Settled data protection policy
At Settled we respect your privacy and are determined to protect your personal data. This policy explains how we use the information we collect about you. By submitting your information, you agree to the use of that information as set out in this policy.
Settled is fully committed to compliance with the requirements of the General Data Protection Regulation (GDPR), Data Protection Act 1998 and any successor legislation (together, the ‘data protection legislation’). We are also committed to a policy of protecting the rights and freedoms of individuals with respect to the processing of their personal data. Settled will therefore follow procedures which aim to ensure that all employees, volunteers and others who have access to any personal data held by Settled are fully aware of and responsible for the handling of personal data in line with the data protection legislation.
What information do we collect
In order to operate efficiently, Settled has to collect and use information about people with whom it works. These may include current, past and prospective service users; current, past and prospective employees; current, past and prospective volunteers; and other relevant parties. We will only collect and retain relevant and essential data.
Settled primarily uses legitimate interest to process client personal data. The processing of this data is necessary for Settled’s legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data, which overrides those legitimate interests.
How do we collect data about you
We collect and process appropriate information only to the extent that it is needed to fulfil operational needs or to comply with legal and funding requirements.
We collect information which you provide to us voluntarily. For example, we collect your name, your nationality, your gender, email address and vulnerability if you attend one of our group or one-to-one sessions.
You also provide us with your name, email address, phone number and vulnerability when you enter your details through the interactive chat bot and when you ask us to contact you. If we cannot deal with your query we can share this information with third parties, to provide you with the support you need, but will only do so with your explicit permission.
In the case of volunteers, we collect their personal contact details and ID for the purpose of OISC registration.
How we use your personal data
Settled will, through appropriate management and the use of appropriate controls, adhere to the following in regard to our use of personal data and special category personal data:
- Collect and process appropriate information only to the extent that it is needed to fulfil operational needs or to comply with legal requirements.
- Ensure the quality and accuracy of information when collected or received and during its use.
- Apply checks to determine the length of time information is retained.
- Take appropriate technical and organisational security measures based on risks to data subjects.
- Ensure that any information incidents are reported to Settled’s designated contact and, where appropriate, the data subject and the Information Commissioner’s Office.
- Mitigate risks to the data subjects in the event of an information incident using an appropriate data breach policy.
- Ensure that the rights of our data subjects can be properly exercised.
In addition, we will ensure that:
- There is someone with specific responsibility for data protection in the organisation. The post responsible for data protection is Nicolas Hatton, CEO of Settled.
- Organisational information and in particular privacy risks are risk assessed, documented and controlled.
- Everyone managing and handling personal data and special category personal data understands that they are responsible for following good Information Governance / Assurance practice and for complying with the data protection legislation.
- Everyone managing and handling personal data is appropriately trained and supervised to do so.
- Queries about processing personal data and special category personal data are promptly and courteously dealt with within the requirements of the data protection legislation.
- Methods of handling personal information are assessed and evaluated regularly; and
- Data sharing and processing is carried out under an appropriate written agreement, setting out the scope and limits of the sharing. Any disclosure of personal data will be in compliance with approved procedures.
- Paper files and other records or documents containing personal/sensitive data are kept in a secure environment;
- Personal data held on computers and computer systems is protected by the use of secure passwords; and individual passwords are such that they are not easily compromised.
Who do we share your personal data with
We may have to share your personal data with external third parties, for example the trade union UNISON, when you attend meetings and events at their offices. If we run an event in partnership with another named organisation (e.g. a venue) we will also share information to enable it to report to its funders and inform its audience development strategy. Any data shared for these purposes will be in an anonymised and aggregated form.
We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.
The Trustee Board, the Manager and the Deputy Managers are responsible for leading and monitoring policy implementation. They will also have overall responsibility for:
- The provision of cascade data protection training for staff and volunteers within the Bureau; and
- Carrying out compliance checks to ensure adherence, throughout Settled’s network, with the Data Protection Act.
- All employees and volunteers are to be made fully aware of this policy and their duties and responsibilities under it. All employees and volunteers will take steps to ensure that personal data is kept secure at all times against unauthorised or unlawful loss or disclosure.
Change of purpose
We will only use your personal data for the purposes for which we collected it.
If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.
We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality. We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
How long do we keep your data
We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.
In some circumstances we may anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes in which case we may use this information indefinitely without further notice to you.
Please keep us informed if your personal data changes during your relationship with us. It is important that the personal data we hold about you is accurate and current.
If you would like to access, correct, amend or delete any personal information we have about you, register a complaint, or simply want more information, please contact Nicolas Hatton, who is responsible for data protection, as below:
Settled, Studio 11, Bath Buildings, Bristol BS6 5PT
Telephone: 0560 385 2688 (weekdays – office hours only)