START treats the privacy of our member’s and volunteer’s personal data seriously. This notice identifies for you some key information about data processing and sets out the type of data we collect from you, why we collect it and how we manage it. Managing data includes identifying the lawful basis for processing data, as well as how we gather, store, process, share, protect and ultimately destroy data.
Our responsibilities relating to data processing are set out the General Data Protection Regulations (GDPR) and Data Protection Act (1998). In line with these provisions, data processing is overseen by our Operations Manager whose principal duties are to inform, advise and monitor START’s compliance with the GDPR.
1. What is Personal and Sensitive Data?
Personal data means any information that may be used to identify you on its own or when combined with other information, will enable identification. Sensitive data is data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership; data concerning health or sex life and sexual orientation. We may collect, use, store and transfer different kinds of personal and sensitive data about you which we have grouped together as follows:
a) Identity Data includes first name, last name, username or similar identifier, date of birth and gender and NHS number.
b) Contact Data includes your address, phone number and email address.
c) Health Data includes any information about your physical or mental health from how you use our Services.
d) Usage Data includes information about how you use our services.
2. Why do we ask for your data?
Your personal data is required to effectively assess you for the appropriate support at START. In addition key data may be used to support our safeguarding / risk responsibilities and other statutory obligations. We also require your data to measure the effectiveness of the services we provide and how they can be improved. This uses aggregated statistics which does not identify you.
3. How do we obtain your data?
We use different methods to collect data from and about you including through:
a) Direct interactions: You may give us any of the categories of data identified in section 2 by filling in forms or by corresponding with us by, phone, email or otherwise.
b) Third Parties: We may receive your personal data from third parties who are referring you to our services. This is typically performed with your explicit consent but could be because there is a legal obligation that applies to the third party.
4. What do we do with your data?
All of the data gathered is processed to effectively assess you for our services and support you accordingly. Our lawful reasons for processing data are available upon request. Note that we may process your personal data for more than one lawful ground depending on the specific purpose for which we are using your data.
We also collect, use and share aggregated data such as statistical or demographic data for performance monitoring purposes. This is not considered personal data in law as this data does not directly or indirectly reveal your identity.
We will not use the personal data you give us or which we collect from you for marketing purposes. We will only use your contact details to correspond with you about your support at START.
We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If you wish to get an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact us. If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.
5. Sharing your Data
Data is shared within the organisation as part of our lawful basis to process and is only shared relevant to the processing requirement. We will not share data with third parties unless there is a lawful / regulatory / legal / contractual requirement or where you have given clear consent. We will aspire to share the minimum amount of data necessary for the purpose and restrict the use of data that directly or indirectly reveals your identify. This can include anonymising your data or producing aggregated statistics or demographic information.
Examples of where we share such information in line with the above include:
a. Contractual reporting
b. Mental Health and Social Care Datasets
c. A referral made on your behalf with your clear consent
d. A referral made for medical purposes including to protect your vital interests
We do not transfer any of your personal data outside of the European Economic Area.
Examples of third parties include but are not restricted to Greater Manchester Police, Local Authorities, Greater Manchester ICS including the Salford Locality Team, Public Health England (PHE), Greater Manchester Mental Health Trust, Salford CVS and other voluntary sector partners.
6. Retaining your data
The length of time we will retain your information depends on who you are and the type of information. In general we will retain the information you provide for the purposes set out in this notice for a period 8 years after the last contact with you. The circumstance where this may be different includes if you are under the age of 18 when you start receiving services from us or if you are subject to the Mental Health Act. CCTV data is reviewed regularly and is retained for a period of 3 months.
7. Data Protection Rights
The following information is intended to help you understand you rights in relation to personal and sensitive data as provided by either the Data Protection Act (1998) or the General Data Protection Regulation 2016.
The right to be informed: This relates to what information we are required to provide you about data processing. This Privacy Notice represents the way in which we inform you of this information.
Right of access: You (i.e. the data subject) have the right to access particular personal and sensitive information that we hold about you. This is known as a Subject Access Request. We shall respond promptly (usually within one month from the point of receiving the request and all necessary information from you.) This provision is usually free of charge, however we retain the right to charge a reasonable fee when we believe a request is unfounded, excessive or repetitive.
Right to rectification: You have the right to obtain from us, without undue delay, the rectification of inaccurate or incomplete personal data that we hold concerning you.
Right to erasure: You have the right to request the deletion or removal of personal data where there is no compelling reason for its continued processing. We have the right to refuse to comply with a request for erasure and if this applies we will tell you the reason why.
Right to restrict processing: Subject to exemptions, you shall have the right to restrict processing where:
· You contest the accuracy of the information we hold and it is restricted until the accuracy is verified,
· You have objected to processing (where it is necessary for the performance of a public interest task / legitimate interest) and we are considering whether our grounds override your rights
· Processing is unlawful and you oppose erasure, requesting restriction instead,
· We no longer need the data, but you require the data to establish, exercise or defend a legal claim.
Right to Data Portability: You have the right to request that we transfer the data that we have collected to another organisation, or directly to you, under certain conditions.
Right to Object: You have the right to object to processing on grounds relating to your personal circumstances. This provision applies to the processing that is undertaken for legitimate interests / the performance of a task in the public interests (includes personal profiling) and processing for purposes of scientific / historical research and statistics. In such cases we will stop processing unless we can demonstrate i) compelling legitimate grounds which override your interests, rights and freedoms ii) the processing is for the establishment , exercise or defence of legal claims. This right extends to processing for the purposes of direct marketing (including profiling) which must be stopped outright.
Right not to be subject to decisions based solely on automated processing: We do not carry out any automated processing which may lead to automated decision making based on your personal data.
Information accuracy: We take all reasonable steps to ensure the accuracy of the personal/ sensitive data that we hold and provide.
8. Website privacy
If you wish to sign up to any login area, order or download materials or get involved with us in any other way you may need to complete a form with your details.
If you register for an account with START, we need your details in order to keep you updated on the work we do, to keep you informed of other services that may be of interest to you and of opportunities to get involved with the organisation. We will only do this if you agree that you wish to be kept updated.
9. How to contact us
If you have any questions or concerns about this privacy notice, the data we hold on you, or you would like to exercise one or more of your data protection rights, please do not hesitate to contact us at:
START, Brunswick House, 62 Broad Street, Salford, M6 5BZ
10. How to contact the appropriate authority
If you feel that we have not addressed your concern in a satisfactory manner or should you wish to report a complaint, you may contact the Information Commissioner’s Office at:
Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF or by telephone on 01625 545 745.