Suffolk Young People’s Health Project Privacy Notice

Effective 25 May 2018
 

Suffolk Young People’s Health Project (also referred to as ‘4YP’) believes confidentiality should be taken seriously and is committed to the security of your data and protecting your privacy.

This privacy policy sets out how Suffolk Young People’s Health Project (hereby referred to as ‘SYPHP’, ‘4YP’, or ‘we’) collects and uses personal information (or data) in compliance with the General Data Protection Regulation (GDPR), which comes into effect on 25 May 2018, and the Data Protection Bill (2017).

The Role of SYPHP

SYPHP is a Data Controller.  This means SYPHP is responsible for determining how we gather and store data of individuals (or Data Subjects), and the purposes for and manner in which that personal data is processed.

We define personal information as any information about an individual from which that person can be identified.  It does not include data where the identity has been removed (anonymous data) such as collated statistics from survey responses.

Our Promise to You

Any personal information we hold about you will be:

  • Collected and used only for valid purposes, which you will be informed about
  • Accurate
  • Kept securely and up-to-date (including data stored digitally and in manual filing systems)
  • Retained and used only for as long as necessary for the purposes we tell you about

What Data We Collect

SYPHP may collect, store, and use the following categories of personal information:

  • Contact details, such as name, title, addresses (or approximate location), telephone numbers, fax number, email addresses
  • Emergency contact information – this will be provided by you and stored/used by SYPHP on the understanding that you have informed the individual(s) to whom this data belongs
  • Date of birth, age
  • Gender
  • Photographs
  • Voice recordings (e.g. radio appearances)
  • Appointments
  • Social media handles
  • Website and IP addresses
  • Job title, employer/organisation, registered business/charity number
  • Signature

We may also collect, store and use the following “special categories” of more sensitive personal data which require a higher level of protection:

  • Race, ethnicity, sexual orientation
  • Information about your health, including medical conditions, NHS number
  • Criminal convictions and offences

How We Collect Personal Information

You may provide personal data to SYPHP when you:

  • Complete a consent form
  • Submit a counselling referral form
  • Email, write, or text 4YP
  • Telephone 4YP, and leave a message
  • Sign up for the C-Card
  • Log in to Ask the 4YP Expert
  • Take part in a media (radio, newspaper) appearance
  • Are in a photograph
  • Fill in an evaluation form
  • Interact with 4YP via social media
  • Subscribe to the 4YP (newsletter) mailing list
  • Write a case study or piece for the 4YP newsletter
  • Complete a 4YP survey or poll
  • Submit an application form for employment or to volunteer
  • Provide a testimonial or online review (e.g. on Google)
  • Provide a business card
  • Fund a 4YP service or activity
  • Enter into a partnership agreement with SYPHP as an organisation, business or charity

To fulfill our obligation to funders, we may need to obtain data via observations.

We may also collect data, including the ‘special categories’, with your written consent.

Sometimes we collect data because of our obligation to do so by law, for an individual’s safety (to protect your vital interests), or for our role as an employer.

Where appropriate, we will seek consent of the holder of parental responsibility for any young person below the age of 16 years old.  However, if deemed necessary (e.g. for sake of safeguarding) we may not as per paragraph 38 of the regulation, which states it may “not be necessary in the context of preventive or counselling services offered directly to a child.”

How Suffolk Young People’s Health Project Uses Data About You

We will only use your personal information for the purposes that we collect it for.

SYPHP uses data to carry out our objective to provide young people with an appropriate and supportive service or to help them access one.

Your personal information may be disclosed to any SYPHP employee or volunteer as reasonably necessary for the purposes identified in this policy.

SYPHP also uses data to:

  • Make and confirm appointments
  • Provide support to other people, e.g. advice to parents/carers and professionals
  • Respond to enquiries and complaints
  • Promote 4YP services and activities
  • Contact you with relevant information, such as news, events and activities
  • Fundraise
  • Process payments, including funding and donations
  • Thank supporters
  • Collate information about health and wellbeing, issues, and the impact of 4YP’s services
  • Carry out equal opportunities monitoring

On rare occasions, we may need to use your data for other reasons.  In this case, we will notify you, explain why we are doing this, and tell you the legal basis which allows us to do so.  We may need to use your data to:

  • Fulfill a legal obligation
  • Complete activities of legitimate interests of SYPHP or a third party, where your interests and fundamental rights do not override those interests
  • Protect your, someone else’s, or public interests

Please note that we may process your personal information without your knowledge or consent, in compliance with the above rules, GDPR, and where this is required and permitted by law.

We may anonymise some personal data, for example survey results.  In this case, it can no longer be associated with, or used to identify, an individual.

Third Parties

SYPHP uses some third-party services to assist in our operations.  

We have no control over, and are not responsible for, the privacy policies and practices of third parties.  As such, when using these services, you will be prompted to agree to their Privacy Policy.

SYPHP will act as a Data Controller for the personal data third-party services share with us.

These third-party services include:

Data Sharing

SYPHP may on occasion need to share your data with third parties, including trusted service providers with whom we work.  This will only be done where necessary, and you will be notified.

As with SYPHP, third parties are required to respect the security of your data.  We only permit them to process your data for specified purposes and treat it in accordance with GDPR, the law, and SYPHP policies.

Examples of third parties 4YP works with in partnership or hold contracts with:

SYPHP may share statistical data with third parties, but no information from which individuals can be identified.

We will not, without your consent, supply your personal information to third parties for the purpose of direct marketing.

Data Security

SYPHP uses a range of measures to protect the security of your information and prevent unauthorised access, loss, misuse or inappropriate alteration of your data.

We have put in place reasonable physical, electronic and managerial procedures to safeguard and secure personal information.  For example, we use:

  • Encryption – including portable devices and encrypted emails
  • Locked cabinets
  • Strong passwords
  • Password protected servers, accounts/log-ins, databases, documents, and programmes (e.g. Microsoft Outlook)
  • Restricted areas of server accessible only by authorised personnel
  • Up-to-date virus protection, firewalls, and malware software

SYPHP limits access to your personal information to only the necessary employees and volunteers who need to know.

We have procedures to deal with a suspected data security breach, which may include notifying you and the Information Commissioner’s Office where we are legally required to do so.

Data Retention

We will retain your personal information (including printed and electronic documents) for only as long as necessary to fulfil the purposes for which we collected it, and to fulfill legal, accounting, employment, and reporting requirements.

Different types of data may be retained for different periods, as outlined in the SYPHP Retention Policy.

Your personal data stored by SYPHP will be destroyed or deleted at the point retention expires.

Updating Information

SYPHP has a duty to keep all the information we hold about you up-to-date in line with any amendments you tell us of.

As such, please keep us informed of any changes to your personal information by contacting us in one of the ways described under Your Rights, below.

Your Rights

The GDPR gives you greater control over your data held by a Data Processor like SYPHP.

You may express your rights, in writing or verbally, by addressing your request to the Data Protection Officer, by:

  • Emailing enquiries@syphp.org.uk
  • Writing to, or dropping in at, 14 Lower Brook Street, Ipswich, IP4 1AP
  • Calling 01473 252607

Providing an additional, appropriate security measure, we may need identification or other information to confirm who you are.  This will clarify your right to access the data and exercise your rights and avoid incorrect disclosures.

Valid forms of identification may include a passport, driving licence or birth certificate.

SYPHP will respond to your request within one calendar month.  Normally, no fee will be charged unless the request is excessive.

If we are unable to fulfill your request (for example, a legal obligation), or need to take longer to process your request, we will explain why.

  1. Privacy Information

SYPHP will always inform you about the collection and use of your personal information, outlining the purpose for which we obtain and use your data, the retention periods and who it will be shared with.

  1. Subject Access

You have the right to request access to your personal information.  If you do this, SYPHP will provide you with a copy of the personal information we hold about you to check that:

  • we are processing it lawfully
  • it is up-to-date
  1. Correction

If you consider the personal information we hold about you to be inaccurate or incomplete, you can request for us to correct it.

  1. Restriction

If you have any concerns about the way SYPHP may be using your data, you may request for us to suspend its use while these are investigated.  This is known as ‘restriction’.  Concerns you may have could include:

  • Inaccuracies in the data 
  • Our reason(s) for processing the data
  • Preventing erasure of your information, so that it may be available beyond the time frame established in the SYPHP Retention Policy (available upon request)

You should note that restricted data remains stored (but not erased) and may be restricted only for a limited time period.

  1. Objection

You have the right to prevent SYPHP using your personal data where your particular situation means you object to it being processed.  In this case, we may require specific reasons.

We cannot request reasons for your objection to direct marketing.  This includes contacting you about fundraising.

This data may still be stored, and not erased.

  1. Erasure

As part of your ‘right to be forgotten’, you may ask SYPHP to delete or remove your personal information where:

  • there is no acceptable reason for us to continue processing or to store it
  • you have exercised your right to object (see above).
  1. Transfer (or Data Portability)

This right allows you to request us to move, copy, or transfer your personal data easily from the SYPHP IT network to yourself or another network, service, business, etc.  We will do so without compromising security or the data usability.

This excludes information stored on paper-based files.

Right to Withdraw Consent

Occasionally, we may obtain your consent to collect and process your personal data for a specific purpose.

You have the right to withdraw your consent at any time by contacting the Data Protection Officer (see Changes to the Notice, below).

After SYPHP receives notification that you have withdrawn consent, we will no longer process your information for the stated purpose(s).  There may be exceptions where we have another legitimate, lawful basis for doing so, which we will inform you of.

Report a Concern

If you have a concern about the way your personal information has been handled, complaints can be reported directly to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues, at:

  • Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
  • 0303 123 1113

Further information, including live chat help, is available online at https://ico.org.uk/concerns

Changes to this Notice

Suffolk Young People’s Health Project reserves the right to update and amend this privacy notice at any time.

The correct version will be accessible on the 4YP website at any time.  Copies may also be requested from the Data Protection Officer at: