We are a “data controller” for the purposes of the Data Protection Act 2018 and the EU General Data Protection Regulation 2016 (“Data Protection Law”). This means that we are responsible for the processing of your personal information.
For further information about our privacy practices, please contact our Data Protection Officer by:
- Writing to YESS, 23 Carter Street, Uttoxeter, Staffs, ST14 8EY
- Calling us on 01889 567 756
- Emailing to email@example.com
To make sure it’s clear what we are talking about, here are some definitions:
- Personal Data
Personal Data means data about a living individual that allows them to be identified from that data. It may be provided directly by a user, or provided indirectly by a user about their client (for example a health practitioner entering data about their patient). Personal information does not include “aggregate” information, which is data we collect about a group or category of products, services or people, from which individual identities have been removed.
- Data Processor
Data Processor means the person or entity that processes data on behalf of a data controller. We may use the services of various Data Processors in order to provide a range of services more effectively.
- Data Controller
Data Controller means a person or entity who determines the purposes for which and the manner in which any personal data are, or are to be, processed.
How we collect your data
While using our service, we may ask individuals to provide us with certain personally identifiable information that can be used to contact or identify an individual (“Personal Data”). Personally identifiable information may include, but is not limited to: name, email address, telephone numbers, address, and information about that individual’s mental health. Personal information can also include demographic information such as date of birth, gender, geographic area and preferences when such information is linked to other personal information that identifies an individual.
Sensitive Personal Information
Data Protection Law recognises that some categories of personal information are more sensitive. Sensitive Personal Information can include information about a person’s health, race, ethnic origin, political opinions, sex life, sexual orientation or religious beliefs.
We will only use this information:
- For the purposes of dealing with your enquiry, training, and quality monitoring or evaluating the services we provide.
- We will not pass on your details to anyone else without your explicit consent except in exceptional circumstances. Examples of this might include anyone reporting serious self-harm or posing a threat to others or children contacting us and sharing serious issues such as physical abuse or exploitation.
- Where you have given us your explicit consent or otherwise clearly indicated to us that you are happy for us to share your story, then we may publish it on our blog or in other media.
How we use your data
We treat all information we collect as strictly confidential. We will only share information where we have express consent to do so (such as making referrals to other organisations), or under the circumstances set out in this policy. We do not reveal, disclose, sell, rent, lease nor make available any information to third parties.
First and foremost we use the personal data we collect and hold to operate our service, to provide therapeutic interventions to people of all ages across Staffordshire. We also hold information to allow us to fulfil contractual obligations and complete activities in line with the aims of the charity.
We may use personal data to contact users with information about new projects, YESS service developments and fundraising activity. We may also contact individuals to complete research, seek feedback, or communicate other information that may be relevant.
Human Resources Data
We collect and process your personal data for the purposes of managing employment applications and recruitment-related activities. We may use your personal data in relation to the evaluation and selection of applicants for recruitment purposes including scheduling and conducting interviews, tests, evaluations, and assessing results for candidate selection. The legal basis for this processing is our legitimate interests.
Legal Basis for Processing (under GDPR)
YESS may process your Personal Data because:
- We need to perform a contract with you;
- You have given us permission to do so;
- The processing is in our legitimate interests and it’s not overridden by your rights;
- For payment processing purposes;
- To comply with the law.
Location of Your Data
Your data will be stored within the UK and EEA. Should it be necessary to process your data outside of the EEA we will ensure the required safeguards are in place to do so.
How your data might be shared
YESS will not disclose any personal data to anyone else without permission, except for the following reasons;
Legal or Moral Requirement
In rare circumstances, where permitted or required by law, requested and needed for a client’s emergency treatment in exceptional circumstances, or for the prevention of immediate risk of loss of life or serious harm; to various regulatory bodies and law enforcement officials and agencies to protect against fraud and for related security purposes, we will share the personal data necessary.
Third Party Data Processors
In order to provide our services YESS employs various third parties to perform various functions. Where necessary, we share a limited amount of personal data with our third-party data processors. In all cases, we provide only the minimum amount of personal data that is needed to perform the service and take reasonable steps to ensure these parties have appropriate data protection safeguards in place.
A list of our data processors is as follows:
- Power Diary
- Microsoft Office
Keeping your data secure
- YESS will take reasonable steps to protect the personal information we hold from any misuse, interference, loss, and unauthorised access, modification or deletion. We have an extensive range of security measures in place to protect personal information from unauthorised access, use, or loss.
How we retain your data
Type of data Retention period
Client information CYP 25th birthday
Client information adults 6 years
Human Resources Information 7 years after leaving employment
Type of Data
Client informantion CYP
Client information adults
Human Resources Information
7 years after leaving employment
Your rights to your data
We aim to take reasonable steps to allow you to correct, amend, delete, or limit the use of your Personal Data. In certain circumstances, you have the following data protection rights:
The right to access, update or to delete the information we have on you.
The right of rectification. You have the right to have your information rectified if that information is inaccurate or incomplete.
The right to object. You have the right to object to our processing of your Personal Data.
The right of restriction. You have the right to request that we restrict the processing of your personal information.
The right to data portability.
You have the right to be provided with a copy of your Personal Data in a structured, machine-readable and commonly used format.
The right to withdraw consent. You also have the right to withdraw your consent at any time where YESS relied on your consent to process your personal information.
If you wish to be informed about what Personal Data we hold about you and if you want it to be removed from our systems, please email firstname.lastname@example.org.
Please note that we may ask you to verify your identity before responding to such requests.
Changes to this policy
How to contact us
Attention: Data Protection Officer
YESS is committed to protecting your privacy and any complaints will be assessed by an appropriate person with the aim of resolving any issue in an efficient and timely manner.
If you are not happy with our handling of your privacy concerns, you can also contact the Information Commissioner’s Office who are independent from YESS and can investigate your complaint.