.
Disclosure of your Data: We will never share your data with any third parties for the purposes of their own marketing. We will only share your data with third parties where:
- it is to a secure data processor carrying out processing activities on our behalf
- we are required to do so by law
- it is necessary to protect the vital interests of an individual
- we have obtained your consent
We are required to share some information with our funders and for third party monitoring and quality assurance and where possible such information will be anonymised.
Use of data processors: we may use third party organisations for research or for surveys and in these cases the data will be anonymised.
Your Rights and Complaints
You have the full protection of the General Data Protection Regulations 2018 to access, rectify, erase, restrict, object or complain regarding your data. If you wish to exercise any of these rights please write to us detailing your request together with evidence of your identification. We reserve the right to require further identification at our discretion. We may also require further information to help us to locate our records. In certain cases we may refuse to erase information held by us if, for example, it would be contrary to our legal obligations or legitimate interests.
We are registered with the Information Commissioner’s Office as a Data Controller under the registration number: ZA774988
Our registered address is:
Caen Medical Centre
This statement was last updated July 2020. If any significant changes are made to the way in which we use your data we will update this Privacy Statement and make you aware of that in our next communication with you.