1
Introduction
This Privacy Notice (“Notice”) – together with any other privacy information we may provide on specific occasions – applies to the processing of personal data by us in the course of providing mental health support services and carrying out our business operations. The Notice sets out the types of personal data we collect, and explains how we collect and process that data, who we share it with, and certain rights and options that you have in this respect.
We recognise that information privacy is an ongoing responsibility, and so we will from time to time update this Privacy Notice as we undertake new personal data practices or adopt new privacy policies.
2
Data Protection Officer
In order to ensure full ongoing compliance with data protection regulations we have appointed a Data Protection Officer (DPO). Our DPO can be contacted at dpo@lamh.org.uk. When we refer to “us” or “we” in this Notice we mean Lanarkshire Association for Mental Health (LAMH), a company incorporated with registered number SC121139 and charity number SC010404, with its registered address at 17-19, Cadzow Street, Hamilton, Lanarkshire, ML3 6EE. We are registered with the Information Commissioner’s Office under registration number ZA162320.
3
How we collect and use (process) personal information
The data we collect and process:
· Recruitment Data
· Individuals accessing our services
· Clients and business contacts
· Visitors to our website
· Visitors to our office
· Visitors to our store or cafe
· Marketing data
3.1
Recruitment Data
All of the information you provide during the application process will only be used for the purpose of progressing your application, or to fulfil legal or regulatory requirements if necessary.
We will not share any of the information you provide during the recruitment process with any third parties for marketing purposes or store any of your information outside of the United Kingdom or the EEA. The information you provide will be held securely by us whether the information is in electronic or physical format.
We will use the contact details you provide to us to contact you to progress your application. We will use the other information you provide to assess your suitability for the role you have applied for.
We do not collect more information than we need to fulfil our stated purposes and will not retain it for longer than is necessary.
3.1.1
Application Stage
At the application stage, we ask you for:
· Contact details – name, address, phone number and email address
· Your previous experience – details of your education, work history, referees and answers to questions relevant to the role you have applied for
· Ability to drive in the UK if relevant for the role
You may also be asked to provide equal opportunities information. This is not mandatory information – if you don’t provide it, it will not affect your application. This information will not be made available to any staff outside of our recruitment and HR team in a way which can identify you. Any information you do provide will be used only to produce and monitor equal opportunities statistics.
3.1.2
Selection Stage
Our hiring managers shortlist applications for interview. They will not be provided with your equal opportunities information if you have provided it.
We might ask you to complete tests or occupational personality profile questionnaires and/or to attend an interview – or a combination of these. Information will be generated by you and by us. For example, you might complete a written test or we might take interview notes. This information is held by us.
We will also ask you to provide contact details of two references; their details and their answers and/or opinions will be retained by us. We will also conduct an ID verification and check your right to work in the UK before any offer letters are issued.
3.1.3
How long is the information retained?
If you are unsuccessful at any stage of the process, the information you have provided until that point will be retained for 6 months from the closure of the campaign. Information generated throughout the assessment process, for example interview notes, is retained by us for 6 months following the closure of the campaign.
If you are successful in your application, we will retain your information in accordance with our Privacy Notice for Employees, Workers and Contractors. A copy of this Notice will be provided to you with your offer letter.
3.2
Individuals accessing or using our services
We collect information about individuals who contact us or are referred to us in order that we may provide them with our various services. We may hold the following information about such individuals:
· Contact details – name, address, email address, telephone and mobile numbers
Under data protection legislation the following types of data which we may collect, being more sensitive, require additional safeguards:
· personal data revealing racial or ethnic origin;
· personal data revealing political opinions;
· personal data revealing religious or philosophical beliefs;
· personal data revealing trade union membership;
· genetic data;
· biometric data (where used for identification purposes);
· data concerning health;
· data concerning a person’s sex life; and
· data concerning a person’s sexual orientation.
In some cases we may collect/process data that falls into one or more of these categories. Our lawful bases for processing sensitive ‘special category’ data will be one or more of the following:
· Explicit consent
· Performance of a contract where we have been contracted to provide the service
· Legitimate interest where it is in our interest and also yours for us to process the information
· Vital interest in circumstances where in an emergency consent cannot be given
3.3
Business Contacts
We collect personal information about our suppliers, professional advisors, practitioners, contractors and referral sources, who provide service users with our services. We may hold the following information:
· Contact details – name, business address, business email address, business phone numbers including mobile numbers
· Personal information contained in business communications.
· Transaction data including details about services we have purchased from them.
We may receive personal information from our suppliers about other individuals, e.g. their employees, while providing our services. Any such information provided to us is used solely for providing our services and is handled strictly as per instructions. Our lawful basis for processing this data is performance of a contract.
3.4
If you are a Visitor to our Website
Website
When you visit our website, we use third-party services to collect standard internet log information and details of visitor behaviour patterns. We do this to find out things such as the number of visitors to various parts of the website. The information is only processed in a way which does not identify any individual.
When you complete a contact form on our website or use the email for enquiries, we will use the information provided by you only for the purpose of providing you with an appropriate response.
Where you make a purchase through our website we receive the following data through our payment gateway Stripe:
- Your name and email
- The address you provided
- Your credit card details – name of bank and expiry date, but not the long card number
- Country of origin of transaction
- Name and address of your organisation as provided by you if it applies
- Your mobile number
If you visit our office
We may collect information about your visit, for example, time of visit and exit, purpose of visit, vehicle registration numbers. This may be collected by reception staff whether employed by us or otherwise. Our landlords may record CCTV images as well as physical access logs. These details may be shared with us from time to time.
3.5
Visitors to our charity store
If you visit our charity shop and make a purchase or donation we may in certain circumstances collect the following information, our lawful basis being performance of a contract. If you agree to hear from us in future about our services we will do so on the basis of your consent or legitimate interest:
- Your name and email
- The address and postcode you provided
- Country of origin of transaction
- Name and address as provided by you if it applies
- Your mobile number
We may need your name and postcode for the purposes of Gift Aid. This is a legal requirement.
3.6
Marketing Data
We hold name and contact details of individuals who have expressed interest in hearing from us about our services or have engaged with us for supply of our services in the past. All direct marketing activities to such individuals shall comply with relevant privacy and regulatory requirements. We will not send you marketing emails or telephone you to market our organisation without your consent which can be withdrawn at any time.
3.6.1
How is your personal data collected?
You may give us your personal data by filling in forms or by corresponding with us by post, phone, email or otherwise. This includes personal data you provide when you:
- engage us to provide services
- subscribe to our publications
- visit our store, office or cafe
- request marketing material to be sent to you such as newsletters
- complete one of our enquiry forms
- provide us with feedback
- from third parties who may refer you to us
Apart from receiving personal data directly from you when you engage us to provide services, we may receive personal data from our partners and associates, for example our accreditation bodies.
4
When and how do we share your personal data
We may share your personal data:
- internally with staff members who require your information to provide our services and who have received training in data protection
- with our professional advisors, including our legal advisors, financial advisors, insurers, accountants, auditors or other consultants to the extent they require this information to provide their services to us
- with sub-contractors, consultants or associates who are asked by us to deliver all or some of the services
- with courts, law enforcement authorities, regulators or government officials where it is legally required
- with third parties providing IT support and maintenance services, marketing and client support services, data storage services, and checks for credit risk reduction and other fraud and crime prevention purposes; and other financial institutions and credit reference agencies providing services to us
- any third parties with whom you require or permit us to correspond
We do not sell personal information to anyone and only share it with third parties who are facilitating the delivery of our services and communications.
5
Transfers of personal data outside the EEA
There may be occasions where we will need to share your data with entities in third countries, such as when we are using cloud software providers or outsourced contractors which enable us to provide you with the services. We verify that any data transfer outside of the EEA is subject to UK adequacy requirements, Standard Contractual Clauses or other transfer tools which comply with data protection legislation.
6
Automated decision-making
We do not use automated decision-making in relation to your personal data.
7
Security of your personal information
To help protect the privacy of data and personally identifiable information you provide to us, we maintain physical, technical and organisational controls. We update and test our security technology and controls on an ongoing basis. We restrict access to your personal data to those employees who need to know that information to provide benefits or services to you. In addition, we train our employees about the importance of confidentiality and maintaining the privacy and security of your information. We commit to taking appropriate disciplinary measures to enforce our employees’ privacy responsibilities.
8
Data storage and retention
Your personal data is stored by LAMH on its servers, and on the servers of the cloud-based services and IT service providers we engage, as well as in physical form in our office and at backup and archival facilities. We retain data as per our data retention policy and regulatory data retention requirements.
For more information on where and how long your personal data is stored, and for more information on your rights of erasure and portability, please contact us at dpo@lamh.org.uk
9
Data Subject Rights
This Privacy Notice is intended to provide you with information about what personal data the Firm collects about you and how it is used. If you have any questions, please contact us at dpo@lamh.org.uk
If you wish to confirm that LAMH is processing your personal data, or to have access to the personal data we may have about you, please contact us at dpo@lamh.org.uk
You have a right to request correction of inaccurate information, deletion of information, and to instruct us to stop processing your information. We are obliged to honour such requests as per the regulatory requirements. If you’d like more information or would like to make such a request, please contact us at dpo@lamh.org.uk
10
Complaints
If you are unhappy about how we process your data or wish to make a complaint you may contact us at dpo@lamh.org.uk. Should you still be unhappy you can make a complaint to the Information Commissioner’s Office at: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF. Telephone: 0303 123 1113
We are certified to Cyber Essentials Plus and IASME Gold standards, which demonstrates our commitment to the security and privacy of your personal information.