Privacy Policy

Introduction

Headway East London (HEL) takes our responsibilities regarding the security of personal information very seriously and strives to give individuals greater choice and control over how their personal data is used.

The following sets out how Headway East London is transparent about, and provides accessible information on, the way we use personal data (a key element of the Data Protection Act 1998 and the EU General Data Protection Regulation).

The GDPR applies to any organisation processing and holding personal data. Personal data is any information related to a natural person that can be used to directly or indirectly identify the person.

In early 2018 Headway East London undertook a comprehensive data protection audit of all projects within the organisation to ensure they are fully compliant with the General Data Protection Regulation (GDPR), which came into force in the UK on 25 May 2018.

The Information Commissioner's Office (ICO) assists businesses and public bodies to meet the requirements of the GDPR. For more information on the ICO and GDPR please see the following: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/

Headway East London has been registered with the Information Commissioner's Office since 2003. This registration is renewed yearly.

Headway East London is committed to protecting personal information and to being transparent about the information we collect, why we do so and what we do with it. To reflect the latest changes in data protection law and the GDPR, and our commitment to transparency, we have updated this section of our Privacy Policy.

For more information regarding Headway East London and Data Protection, Privacy and GDPR, please contact info@headwayeastlondon.org with your query and ask for the Data Protection Officer to contact you.


Headway East London - Data Controller

Data Controllers determine how and why personal data is processed. They ultimately decide what data is collected, what it is used for and who it is shared with. The HEL Trustees (Board of Directors) are the Data Controllers for Headway East London. As per Article 5(2) of the GDPR, HEL adheres to the requirement that "the controller shall be responsible for, and be able to demonstrate, compliance with the principles."


Headway East London - Data Processors

Data Processors are any persons or organisations that process data under the instruction of the Data Controller. This includes anyone employed by, volunteering with or engaging with HEL who has access to or is provided with data. Essentially, all HEL staff are Data Processors. All organisations to which HEL staff send, and from which they receive, personal information are also Data Processors.

Headway East London - Data Protection Officer

A Data Protection Officer (DPO) is required for public authorities, for large organisations, for organisations carrying out large-scale monitoring of special categories of data (e.g. health/medical data), and for organisations where a high level of transparency is required. HEL's DPO replaces the previous role of "Information Governance Lead" within HEL. The Deputy Director of Service is the Data Protection Officer for HEL and oversees the processing and holding of data within HEL. The DPO is also the point of contact with the ICO. The DPO has gone through roles and responsibilities regarding GDPR with the Board of Management and all relevant staff. The DPO oversees annual Data Protection training provided to all HEL staff within the organisation. This ensures all staff are aware of their data protection responsibilities.


Headway East London - GDPR Responsibilities

Under the GDPR, the data protection principles set out the main responsibilities for organisations.

HEL adheres to Article 5 of the GDPR, which requires that personal data shall be: "

a) processed lawfully, fairly and in a transparent manner in relation to individuals;

b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;

c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;

d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;

e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals; and

f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures."


What personal data we collect

HEL collects personal data in the following projects/ category headings: Finance, HR, Communications, Fundraising, Administration, Premises & IT, Volunteers, Day Service, Support Work, Therapies, Casework, Family Support, SMT/BOM, Safeguarding, and Member Led Activities.

The service, project or information you receive from HEL determines what personal data is collected. This will be different for a staff member, a member of a funded service, a member of a non-funded service, a volunteer, etc.

For a comprehensive breakdown of the information collected, please see the relevant tab on the HEL Data Mapping Excel sheet, which can be found at the bottom of this page (click the "Read More" button).


What do we use your personal data for, why and for how long?


The service, project or information you receive from HEL determines what we use your personal data for, why, and for how long.

There are six lawful bases for processing personal data: Consent, Contract, Legal Obligation, Vital Interests, Public Task and Legitimate Interests.

Predominantly, HEL relies on Consent, Contract and Legitimate Interests to process personal data. The basis under which data is processed is made clear to people at the stage when it is relevant; people are required to positively "opt in", are provided with sufficient information to make a choice, and are told how we will process their data.

Some examples of where Headway East London relies on Consent, Contract and Legitimate Interests to process personal data include:

Personal data relating to staff is collected on the lawful basis of Contract.

Personal data relating to funded members is collected on the lawful basis of Contract.

Personal data relating to non-funded members is collected on the lawful basis of Consent and/or Legitimate Interests.

As the nature of our work involves medical conditions, HEL also processes special category data (e.g. health records). The lawful basis used to process this data can be Contract, Consent and/or Legitimate Interests, depending on the project(s) accessed. The additional condition required under Article 9 of the GDPR for processing this type of data is:

“(h) processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3;”

In order to safeguard all those we work with, and who work with us, all staff, volunteers and other relevant stakeholders are required to undergo a Disclosure and Barring Service (DBS) check. This helps us to make safer recruitment decisions and prevents unsuitable people from working with vulnerable groups.

The lawful basis used to process DBS check data is Contract (as part of the application process). The additional condition required under Article 9 of the GDPR for processing this type of data is:

“(b) processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject;”

For a comprehensive breakdown of the information collected, please see the relevant tab on the HEL Data Mapping Excel sheet, which can be found at the bottom of this page (click the "Read More" button).


Security of your personal data

Adhering to the "security principle", HEL uses appropriate technical and organisational measures, including secure paper filing systems, access-tiered software and cloud-based management systems, to collate, manage and hold personal data. HEL has written contracts in place with all relevant organisations that process personal data on our behalf.

Examples of such systems/organisations and their GDPR compliance/privacy policies include:

Charitylog: https://www.charitylog.co.uk/crm-gdpr-compliance and https://www.charitylog.co.uk/privacy. Charitylog is fully GDPR compliant and has built-in procedures and safeguards to ensure that data processed adheres to the GDPR.

Microsoft 365 & SharePoint: for information on Microsoft's GDPR compliance for each product in 365, please see the following link: https://www.microsoft.com/en-us/TrustCenter/CloudServices/office365/GDPR

HEL also has a Data Mapping process in place, which collates all the information regarding what data is collected, how and why it is stored, and so on. This is an ongoing "live" document overseen by the DPO; it allows for appropriate risk analysis and ensures that organisational policies and physical and technical measures are in place.

For a comprehensive breakdown of the information collected and the security measures in place, please see the relevant tab on the HEL Data Mapping Excel sheet, which can be found at the bottom of this page (click the "Read More" button).

International Data Transfer

Headway East London does not transfer data internationally.


Sharing your personal data

There may be situations when it is necessary to share personal information with third parties. This may be to allow us to support you, and/or to get other organisations involved in supporting you.

There may also be situations when there is a legal obligation for us to share your personal data (e.g. to safeguard your safety or someone else's). For a comprehensive breakdown of why and when we may share your personal data, please see the "is this data being shared with third parties" column on the relevant tab of the HEL Data Mapping Excel sheet.


Your Data Protection Rights

Headway East London (HEL) takes its responsibilities regarding the security of personal information seriously and strives to be open, transparent and proactive in every aspect of how we manage data.

HEL views GDPR and Data Protection legislation as an opportunity to ensure we operate in line with best practice and fully comply with all relevant legislation and guidance, and takes a "data protection by design and by default" approach.

The GDPR provides the following rights for individuals, and HEL is fully committed to upholding these throughout the organisation:

·         The right to be informed

·         The right of access

·         The right to rectification

·         The right to erasure

·         The right to restrict processing

·         The right to data portability

·         The right to object

·         Rights in relation to automated decision-making and profiling (HEL does not undertake automated decision-making or profiling of any kind).

Data Breaches

HEL will report certain types of personal data breach to the relevant supervisory authority (the Information Commissioner's Office) within 72 hours of becoming aware of the breach, where feasible.

If the breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms, HEL will also inform those individuals without undue delay.

HEL has robust breach detection, investigation and internal reporting procedures in place, which facilitate decision-making about whether or not the organisation needs to notify the relevant supervisory authority and the affected individuals.

HEL keeps a record of all personal data breaches, regardless of whether we are required to notify.


Headway East London – Subject Access Requests

A subject access request is most often used by individuals who want to see a copy of the information an organisation holds about them. An individual who makes a written request is entitled to be:

·         told whether any personal data is being processed;

·         given a description of the personal data, the reasons it is being processed, and whether it will be given to any other organisations or people;

·         given a copy of the information comprising the data, and given details of the source of the data (where this is available).

In most cases Headway East London will strive to respond to a subject access request promptly and in any event within 40 calendar days of receiving it.

Headway East London treats any request by an individual for their personal information as a subject access request, and handles it either as a routine enquiry or more formally.

Requests that can be dealt with easily are treated as routine matters in the normal course of business; a more formal procedure is in place for more formal requests.

For more information, or to make a subject access request, please email info@headwayeastlondon.org and ask for the Data Protection Officer to contact you.