Merton Centre for Independent Living - Privacy Notice
This privacy notice explains how Merton Centre for Independent Living (Merton CIL) (registered charity number 1152825), of Wandle Valley Resource Centre, Church Road, Mitcham, Surrey, CR4 3BE, collects, uses and shares personal data, and your rights in relation to the personal data we hold. For these purposes Merton CIL is the Controller of your personal data under the General Data Protection Regulation and other UK data protection laws.
This Privacy Notice is effective from 25 May 2018. Merton CIL hold the right to change or update this privacy notice at any time.
In line with the General Data Protection Regulations, Merton CIL will ensure that personal data held by us will be accurate, limited to what is necessary, and secure. Merton CIL aims to ensure that all service users, members, volunteers and trustees bare able to trust and have confidence in the way that Merton CIL keeps personal information.
Overall responsibility rests with the governing body. Day to day operational responibility is delegated to the CEO. The CEO is responsible for understanding and communicating obligtions under the GDPR, identifying potential problem areas or risks and producing clear and effective procedures.
How we collect your information
We may collect your personal data in a number of ways, for example:
- When you would like our support we will store information relating to your case
- When you sign up as a member of Merton CIL
- When you register or enter your details on our website, for example sending an enquiry or signing up to our newsletter
- When you communicate with us by post, telephone, fax, email or other forms of electronic communication;
- When you attend an event, meeting or consultation
- When you complete a Merton CIL survey, questionnaire or give us feedback
- From information provided to us by a third party organisation if you were referred by them
The categories of data we collect
We may collect the following categories of personal data about you:
- Your name and contact information such as address, email address and telephone number (and, on an ongoing basis, any change of address details);
- Protected characteristics such as your race, religion, sexuality etc;
- Income and employment details
- Information regarding your disability or health condition;
- To a limited extent and only occasionally, medical information such as dietary requirements where we require this information to provide catering services to you at our events;
- Information about your case with Merton CIL, including records of communications between you and us and your appointments with caseworkers at Merton CIL
- Any feedback in relation to any surveys or questionnaires that you complete
- Photographs from events and consultations.
The basis for processing your data, how we use that data and with whom we share it.
How we store your data
Merton CIL keeps non confidential information using computer and paper files in unlocked filing cabinets with open access to Merton CIL staff.
Confidential information is kept in locked filing cabinets (paper files) or in a secure password protected database (electronic files) by the member of staff directly responsible.
Notes written outside of the office or being taken outside of the office will only use initials or reference numbers in order to anonymous information where possible.
All case notes or identifying paperwork in transit will be kept in a confidential folder and clearly marked with details where to return if found.
Merton CIL staff must not accidentally or deliberatley disclose confidential information. Miantaining confidentiality requires a common sense approach. Merton CIL staff will not exchange personal information or comments about an indiviudal who they have had a professional relationship. Service users protected charecteristics will not be discussed unless consent is given and it is specifically relevant to their support needs. Merton CIL staff will not talk about other organisations or individuals in social settings. When photocopying confidential documents staff must ensure that they are not seen by people in passing. Merton CIL staff will also ensure telephone conversations remain as confidential as possible and use private space where necessary.
We may process your personal data because it is necessary for our legitimate interests. This will always be weighed against your rights, interests and expectations. We record contact details and casework information from everyone accessing our services under legitimate basis. This information is necessary for us to check eligibility, provide advice, and audit our work. People seeking to access our service will be informed of this both verbally and in writing
In this respect, we may also provide your personal data to the following (where this is necessary for our or a third party's legitimate interests):
- Our funders who we will need to report back to regarding the service that we are delivering and to whom. Your data will only be shared anonymously and you won’t be identifiable
- Our websites operator, who may store details such as name and email address to enable you to log in to our websites;
- Professionals who assist us in putting together, printing and directed invitations, and our IT support and data storage provider(s)
In some circumstances Merton CIL will seek your specific consent to process your personal data. This includes sensitive information like sexuality. Consent must be in writing unless this is not possible due to an access need. Consent is also needed for anyone signing up as a member or agreeing to be contacted in other ways, such as to give feedback or to allow third party service providers to assist in auditing or evaluating our work. Consent can be withdrawn and if you wish to do so please use the contact details below.
Where personal information is held by consent, service users have the right to withdraw their consent. We will record when consent is withdrawn.
When sharing information about their case with the service user, we will take steps to be sure we are talking to the right person. We may ask you to confirm personal details, check your ID or signature or meet for an appointment.
Sometimes it is necessary to share information relating to a service user with a third party. The consent of the service user must be obtained in writing before any information is disclosed to a third party. This includes giving contact details to a third party or confirming to a caller that someone is using our service. In all cases the service user should be made aware of to whom the information is being given and the reasons why.
Consent from service users regarding disclosure will be regularly reviewed and records kept showing whether consent has been agreed or not.
Accessing your information
All records will only be avaliable to those with the right to see them. We will take reasonable steps to verify the identity of the person contacting us. This will be on a cae by case basis but could include: have we worked with them before and recognise their face/voice. They are able to provide file reference numbers or a case topic and we have no reason to doubt their identity. Where there are doubts we have the right to ask for more information such as a signature or an ID document.
In the event of the death of an individual there is still a requirement for information to be treated as confidential. Records or casenotes will be made avaliable to the Executor of the estate or someone who has letters of administartion.
Loss of information and Personal Data Breaches
The loss of confidential information will be reported to a line manager immediately and a report will be made. Failure of a member of staff to report will result in a disciplinary matter.
A personal data breach is a security incident that has affected the confidentiality, intergrity or avaliability of personal data. If personal data is lost, destroyed, corrupted, disclosed, shared with an unauthrosied individual or made unavaliable, there will be breach.
When personal data has been breached, Merton CIL will establish the likelihood and severity of the resulting risk to peoples rights and freedoms. If its likely that there will be a risk then we must notify the ICO; if it is unlikely then we do not have to. This decision will be made by a senior manager. We will document all breaches of personal data.
You also have the following rights:
The GDPR provides the following rights for individuals:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
Please note that the above rights are not absolute, and we may be entitled to refuse requests where exceptions apply: for example if we have reason to believe the personal data we hold is accurate or we can show our processing is necessary for a purpose set out in this Privacy Notice.
You can find out more about your rights under data protection legislation at www.ico.org.uk. If you are not satisfied with how we are processing your personal data, you can raise a concern with the Information Commissioner (www.ico.org.uk).
Individuals can make requests to see the data we hold verbally or in writing. We will provide information without delay and at least within 28 days of receiving it. We can extend this by a further two months for complex or numerous requests. In this case we will inform the individual and give an explanation.
If we refuse to enforce a right, eg the right of erasure, we will inform the individual within 28 days of the request and inform them of:
• The reasons we are not taking action;
• Their right to make a complaint to the ICO or another supervisory authority; and
• Their ability to seek to enforce this right through a judicial remedy
Fees for information requests
We will provide a copy of the information free of charge.
We can charge a ‘reasonable fee’ when a request is:
• Manifestly unfounded or excessive, particularly if it is repetitive, unless we refuse to respond; or
• For further copies of the same information (that’s previously been provided). This does not mean that we can charge for all subsequent access requests.
We will base the fee on the administrative cost of providing the information.
File Archiving and Destruction
All personal data is reviewed annually and any casewokr files that are not active for two years will be archived. All paper casework files are securely archived on closure of the case. If the person whom the case relates to has not been contacted for seven years, the file is destroyed. Electronic information relating to case files are securley archived via password protection on closure of the case. If the person whom the case relates to has not been contacted for seven years, the file is electronically deleted. If permanent deletion is not possible or if files have been deleted but may still exist in the electronic ether the files will be put 'beyond use'. This means that the organisation will not be able, or will not attempt, to use the personal data.
Membership details of individual members is confidential personal data and will be treated as such. Details of ex members will be securely archived as detailed above.
Questions and concerns
If you have any questions or concerns about how we process your personal data, or you wish to exercise any of the rights set out above, you may contact Lyla Adwan-Kamara, CEO or Charlet Wilson, Office Manager:
- By telephone: 0203 397 3119
- By post: Wandle Valley Resource Centre, Church Road, Mitcham, Surrey, CR4 3BE