Privacy Notice

The Comfrey Project has a strong commitment to continually improve our levels of service. To help us achieve this we may collect and process information about you.

Summary

We will collect and otherwise use personal information about you to enable us to administer our services (as detailed below), to provide you with other relevant services and to help us continue to manage our relationship with you.

This Privacy Notice describes in detail how we will use your personal information, what your rights are in relation to personal information and how you can exercise those rights.

Introduction

In this Privacy Notice:

we, us or our (or similar words) means The Comfrey Project;
you means the person whose personal information (as defined below);
service means the service within our organisation you are associated with;
third parties means anyone who we may share your personal information with; and
Website means www.thecomfreyproject.org.uk.

We are committed to protecting your privacy. We will only use your personal information in accordance with the current Data Protection Act 1998 (the DPA), the forthcoming General Data Protection Regulation (the GDPR) and any other laws that set out how we can use your personal data.

Which services do we offer?

We are a Charitable Incorporated Organisation (CIO) offering services to support the mental and physical wellness and community integration of asylum seekers, refugees and all other members of the community. We provide primarily nature-related and creative services (including gardening, bee-keeping, environmental awareness projects, nature walks, trips, arts and crafts, cooking).

As part of our service we offer signposting advice and organise participatory community events.

We are also occasionally involved in activities which aim to promote the wellbeing, integration and equal rights of refugees and asylum seekers, including events, campaigns and the distribution of relevant information.

Other services may include:

– training;
– volunteering opportunities;
– room hire;
– fundraising; and
– central services (including finance and HR).

Who is responsible for your personal information?

We control the information that is collected by us about you and the purposes for which we use that information. This means that we are the data controller (for the purposes of both the DPA and GDPR) in respect of such personal information.

What is our legal basis for processing your personal information?

At the point we collect your personal information we will advise you of our legal basis for the processing and direct you to this full Privacy Notice. This means we will never process your data without a legal basis to do so.

Our legal basis for processing will differ from service to service, but is likely to fall into the following categories:

Wellbeing and Integration Services – processing is necessary for the performance of a contract with you (or to take steps to enter into a contract), or, processing is necessary for compliance with a legal obligation, or, processing is necessary to protect the vital interests of you (or other person), or, necessary legitimate interest pursued by us, or a third party.

An additional (special) category for our legal basis may be: processing is necessary to protect the vital interests of you or another individual where you are physically or legally incapable of giving consent.

Fundraising, Training, Room Hire, Volunteering Opportunities – necessary legitimate interest pursued by us, or a third party, or through consent by you to process your personal information.

An additional (special) category for our legal basis may be: processing relates to personal data manifestly made public by you.

Central services – processing is necessary for compliance with a legal obligation, or, processing is necessary for the performance of a contract with you (or to take steps to enter into a contract).

An additional (special) category for our legal basis may be: processing is necessary for carrying out obligations under employment, social security or social protection law, or a collective agreement.

Organisation wide – necessary legitimate interest pursued by us, or a third party, for instance, the use of CCTV.

If you are unsure about any of these categories, or you are concerned regarding our legal basis for processing your personal information, please contact us via the contact information further on in this Notice.

What information do we collect?

At the point we collect your personal information we will advise you of the exact purpose for which we are collecting your information and direct you to this full Privacy Notice.

This means we will not collect personal information for one purpose and then use it for another, unless the second purpose is implicit.

The collection of information will differ from service to service, but will mainly consist of your name, address and contact details (including email address and mobile phone number). When dealing with any vulnerable individual, their ‘appropriate adult’*1 will provide this information.

We may also require your GP’s and emergency contact details. If we are collecting sensitive personal data it is likely we will also request medical history and any associated records.

In some instances we may require financially related information, for instance, a credit card number or bank account details.

If we are collecting your data for educational and employability purposes we may also request copies of your qualifications or achievements to date.

During events, if you agree to give us your contact details, we will input these into our mailing database. We will use your contact details to contact you for the agreed marketing purposes via your preferred method of communication.

We will hold internal records on our staff, including full Disclosure and Barring Service (DBS) checks. More information relating to employee records can be sourced via our internal Data Protection Policy and accompanying procedures by our internal staff.

In addition, we may collect the following personal information about you:

– information contained in and records of communications between us, including emails, letters and text messages. We may also record calls between us for training, monitoring and quality purposes;

– data collected as part of any documents you manually or electronically complete, or online services to which you subscribe;

– CCTV footage in which you may feature if you visit our services;

– information about your preferences in connection with our Website, for the purposes of enhancing and personalising your experience on the Website;

– details of your visits to our Website, for example traffic data, location data (including the country and telephone area code where the computer is located);

– information concerning your marketing preferences.

If you provide us with personal information about another individual (unless legally able to do so), you must ensure that before you provide us with their personal information, you have their agreement to do so and that they are aware of the ways in which we will use their personal information as set out in this Privacy Notice.

How do we use your personal information?

We may use your personal information:

– to carry out our obligations arising from any contracts entered into between you and us;

– to comply with our legal obligations and with instructions from regulatory bodies such as the Care Quality Commission (CQC) and the Charity Governance Code (CGC);

– to manage and administer the relationship between you and us;

– to notify you about changes to our services and to otherwise communicate with you, for example, we will use your contact details in order to respond to any queries that you may submit to us;

– to train our staff to continuously improve our services;

– to analyse the efficacy of our services and results to continuously improve our services;

– to carry out marketing activities; and

– to carry out market research relating to similar services.

With whom do we share your personal information?

In connection with the above uses of your personal information, some of our services may share your personal information with third parties in connection with our services. For instance, we may pass your personal information to:

– third party organisations that provide services to us;

– third party organisations that collect data relating to examination results e.g. City & Guilds;

– external agencies and organisations (including the police and other law enforcement agencies) for the purpose of preventing and detecting fraud (including fraudulent transactions) and criminal activity. We may also disclose personal information to the police and other law enforcement agencies in connection with the prevention and detection of crime;

– third parties if we are under a duty to disclose or share your personal information in order to comply with any legal obligation or instructions of a regulatory body, in connection with a court order, or in order to enforce or apply the terms of any agreements we have with or otherwise concerning you (including agreements between you and us); or to protect our rights, property or safety or those of our service users, employees or other third parties.

We may share non-personal aggregate statistical data about visitors to our Website (for instance, traffic patterns) with certain third parties to enable us to improve the way we communicate on our Website with you.

If you are concerned or have any questions about who we may share your personal information with, please contact us via the contact information further on in this Notice.

Transfers outside the EEA

We do not currently transfer your personal data outside the EEA, with the exception of our fundraising service, which at times uses a third party service provider (Mail Chimp) based in the United States (US). We have safeguarding reassurances as Mail Chimp is covered by Privacy Shield, which is recognised by the ICO as providing adequate security in the US.

Protecting your personal information

We regularly review and continually improve our data security measures to reduce any risk of data loss or data breaches. This includes but is not limited to: the use of firewalls, the use of anti-virus software, regular backups of our data, and the encryption of sensitive personal data. We also have a data breach plan and procedure to follow in the event of any data breach, to minimise any potential impact to you.

Our security procedures mean that we will not disclose your personal information to any unknown third party without first gaining your consent to do so, except under certain legal exemptions. At times we may also need to validate that we are speaking to the right person, therefore we may request proof of your identity before we are able to disclose personal information to you.

Any payments made by you to us by credit card will be processed by appropriate staff in compliance with the Payment Card Industry Data Security Standard (PCI DSS).

The transmission of information via the internet is not completely secure; this risk is not specific to our Website and is common across the internet. Unfortunately, we cannot guarantee the security of the transmission of data, which is outside our control; any data you send is at your own risk. However, to reduce this risk our internal procedures require staff who need to send sensitive personal data outside our network to do so with strict controls on encryption and password protection.

How long will we keep your personal information?

We will not store your personal information for longer than is necessary for the purposes of processing. This means after we process your personal information, we will securely destroy your personal information from our records.

In line with GDPR guidance, we will only further retain your personal information for a regulatory, legal or a specific business purpose, in line with our Data Retention Policy.

Our data retention periods will differ from service to service, dependent on the type of data and the purposes of processing. If you require specific retention schedules for your personal information please contact us using the contact details further on in this Notice.

What rights do you have?

By providing you with this Privacy Notice we are ensuring that you have been fully and clearly informed about our fair processing information, in relation to how we use your personal information.

You have the right to object to our processing of your personal information if you feel that our legal basis for the processing is incorrect.

If you think any of the personal information we hold about you is inaccurate or incorrect, you can request that we correct this information.

If you feel there is no compelling reason for the continued processing of your personal information, you can request that it is erased (through deletion or removal) from our systems.

In certain circumstances you may wish to request that we restrict processing of your personal information; we will usually do this through suppressing the information we hold.

For any of the above concerns please use the contact information below; we will respond to you within 1 month from the date of receiving your query. If your request is more complex in nature we may extend our response to 2 months.

If you wish to obtain and be able to reuse any of the personal information we hold about you (data portability) please contact us to discuss further.

Due to the nature of the work we do, we do not currently automate decision making or profile your personal information without human intervention. If however you have any concerns regarding this you may contact us to discuss further.

Access to your personal information

Both the current DPA and the future GDPR give you the right to access your personal information, subject to certain exemptions. To request access to your personal information, please contact us using the contact information below, including a completed Request for Access to Personal Information Form.

In line with the new GDPR legislation there will be no fee for any subject access request we receive; however, we will require identification to verify your identity. Please view our ID Checklist.

We will respond to you within 1 month from the date of receiving your query. If your request is more complex in nature we may extend our response by a further 2 months, but will keep you informed.

While we are mindful that the GDPR has introduced a new best practice recommendation that, where possible, organisations should provide remote access to a secure self-service system which would provide you with direct access to your personal information, unfortunately due to the nature of the varied information we hold across our services at this time we are unable to offer this service.

How to contact us

If you have any questions, comments or requests regarding this Privacy Notice, please contact our Development Officer, Eleni Venaki, in either of the following ways:

– by writing to The Comfrey Project, Windmill Hills centre, Chester Place, Gateshead, NE8 1QB, marked to the attention of Eleni Venaki, or

– by emailing at eleni@thecomfreyproject.org.uk

Please mark correspondence with the title: Data Protection Query.

How to complain

In the first instance any dissatisfaction relating to our handling of your personal information should be brought to our attention using the contact information above.

If you have already contacted us about any of the above rights and you are still unsatisfied with our response or the outcome, you can escalate the matter to the ICO using the following contact details:

The Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Please note: you may wish to seek independent legal advice to progress resolution of your concerns. In all cases, wherever possible, local resolution should be sought.

However, you have the right to pursue any of these channels at any time and may wish to pursue several actions simultaneously.

Changes

We will regularly review this Privacy Notice. If we decide to change this Privacy Notice, we will post the updated version on our Website so that you are always aware of what personal information we collect, how we use it and under what circumstances we disclose it. The updated Privacy Notice will take effect as soon as it is posted on our Website.

This Notice was last updated in May 2018.

The next review date is November 2018.

Footnotes

*1 In English law, an appropriate adult is a parent, guardian or social worker; or if no person matching this is available, any responsible person over 18. The term was introduced as part of the policing reforms in the Police and Criminal Evidence Act 1984 and applies in England and Wales.