Age UK Shropshire Telford & Wrekin is an independent charity. Charity registration no. 1090445 and registered company number 4292896.
Age UK Shropshire Telford & Wrekin is registered with the Information Commissioner's Office as a Data Controller: registration no. Z7508286.
Privacy, confidentiality and data protection
Your privacy matters to us and we are committed to the highest data privacy standards, confidentiality and meeting the obligations placed on us by the Data Protection Act 2018 and other relevant UK laws.
We shall protect your personal data and adopt the six core principles of data protection law which are:
- Lawfulness, fairness and transparency: we process personal data lawfully, fairly and in a transparent manner in relation to you, the data subject.
- Purpose limitation: we only collect personal data for a specific, explicit and legitimate purpose. We clearly state what this purpose is in this Privacy Notice, and we only collect data for as long as necessary to complete that purpose.
- Data minimisation: we ensure that personal data we process is adequate, relevant and limited to what is necessary in relation to the processing purpose.
- Accuracy: we take every reasonable step to update or remove data that is inaccurate or incomplete. You have the right to request that we erase or rectify erroneous data that relates to you, and we will complete this task as soon as possible but guarantee to do so within a month.
- Storage limitation: we delete personal data when we no longer need it. Whilst the timescales in most cases aren't set, we outline our retention strategy within this Privacy Notice.
- Integrity and confidentiality: we keep personal data safe and protected against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
How we collect your data
We collect your personal information via disclosure directly from you or may receive limited information by referral from another support agency with whom you have contact. This might be via our website, email, telephone, post or face to face engagement. When we collect this information from you, we will explain our reasons for its collection and use.
What data do we collect?
We will collect information from you relevant to the services being provided or the support you give to us. The amount of information collected by us will be kept to the minimum needed to provide or receive support and meet any contractual or legal requirements we have. The following main types of information may be collected, dependent on our engagement with you:
- Basic contact and personal details
- General marital, living and social information
- Financial details: banking, payments, income, social support
- Medical, health and wellbeing information
- Equality and diversity information
Our legal basis for processing your personal data
We are required to identify one of six possible legal grounds for processing. These are:
- Legitimate interests
- Vital interests
- Public task
- Legal obligation
We will seek agreement from you to process your personal data and will ensure you are informed of our intentions for its use. In situations where we provide you with a service or support, we will process your data on a contractual basis.
In situations where we process ‘special category’ data, such as medical and health data, we do so on the basis of providing long term services or with your explicit consent where necessary.
When we ask for equality and diversity information, providing it is optional and on a consensual basis, and it will not affect the provision of services or support to anyone who is not comfortable providing such information. We may also seek your consent to take and use photographs to help promote our services or the support you have provided us. We will also ensure we have your consent before sending you any form of marketing or promotional information.
We also process your data on the basis of legitimate interests, in cases where the processing is required to enable us to efficiently provide our services and support or maintain the records we are required to keep.
Processing will also be conducted on the basis of meeting our legal obligations, such as any personal data collected for purposes of financial record keeping.
We will seek your consent where we need to allow access to your personal data to external auditors, such as those of Age UK or other bodies who audit us against recognised standards.
How we use your data
In order to help, support and/or keep in contact with you, we need to store your information and use it for the specific purposes for which you provided it to us. Some of this information, such as details about your health, is deemed sensitive under current data protection law and will be handled accordingly.
In providing some of our support services to you, we may need to share some information with other internal departments or external organisations who can assist with this. We will inform you when we intend to share your personal data, except in exceptional circumstances where your welfare is at stake, or there is a legal requirement for us to do so. We will ensure that external organisations are contractually required to implement the same levels of confidentiality and protection as we employ ourselves.
We may allow access to other parties who provide essential support services for IT and communications and will do so under our legitimate interests in providing efficient support services.
As a charity, we rely on the invaluable support of our many volunteers to provide services to you and your information will be shared with them on a need-to-know basis, relevant to the support they are providing.
As a client or supporter of Age UK Shropshire Telford & Wrekin, we would like to offer you the opportunity to receive information from us about other products and services we provide or contact you about fundraising or sponsorship activities. We will only do this if you have consented to receive such information and you will have the option to withdraw this consent at any time.
We may also ask for your consent to use your information and/or photographs to help us promote the valuable work we do and report on our achievements to relevant interested parties.
It is important that we keep the information we hold about you as accurate and up to date as possible. If you have a change to your circumstances or wish to change any information, please contact us.
How we store and protect your data
We have appointed a senior director as being responsible for the security and protection of your data. In support of this director, we have also appointed an external qualified Data Protection Officer (DPO). It is their responsibility to ensure that the charity deploys adequate levels of technical and organisational measures which maintain the integrity and confidentiality of your data.
All our staff and volunteers receive policy training in data protection, security and confidentiality. They are also given awareness training on data protection legal requirements and required to sign confidentiality agreements.
Personal data in electronic format will be securely stored on encrypted databases, which are password protected and only allow authorised staff access. We employ both software and hardware protection against viruses, malware and hacking exploits.
Personal data held on paper records will be stored in secure cabinets and access to them restricted.
Personal data will not be accessed except to manage support services, handle your enquiries, update you on service offerings or fundraising activities or receive support from you.
When we share your data with other parties, we will do so under a contractual agreement with them which requires that they also apply adequate technical and organisational measures to maintain the protection of your data.
In the unlikely event that we lose your data, or a device on which your data resides, or it is accessed by someone unauthorised, we have a duty to inform you immediately. If the loss or unauthorised access of your data has potential to cause you harm, we will also report this to the Information Commissioner's Office, who are responsible for regulating data protection legislation in the UK: https://ico.org.uk/
How long do we keep your data?
We are required by law to keep some personal data, even after we have finished providing services to you, or after you have stopped being a supporter of our work. Records will also be maintained for a period of time to enable us to respond to any subsequent enquiries or complaints.
Our current policy is to retain the majority of your records for a period of seven years following our last engagement with you. After this, we will only keep a very limited, anonymised amount of data limited to the service you used and the length of time you were a client or supporter. This is to assist us in planning and developing future services.
Where personal data is identified as not essential for the records we have to maintain, we will not keep them longer than they are needed.
All personal data that no longer needs to be retained is cleansed from our systems and/or securely destroyed.
Your rights in relation to personal data
Under the Data Protection Law, you have rights to access and control your personal data. These rights include:
- Access to personal information
- Correction and deletion
- Withdrawal of consent (if processing data on condition of consent)
- Data portability
- Restriction of processing and objection
- Lodging a complaint with the Information Commissioner’s Office
You can exercise your rights by contacting our Data Protection Officer via email: email@example.com or by telephone: 0203 411 2848.
If you are unhappy with anything we have done with your data, you have the right to complain to the Information Commissioner's Office. To make a complaint to the Information Commissioner's Office use this link: ico.org.uk/make-a-complaint or call their hotline on 0303 123 1113.
How to contact us for general information
For all data protection matters or questions relating to how we manage your data, please contact our Data Protection Officer with the above contact details. In the event that your request is a subject access request (SAR) we will pass this information on to our Data Protection Officer to manage.