Changing Lives' Privacy Notice
This Privacy Notice sets out how Changing Lives uses and protects any information you give us. We regularly update our Privacy Notice and this version was last updated in April 2019. It is designed to be as comprehensive as possible, but it does not include an exhaustive list of every occasion where we collect and process personal information or data. However, we would be happy to provide any further information or explanation about our practices if you contact us directly.
CONFIDENTIALITY AND SECURITY
We take our duty to protect your information very seriously and work to ensure that it is kept confidential at all times. We ensure that the confidentiality and security of personal data both computerised and on paper, is protected and that the most appropriate people have access to it.
At Changing Lives, we have a Caldicott Guardian, who is responsible for protecting your confidentiality and healthcare information, making sure it is appropriately used. We receive advice on data protection from an external Data Protection Specialist, Hope & May.
Our Caldicott Guardian is Becky Elton.
Our point of contact for all data protection matters is Erika De Filippo.
COLLECTING PERSONAL DATA
To help us deliver the right services to you CHANGING LIVES needs certain information about you. This means that we have a “legitimate interest” in collecting some of your information.
In certain cases we may use your data to carry out a contract that we have with you or with another service provider. It is often necessary to process your data in order to deliver a service. Processing can mean updating our IT systems or files. This is also covered by ‘legitimate interest’. In certain cases where we need to seek your consent to process your personal data, we will contact you directly. When using personal data, CHANGING LIVES complies with the Data Protection Act (2018), and is the registered ‘data controller’. Our data protection notification is registered with the Information Commissioner’s Office (ICO), reference: Z9183381. To make it clear how we collect and use your personal data, and to help you understand your rights, our privacy notice is divided into the following areas:
- personal data
- why we collect your data
- information we collect
- collecting personal data
- using your personal data
- transferring personal data abroad
- further processing of personal data
- your rights relating to personal data
- visiting our website and links to other websites
- unsolicited mail
- third parties
If you have questions about this privacy notice, want to exercise any of your legal rights, or you have a complaint about how your personal data has been used, please:
- Email: email@example.com
- Phone: 0191 2738891
- Write to: Data Protection Point of Contact, CHANGING LIVES Central Office, H26 The Avenues, Eleventh Avenue North, Team Valley, Gateshead NE11 0NJ
‘Personal data’ is any information that relates to an identifiable living person; this can be a name, identification number (e.g. a National Insurance Number) or Date of Birth.
For the purposes of data protection law the term ‘personal data’ also includes personal information that has been “pseudonymised”. This means data that has been changed so that it cannot be directly connected to you.
WHY WE COLLECT YOUR DATA
We collect personal data for many reasons, including to provide you with services, communicate with you and send you information you have requested. Depending on your relationship with us we may process data for the following reasons:
- to provide you with advice, support that you have requested or been referred to
- to record and contact you regarding payments you make to us or our partners
- to administer services CHANGING LIVES provides to you
- to communicate with you regarding our work, fundraising, and campaigning activities
- to process donations and administer Gift Aid information for any donation you make to CHANGING LIVES
- to process a purchase via one of our charity shops
- to provide you with information about and to administer events
- for our own internal administrative purposes, and to keep a record of your relationship with us
- to manage your communication preferences
- to process job applications or volunteer placements
- to conduct surveys, research and gather feedback
- to obtain information to improve our services and user experiences
- to address and resolve complaints about CHANGING LIVES and our services
- to comply with applicable laws and regulations, and requests from statutory agencies
- to comply with our contractual obligations to our funders
INFORMATION WE COLLECT
Here are some examples of the type of personal information we collect depending on your relationship with us.
- your full name and date of birth
- contact details – including your postal address, telephone number(s), and email address
- National Insurance number
- details of your case when providing you with advice or services
- your bank details
- records of your correspondence and engagement with us
- donation history and Gift Aid details
- photographs, video or audio recordings
- biographical information
- other information you share with us
This information may be collected via:
- any paper forms you complete
- information from IT systems we and our contractors have
- telephone, email conversations, or face-to-face interactions
- digital forms completed via our website, or online surveys
- third-party companies and websites such as Just Giving
- publicly available sources
- communication via social media
COLLECTING PERSONAL DATA
When we collect your personal data we will:
- ensure you know and understand why we need it
- only ask for what is necessary for the service we’re providing to you
- protect it and make sure nobody has access to it who shouldn’t have
- ensure you know if you have a choice about giving us information
- make sure we don’t keep it for longer than is necessary
We ask that you give us accurate information, tell us about any mistakes e.g. a name which is spelt wrongly and to tell us as soon as possible of any changes.
USING PERSONAL DATA
The amount and type of personal data we collect depends on how and why you contact us, as well as the service you’re requesting and in some cases we’ll need to collect sensitive personal data. For some services we’ll use your data under a contract. Where we do not directly provide a service, we may need to share your personal data with our contractors. Where we do this, we have received confirmation from them that they also keep your data secure in line with the Data Protection Act (2018). These providers must therefore keep your details safe and secure, and use them only to provide the service. We may be required or permitted, under data protection legislation, to disclose your personal data without your explicit consent. For example, if we have a legal obligation to do so, such as law enforcement, regulation and licensing, criminal prosecutions and court proceedings. We’ll keep your personal data for as long as we are legally obliged to do so or in line with our document retention policy and when we no longer need to keep it, we will delete it or destroy it securely.
FURTHER PROCESSING OF PERSONAL DATA
Before we use personal data for a new purpose for example if we need to share it with somebody who we haven’t already told you about we’ll contact you to set out the reason for this and tell you about how we will process your personal data. Where necessary, we’ll ask for your consent before any new processing of your personal data, for example if we ask someone else to deliver a service for us.
We would love to keep you up to date with our fundraising, marketing and campaign activity. We use a range of marketing activities and channels to contact our supporters – including our website, face-to-face fundraising, direct mail, SMS/text campaigns, email, and telephone. We will seek to obtain your consent to contact you by email and text message for marketing purposes. We will also obtain consent from all new supporters to make marketing calls.
We will send you marketing by post, on the basis of it being within our legitimate interests to do so, unless you specifically opt out. We will also contact existing supporters by phone on this basis (unless they are registered with the Telephone Preference Service or have opted out of receiving marketing communications from CHANGING LIVES).
OUR ETHICAL FUNDRAISING PROMISE
We will never sell or rent your data, and we promise to keep your details safe and secure. We will treat your details with utmost care and respect, we will not pass on your details, cold-call you, or ask for donations on the high street (known as ‘chugging’).
We send the following marketing materials:
- Updates about Changing Lives’ work – including newsletters, magazines, and other publications informing you about our work
- Campaigns – information about our campaigning activities, including how you can support such campaigns, (for example by lobbying influential figures or signing a petition), and updates about the progress of our campaigns
appeals and fundraising activities – including requests for donations, information about how you can leave us a gift in your will, how you can raise money on our behalf, attend or take part in a fundraising event, communications relating to our lottery and raffles, and updates on the impact that your fundraising activities have had on our work
- Events – including details of our events such as our Recovery Relay or other sponsored activities. Please note that if you sign up to a CHANGING LIVES event, we will also send you administrative communications about how you can take part. On occasion we will also send you a reminder about the same event in future years, in case you want to participate in it again
- Volunteering – information about how you can help support CHANGING LIVES by giving up your time or using your influence to help us, along with updates on the impact of your work.
- Professional services – including details of the professional services that we offer, such as training.
We will never share or sell your personal data to a third-party organisation for its marketing, fundraising or campaigning purposes. You can withdraw your consent, unsubscribe from or update your marketing preferences at any point using the details in the ‘Contact us’ section of our website. Any electronic communications, such as emails we send to you, will have a link to unsubscribe from future electronic communications, so you can manage your own communication preferences.
If you make any changes to your consent, we will update your record without undue delay and at the latest within one month of receipt. It may take 60 days for our systems to update and stop any postal communications from being sent to you. Email communications will, however, be stopped immediately. If you tell us you do not wish to receive marketing, fundraising or campaign communications, you may still receive transactional and service-based communications confirming and servicing other relationships you have with us (as described below). You can also opt out of receiving marketing communications from us by signing up to the Fundraising Preference Service.
ADDITIONAL ADMINISTRATIVE COMMUNICATIONS TO OUR SUPPORTERS
In addition to the fundraising and marketing communications that you receive from CHANGING LIVES, we will also communicate with you by post, telephone, and email about any administrative and transactional matters. For example, we may call you after you have set up a Direct Debit to confirm your details, and also upon cancellation. There may also be other occasions where we need to contact you about your donation – for example, if there is a problem with a payment or in relation to your gift aid declaration.
On occasion, we will also contact you about an event that you have signed up to participate in, for example, to check that fundraising pages have been set up and to provide any other necessary information.
APPLYING FOR A JOB WITH CHANGING LIVES
When you apply for a job with us, your personal data will be collated to monitor the progress of your application, and the effectiveness of the recruitment process through the statistics collected. Where we need to share your data – such as for gathering references, obtaining a Disclosure and Barring Services check (depending on the role), or a prison clearance (depending on the role) – you will be informed beforehand, unless the disclosure is required by law. These checks are only done after a position has been offered only to the successful candidate. On the application form, you are asked to complete the referee details, and can tick permission to contact referee. If you tick yes, once offered a role, we will automatically send out reference requests. If you tick no, we will contact successful candidates for permission first.
Personal data about unsuccessful applicants is held for 12 months after the recruitment exercise for that vacancy is complete. You, as an applicant, can ask us to remove your data before this time if you do not want us to keep it.
Once you have taken up employment with Changing Lives, we will compile a file relating to your employment. The information contained in this will be kept secure and will only be used for purposes directly relevant to your employment. Once your employment with us has ended, we will retain the file in accordance with our retention and disposal procedure and any relevant employment legislation and then disposed of securely.
TRANSFERRING PERSONAL DATA ABROAD
If we process your personal data using Information Technology (IT) services hosted outside the European Economic Area, we will only use those services which have a data processing agreement to make sure that any organisation we share data with complies with the General Data Protection Regulation/Data Protection Act (2018).
YOUR RIGHTS RELATING TO YOUR PERSONAL DATA
You have a number of rights under data protection law depending on the basis for collecting your data. Full details of your rights can be found on the Information Commissioners Office website at www.ico.org.uk
THE RIGHT TO BE INFORMED
You have the right to be told how your personal data is processed. This applies whether or not you supply your personal data to us, or whether we obtain your data from a third party. We’ll inform you how we’re processing your data using privacy or consent notices to explain what we are doing with your personal data and why we are using it.
THE RIGHT TO ACCESS TO YOUR PERSONAL DATA
You have the right to request access to personal data held about you; this is known as making a ‘Subject Access Request’ (SAR). If you want to do this please contact us for a form to complete which will help us to process your request. Forms will also be available on our website.
THE RIGHT TO RECTIFICATION OF YOUR PERSONAL DATA
If your personal data isn’t accurate or complete, you have the right to ask for this to be rectified. We’ll always comply with a request, unless there is a legal reason why we can’t. Where we can’t rectify your information we’ll give you an explanation.
THE RIGHT TO HAVE YOUR PERSONAL DATA ERASED (THE “RIGHT TO BE FORGOTTEN”)
In certain circumstances you have the right to ask for any information held about you to be erased. We must legally erase any information where there is no compelling reason for us to be processing it. Where we cannot comply with a request to erase your information we’ll provide an explanation.
THE RIGHT TO RESTRICT THE PROCESSING OF YOUR PERSONAL DATA
In certain circumstances you have the right to ask for the processing of your personal data to be restricted. This is similar to asking for your data to be erased, but in this instance, it means that we can only store/hold your information and can’t process it in any other way. For example,
- where you have asked a question about the accuracy of your information and processing is restricted until this is verified
- where you have objected to processing and we are considering the legal implications of complying with your request
We’ll provide an explanation to you where we cannot comply with a request for restriction of processing because there is a legal reason not to.
THE RIGHT TO OBJECT TO CERTAIN TYPES OF PROCESSING
You have the right to object to certain types of processing of your personal data. If you object to the processing of your information and there is a legal reason why we cannot comply we’ll provide an explanation.
THE RIGHT TO ASK FOR YOUR DATA TO BE SENT TO ANOTHER ORGANISATION (DATA PORTABILITY)
There are some limited circumstances where you have the right to ask us to transfer your personal data to another organisation. However, to exercise this right:
- you must have given your information to us directly
- we must only be processing your data on the basis that you have given your consent or we are processing it to fulfil a contract.
- the processing of the data is carried out by automatic means
In such cases we’ll always comply with requests to provide your data where possible, and if we cannot we’ll explain why we can’t.
THE RIGHT TO OBJECT TO AUTOMATED DECISION MAKING
CHANGING LIVES does not use automated decision making, but for clarity automated decision making is where a decision has been carried out by a computer system with no human intervention. If this ever was the case you have the right to object to this and have a member of staff look at the decision that had been made. We’ll tell you where we are making automated decisions about you and how to get us to look at any decisions again.
THE RIGHT TO RAISE A COMPLAINT WITH THE INFORMATION COMMISSIONER’S OFFICE (ICO)
If you have a concern about the way we handle your personal data, you can contact the Information Commissioner’s Office.
If the Information Commissioner’s Office (ICO) thinks we have not complied with legal obligations they can give us advice and ask us to solve the problem. The ICO cannot award you compensation, their main aim is to improve the information rights practices of organisations. The ICO will not usually investigate concerns where there has been an undue delay in bringing it to their attention and so you should raise your concerns with them within 3 months of your last contact with us about your issue. There are some circumstances where other laws prevent us from complying with some of your rights and where this is the case, we’ll provide an explanation. Find out more about your legal rights from the Information Commissioners Office (ICO).
EXERCISE YOUR LEGAL RIGHTS
If you want to exercise any of your legal rights, or if you have a complaint about how your personal data has been used contact us first to see if we can resolve your issue.
- Email: firstname.lastname@example.org
- Phone: 0191 2738891
- Write to: Data Protection Officer, CHANGING LIVES Central Office, Unit D13 Marquis Court, Tenth Avenue West, Team Valley, Gateshead, NE11 0RU
WHEN VISITING OUR WEBSITE
VISITING OUR WEBSITE AND LINKS TO OTHER WEBSITES
We are the sole owner of the information collected via our website. It does not store or capture personal data of users with general public access, (but does log the IP address of a visitor). This enables us to see which pages people look at and helps us to improve our services.
Our website privacy notice does not cover external websites and we encourage you to read the privacy notices on any other websites you visit.
Our website also lists email addresses for external organisations. Please note that CHANGING LIVES cannot guarantee what will happen to your personal data if you email an external organisation.
By using our website you are consenting to certain types of cookie being placed on your device. See our cookies policy.
Where our website links to external resources or websites, these may add their own cookies and this is outside of our control. Cookies can be disabled by changing the settings in your browser, but you may need to re-enter information at times.
Emails that we send to you or you send to us, may be retained as a record of contact and your email address stored for future use in accordance with our record retention policy and procedures. If we need to email sensitive or confidential information to you, we may perform checks to verify the correct email address and may take additional security measures.
You will not receive unsolicited paper or electronic mail as a result of sending us any personal data while using our website, unless you have given us permission to do this, for example, by signing up to receive our newsletter. You can unsubscribe from the newsletter at any time and details of how to unsubscribe are in the newsletter.
We do not pass personal data to third parties for marketing, sales or any other commercial purposes without your explicit consent. If we have to share your personal data with another organisation, we make sure that they comply with the principles of data protection legislation, and our procedures and instructions, when they use your information on our behalf.
We have installed CCTV systems in some of our premises for the purposes of public and staff safety and also crime prevention and detection. CCTV is also installed on the outside of some of our buildings for the purposes of monitoring building security and crime prevention and detection. The purpose for processing this information is for security and safety reasons. The lawful basis we rely on to process your personal data is article 6(1)(f) of the GDPR, which allows us to process personal data when it’s necessary for the purposes of our legitimate interests.
WHY WE GATHER INFORMATION AND HOW WE USE IT
The main purpose of the CCTV system is to provide a safe environment for anyone on the premises. However, if necessary it will be used to
- detect, deter and prevent crime and disorder
- to help identify, apprehend and prosecute anyone committing a criminal offence;
- to provide the Police/Changing Lives with evidence to enable criminal and/or civil proceedings to be brought in the courts.
Some examples of how we use your data are provided below (please note this is not an exhaustive list):
- monitoring for Health and Safety purposes
- detection and prevention of anti-social behaviour
- the investigation and detection of crime
- providing evidence in criminal proceedings (police and criminal evidence act 1984 and criminal procedure and investigation act 1996)
- the prevention and reduction of crime and disorder
- Performance management including the investigation of any staff performance or disciplinary issues
MONITORING OF FOOTAGE
CCTV footage is monitored by Changing Lives staff based in Project Offices
POSITIONING OF CCTV CAMERAS
Whilst each project has its own requirements for the positioning of cameras, Changing Lives will ensure that no cameras impact on an individual’s personal privacy.
For this reason, CCTV cameras are only located in shared and communal areas which are accessed by all clients, visitors and staff. These include places such as entrances, exits, corridors, communal rooms and staff offices.
Appropriate signage is displayed to inform people that CCTV is in operation on the premises
THE TYPE OF INFORMATION COLLECTED
Video recording images of an identifiable individual.
WHO YOUR INFORMATION MAY BE SHARED WITH
Information may be shared with other agencies such as the police, ambulance, fire service, and other relevant agencies as required in the event of an emergency and the prevention or detection of crime.
CHANGING LIVES STAFF
Information may also be shared with specific teams within Changing Lives for the purposes of staff training, performance management and the investigation of any disciplinary issues.
HOW LONG WE KEEP YOUR INFORMATION
On average we will keep footage for between 21 and 28 days although evidence supplied to the police for criminal cases may be retained for longer.
HOW YOU CAN ACCESS YOUR INFORMATION
Recorded material is not provided to members of the public or media organisations for profit, gain or commercial exploitation.
This does not affect the right of individuals to access any personal data under the provisions of the Data Protection Act 2018. Any request for personal data is known as a ‘Subject Access request’.
All requests for CCTV material will be in writing, logged and subject to a signed handover detailing the basis for the request and authorising officer. This process is subject to regular review.