Privacy Policy

Introduction

This privacy notice tells you what we do with your personal information when you make contact with us or use one of our services. We’ll tell you:

• why we are able to process your information
• what purpose we are processing it for
• whether you have to provide it to us
• how long we store it for
• whether there are other recipients of your personal information
• whether we intend to transfer it to another country

Data Controller’s Contact Details

The Middleton Cheney Good Neighbours Scheme is the Data Controller for the personal information we process. You can contact us by:

• emailing dpo@mcgns.org.uk
• ringing 07818 475982 and leaving a message with the Duty Officer for us to call you back
• writing to us: – 41 Stanwell Lea, Middleton Cheney, Banbury, OX17 2RF.

How do we get personal information?

Most of the personal information we process is provided to us directly by you, by phone, email and in the case of volunteers, by completing our volunteer application form. We get your information for one of the following reasons:

• You would like to become a user of our services i.e. a client
• You would like to become a volunteer with us
• You would like your relative to become a user of our services
• You are representing your organisation, for example in social or health care
• You would like to become a “Friend” of our organisation
• You have made a complaint or enquiry to us
• You are providing us with a service We also receive personal information about you indirectly, in the following scenarios:
• A volunteer or client of ours gives your contact details as an emergency contact
• A prospective volunteer gives your contact details as a referee
• A social or healthcare worker, or a relative of yours, makes a referral to us for you to be a user of our services If it is provided indirectly, we’ll contact you to let you know we are processing your personal information, provided it is not disproportionate or prejudicial to do so.

Categories of personal information and who receives it

We process information where necessary to perform our services and to operate as a thriving organisation run entirely by volunteers:

• Client: name, title, address, phone numbers, email address, date of birth, relevant mobility and health issues, details of services you have received from us and correspondence. All or some of this is given to duty officers, the relevant section leader, the board of trustees and the volunteer assigned to work with you
• Volunteer: name, title, address, phone numbers, email address, relevant mobility and health issues, details of services you have provided for clients, correspondence and references. All or some of this is given to the membership secretary, the board of trustees, other volunteers, your assigned client. Your criminal offence data (if relevant) is only given to our DBS officers and, if relevant, the board of trustees
• Client’s relative or next of kin: name, phone numbers, email address, correspondence. All or some of this is given to duty officers, the relevant section leader and the volunteer assigned to work with you
• Social/Healthcare worker: name, phone number, email address, organisation you work for, correspondence. All or some of this is given to duty officers and the relevant section leader
• “Friend”: name, address, phone numbers, email address. All or some of this is given to the board of trustees
• Third Parties: name, phone numbers, email address, organisation you work for, correspondence.All or some of this is given to duty officers and the board of trustees
• Volunteer’s Referee: name, address, phone numbers, email address, correspondence. All or some of this is given to the membership secretary and the relevant section leader

Purposes of processing your personal information

As well as providing individually tailored services for our clients, performed by our volunteers, we engage in other activities that are vital for our successful functioning as an organisation. We may therefore process your personal information for our own legitimate interests provided those interests don’t override yours. We use your personal information for some or all of these:

• To enable us to arrange our AGM and other events
• To administer the collection of donations and payment of expenses
• To maintain necessary records and accounts
• To distribute our newsletters
• To organise volunteer training
• To notify you of changes to our services, events and role holders
• To arrange criminal offence data checks and updates
• To seek your views and comments We may process your personal information for some other purposes with your prior consent, for example putting your photo on our website or social media. You have the right to withdraw your consent.

Data Protection Principles and Lawful Basis

Personal data shall be processed fairly, lawfully and in a transparent manner

Our lawful basis under the GDPR for processing your personal data is that it is necessary for our legitimate interests. We can only provide our driving, befriending, shopping and practical help services appropriately, safely and effectively if we process personal information about our clients, volunteers and associated individuals. In circumstances where processing your information does not fall within our legitimate interests, we will seek your consent. In these cases,we make sure your consent is unambiguous, it is given by an affirmative action and it is recorded as the condition for processing.

Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes

We process personal data for the purpose of providing our services appropriately, safely and effectively, in an individually tailored fashion. We need to be able to communicate with our clients, volunteers and associated individuals, as part of providing our services properly. We won’t process personal data for purposes incompatible with the original purpose it was collected for.

Personal data shall be adequate, relevant and not excessive in relation to the purpose for which it is processed

We collect personal data necessary for the relevant purposes and ensure it is not excessive. The information we process is necessary for and proportionate to our purposes. Where personal data is provided to us or obtained by us but is not relevant to our stated purposes, we will erase it.

Personal data shall be accurate and, where necessary, kept up to date

Where we become aware that personal data is inaccurate or out of date, having regard to the purpose for which it is being processed, we will take every reasonable step to ensure that data is erased or rectified without delay. If we decide not to either erase or rectify it, we will document our decision.

Personal data shall not be kept for longer than is necessary

We retain your data for six years after you last make contact with us. We keep it for six years so we can (i) ensure continuity of service, or continuity of our relationship, should you contact us during this period, and (ii) deal with legal or insurance claims. We will retain your data for longer than six years if there is an on-going legal claim, or if we are required by law to do so.

Personal data shall be processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage

Hard copy information that is subject to the GDPR is stored in our secure “portable office” with lockable hard-sided cases and a strict process followed by our Duty Officers to ensure maximum security. Electronic information is processed securely with appropriate access controls applied.The systems we use to process personal data allow us to erase or update personal data at any point in time.

Special Category Data (i.e. sensitive data) and Criminal Offence Data

In order to provide our services appropriately, safely and effectively for both our clients and our volunteers, we process special category data, and as part of our statutory duty we process criminal offence data.

• The special category data that we process, defined at Article 9 of the GDPR, is data concerning an individual’s health. Our lawful basis for processing this information is legitimate interests. The specific condition for processing this data that applies to us is listed in Article 9(2)(c) as “necessary to protect the vital interests” of the individual. This is because it is essential that we are aware of our clients’ and volunteers’ health needs for our services to be performed appropriately, safely and effectively
• We have legal authority under the Data Protection Act 2018 to process criminal offence data, asit is a requirement to conduct the government’s Disclosure and Barring Service checks for certain categories of our volunteers; namely, Befrienders, Shoppers and Drivers. Our lawful basis for processing this data is legitimate interests as it is vital that we and our clients are confident that our volunteers do not pose a risk to the vulnerable adults they provide services for.

Your Data Protection Rights

• The GDPR provides certain rights for individuals, which are set out in this Privacy Notice. If you choose to exercise your rights, we may need to verify your identity for security reasons.If we reasonably need more information to help us find your data or identify you, we will ask you for the information we need. In such cases we will need you to respond with this information, or with proof of your identity, before we can comply with your request.
• We Can refuse to comply with your request if we believe that it is what the law calls “manifestly unfounded or excessive”. All of your rights listed below are subject to this. In reaching this decision, we can take into account whether your request is repetitive.In such circumstances we can charge a reasonable fee to deal with your request, or refuse to deal with it.In either case we will tell you and justify your decision. Provided your request is not “manifestly unfounded or excessive” you are not required to pay any charge for exercising your rights. We have one month to respond to you, although in certain circumstances this timescale can be extended by two months.

Your right of access

You have the right to ask us for copies of your personal information. As there are some exemptions, you may not always receive all the information we process. We may refuse your access request if your data includes information about another individual, except where the other individual has agreed to the disclosure, or it is reasonable to provide you with this information without the other individual’s consent. Subject to the proviso above about repetitive requests,you can request access more than once. You are also entitled to be told the following things:

• What we are using your data for
• Who we are sharing your data with
• How long we will store your data
• Information on your rights to challenge the accuracy of your data, to have it deleted, or to object to its use
• Your right to complain to the Information CommissionerInformation on where your data came from
• If there is automated decision making
• If we have transferred your data to a third country or an international organisation, what security measures we took

Your right to rectification

You have the right to ask us to rectify information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete. If you ask us to correct data, we will take reasonable steps to investigate whether the data is accurate.We willconsider your arguments and any evidence you provide.We will then contact you and either (i)confirm we have corrected, deleted or added to the data, or (ii)inform you we will not correct the data, and explain why we believe the data is accurate.

Your right to erasure

You have the right to ask us to erase your personal information in certain circumstances. The right to erasure is not absolute.The right only applies in the following circumstances:

• We no longer need your data
• You initially consented to the use of your data, but have now withdrawn your consent
• You have objected to the use of your data, and your interests outweigh ours
• We have collected or used your data unlawfully, or
• We have a legal obligation to erase your data We can refuse to erase your data in the following circumstances:
• Keeping your data is necessary for reasons of freedom of expression and information
• We are legally obliged to keep hold of your data, or
• Keeping your data is necessary for establishing, exercising or defending legal claims

Your right to restriction of processing

You have the right to ask us to restrict the processing of your information in certain circumstances.You can ask us to temporarily limit the use of your data when we are considering either (i) a challenge you have made to the accuracy of your data, or (ii) an objection you have made to the use of your data.You may also ask us to limit the use of your data rather than delete it if either (a) we have processed your data unlawfully but you do not want it deleted, or (b) we no longer need your data but you want us to keep it in order to create, exercise or defend legal claims. We will take appropriate steps to restrict the use of your data,including, if relevant:

• Temporarily moving your data to another system
• Making it unavailable to users, or
• Temporarily removing it from ourwebsite, if it has been published If we have shared the data with others, we will contact each recipient and inform them of the restriction – unless this is impossible or involves a disproportionate effort. We will store the restricted data securely and will not use the data unless:
• We have your consent to do so
• The data is needed for legal claims
• Its use is to protect another person’s rights, or
• Its use is for reasons of important public interest

Your right to object to processing

You have the right to object to us processing your data if you give us specific reasons based on your particular situation.If your objection is successful, we will stop processing your personal data for the use you have objected to. However, we may still be able to continue using your data legitimately for other purposes. We can refuse to comply with your objection if we can prove we have compelling legitimate grounds to continue processing your data that overrides your objection. We can also refuse if the processing of your data is for a legal claim.We will inform you of our decision and why.

Your right to data portability

This only applies to information you have given us, and if we are processing your information based on your consent or performance of a contract. As our processing is mainly based on legitimate interests, it is unlikely that this right will be relevant. If it does apply, you have the right to ask that we transfer the information you gave us to another organisation, or give it to you.

Complaints

We try our hardest to get it right when it comes to processing your personal information. If you have queries or concerns, please contact us atdpo@sagns.org.ukand we’ll respond. If you remain dissatisfied, you can make a complaint about the way we process your personal information, to the Information Commissioner, by visiting www.ico.org.uk or calling their helpline on 0303 123 1113.

Data Sharing

• We will not share your information with any third parties for the purposes of direct marketing. We occasionally use data processors who are third parties and we have contracts in place with them. This means that they cannot do anything with your personal information unless we have instructed them to do it. They will not share your personal information with any organisation apart from us. They will hold it securely and retain it for the period we instruct.
• In some circumstances we might be legally obliged to share information, for example under a court order or with statutory or regulatory bodies.In any scenario, we’ll satisfy ourselves that we have a lawful basis on which to share the information and document our decision making and satisfy ourselves we have a legal basis on which to share the information.

Links to other Organisations

Where we provide links to websites of other organisations, this Privacy Notice does not cover how that organisation processes personal information. We encourage you to read the privacy notices on the other websites you visit.

Transfer of Data Abroad

We won’t transfer your personal data to countries or territories abroad, including outside the EEA (European Economic Area) unless we have an agreement with the relevant data processor giving equivalent protections and rights as under the UK Data Protection Act 2018. Please note: our website is accessible from overseas, so on occasion your personal data may appear on our website and be accessed from overseas, however we would seek your consent before putting your personal information on our website.