This Privacy Policy explains how Your Emotional Support Service (YESS) protect the privacy of personal information. YESS is a mental health charity, providing a range of treatment options to people of all ages across Staffordshire.  We are firmly committed to protecting the privacy and confidentiality of personal information, and we maintain robust physical, electronic and procedural safeguards to protect personal information in our care. 

We are a “data controller” for the purposes of the Data Protection Act 2018 and the EU General Data Protection Regulation 2016 (“Data Protection Law”). This means that we are responsible for the processing of your personal information. 

For further information about our privacy practices, please contact our Data Protection Officer by: 

• Writing to YESS, 23 Carter Street, Uttoxeter, Staffs, ST14 8EY 
• Calling us on 01889 567 756 
• Emailing to hello@yess.uk 

Definitions 

To make sure it’s clear what we are talking about, here are some definitions: 

• Personal Data 
  Personal Data means data about a living individual that allows them to be identified from that data. It may be provided directly by a user or provided indirectly by a user about their client (for example a health practitioner entering data about their patient). Personal information does not include “aggregate” information, which is data we collect about a group or category of products, services or people, from which individual identities have been removed. 
   
• Data Processor 
  Data Processor means the person or entity that processes data on behalf of a data controller. We may use the services of various Data Processors in order to provide a range of services more effectively. 
   
• Data Controller 
  Data Controller means a person or entity who determines the purposes for which and the manner in which any personal data are or are to be, processed.  

How we collect your data 

Personal Data 

While using our service, we may ask individuals to provide us with certain personally identifiable information that can be used to contact or identify an individual (“Personal Data”). Personally identifiable information may include, but is not limited to: name, email address, telephone numbers, address, and information about that individual’s mental health. Personal information can also include demographic information such as date of birth, gender, geographic area and preferences when such information is linked to other personal information that identifies an individual. 
 
Sensitive Personal Information 

If you share your personal experience or the experiences of a friend or relative, we may also collect this health information. If you provide us with any Sensitive Personal Information by telephone, email or by other means, we will treat that information with extra care and confidentiality and always in accordance with this Privacy Policy. 

Data Protection Law recognises that some categories of personal information are more sensitive. Sensitive Personal Information can include information about a person’s health, race, ethnic origin, political opinions, sex life, sexual orientation or religious beliefs. 

We will only use this information: 

• For the purposes of dealing with your enquiry, training, and quality monitoring or evaluating the services we provide. 
• We will not pass on your details to anyone else without your explicit consent except in exceptional circumstances. Examples of this might include anyone reporting serious self-harm or posing a threat to others or children contacting us and sharing serious issues such as physical abuse or exploitation. 
• Where you have given us your explicit consent or otherwise clearly indicated to us that you are happy for us to share your story, then we may publish it on our blog or in other media. 

How we use your data 

We treat all information we collect as strictly confidential.  We will only share information where we have express consent to do so (such as making referrals to other organisations), or under the circumstances set out in this policy.  We do not reveal, disclose, sell, rent, lease nor make available any information to third parties. 

Service Provision 

First and foremost we use the personal data we collect and hold to operate our service, to provide therapeutic interventions to people of all ages across Staffordshire.  We also hold information to allow us to fulfil contractual obligations and complete activities in line with the aims of the charity.   

Communication 

We may use personal data to contact users with information about new projects, YESS service developments and fundraising activity.  We may also contact individuals to complete research, seek feedback, or communicate other information that may be relevant. 

Human Resources Data 

We collect and process your personal data for the purposes of managing employment applications and recruitment-related activities.  We may use your personal data in relation to the evaluation and selection of applicants for recruitment purposes including scheduling and conducting interviews, tests, evaluations, and assessing results for candidate selection. The legal basis for this processing is our legitimate interests. 

Legal Basis for Processing (under GDPR) 

YESS’ legal basis for collecting and using the personal information described in this Privacy Policy depends on the Personal Data we collect and the specific context in which we collect it. 

YESS may process your Personal Data because: 

• We need to perform a contract with you; 
• You have given us permission to do so; 
• The processing is in our legitimate interests and it’s not overridden by your rights; 
• For payment processing purposes; 

• To comply with the law. 

Location of Your Data 

Your data will be stored within the UK and EEA. Should it be necessary to process your data outside of the EEA we will ensure the required safeguards are in place to do so. 

How your data might be shared 

YESS will not disclose any personal data to anyone else without permission, except for the following reasons; 

Legal or Moral Requirement 

In rare circumstances, where permitted or required by law, requested and needed for a client’s emergency treatment in exceptional circumstances, or for the prevention of immediate risk of loss of life or serious harm; to various regulatory bodies and law enforcement officials and agencies to protect against fraud and for related security purposes, we will share the personal data necessary. 

Third Party Data Processors 

In order to provide our services YESS employs various third parties to perform various functions.  Where necessary, we share a limited amount of personal data with our third-party data processors.  In all cases, we provide only the minimum amount of personal data that is needed to perform the service and take reasonable steps to ensure these parties have appropriate data protection safeguards in place. 

A list of our data processors is as follows: 

• Power Diary 
• Microsoft Office 
• Accountant 
• Payroll 
• My Concern 

Keeping your data secure 
 

• YESS will take reasonable steps to protect the personal information we hold from any misuse, interference, loss, and unauthorised access, modification or deletion.  We have an extensive range of security measures in place to protect personal information from unauthorised access, use, or loss. 

How we retain your data 

We will retain Personal Data only for as long as is necessary for the purposes set out in this Privacy Policy. We will also retain and use Personal Data to the extent necessary to comply with our legal obligations.