Privacy Policy

GDPR Policy

The General Data Protection Regulations (GDPR) came into effect as of 25th May 2018, much of which replicates the principles of the existing Data Protection Act. The Regulations are extensive but below is a brief guide and summary which Can-SurviveUK commits to following in practice. Issues around GDPR will form part of the induction and training of all staff and volunteers and be revisited at regular supervisions.

Responsibility for monitoring the policy and its implementation is the responsibility of the Board of Trustees which is then devolved to the Chief Executive. Day to day responsibility for managing data resides with the Administrator. A named Trustee is responsible for reviewing the policy on an annual basis.

If you wish to know more, please ask the Administrator.

Data Controller

A data controller determines the purposes and means of processing personal data. Can-SurviveUK is a data controller and our funding partners are also data controllers. A data controller determines what information is collected.

Data Processor

A processor is responsible for processing personal data on behalf of a controller. Can-SurviveUK is a data processor.

Data Audit

Can-SurviveUK has carried out a data audit to record all the types of personal information we hold and process to demonstrate how we comply with current legislation. The audit must state the:

  • Purposes of Processing
  • Categories of Individuals
  • Categories of Personal Data
  • The Recipients of Personal Data
  • The Data Source
  • The Location of Data
  • Duration of Data Retention
  • Data Security Measures
  • Lawful Basis / Legitimate Interest for Processing

The Purposes of Processing Personal Data

We process data at Can-SurviveUK for a variety of reasons. These include:

  • keeping contact details (phone numbers, email and home addresses) so we can communicate with people
  • bank details to pay staff and suppliers
  • to determine what help an individual may need
  • to monitor well-being
  • to record meetings
  • to write funding bids / report back to funding providers
  • for the management of financial records and information.

Categories of Individuals

At Can-SurviveUK the categories of individuals are staff, clients, volunteers or trustees.

Categories of Personal Data

Personal data includes names, contact information, family and lifestyle details, education and training records, medical records, employment details, financial details, photographs – in fact anything that can directly or indirectly identify an individual. At Can-SurviveUK the types of data held and processed are likely to be:

  • Contact details (name, address, email, telephone number etc)
  • Bank details and payroll data (employees only)
  • Personal details (NI number, gender, date of birth, health conditions, care plans, ethnicity)
  • Eligibility / documentation for certain funding streams, which may or may not include:
    ➢ evidence of employment status
    ➢ proof of identity such as passports, birth certificates
    ➢ qualifications or skills you may have
    ➢ your household and economic circumstances
    ➢ notes of discussions with our support workers/volunteers
    ➢ records of your attendance.
  • Applications, references and DBS checks for staff and volunteers.

The Recipients of Personal Data

Can-SurviveUK is obliged to share personal data with a number of other organisations. These include:

  • Partner Agencies (those who refer or work with clients including health visitors, GPs, Supported Housing, local authorities)
  • Can-SurviveUK Trustees and accountant.
  • Our funding partners
  • Our Bank (employees only).
  • HMRC, Charity Commission, NHS

This list is not exhaustive.

The Data Source

Can-SurviveUK receives data in a number of ways. These include client referrals or a GP/Health Visitor letter, employment applications, volunteer application forms, contract monitoring information, funding agreements, invoices, newsletters, feedback forms, statutory bodies (HMRC, Charity Commission, local authority, NHS). These can be paper or electronic.

The Location of Data and Data Security Measures

At Can-SurviveUK data is held either as hard copy on files which are kept securely in locked filing cabinets or is held electronically on the Can-SurviveUK shared network, which is password protected and also has restricted levels of access.

Some contracts require us to supply information back to the funders. Each funder has different requirements. If you wish to know more about the funding stream you are on and how they process your data, please ask the Administrator, who should be able to obtain a copy of the relevant funding body’s Privacy Notice or Policy for you to read.

Duration of Data Retention

The retention of data depends very much on its type and who requires it. For instance, Can-SurviveUK Trustee Minutes must be kept for the duration of the charity’s existence. Financial information for HMRC must be kept for seven years.

In general, Can-SurviveUK will hold personal data for the duration of your period of employment or time spent as a client or volunteer at Can-SurviveUK. Information such as names, contact details and project monitoring records may be kept for a further two years (or longer depending on the funding contract, audit or statutory / legislative requirements). After that time your paperwork at Can-SurviveUK will be destroyed by being shredded and/or deleted permanently from computer records.

Please refer to the Data Audit for further information on data retention for the categories of data held at Can-SurviveUK.

The Lawful Basis and Legitimate Interest for Processing Data

In order to process and hold your personal data, Can-SurviveUK needs to ensure it complies with one of the six ‘lawful processing conditions’:

  1. Consent: you have given your consent for Can-SurviveUK to process your personal data for a specific purpose.
  2. Contract: the processing is necessary for a contract you have with Can-SurviveUK.
  3. Legal obligation: the processing is necessary for Can-SurviveUK to comply with the law.
  4. Vital interests: the processing is necessary to protect someone’s life.
  5. Public task: the processing is necessary for Can-SurviveUK to perform a task in the public interest or official function.
  6. Legitimate interests: the processing is necessary for Can-SurviveUK’s legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.

For certain categories of sensitive data, Can-SurviveUK must also meet at least one of the ‘legitimate interest conditions’.

Details of Transfers to Third Country and Safeguards

This legislation applies to all EU countries and Can-SurviveUK does not share data outside of the European Union. Brexit will not affect this.

The Data Subject’s Rights (Your Rights)

You have certain rights regarding your personal data. These are:

  • a right of access to a copy of the information Can-SurviveUK holds about you
  • a right to object to processing that is likely to cause or is causing damage or distress
  • a right to prevent processing for direct marketing
  • a right to object to decisions being taken by automated means
  • a right in certain circumstances to have inaccurate personal data rectified, blocked, erased or destroyed
  • a right to claim compensation for damages caused by a breach of the Act.

To access a copy of the information Can-SurviveUK holds about you, you must submit a valid access request in writing. There must be a valid reason for you making such a request; you are not entitled to information simply because you may be interested in it.

Can-SurviveUK has 40 calendar days from receipt of any valid request to respond and we must supply the information in a legible and portable format.

Some types of personal data are exempt from the right of subject access and so cannot be obtained even by a valid request. Information may be exempt because of its nature or because of the effect its disclosure is likely to have. There are also some restrictions on disclosing information which would involve another individual.

The Right to Withdraw Your Consent

You have the right to object to the processing of your personal data only if it causes you unwarranted and substantial damage or distress. If it does, you have the right to require Can-SurviveUK to stop (or not to begin) processing your data.

Substantial damage would be financial loss or physical harm and substantial distress would be a level of upset, or emotional or mental pain, that goes beyond annoyance or irritation.

Data Breach

A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes. It can also mean that a breach is more than just about losing personal data.

The GDPR makes clear that when a security incident takes place Can-SurviveUK must quickly establish whether a personal data breach has occurred and, if so, promptly take steps to address it, including telling the Information Commissioner’s Office if necessary.

Consequences of Failing to Provide Your Personal Data

Can-SurviveUK is contractually obliged by our funding partners to obtain personal data. This means that you may not be eligible or funded to attend Can-SurviveUK without agreeing to comply with the funding partner’s requirements and give consent for your personal data to be collected and processed.

Automated Decision Making and Profiling

Automated decisions are those made by automatic (usually electronic) means and with no involvement of a human being, such as applying for a loan online. Can-SurviveUK does not undertake any automated decision making or profiling.

This policy should be read in conjunction with Can-SurviveUK’s Data Protection Policy and Internet, Media and Social Media Policy.