Holloway Neighbourhood Group - Privacy Notice
1. AIM & INTRODUCTION
This Data Protection and Privacy Policy aims to support Holloway Neighbourhood Group’s (HNG) commitment to maintaining the confidence and trust of our service users, partners and other stakeholders. We protect the privacy of information in line with the principles and rights below.
HNG’s privacy policy is compliant with UK General Data Protection (UK GDPR) from 2021, tailored by the Data Protection Act 2018 (DPA 2018) and the Privacy & Electronic Communications Regulations (PECR). For the purpose of this policy, HNG is the Data Controller and is entered on the Data Protection Register (certificate number Z1056966).
People about which we hold information are referred to in this policy as Data Subjects. Organisations that store our information are called Data Processors.
2. WHAT INFORMATION DO WE COLLECT?
We collect certain information to provide services and/or support. The type of information we collect can vary depending on which Data Group the Data Subject is part of and which service they are enquiring about/accessing. We only collect data that is relevant.
The information that we collect sometimes includes special categories or sensitive personal information (including ethnicity, gender and health). This kind of information is vital to the service we’re providing, and asked for by funders. For more information see Section 3.1.
In some certain circumstances we receive information about a person from other sources, such as referrers. In those circumstances we will contact that person within 30 days to tell them what information we have and from whom we got it.
3. OUR LEGAL BASIS FOR PROCESSING DATA
There are six legal grounds for processing data. We only need to apply one of these principles. These are:
We use a variety of these legal grounds and record what legal ground we’ve used to process data. These are, but not limited to:
- Where there might be a reasonable expectation that the data might be processed;
- Where we have measured the risk and where we believe the fundamental rights and freedoms of those that may be identified by the personal data can be upheld.
We use this lawful condition in the absence of explicit consent to process special category data.
Data Subjects have a right to remove their consent at any time.
3.1 LEGITIMATE INTEREST AND SPECIAL CATEGORY DATA
Holloway Neighbourhood Group operates solely for the public benefit and its organisational aims are to provide services and support to individuals or communities that are socially and economically deprived within the local area.
The type of work we conduct and the requirements of funders often mean that we hold data that is classified as ‘special category’. Special category data is personal data that needs more protection because it is sensitive.
The categories are:
We only keep the special category data that we require to achieve our organisational aims and only for the period outlined in Section 5.
We will, in all circumstances, keep data safe. See Section 7 for more information regarding this.
4. HOW DATA WILL BE USED
We collect information about Data Subjects when they enquire or engage with our services to ensure that they receive a good & safe service. For example, we may use the information we have collected to contact people to remind them to attend an activity and provide details of how to find us. We use information about use of our services so we can feed back to our funders, or prospective funders, and demonstrate the impact of our services.
The information we keep also helps us to decide how well our services are working and what new ones we need to deliver. The reasons outlined here may also reflect our legitimate interest to process data.
5. HOW LONG INFORMATION WILL BE KEPT
Data will be kept for seven years, unless we deem it unnecessary to keep in which case we will delete or destroy it. For example, if people register to use our services, but never actually access them within one year, we delete their information from our database. We conduct this review every two years.
We’ve chosen the seven-year period as it is the length of time commonly required by funders, and we are legally obliged to keep transactional data for six years after the end of the year in which the transaction occurred for Her Majesty’s Revenue & Customs (HMRC) and the Charity Commission. Following that period data will be deleted or anonymised – meaning information that would identify an individual to the data is removed.
6. HOW WE SHARE INFORMATION
We will only share information in rare circumstances. These are:
7. SECURITY OF INFORMATION
An individual’s personal information is stored with very controlled restricted access on secure third party servers, or in manual filing systems under lock & key. Internally, access to HNG’s IT databases is very restricted and is treated as confidential. Our passwords are regularly changed to minimise any risks. The people who have access to individual’s information have undergone an enhanced DBS.
We regularly check, on average once a year, the security standards and their GDPR compliance of the third parties (Data Processors) that process our data to ensure our Data Subject’s privacy. This information is recorded.
Should we suspect there has been a breach of security, and it is likely to risk an individual’s rights and freedoms, we will inform the Information Commissioners Office and affected individuals within 72 hours, where feasible. All breaches, or suspected breaches are recorded.
8. MARKETING
At times we want to let our Data Subjects know about our services and other HNG related news. We will never pass their information for marketing purposes to any third party.
Our Data Subjects have the right, at any time, to stop us contacting them for marketing purposes.
9. ACCESS TO INFORMATION AND CORRECTION
Individuals have the right to request a copy of all the information that we hold about them. We will complete such requests within one month. We will keep a record of all requests and how quickly we respond to them.
We want to make sure that personal information we keep is accurate and up to date. Data Subjects may ask us to correct or remove information that they think is inaccurate.
10. COOKIES & OTHER WEBSITES
When using our website, cookies will track the pages visited. Cookies are standard text files placed on the visitor’s computer to collect standard Internet log information and behaviour. The information is used to track visitor usage of our websites and to compile statistical reports on website activity.
Visitors can set their browser to not accept cookies. For more information visit www.aboutcookies.org
Our website links to other websites. This privacy policy only applies to our websites (www.hng.org.uk & www.stressproject.org.uk).
11. CHANGES TO OUR PRIVACY NOTICE
When changes to this Policy are made, they will be reflected in changes to our Privacy Notice. A revised version of the Privacy Notice will be posted on our websites. The revised version will be effective on the date of publication at www.hng.org.uk/privacy. Continued use of our services constitutes acceptance of any changes to the Privacy Notice.
12. HOW TO CONTACT US OR TO MAKE A COMPLAINT
Data Subjects should be advised that they can contact us with any questions or issues regarding our Privacy Notice or make a complaint to the ICO: https://ico.org.uk/make-a-complaint/ or call 0303 123 1113
13. ORGANISATIONAL AWARENESS
In order for the organisation to maintain knowledge and awareness of its legal requirements staff regularly attend external training courses on GDPR and Data Protection. GDPR and Data Protection are regular agenda items at Team Meetings and at Board Meetings to help ensure compliance and to pass on information.
14. OTHER RESOURCES
https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/
This Data Protection and Privacy Policy aims to support Holloway Neighbourhood Group’s (HNG) commitment to maintaining the confidence and trust of our service users, partners and other stakeholders. We protect the privacy of information in line with the principles and rights below.
HNG’s privacy policy is compliant with UK General Data Protection (UK GDPR) from 2021, tailored by the Data Protection Act 2018 (DPA 2018) and the Privacy & Electronic Communications Regulations (PECR). For the purpose of this policy, HNG is the Data Controller and is entered on the Data Protection Register (certificate number Z1056966).
People about which we hold information are referred to in this policy as Data Subjects. Organisations that store our information are called Data Processors.
2. WHAT INFORMATION DO WE COLLECT?
We collect certain information to provide services and/or support. The type of information we collect can vary depending on which Data Group the Data Subject is part of and which service they are enquiring about/accessing. We only collect data that is relevant.
The information that we collect sometimes includes special categories or sensitive personal information (including ethnicity, gender and health). This kind of information is vital to the service we’re providing, and asked for by funders. For more information see Section 3.1.
In some certain circumstances we receive information about a person from other sources, such as referrers. In those circumstances we will contact that person within 30 days to tell them what information we have and from whom we got it.
3. OUR LEGAL BASIS FOR PROCESSING DATA
There are six legal grounds for processing data. We only need to apply one of these principles. These are:
- Consent
- Performance of a contract
- Complying with legal obligations
- Legitimate interest
- Performing a task in the public interest
- Protecting your vital interest
We use a variety of these legal grounds and record what legal ground we’ve used to process data. These are, but not limited to:
- Performance of a contract: We use this when people are paying to use our services or buildings.
- Complying with legal obligations: We use this to hold employees’ and some volunteers’ information.
- Legitimate Interest: We use this lawful basis to process data where it is appropriate and in particular;
- Where there might be a reasonable expectation that the data might be processed;
- Where we have measured the risk and where we believe the fundamental rights and freedoms of those that may be identified by the personal data can be upheld.
We use this lawful condition in the absence of explicit consent to process special category data.
Data Subjects have a right to remove their consent at any time.
3.1 LEGITIMATE INTEREST AND SPECIAL CATEGORY DATA
Holloway Neighbourhood Group operates solely for the public benefit and its organisational aims are to provide services and support to individuals or communities that are socially and economically deprived within the local area.
The type of work we conduct and the requirements of funders often mean that we hold data that is classified as ‘special category’. Special category data is personal data that needs more protection because it is sensitive.
The categories are:
- Personal data revealing racial or ethnic origin
- Personal data revealing political opinions
- Personal data revealing religious or philosophical beliefs
- Personal data revealing trade union membership
- Genetic data
- Biometric data
- Data concerning health
- Data concerning a person’s sex life
- Data concerning a person’s sexual orientation
We only keep the special category data that we require to achieve our organisational aims and only for the period outlined in Section 5.
We will, in all circumstances, keep data safe. See Section 7 for more information regarding this.
4. HOW DATA WILL BE USED
We collect information about Data Subjects when they enquire or engage with our services to ensure that they receive a good & safe service. For example, we may use the information we have collected to contact people to remind them to attend an activity and provide details of how to find us. We use information about use of our services so we can feed back to our funders, or prospective funders, and demonstrate the impact of our services.
The information we keep also helps us to decide how well our services are working and what new ones we need to deliver. The reasons outlined here may also reflect our legitimate interest to process data.
5. HOW LONG INFORMATION WILL BE KEPT
Data will be kept for seven years, unless we deem it unnecessary to keep in which case we will delete or destroy it. For example, if people register to use our services, but never actually access them within one year, we delete their information from our database. We conduct this review every two years.
We’ve chosen the seven-year period as it is the length of time commonly required by funders, and we are legally obliged to keep transactional data for six years after the end of the year in which the transaction occurred for Her Majesty’s Revenue & Customs (HMRC) and the Charity Commission. Following that period data will be deleted or anonymised – meaning information that would identify an individual to the data is removed.
6. HOW WE SHARE INFORMATION
We will only share information in rare circumstances. These are:
- In some circumstances we will share data with certain partners. In those circumstances, we will have checked that those organisations are GDPR compliant. We will provide Data Subjects with the data we have shared, if they request it.
- We may have a legal obligation to share some information about some people with the Charity Commission, Companies House, HMRC and other agencies such as the Police.
- In some circumstances, to protect the vital interests of our service users, we will share special category health information. We will have checked the GDPR compliance of the organisation the information is passed to.
7. SECURITY OF INFORMATION
An individual’s personal information is stored with very controlled restricted access on secure third party servers, or in manual filing systems under lock & key. Internally, access to HNG’s IT databases is very restricted and is treated as confidential. Our passwords are regularly changed to minimise any risks. The people who have access to individual’s information have undergone an enhanced DBS.
We regularly check, on average once a year, the security standards and their GDPR compliance of the third parties (Data Processors) that process our data to ensure our Data Subject’s privacy. This information is recorded.
Should we suspect there has been a breach of security, and it is likely to risk an individual’s rights and freedoms, we will inform the Information Commissioners Office and affected individuals within 72 hours, where feasible. All breaches, or suspected breaches are recorded.
8. MARKETING
At times we want to let our Data Subjects know about our services and other HNG related news. We will never pass their information for marketing purposes to any third party.
Our Data Subjects have the right, at any time, to stop us contacting them for marketing purposes.
9. ACCESS TO INFORMATION AND CORRECTION
Individuals have the right to request a copy of all the information that we hold about them. We will complete such requests within one month. We will keep a record of all requests and how quickly we respond to them.
We want to make sure that personal information we keep is accurate and up to date. Data Subjects may ask us to correct or remove information that they think is inaccurate.
10. COOKIES & OTHER WEBSITES
When using our website, cookies will track the pages visited. Cookies are standard text files placed on the visitor’s computer to collect standard Internet log information and behaviour. The information is used to track visitor usage of our websites and to compile statistical reports on website activity.
Visitors can set their browser to not accept cookies. For more information visit www.aboutcookies.org
Our website links to other websites. This privacy policy only applies to our websites (www.hng.org.uk & www.stressproject.org.uk).
11. CHANGES TO OUR PRIVACY NOTICE
When changes to this Policy are made, they will be reflected in changes to our Privacy Notice. A revised version of the Privacy Notice will be posted on our websites. The revised version will be effective on the date of publication at www.hng.org.uk/privacy. Continued use of our services constitutes acceptance of any changes to the Privacy Notice.
12. HOW TO CONTACT US OR TO MAKE A COMPLAINT
Data Subjects should be advised that they can contact us with any questions or issues regarding our Privacy Notice or make a complaint to the ICO: https://ico.org.uk/make-a-complaint/ or call 0303 123 1113
13. ORGANISATIONAL AWARENESS
In order for the organisation to maintain knowledge and awareness of its legal requirements staff regularly attend external training courses on GDPR and Data Protection. GDPR and Data Protection are regular agenda items at Team Meetings and at Board Meetings to help ensure compliance and to pass on information.
14. OTHER RESOURCES
https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/