Advocacy Matters - Privacy Notice (May 2018)
The General Data Protection Regulation (GDPR) (EU) 2016/679 is a regulation in EU law on data protection and privacy for all individuals within the European Union and the European Economic Area. It also addresses the export of personal data outside the EU and EEA. It comes into force on 25th May 2018. The following paragraphs contain information about the GDPR and how it may affect you where there are circumstances that Advocacy Matters collects, holds and processes your personal data.
To understand the General Data Protection Regulation (GDPR) (EU) 2016/679 completely please refer to the following link: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/
At Advocacy Matters we provide independent advocacy support to individuals, adults and children, who require this support in a variety of circumstances. This may be as a result of their being referred for support by a public body such as a local Council. This might be because they are eligible for advocacy support through legislation such as the Care Act 2014, the Mental Capacity Act 2005 or the Mental Health Act 1983.
We also provide independent advoccay support which is not covered by legislation. We call this type of independent advocacy support, non-statutory. In non-statutory circumstances you may refer yourself or be referred by someone else but it is not because of a legal obligation upon someone or some organisation.
We collect, hold and process information, including some personal data about you. This allows us to provide our services to you more effectively.
We understand that your personal data is important to you, and we have a responsibility to you regarding the information we hold about you, to ensure that the information we collect and use is done so proportionately, correctly and safely.
We are committed to safeguarding your privacy and here we explain how we will handle your personal information.
Advocacy Matters is registered as a ‘data controller’ with the Information Commissioner’s Office (ICO). Our registration details are:
Advocacy Matters Ltd
198 Boldmere Road
Our registration No: Z7117402
Advocacy Matters’s Data Protection Officer can be contacted as follows:
Advocacy Matters Ltd
198 Boldmere Road
The reason for processing your data
We collect, hold and use personal data received about you to enable us to provide services to you. This information about you may be shared with us by a public body who has contracted with us to provide you with a service, normally independent advocacy. In some circumstances, we may collect this information from you directly. For example, when you complete a referral form for independent advocacy support.
The amount and type of information we hold on you depends on the services we are providing to you.
What is 'personal data'?
'Personal data' means any information relating to a person who can be identified, directly or indirectly, from that information. This could include your name, your address, some form of identification number such as your National Health Service number, or an online identifier (such as IP address on the Internet)
What data do we collect?
The personal information we collect might include name, e-mail address, postal address, telephone number and the nature of your enquiry. We may also collect sensitive personal information such as date of birth, ethnicity and other information required to allow us to review whether our services reach all sections of the community (which may be due to a contractual obligation under any funding we receive for providing the service), and information about your advocacy need which may include details of a personal nature if this is required for the purpose you have contacted Advocacy Matters.
What do we use the data for?
If you have contacted us for advocacy support directly, or been referred to us by another person, we will only use the information provided to help us work with you and to record information required by the organisation that funds us for the work (such as a local authority). We may also use the information to assist us to monitor the quality of our service.
Data Protection Principles
When we process your personal data we will do so in accordance with the data protection principles. These principles are designed to protect you, and ensure that we:
- process your information lawfully, fairly and in a transparent manner
- use your information for a specified, explicit and legitimate purpose and not further processed in a manner that is incompatible with that purpose
- only obtain adequate, relevant and limited information to allow us to carry-out the purpose for which it was obtained
- ensure the information we hold about you is accurate and, where necessary, kept up to date
- keep any information for no longer than necessary for the purposes for which it was collected and
- process your information in a manner that ensures appropriate security of your personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
What is the legal basis for processing the information?
The processing of 'personal data' needs to be done ‘lawfully’. There needs to be a 'legal basis' for processing the data. There are a number of conditions that, if they apply, means that the data is being processed 'lawfully'. However, there are some exemptions to this. For a more detailed explanation of the 'legal basis' for processing data please refer to the following link: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/
- You have given consent to the processing of your personal data for one or more specific purposes
- Processing is necessary for the performance of a contract to which you are a party, or in order to take steps at your request prior to entering into a contract
- Processing is necessary for compliance with a legal obligation to which we are subject. (For example processing staff personal data to comply with our legal obligation to disclose employee salary details to HMRC)
- Processing is necessary to protect your vital interests or the vital interests of another natural person
- Processing is necessary for the performance of a task carried out in the public interest and
- Processing is necessary for the purposes of legitimate interests.
Obtaining your consent
There are some circumstances where it is necessary for us to obtain your consent to collect, hold and process your personal data. This will be when we need the personal data to help us to deliver a service to you. This will normally be where we are providing independent advocacy support to you. You will normally be asked for your consent at the time that you make a referral or a referral is made on your behalf.
In these circumstances your consent to process your personal data must be 'specific, informed, active and affirmative'. This means that your consent must be clear and freely given by you after we explain what further processing we would like to do with your data. This means that you can make an informed decision about whether you consent to the processing or not.
You are in control and you can withdraw your consent at any stage by contacting the Data Protection Officer at the above address. Please note that any processing that has taken place up to the time that you withdraw consent will be considered lawful.
Recording and managing your consent
Once your consent is obtained we will keep a record of when you gave your consent, the information that was provided to you and how you consented. Your consent will be reviewed periodically to ensure it remains appropriate, and, as previously stated, you have the right to withdraw your consent at any stage.
You have certain rights in relation to the personal information we hold about you. These may include:
- Right to be informed – you have a right to be told how we use your personal data. We communicate the right to be informed via this privacy notice.
- Right of access – you have the right to request a copy of the information that we hold about you.
- Right of rectification – you have a right to correct data that we hold about you that is inaccurate or incomplete.
- Right to erasure (right to be forgotten) – in certain circumstances you can ask for the data we hold about you to be erased from our records.
- Right to restrict processing – where certain conditions apply to have a right to restrict the processing.
- Right of data portability – you have the right to have the data we hold about you transferred to another organisation.
- Right to object – you have the right to object to certain types of processing such as direct marketing, the performance of a legal task and scientific or historical research.
- Right to object to automated processing, including profiling.
- The right to withdraw consent - If the legal basis for our processing of your personal information is consent then you have the right to withdraw that consent at any time.
There are circumstances where your rights will not apply, for example the right to erasure will not apply if your personal data is required for legal proceedings. To fully understand your rights please use the following link: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/
Not all of these rights will necessarily apply to the personal data that Advocacy Matters holds. We do not use your personal data for direct marketing or research. We do not use your personal data for profiling purposes.
How to exercise your rights
You may exercise any of your rights in relation to your personal data by writing to us at the address above by sending a Subject Access Request. You can download a Subject Access Request Form here. It will help us to process your request quicker if you ensure that you confirm which right you wish to exercise along with the reasons why.
Guidance Notes on how to complete the Subject Access Request form are attached as Appendices to the form. We will respond to your request within 30 days.
We will only retain your personal data for as long as necessary and in accordance with our retention schedule. When your personal data is no longer needed it will be securely deleted, except where such retention is necessary for compliance with a legal obligation to which we are subject, or in order to protect your vital interests or the vital interests of another person.
Any information that we collect and process about you is stored and transmitted within the United Kingdom and the European Economic Area only. Your personal information is stored online on a Cloud based secure server systems architecture.
We take the security of your personal data very seriously and have systems in place to make sure that the personal information is kept secure, accurate, and current. We will only hold your personal information for as long as is necessary for the purposes for which it was collected and it will be deleted in accordance with our data retention schedule.
We will not share your information with other parties other than for the purposes of providing the service you have contacted us about, although we may be required to share information with the council or other organisation that is funding us to provide the service.
If we do share your information, we will ensure you have provided consent to enable us to do this, for example when a service transfers to another provider, or if you have agreed specific information can be used for a particular purpose.
We will continually review and update this privacy notice to reflect changes in our services and feedback from service users, as well as to comply with changes in the law. When such changes occur, we will revise the "last updated" date at the top of this notice.
If you wish to make a complaint about how we process your personal data, then in the first instance please contact the Data Protection Officer in the 'Our details' section.
If you are still dissatisfied with how we have handled your complaint then you have the right to complain to the Information Commissioners Office (ICO).The ICO can be contacted as follows:
The Information Commissioner
Telephone: 08456 306060