Privacy and Cookies
Grace House North East has a strong commitment to continually improve our levels of service. To help us achieve this we may collect and process information about you.
We will collect and otherwise use personal information about you to enable us to administer our services (as detailed below), to provide you with other relevant services and to help us continue to manage our relationship with you. The data we collect will be as minimal as possible and only relevant to the relationship with Grace House.
This Privacy Notice describes in detail how we will use your personal information, what your rights are in relation to personal information and how you can exercise those rights.
In this Privacy Notice:
- we, us or our (or similar words) means Grace House North East;
- you means the person whose personal information (as defined below);
- service means the service within our Charity you are associated with;
- third parties means anyone who we may share your personal information with; and
- Website means www.gracehouse.co.uk
We are committed to protecting your privacy. We will only use your personal information in accordance the Data Protection Act 1998 (the DPA), the General Data Protection Regulation (the GDPR) and any other laws that set out how we can use your personal data.
Which services do we offer?
We are a charity offering multiple services to support young children with disabilities (although this data will be collected and stored by our partners Sunderland Care and Support) and adults, which are divided into the following categories. This list may change as our services develop.
- adult services (including therapies and counselling);
- Young people e.g. siblings
- fundraising; and
- central services (including finance and HR).
Who is responsible for your personal information? We control the information that is collected by us about you and the purposes for which we use that information. This means that Grace House is the data controller (for the purposes of both the DPA and GDPR) in respect of such personal information.
What is our legal basis for processing your personal information?
At the point we collect your personal information we will advise you of our legal basis for the processing and direct you to this full Privacy Notice. This means we will never process your data without a legal basis to do so.
Our legal basis for processing will differ from service to service, but likely to fall into the following categories;
Adult Services - processing is necessary for the performance of a contract with you (or to take steps to enter into a contract), or, processing is necessary for compliance with a legal obligation, or, processing is necessary to protect the vital interests of you (or other person), or, necessary legitimate interest pursued by us, or a third party.
Addition (special) category for our legal basis may be; Processing is necessary to protect the vital interests of you or another individual where you are physically or legally incapable of giving consent.
Fundraising - necessary legitimate interest pursued by us, or a third party, or through consent by you to process your personal information.
Addition (special) category for our legal basis may be; Processing relates to personal data manifestly made public by you.
Central services - processing is necessary for compliance with a legal obligation, or, processing is necessary for the performance of a contract with you (or to take steps to enter into a contract).
Addition (special) category for our legal basis may be; Processing is necessary for carrying out obligations under employment, social security or social protection law, or a collective agreement.
Charity wide - necessary legitimate interest pursued by us, or a third party, for instance, the use of CCTV.
16 or under
If you are aged 16 or under, please get your parents/guardians permission beforehand whenever you provide personal information to Grace House. Users without consent are not allowed to provide us with information.
What information does Grace House collect?
If you are unsure about any of these categories, or you are concerned regarding our legal basis for processing your personal information, please contact us via the contact information later in this Notice.
At the point we collect your personal information we will advise you of the exact purpose why we are collecting your information and direct you to this full Privacy Notice. This means we will not collect personal information for one purpose and then use it for another.
The collection of information will differ from service to service, but mainly consist of your name, address, contact details (including email address and mobile phone number). When dealing with any vulnerable individual, their appropriate adult will provide this information.
We may also require other professionals/organisations connected to you and emergency contact details. If we are collecting sensitive personal data, it is likely we also request medical history and any associated records.
In some instances, we may require financially related information, for instance, a credit card number or bank account details.
If we are collecting your data for employment purposes, we may also request copies of your qualifications or achievements to date.
During fundraising events if you consent to give us your contact details we will input these into our fundraising database. We will use your contact details to contact you for the agreed marketing purposes via your preferred method of communication.
We will hold internal records on our staff, including full Disclosure and Barring Service (DBS) checks to be passed on to Sunderland Council for checking. More information relating to employee records can be sourced via our internal Data Protection Policy and accompanying procedures by our internal staff.
In addition, we may collect the following personal information about you:
information contained in and records of communications between us, including emails, letters and text messages. We may also record calls between us for training, monitoring and quality purposes;
- data collected as part of any documents you manually or electronically complete, or online services to which you subscribe;
- CCTV footage in which you may feature if you visit our services/ premises;
- Information about your preferences in connection with our Website, for the purposes of enhancing and personalising your experience on the Website;
- details of your visits to our Website, for example traffic data, location data (including the country and telephone area code where the computer is located) and the resources that you access (including the pages of our Website that you viewed); and
- information concerning your marketing preferences.
If you provide us with personal information about another individual (unless legally able to do so), you must ensure that before you provide us with their personal information, you have their agreement to do so and that they are aware of the ways in which we will use their personal information as set out in this Privacy Notice.
How do we use your personal information?
We may use your personal information:
- to carry out our obligations arising from any contracts entered into between you and us;
- to comply with our legal obligations and with instructions from a regulatory body
- to manage and administer the relation between you and us;
- to notify you about changes to our services and to otherwise communicate with you, for example, we will use your contact details in order to respond to any queries that you may submit to us;
- to train our staff to continuously improve our services;
- to analyse the efficacy of our services/ fundraising and results to continuously improve our services;
- to carry out marketing activities; and
- to carry out market research relating to similar services.
With whom do we share your personal information?
In connection with the above uses of your personal information, some of our services may share your personal information with third parties in connection with our services. For instance, we may pass your personal information to:
- third party organisations that provide services to us eg data processors
- additional organisations who may provide you with additional/ or be involved in your support
- external agencies and organisations (including the police and other law enforcement agencies) for the purpose of preventing and detecting fraud (including fraudulent transactions) and criminal activity. We may also disclose personal information to the police and other law enforcement agencies in connection with the prevention and detection of crime;
- We may share non-personal aggregate statistics data about visitors to our Website, for instance, traffic patterns with certain third parties to enable us to improve the way we communicate on our Website with you.
If you are concerned or have any questions about who we may share your personal information with, please contact us via the contact information further on in this Notice.
Transfers outside the EEA
We do not currently transfer your personal data outside the EEA, with the exception of our fundraising service that at times uses a third-party service provider (Mail Chimp) who are based in the United States (US). We have safeguarding reassurances as Mail Chimp is covered by Privacy Shield, who is recognised by the ICO as providing adequate security in the US.
Protecting your personal information
We regularly review and continually improve our data security measures to reduce any risk of data loss, or data breaches. This includes but is not limited to; the use of fire walls, the use of anti-virus software, regular backups of our data. We also have a data breach plan and procedure to follow in the event of any data breach, to minimise any potential impact to you. – need to do this.
Our security procedures mean that we will not disclose your personal information to any unknown third party without first gaining your consent to do so, unless for some legal exemptions. At times we may also need to validate we are speaking to the right person, therefore we may request proof of your identity before are able to disclose personal information to you.
Any payments made by you to us, by credit card will be processed by appropriate staff in accordance with Payment Card Industry (PCI) Data Security Standard (DSS) compliance.
The transmission of information via the internet is not completely secure; this risk is not specific to our Website and is common across the internet. Unfortunately, we cannot guarantee the security of the transmission of the data to which is outside our control; any data you send is at your own risk. However, to reduce this risk our internal procedures requires staff that need to send sensitive personal data outside our network, do so with strict controls on encryption and password protection.
How long will Grace House keep your information?
We will not store your personal information for longer than is necessary for the purposes of processing. This means after we process your personal information, we will securely destroy your personal information from our records, based on our own internal processes.
In line with GDPR, we will only further retain your personal information for a regulatory, legal or a specific business purpose, in line with our Data Retention Guidance.
Our data retention periods will differ from service to service, dependent on the type of data and the purposes of processing. If you require specific retention schedules for your personal information, please contact us using the contact details further on in this Notice.
What rights do you have?
By providing you with this Privacy Notice we are ensuring that you have been fully and clearly informed about our fair processing information, in relation to how we use your personal information.
You have the right to object to our processing of your personal information if you feel; our legal basis for the processing is incorrect.
If you think any of the personal information we hold about you is inaccurate or incorrect, you can request that we correct this information.
If you feel there is no compelling reason for the continued processing of your personal information. You can request that it is erased (through deletion or removal) from our systems.
In certain circumstances you may wish to request that we restrict processing of your personal information, we will usually do this through supressing the information we hold.
For any of the above concerns please use the contact information below, we will respond to you within 1 month from the date of receiving your query. If your request is more complex in nature we may extend our response to 2 months.
If you wish to obtain and be able to reuse any of the personal information we hold about you (data portability) please contact us to discuss further.
Due to the nature of the work we do, we do not currently automate decision making or profile your personal information without human intervention. If, however you have any concerns regarding this you may contact us to discuss further.
You can also choose to stop receiving direct marketing:
marketing emails or SMS messages from us by following the unsubscribe link and instructions on the respective marketing emails or SMS messages we send you; and
telephone calls or postal communications by notice using the contact information below.
Any request to stop receiving direct marketing will be actioned within 28 days of you request, during this time you may still receive marketing from us.
Access to your personal information
Both the DPA and GDPR give you the right to access your personal information, subject to certain exemptions. To request access to your personal information, please contact us using the contact information below, including a completed Request for Access to Personal Information Form.
In line with the GDPR there will be no fee for any subject access request we receive, however, we will require identification to verify your identity.
We will respond to you within 1 month from the date of receiving your query. If your request is more complex in nature we may extend our response by a further 2 months but will keep you informed.
While we are mindful that the GDPR has introduced a new best practice recommendation that, where possible, organisations should provide remote access to a secure self-service system which would provide you with direct access to your personal information, unfortunately due to the nature of the varied information we hold across our services at this time we are unable to offer this service.
If you have consented us to claim Gift Aid back on your donation(s), it is your responsibility to let us know if your tax status has changed when you make any further donations, or if you wish to cancel the declaration. You can do so by contacting email@example.com telling us your name, address and new status. You must also inform us if any of your details have changed. You must have paid or will pay an amount of income tax and/or capital gains tax for year tax year that is at least equal to the amount of tax that the charity will reclaim on your gifts for that tax year. If you pay less tax than the amount of Gift Aid that is claimed, it is your responsibility to pay the difference. We may hold gift aid declarations for all donations for statutory requirement purposes (required for HMRC gift aid claim).
Cookies These are small files that are widely used in order to make websites work more efficiently. Most web browsers allow some control of cookies through browser settings. To find out more about cookies, including how to see what cookies have been set and how to manage or delete them from your computer, visit www.allaboutcookies.org.
How to contact us
If you have any questions, comments or requests regarding this Privacy Notice, please contact us in either of the following ways:
- by writing to The CEO at Grace House North East, Bardolph Drive, Southwick, Sunderland SR5 2DE
- by emailing us at firstname.lastname@example.org
Please mark correspondence with the title; Data Protection Query.
How to complain
In the first instance any dissatisfaction relating to our handling of your personal information should be brought to our attention using the contact information above.
If you have already contacted us about any of the above rights and you are still unsatisfied with our response or the outcome you can escalate the matter to the ICO using the following contact details:
The Information Commission’s Office
Please note: you may wish to seek legal independent advice to progress resolution of your concerns. In all cases, wherever possible, local resolution should be sought. However, you have the right to purse any of these channels at any time and may wish to pursue serval actions simultaneously.
We will regularly review this Privacy Notice. If we decide to change this Privacy Notice, we will post the updated version on our Website so that you are always aware of what personal information we collect, how we use it and under what circumstances we disclose it. The updated Privacy Notice will take effect as soon as it is posted on our Website.
This Notice was last updated in Feb 2018
The next review date is February 2020.