HOPE INSPIRED CIC
DATA PROTECTION AND PRIVACY POLICY
Policy Statement
At Hope Inspired, we are committed to respecting and protecting the privacy of all individuals who engage with us, whether they are staff, volunteers, directors, external contractors, customers, or other partners.
Our aim is to ensure all personal data we receive is collected, stored and processed in line with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, which together give effect in the UK to the GDPR that came into force in May 2018. Processing refers to anything we do with data, including collection, viewing, modification, transfer, archiving, disclosure or destruction.
All of us at Hope Inspired are responsible for data protection and it is imperative we understand the legal requirements placed on us and are clear about what is expected from us.
It also has to be recognised that at the time of writing this policy, Hope Inspired is a small community organisation delivering personal development activities and the volume of personal data that is processed is low. As the organisation grows, and staff are recruited, this policy and associated procedures will be continuously kept under review, and amended where necessary, to ensure we are meeting our legal obligations.
In line with legal requirements, Hope Inspired is registered with the Information Commissioner’s Office (ICO).
Data Protection Lead
The data protection lead for Hope Inspired is Khairun Butt (Founder/Director) who can be contacted directly on 07852 609 191 or at khairun@hopeinspired.co.uk. The Founder/Director has relevant training in GDPR which was updated in 2022. Verification can be provided if needed.
Purpose and Scope
This Data Protection and Privacy Policy outlines how we collect, use, process, store and protect personal data. It encompasses all forms of personal data collected and processed during our activities and services, whether it is in paper or electronic format. This includes photographic and digital images, and video recordings.
This policy must be followed by all staff, volunteers, contractors, board members, students and third party partners.
Data Protection Principles
Data protection principles state that personal data must be:
- processed lawfully, fairly and in a transparent manner
- collected for specified, explicit and legitimate purposes
- adequate, relevant and limited to what is necessary to fulfil the purpose for which it is collected
- accurate, and where necessary, kept up to date
- kept for no longer than is necessary for the purposes it was collected
- appropriately secured to prevent unauthorised access, processing or destruction.
This policy sets out how we aim to comply with the above principles.
Personal data
Personal data or personal information is anything that can identify someone, and includes, but is not limited to: names, addresses, date of birth, telephone numbers, HR records, email addresses, national insurance numbers, photographs, and NHS numbers.
Certain special categories of information are classified as sensitive personal data and additional safeguards are necessary when processing, storing or sharing this information. These include information about health, race/ethnicity, sexuality, political opinions and religious belief. Information about criminal convictions and offences is not a special category in law but is subject to its own, similar safeguards, and we treat it in the same way.
At Hope Inspired, the most likely reasons for us processing personal data would be if someone:
- applies for a job or volunteering placement with us and completes an application form which requests contact details, education/employment history, a statement about any criminal convictions/cautions
- starts working with us and provides additional information about their health (for example, discloses a disability so we can make reasonable adjustments) or notes are made at a work meeting to discuss their performance and follow-up action
- signs up to attend one of our training events/workshops and provides contact information on the registration form and monitoring information like ethnicity or age, as well as the reasons for wanting to attend the event
- is referred to us by a partner agency and details about personal circumstances are included on the Referral Form, with their consent
- accesses our website, which captures data including the IP address of the device used to connect. Cookies may also be used to enhance the user’s experience and for marketing purposes. More information is available in the Cookie Policy on our website.
When we collect an individual’s personal data, we provide them with a Privacy Notice (see Appendix I) which makes clear why we have their data, what we are using it for and what their rights are in respect of their data.
Lawful processing
Under the GDPR, there must be a lawful basis for us to collect and use personal data. For our purposes, the relevant bases are likely to be:
- processing is necessary for us to fulfil a contract with an individual or organisation to provide a service (eg – deliver a training programme)
- processing is necessary for compliance with a legal obligation (eg – reporting employee PAYE deductions to HMRC)
- we have a legitimate interest in keeping in touch with the data subject (eg – so they can be informed about and access our services)
- the individual has given their consent for us to use their data in a specific way (eg – introduce them to a third party or contact them to promote an activity or event).
Where we rely on consent as our lawful basis, the consent must be freely given, specific, informed and given by a clear affirmative action, rather than implied. We, therefore, have a simple Consent Form that participants on our programmes are asked to read and sign, recording clearly a yes/no response to each question about the use of their personal data.
We inform participants verbally, and in writing on the Privacy Notice and Consent Form, that they can withdraw consent at any time by informing their main contact at Hope Inspired. Our website includes the Privacy Notice as well as this policy. It also includes a cookie consent banner that informs visitors of the use of cookies and seeks their consent.
Data Storage and Protection
At the time of writing this policy, only the Founder/Director is authorised to access personal data. The only exception is telephone numbers, which are visible to all members of the WhatsApp chat group for ‘Filling my Cup’, a monthly meet up organised by Hope Inspired. Consent is sought from each individual attending the sessions before they are added to the chat group.
As the organisation evolves and grows, staff/volunteers are likely to need access to some personal data. Access will be given to each individual only as necessary, on a ‘need to know’ basis, and this policy and any associated procedures will be amended accordingly at the relevant time. All personal data is stored in a way that ensures the information cannot be accessed by unauthorised individuals, either deliberately or by accident.
Paper copies of any documents containing personal data (eg - registration forms) are secured in a locked cabinet at our office and the key to the lock is held by the Founder/Director. Access to the office is via a digital code door lock; the keypad combination is known only to the Founder/Director and the Office Manager responsible for the premises.
Some personal data (eg - email addresses, phone numbers, referral forms) is stored electronically. Electronic devices (laptops and smartphones) are password protected and have up-to-date software to protect them from malware and viruses. Where available, two-factor authentication (2FA) and encryption are used.
A checklist is given to all staff/volunteers/contractors which highlights the do’s and don’ts we expect in order to safeguard personal data.
Data Subject Rights
Individuals who engage with us have certain rights in relation to their own personal data:
- the right to be informed
- the right to access their personal data, usually referred to as a subject access request
- the right to have their personal data rectified
- the right to have their personal data erased, usually referred to as the right to be forgotten
- the right to restrict processing of their personal data
- the right to portability of their personal data
- the right to object to processing of their data
- the right to not be subject to a decision made solely by automated data processing.
More detail about these individual rights is contained in the Privacy Notice.
Subject access requests
All individuals whose personal data we hold are entitled to ask us for a copy of their personal data, and other supplementary information. This is commonly referred to as a subject access request or SAR. The individual does not have to specifically use the words SAR or subject access request when requesting their personal information; it just needs to be clear they are asking for their personal data. They do not have to tell us their reason for making the request or what they intend to do with the information.
A SAR can be made verbally or in writing and we are required to respond promptly and at the latest within one month of receipt of the request (this can be extended by a further two months for complex or multiple requests, in which case we must tell the individual within the first month). A third party (eg – relative, friend, solicitor) can also make a SAR on behalf of an individual, in which case we would need to first satisfy ourselves that the third party is entitled to act on behalf of the data subject. It is the responsibility of the third party to provide us with relevant evidence to confirm this – eg – a letter from the data subject stating they give the third party permission to make a SAR on their behalf or power of attorney documents.
Any staff member, director, volunteer or contractor who receives a SAR is required to promptly notify the Founder/Director verbally and follow that up via email. The Founder/Director will verify the identity of the person making the request and make arrangements to search for and provide the requested information.
We understand our obligation to provide information in the most accessible way and will discuss with the data subject how they want to receive the requested information (eg – electronically, verbally in a meeting).
Before providing any information, we will review and, if necessary, redact information the data subject is not entitled to have. This would normally be information about third parties.
Data breach
A breach of personal data as defined by the GDPR means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. In practical terms, examples of a data breach might include:
- losing a signing in sheet on which attendees at a training event have written their names, telephone numbers and email addresses
- sending an email to a group of people with everyone’s email addresses visible
- loss or theft of a laptop or phone containing personal data
- accidentally emailing a referral form containing sensitive personal information about a data subject to the wrong recipient
- a break-in at the office where personal files have been left unlocked
- a cyber-attack in which criminals gain access to, or steal, personal data (eg – a compromised email account).
Data breaches may occur for various reasons, including human error, carelessness, inadequate processes/procedures and lack of training. Adhering to this policy and associated procedures enables us to take practical steps to protect personal data and minimise the risk of a breach. We cannot, however, ever guarantee that we are safe from a data breach. Therefore, being prepared to deal with a potential breach is essential to minimise risks to individuals and to the organisation.
All staff, volunteers, directors and external contractors are reminded that we need to be able to recognise that a breach has happened and promptly report it to the Founder/Director so a decision can be made about what to do next.
It is mandatory to report certain breaches to the ICO within 72 hours of becoming aware of them, so it is important that the Founder/Director acts quickly to determine the nature of the breach and the potential impact on the data subject/s. Their priority will be to establish what has happened to the data and contain the breach if possible. Depending on what has happened, they will have a number of options at this stage: asking an unauthorised recipient of an email to delete the email; remotely wiping data from a stolen phone; changing all passwords in the case of a cyber-attack. The Founder/Director can also contact the ICO at this point and seek advice.
The next priority is to assess the risk of harm to those affected. In some cases, the breach will create little or no risk of harm to anyone and there is no requirement to report it to the ICO or to inform those affected. Where the breach is likely to result in a risk to individuals, it will be reported to the ICO. Where, because of the type of data involved, the breach has the potential to cause serious harm (eg – identity theft, disclosure of a safe house address, damage to reputation), the Founder/Director will also inform the data subject so they can consider what steps they need to take to keep themselves safe.
The Founder/Director will maintain a detailed log of all data breaches, whether or not they are reported to the ICO, recording what happened, the decision made about reporting, and the remedial action taken to deal with the breach and prevent recurrence. This will enable us to demonstrate accountability and transparency as well as provide material for organisational training.
Training
Staff and volunteers receive GDPR training during induction, before they process any personal data. Refresher training is expected to be completed every 12 months.
A copy of this policy is given to staff/volunteers during induction and the requirements discussed during supervision sessions. We recognise that the best learning is through the practical application of this policy and annual training events, by themselves, are not sufficient; we ensure, therefore, that matters relating to data protection and privacy are continuously discussed during the course of our work so staff/volunteers are confident about the requirements.
Review
All policies at Hope Inspired are reviewed, and if necessary, updated, annually. This policy is due to be reviewed at the end of March 2024.
Appendix I
Hope Inspired CIC
Privacy Notice
Our contact details
Name: Khairun Butt
Registered Address: iSE Women’s Hub 249a Ladypool Rd Birmingham B12 8LF
Office Address: 140 Alum Rock Road Birmingham B8 1HU
Phone Number: 07852 609 191
E-mail: khairun@hopeinspired.co.uk
This Privacy Notice is for individuals who attend our training events, personal development programmes, walks, coffee mornings, retreats or marketing events.
At Hope Inspired CIC we are committed to respecting and protecting your privacy. We only ask you for personal information which we need to safely deliver our services to you and only seek information you are willing to provide.
We will be happy to go through this Privacy Notice (and our Data Protection and Privacy Policy) with you so you are clear about your rights in respect of your personal information.
The type of personal information we collect
We currently collect and process the following information:
personal identifiers and contacts (for example, name, telephone number, address, email address)
information about your specific circumstances (eg – health), only when this is necessary for us to be able to deliver the service you have registered for
your IP address when you access our website.
How we get the personal information and why we have it
Most of the personal information we process is provided to us directly by you for one of the following reasons:
you contact us to enquire about our activities and services and agree to us saving your name and telephone number so we can stay in touch with you about our services
you meet us at a marketing event and leave your name, telephone number and/or email address on a Contact Sheet, giving us permission to contact you
you complete a Registration Form to register for a training event or programme and include on it:
- your home address (so we can send you relevant letters or packages relating to the programme you are registering for) or your post code (so we may fulfil our obligation towards any funding bodies who ask us to provide monitoring data about where our customers are located)
- date of birth (relevant because (i) we have public liability insurance only for individuals over the age of 18 and need to confirm your age and (ii) some
- name and contact details of an individual who we can contact in the event of an emergency whilst you are attending our training programme
- initials and date/s of birth of any children for whom we will need to secure childcare whilst you are attending our training programme
- information about your health and/or personal circumstances which you consider is relevant for us to know in order for us to support you during the programme in the best way
- monitoring information – (eg – ethnicity, age)
We may also receive personal information about you indirectly, if:
a third party (eg – social prescriber) completes a Referral Form to refer you to our programme or activity
a partner organisation (eg – DWP) refers you to a training event or programme
We expect a referrer to seek your consent before completing a referral and ask for confirmation of your consent.
How we meet our legal obligations
Under the UK General Data Protection Regulation (UK GDPR), we must have a lawful basis for processing your personal data. The lawful bases we rely on for processing your information are:
(a) Consent - for example, you have given us consent to include your name and telephone number in a WhatsApp chat group. You can withdraw your consent at any time. You can do this by contacting us on 07852 609 191 or emailing khairun@hopeinspired.co.uk
(b) Contractual obligation – for example, you have been referred by a partner organisation (eg – Restart scheme) to attend our programme and we need your personal data (eg – name, telephone number, emergency contact, relevant health condition) to safely deliver our service to you
(c) Legitimate interest - for example, we have your contact details to send you information about forthcoming events and programmes.
Who we share your information with
We recognise how important it is for us to respect your privacy when you have shared personal information with us.
We will only share your personal information with someone under the specific situations described below:
- you would like us to refer you to another agency or service-provider and give us consent to share your information with them
- we are jointly delivering a service in partnership with another organisation, and you give us consent to share your information with them
- we have concerns that you or someone else is at risk of serious harm, in which case we would normally seek your consent and only share information without your consent if we consider we have a duty to share because of the risk, or exceptionally, if there is no time to get your consent, or if we are legally prevented from speaking to you about it
- if we receive information about a terrorist threat, we are legally required to report this to the police.
How we store your personal information
Any paper copies of personal data you share with us (eg – registration form, contact sheet) are securely kept in a locked cabinet at our office, the key to which is held by one individual only – Khairun Butt, Founder/Director and the data protection lead for Hope Inspired. Access to the office is via a security keypad and the passcode is known to Khairun Butt and the Office Manager for the premises.
Digital data held on laptops or smartphones is secured through password protection, encryption and, where available, two-factor authentication (2FA).
How long we keep your data
We keep registration forms and referral forms only while you are actively engaging with us on a programme or attending our coffee morning. Once you are no longer engaging with us, we will retain the forms for a period of 3 months, in case you re-engage, and will then delete the information. Paper copies of forms will be shredded and emails will be deleted. If you were part of a WhatsApp chat group, we will remove your name and number from our contacts once you exit the group.
Your data protection rights
Under data protection law, you have rights including:
Your right of access - You have the right to ask us for copies of your personal information.
Your right to rectification - You have the right to ask us to rectify personal information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.
Your right to erasure - You have the right to ask us to erase your personal information in certain circumstances.
Your right to restriction of processing - You have the right to ask us to restrict the processing of your personal information in certain circumstances.
Your right to object to processing - You have the right to object to the processing of your personal information in certain circumstances.
Your right to data portability - You have the right to ask that we transfer the personal information you gave us to another organisation, or to you, in certain circumstances.
You are not required to pay any charge for exercising your rights. If you make a request, we have one month to respond to you (extendable by a further two months for complex or multiple requests, in which case we will tell you within the first month).
Please contact us by email, telephone or post if you wish to make a request in respect of any of these rights. Our contact details are at the top of this document.
How to complain
If you have any concerns about our use of your personal information, you can make a complaint to us by contacting the data protection lead.
You can also complain to the ICO if you are unhappy with how we have used your data.
The ICO’s address:
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Website: https://www.ico.org.uk
Helpline number – 0303 123 1113