St Elizabeth’s Privacy Notice – Donors and Supporters
At St Elizabeth’s, we are committed to protecting your data and privacy and complying with relevant legislation and codes of practice while we carry out our essential work of raising funds for, and awareness of, our work supporting those with epilepsy and other complex needs.
This notice sets out St Elizabeth’s data processing practices, which will govern the processing of data that you provide to us and which we may obtain about you from other sources.
If you have any queries about this notice please contact St Elizabeth’s, Perry Green, Much Hadham, Hertfordshire, SG10 6EW or email firstname.lastname@example.org or telephone us on 01279 844355.
We are registered as a company in England (Company No. 11087989) and as a charity (Charity No. 1176777). The Officer with responsibility for Data Protection is the Director of Finance and IT.
How do we collect data?
We obtain personal data from you in a variety of ways, including when you:
- enquire about our activities,
- request one of our publications,
- make a donation to us,
- make a donation of stock to one of our shops,
- tell us your stories, or
- attend one of our events.
What data do we collect?
The types of data collected may include:
- your name,
- e-mail address,
- postal address,
- telephone number,
- payment details if you make a donation or payment.
We will only collect personal data to the extent that it is required for the specific purpose notified to you or for the purpose that is clearly apparent from the circumstances in which you provide your data.
We will not carry out any data-matching exercises to obtain information about you that you have not provided directly to us nor carry out any wealth screening. We do, however, analyse general trends and demographics of our supporters in order to ensure our communications and events are relevant and informative and we use our resources effectively. We also try to ensure that individual supporters receive a personalised response from us in acknowledgment of their support or donations.
How do we use this data?
Data processing will only take place where we are permitted to do so by the relevant data protection or privacy legislation or where you have given your consent to the processing.
We may use your personal data for the following purposes:
- To provide you with the services, products or information you have requested;
- To contact you about our future events and services where you have agreed that we may do so;
- To contact you about fundraising initiatives where you have agreed that we may do so;
- To process payment details if you make one or more donations;
- To contact HMRC in order to claim Gift Aid on a donation (where appropriate);
- To plan future activities; and
- To further our legitimate charitable aims such as sending you information about how your donations are being spent or sending you an annual report or newsletter.
Will we disclose the information we collect to third parties?
We may need to share your data with organisations that provide us with data processing services, such as marketing fulfillment businesses, IT service providers, event organisers and payment processing suppliers. We have agreements in place to make sure these organisations only process your data according to our instructions, securely and in line with relevant legislation.
We will not share your data with other organisations, unless you have specifically agreed that we may do so.
We may also need to disclose your data if required to do so by law, where we are enforcing our legal rights or where we merge with another entity.
We only use your personal data for direct marketing purposes if we are allowed to do this by law or if we have your consent.
If we already have an accurate record of your marketing preferences that complies with applicable legislation, we will assume that you are happy to continue to receive marketing information from us in line with those preferences if you do not indicate otherwise when we contact you or you contact us. However, you can change your direct marketing preferences at any time by contacting us using the details above or via any other unsubscribe mechanism we offer from time to time.
If you have not worked with us or supported us previously, please ensure you indicate your preferences in the relevant sections of the form when information is being collected otherwise we may not be able to keep you up to date with our activities and fundraising initiatives.
We produce a twice-yearly Newsletter which provides details of activities at St Elizabeth’s for individuals and organisations who are interested in the work of the charity. This is sent to people and organisations who have requested information on our activities, local individuals or organisations, or people and organisations we have sent it to in the past who have not indicated that they do not wish to receive it. This is done on the basis that the charity has a legitimate interest in ensuring people and organisations are aware of developments at St Elizabeth’s and are able to support St Elizabeth’s work with donations so that the activities can continue. This mailing is only sent twice a year, has a minimal impact on individual privacy, contains information which the recipients find valuable and there is a clear way in which recipients can ensure that they do not receive future newsletters.
How do we protect personal data?
We have in place appropriate procedures and technologies to maintain the security of all personal data from the point of collection to the point of destruction. Personal data will only be transferred to a data processor if it agrees to comply with those procedures and policies, or if it puts in place adequate measures itself.
Card payment details are not retained by St Elizabeth’s.
We require our data/payment processors to conform to PCI DSS standards for data security.
We also take appropriate measures to ensure that the data disclosed to us is kept secure, accurate and up to date and kept only for so long as is necessary for the purposes for which it is used. We will take all reasonable steps to destroy or suppress, or erase from our systems, all data which is no longer required. We may also contact you from time to time in order to ensure that our records are correct and up-to-date including your marketing preferences.
We will not transfer your data to countries or jurisdictions outside the EEA.
You have the right to ask for a copy of the data we hold about you and to have any inaccuracies in your data corrected.
You have the right to ask us to stop using your data for direct marketing purposes or prevent processing that is likely to cause you damage or distress.
We shall also comply with any additional rights given to data subjects under new or modified legislation.
If you have any queries or complaints about the way we process your personal data, please contact us using the details above. Alternatively you may contact the Information Commissioner's Office at https://ico.org.uk/
We reserve the right to amend this privacy notice from time to time. If we do so, we will post notice of the changes on our website and/or advise you of them by email. By continuing to use our website or services after any notification, you will be deemed to have accepted such changes.
We respect your wishes
If your personal details change and you want to continue to work with us and hear from us, please help us to keep your data up to date by notifying us using the details above.
If, for any reason, you wish to advise us that you no longer require our services or do not want us to contact you or do not want us to share your data with specified third parties for marketing purposes, please let us know by contacting us using the details above.
Privacy Notice – HR Department: Personal Data Statement
1 Employer Details
This is the privacy notice of the St Elizabeth’s Centre, relating to the Human Resources (HR) Department.
The Centre’s registered office is South End, Much Hadham, Herts, SG10 6EW.
St Elizabeth’s operates/provides the following services: a School, Children’s Home, College, Domiciliary Care; Adult Care (with Nursing) and Health Agency.
St Elizabeth’s operates the majority of its services from its site based in Perry Green, just outside Much Hadham, Hertfordshire. It also operates a service at Windhill, Bishop’s Stortford.
St Elizabeth’s Centre is strongly committed to protecting personal data. This privacy notice describes why and how we collect and use personal data within the HR Department, and provides information about individuals’ rights with respect to their personal data. Within this notice, “we” refers to the HR Department, to include that held by the Centre’s Learning and Development Department.
The notice relates to personal data provided to us, both by individuals themselves, or by others. We may use personal data provided to us for any of the purposes described in this privacy statement, or as otherwise stated at the point of collection.
We have a range of policies and procedures in place to ensure that any personal information supplied to us is held securely and treated confidentially in line with the General Data Protection Regulation (GDPR).
The Centre’s Data Protection Officer (DPO)/appointed data protection person is the Director of Finance. Within HR, the Director of HR and Staff Development is responsible for data protection within the HR and Learning and Development Departments.
Under the direction of the HR Director, we regularly review our “Information Asset Register”, which details what personal data we collect, why we collect it, where it is stored, who has access to it, how it is processed and who is responsible for it. If you would like to view our current Information Asset Register please contact: Hrpersonaldata@stelizabeths.org.uk
4 Our Promise to You
We are committed to the General Data Protection Regulation (GDPR) principles. We aim to ensure:
- transparency with regard to the use of personal data
- that any processing is lawful, fair, transparent and necessary for a specific purpose
- that personal data is accurate, kept up to date and removed when no longer necessary
- that personal data is kept and processed safely and securely, protected against accidental loss, destruction or damage.
We are committed to the principles of data protection by design and by default.
If you believe that any of your personal data is inaccurate or untrue, or if you are dissatisfied with the way the information is being stored, processed or destroyed, please inform the HR Director at the earliest opportunity.
5 Why do we collect and hold your personal information?
Personal information which is collected and processed by us is required to enable the recruitment process, or for the management of your employment or work with us.
Further information with respect to recruitment is given as appendix A.
6 What personal information we collect
We hold personal data relating to applicants for employment, employees and workers and former employees or workers.
The HR department holds personal data which is defined as data relating to a person who can be identified, directly or indirectly, by this data “identifier” – for example, name.
We also hold some sensitive personal data which is defined as including: racial or ethnic origin, health, sexual orientation or criminal records.
Data may be collected, held or processed as a “hard copy” document or on an IT system.
We hold and process personal data for numerous purposes, for example in relation to our recruitment decisions and ongoing employment, to include learning and development, pay etc, and for health and safety / security purposes. All personal information obtained and held by HR from employees, bank or agency workers is that which is necessary to ensure that the Centre provides a service which is consistent with our purpose of providing a person-centred care service and which meets all regulatory standards and statutory requirements.
Personal information that is held includes:-
- details of your qualifications, skills, experience and employment history, including start and end dates, with previous employers and with the Centre;
- details of your bank account and national insurance number;
- information about your marital status, next of kin and emergency contacts;
- information about your nationality and entitlement to work in the UK;
- information from your DBS check;
- details of your schedule (days of work and working hours) and attendance at work;
- details of periods of leave taken by you, including holiday, sickness absence, family leave, and the reasons for the leave;
- details of any disciplinary or grievance procedures in which you have been involved, including any warnings issued to you and related correspondence;
- assessments of your performance, including appraisals, supervisions, training you have participated in, performance improvement plans and related correspondence;
- information about medical or health conditions, including whether or not you have a disability for which the organisation needs to make reasonable adjustments;
- ID (identification) / security photograph which is held on the Select HR IT system, CCTV images, and also biometric data (the “finger photo” used for rostering/attendance recording on the STARS IT system).
The means of collection, lawful basis of processing, use, disclosure, and retention periods for each purpose may differ.
7 What is the legal basis for handling personal information?
Data protection laws require that, to process your personal data, we must meet at least one prescribed basis for it. We rely on one of the following bases for the activities we carry out.
- Consent - to obtain, hold or process some personal information we may ask for your consent first. Consent in these circumstances must be freely given, informed and may be withdrawn.
However, the majority of the personal data we collect and hold is not subject to consent. The legal basis for collecting, holding and processing this specific data is:-
- For the performance of a contract with you, or to take steps to enter into a contract;
- To enable us to meet our statutory or legal obligations, to include auditing and regulatory purposes;
- For the employer’s legitimate interests - in the United Kingdom, organisations can use personal information where the benefits of doing so are not outweighed by the interests or fundamental rights or freedoms of individuals. The law calls this the “Legitimate Interests” basis for processing.
For example, we may rely on legitimate interests for processing personal data for:
- Helping to prevent and detect crime, to include safeguarding matters;
- Protecting individuals’ vital interests – for example, protecting the children and vulnerable adults in our care by carrying out regular checks on employees/workers through the Disclosure and Barring Service;
- Complying with legal and regulatory requirements;
- Reporting and analytical purposes;
- Maintaining our records, and other administrative purposes.
8 How we collect and use information
The bulk of the personal information held by St Elizabeth’s is collected directly from each employee, worker or applicant for employment. However, an agency worker’s personal information may be provided to the Centre by the worker’s agency. Similarly, as part of an introduction process for employment made by an agency, personal information may be provided to us by the agency. Agencies that provide data to the Centre for employment /introduction purposes are responsible for ensuring that permissions have been obtained from the agency worker/applicant for employment. We may also process information about you that is provided to us by a third party (such as our Occupational Health service), and/or hold information about you provided to us from within the Centre, for example your line manager.
Where you supply another person’s personal data to us, for example emergency contact details / next of kin details, you must ensure that you have their consent and that you keep this information up to date.
Information is provided to us in hard copy/paper copy eg documents needed for the pre-employment checking processes, or electronically eg via the Centre’s recruitment applicant tracker system (ATS).
For the safety and security of our service users, employees and visitors, the Centre operates CCTV monitoring/recording. CCTV is used responsibly with proper safeguards in place. Its use at the Centre is informed by the Information Commissioner’s Office Data Protection guidance “In the Picture: a data protection code of practice for surveillance cameras and personal information”. For further information please see the Centre’s “Statement on the Use of CCTV” which is available on the intranet.
Within the recruitment process, we may use automated decision making. Applicants for employment will be expressly advised when this is part of the selection process.
All personal information obtained to meet our regulatory requirements will always be treated in line with our data protection and confidentiality policies.
9 How we store your personal information and keep it safe
The Centre has a range of policies that enable us to comply with all data protection requirements.
We store personal information securely within the HR Department, for example in hard copy within HR files which are kept securely in locked filing cabinets. It is also held on secure IT systems such as Select HR (the HR IT record system), St Elizabeth’s Time and Rostering System (STARS) and some personal data is provided to the St Elizabeth’s payroll department, and held and processed on ERNIE (the payroll system). Personal information (eg emails, spreadsheets, letters) may also be held on the St Elizabeth’s IT system (local servers). Where personal information is stored on an externally hosted or managed IT system on behalf of the Centre, the provider is expressly required to confirm compliance with GDPR. No personal data is held outside the EEU.
10 With whom we might share information outside St Elizabeth’s Centre
We will only disclose information about you to third parties:
- where we need to comply with our contractual duties to you. For instance we may need to pass on certain information to our external payroll provider or pension provider, or to obtain pre-employment references, obtain employment background checks, or obtain necessary criminal records checks from the Disclosure and Barring Service;
- if we are legally obliged to do so, for example to public bodies, law enforcement or regulators with authority to obtain disclosure of personal data.
Please note, we are not required to seek your consent to release your personal data in these situations.
Where we provide information for statistical purposes, for example for the National Minimum Data Set, the information is aggregated and provided anonymously so that there is no privacy risk involved in its use.
11 How you can access your own personal information held by St Elizabeth’s HR department
There are procedures in place to enable any employee, bank or agency worker whose personal information we possess to have access to that information on request. The right to access includes both the information and any uses which we might have made of the information.
In the interests of openness and fairness, the Centre allows all employees and bank workers to access the information held about them on Select HR at any time using the self service facility. Personal data is also held on STARS and is available via the self service function.
Additionally, employees and workers have the right to access personal data held about them on other IT systems, or in hard copy form, at reasonable intervals. This is known as a “data subject access request”. As a general rule, a copy of the requested information will be provided free of charge, although the Centre reserves the right to charge a reasonable fee when providing the data will incur disproportionate administrative cost, or where a request is manifestly unfounded or excessive, particularly if it is repetitive. If this proves necessary, the person concerned will be informed of their right to contest our decision with the supervisory authority (the Information Commissioner's Office (ICO)).
If you wish to request access to your personal data from us please email: email@example.com.
In the event of a disagreement regarding personal data, the matter should be taken up under the Centre’s grievance procedure. This does not prevent you from exercising your right under the GDPR to complain to the supervisory authority (the Information Commissioner's Office (ICO)).
12 How long we keep information
There are protocols in place that determine how long St Elizabeth’s will keep information held or managed by HR which are in line with the relevant legislation and regulations. A copy of the record retention protocol is available on the intranet.
13 Right to be forgotten
The Centre recognises the right to erasure, also known as the right to be forgotten, as laid down in the GDPR. Individuals should contact the HR department with any requests for the deletion or removal of personal data. Please email: firstname.lastname@example.org
Requests will be acted on provided there is no compelling reason for continued retention/processing and that the exemptions set out in the GDPR do not apply. These exemptions include where the personal data is processed for the exercise or defence of legal claims and to comply with a legal obligation for the performance of a public interest task or exercise of official authority.
14 Data Security/Data Loss
We have put in place data security measures that are appropriate to the risk involved in processing the data we hold.
If a data breach occurs that is likely to result in a risk to the rights and freedoms of individuals, the people affected will be informed as soon as possible, and the Information Commissioner’s Office (ICO) will be notified within 72 hours.
15 How we keep our privacy policies up to date
We will assess privacy risks continuously as part of our day to day activities. We will also carry out a wider review of policy and practice at regular and appropriate intervals.
16 Changes to this privacy statement
We recognise that collecting, holding, processing and destroying personal information within HR is an on-going responsibility and will therefore keep this privacy statement under regular review.
If you have any feedback on this privacy statement to help us improve it please contact the HR Director.
This privacy statement was last updated on:- 1 May 2018.
- Data Protection Policy
- HR – Data Retention Protocol
- Statement on the Use of CCTV
Appendix A – further information regarding recruitment
As part of our recruitment process we need to collect and use personal information to include CV, application form, references, records of qualifications/skills/training along with verification documents and those needed to carry out checks with the Disclosure and Barring (DBS) service.
These enable us to:-
- Assess your suitability to work for St Elizabeth’s Centre;
- Conduct screening, assessments and interviews;
- Make offers, and provide contracts of employment/worker contracts;
- Carry out pre-employment checks, such as DBS and medical assessment.
Some information is held and managed online using our Applicant Tracker System (ATS). Some is held and managed as hard copies.
Unsuccessful applications will be destroyed/removed from the IT system after 12 months from the date the application was received/the outcome was notified to the applicant/post was filled (whichever is the later).