Suffolk User Forum – Your privacy and the General Data Protection Regulations (GDPR) 2018
This Privacy Statement sets out the data processing practices carried out by Suffolk User Forum (SUF). We retain and use personal data (information that relates to and identifies living people) to help us carry out our role as to work with mental health service users, patients and family carers, Our role is to listen to and value peoples lived experience of services and support, anonymously sharing feedback to support commissioners and service providers, to make developments that enable positive change and improvements to emotional well-being, mental health services and support community resilience.
This privacy statement has been revised as of May 2018 as part of our compliance with new requirements under the General Data Protection Regulation (GDPR) legislation, which will replace the Data Protection Act 1998 and become law from 25th May 2018.
SUF will always make sure that your information is protected and treated securely. Any information that you give will be held in accordance with:
- Data Protection Act 1998
- From 25th May 2018, the new data protection legislation introduced under the General Data Protection Regulation (GDPR) and Data Protection Bill.
SUF has complied an Information Asset Register in accordance with the GDPR to specify the lawful basis for SUF to store and keep personally identifiable information. This also provides a full analysis of how data within SUF is managed and kept secure. We also have updated our retention schedule (details of how long we will retain specific types of information).
SUF is strongly committed to data security and we take all reasonable and appropriate steps to protect personal information from unauthorised access, loss, misuse, alteration or corruption.
We have put in place physical, electronic, and managerial procedures to safeguard and secure the information you provide to us. Only authorised employees and staff under strict controls will have access to your personal information.
About the information we collect
We collect personal information from visitors to this website through the use of online forms (e.g. our membership sign-up form) and every time you email us your details. We also collect feedback and views from people about the emotional well-being and mental health care that they or a family member access.
In addition, we receive information about our own staff and people who apply to work for us.
Examples of the information we collect include:
- Information submitted when you use our on-line contact form.
- Information you share when feeding back about emotional wellbeing and mental health care on line or directly with our staff in a community setting or inpatient setting (for mental health advocacy).
- Emails people send to contact email address (firstname.lastname@example.org) or those of our staff members.
- Information we record when you contact us for information and signposting.
We have included much more detail about each of the above and other various types of information we process under each of the headings listed within this statement. They are:
- Information about people who use our website
- Information about people who share their experiences with us by other means
- Information about people who contact us for Information and Signposting.
- Information about our own staff, volunteers and anybody applying to work for us
- How we will use your personal information
Personal information about you can be used for the following purposes:
- in our day-to-day work;
- to identify you as a member of Suffolk User Forum
- to send you our newsletter where you have requested it;
- to contact you about our work, mental health information, events or SUF forums.
- to respond to any queries you may have;
- This may include any personal information that you choose to share with us, but we will treat this as confidential and protect it accordingly. We will never include your personal information in any published reports without a clear and recorded positive confirmation of your consent.
Suffolk User Forum will never share information that includes your personal information with a third party unless we have your permission, or we believe somebody may be at risk of harm. We might, for example, believe there is cause to raise a safeguarding alert on the basis of the information you have shared.
How we share information with other organisations
We only share personal information with other organisations where it is lawful to do so and in accordance with our data protection policy. Information is shared in order to fulfil our role, which is to pass on your experiences of mental health care and support, to help improve services in partnership with you or on your behalf.
We will only disclose your personal information where we have your consent to do so, or where there is another very good reason to make the disclosure – for example, we may disclose information to CQC or a local authority where we think it is necessary to do so in order to protect a vulnerable person from abuse or harm. Such a disclosure will be made in accordance with the requirements of the current data protection legislation.
We always ensure that any information that we share or disclose for example to commissioners or service providers is anonymised so that you cannot be identified from it.
We occasionally use other organisations to process personal data on our behalf. Where we do this, those companies are required to follow the same rules and information security requirements as us. We will seek assurances from such organisations that they are compliant with the GDPR and this will be outlined in a Data Processing Contract. They are not permitted to use reuse the data for other purposes.
Withdrawing your consent to SUF
You can withdraw all, or your any part of the consent you have given us in SUF at any time by calling us on;
or by emailing us at email@example.com
SUF will make the change without delay and within one month.
The following paragraphs set out why the data processing required for our newsletter distribution is necessary for us to perform a task in the public interest.
We are required under the GDPR to identify a clear basis in either statute or common law for the relevant task, function or power for which we are using your personal data. We have several statutory duties under The Local Government and Public Involvement in Health Act 2007.
These include (amongst others):
- Working with mental health service users, patients and family carers.
- Listening to and valuing peoples lived experience of services and support, anonymously sharing feedback to support commissioners and service providers, to make developments that enable positive change and improvements to emotional well-being, mental health services and support community resilience.
- Promoting and supporting the involvement of local people in the redesign or emotional well-being and mental health services.
- Marketing our work through our newsletter is an important part of meeting these requirements in law. This is because it encourages people and other stakeholders to share stories about local care services. It also keeps you informed about key developments in emotional well-being and mental health care locally so that you can critically assess changes.
It is in the interests of the public to hear about any opportunities through which they may influence, shape, challenge or improve their local NHS and social care service provision.
The mailing list used to distribute our newsletter is legacy and although consent was achieved on enrollment, these records no longer exist in a form that meets the specific requirements of GDPR. SUF has made the decision to refresh our mailing list and to ask for explicit consent for all existing and new recipients on our newsletter mailing list.
Our Newsletter mailing list is not used for profiling or other marketing activity.
Participants can unsubscribe at any time.
You can withdraw your consent to receive SUF newsletters at any time by calling us on;
or by emailing us at firstname.lastname@example.org
SUF will make the change without delay and within one month.
Information about people who use our website
Please note: This statement does not cover links within the SUF website to other websites. The SUF website may contain links to other websites of interest. However, once you have used these links to leave the SUF site, you should note that we do not have any control over that other website. Therefore, we cannot be responsible for the protection and privacy of any information which you provide whilst visiting such sites and such sites are not governed by this privacy statement. You should exercise caution and look at the privacy statement applicable to the website in question.
When you browse through the information on the SUF website, it does not store or capture your personal information. We do log your IP address (as it is automatically recognised by the web server) but this is only, so you can download this website onto your device rather than for any tracking purpose; it is not used for any other purpose.
The Suffolk User Forum website is provided and hosted by Site Ground (siteground.co.uk). Site Ground does not own, control or direct the use of any of the data we store or process.
All data is stored securely and protected using an antivirus and firewall for Suffolk User Forum. This is monitored 24 hours a day, seven days a week for security incidents and ensures operational continuity.
Information we collect through our website
1.User provided information
When you use our website, as a user or as a visitor, you may provide, and we may collect Personal Data. Examples of Personal Data include your name and email address. We will only collect personal information provided by you.
2. Automatically Collected Information
When you visit our website or interact with our electronic mailings, we may automatically record certain information from your devices by using various types of technology, including cookies. This “automatically collected” information may include:
- IP address or other device address or ID
- Web browser and/or device type
- The web pages or sites visited just before or just after using our service
- The pages or other content you view or interact with
- The dates and times of your visit, access, or use of our communication platforms
- We also may use these technologies to collect information regarding a visitor or user’s interaction with email messages, such as whether you have opened, clicked on, or forwarded our electronic messages. This information is gathered from all users and visitors.
We use Google Analytics to measure and evaluate access to and traffic on the Public Area of the website, and create user navigation reports for our site administrators.
The data collected will only be used on a need to know basis to resolve technical issues, administer the Site and identify visitor preferences; but in this case, the data will be in non-identifiable form. We do not use any of this information to identify Visitors or Users.
A cookie is a small file which asks permission to be placed on your computer’s hard drive. Once you agree, the file is added and the cookie helps analyse web traffic or lets you know when you visit a particular site. Cookies allow web applications to respond to you as an individual. The web application can tailor its operations to your needs, likes and dislikes by gathering and remembering information about your preferences.
We use traffic log cookies to identify which pages are being used. This helps us analyse data about webpage traffic and improve our website in order to tailor it to customer needs. We only use this information for statistical analysis purposes and then the data is removed from the system.
Overall, cookies help us provide you with a better website by enabling us to monitor which pages you find useful and which you do not. A cookie in no way gives us access to your computer or any information about you, other than the data you choose to share with us.
You can choose to accept or decline cookies. Most web browsers automatically accept cookies, but you can usually modify your browser setting to decline cookies if you prefer, however this may prevent you from taking full advantage of the website.
Information about people who share their experiences with us by other means
There are a number of ways that we collect feedback from people about their experiences of emotional well-being and mental health services day to day. This includes:
- When people complete and submit information about services and care on our website.
- Direct to our staff working in the community.
- Direct to staff working on mental health inpatient wards.
- When people submit information in response to one of our surveys or projects.
- When people share their experience with us by post (letters may be sent using our Freepost address).
- People may also share their experience electronically direct to our staff.
- We also receive phone calls and requests for information directly from members of the public.
- Where personally identifiable information is collected, we will ensure that we have your consent to keep it and we will be clear on how we intend to use your information. We anonymise all information where we can but very occassionally there may be instances where this is not possible or where you have asked us to share your personal information. There may be exceptional circumstances where we can and will keep the data without consent but we must have a lawful basis for doing so.
We ensure that, where consent is required, it will be freely given, used only for agreed specific and unambiguous purposes and that you are well informed about how the information will be kept. This includes where it will be stored, details on security and for how long it will be kept. We will comply with current data protection legislation at all times.
On occasion we will receive information from the families, friends and carers of people who access emotional wellbeing and mental health care servcies. We use this data to inform providers and commissioners to help them deliver services that work for you. Where it is practically possible, we will make sure that we have your consent to use information that is about you. We will only process your personal data where there is a lawful basis to do so under current data protection legislation.
When publishing information, we anonymise our data to ensure that a person cannot be identified, unless this has been otherwise agreed and consent has been given.
Information about people who contact our Information and Signposting Service
In addition to ensuring that the voices of service users and family carers are heard by decision makers, we also provide information and signposting about emotional wellbeing and mental health support in East and West Suffolk.
- A free, friendly and confidential service that is independent from the NHS and social care services.
- Signposting – This means that we will give the you the contact details for a range of services that best support your request. You will then need to contact those organisations yourself.
- We can give you information about choices you have with regard to where you might get help in relation to your health, social care and wellbeing needs.
- We can put you in touch with sources of information on NHS and social care services in Suffolk.
- We can give you information about what to do when things go wrong and you don’t understand how to make a complaint.
- Information about advocacy services.
- We will not usually need to record personal information for signposting in SUF. We record daily the number of calls received and the service signposted to, but do not ordinarily record any other information, unless the signposting issue is more complex, and we need to make enquiries on your behalf.
In these instances, we will process the following information;
- Email address – By sharing your email address with us, we will not add you to our mailing list or contact you for any other purpose than to share information about local and national sources of support appropriate to your needs (related to your signposting request).
- A telephone number – Your telephone number will be used only in connection with your particular query and not for any other purpose. We might contact you with further suggestions or to clarify details about why you are contacting our service.
A summary of the circumstances surrounding the purpose of the call – We record this information to assist our staff in providing you with relevant information and to check that we have not missed opportunities to suggest possible sources of support. We also use it to share information with our commissioners (our funder) and other stakeholders about the types of queries we receive.
A record of where we signposted (names of organisations and groups) – This information is recorded in order that we can demonstrate the breadth of signposting delivered by our service to our commissioner and also to the public to which we are accountable.
Please note: If there is a safeguarding concern, Suffolk User Forum will take immediate steps to safeguard people from harm in accordance with our safeguarding policies (available on request). We will not share your personal information with other bodies unless we feel it is necessary to protect your vital interests or the interests of another person. This might include information sharing with the Suffolk Multi Agency Safeguarding Hub (MASH) if we believe somebody to be at risk of abuse or harm.
Information about our own staff, volunteers and people applying to work with us
We need to process personal data about our own staff (and people applying to work for us) so that we can carry out our role and meet our legal and contractual responsibilities as an employer. We also process information about people who are applying to volunteer for us. The personal data that we process includes information about racial or ethnic origin, religion, disability, gender and sexuality. We use this information to check we are promoting and ensuring diversity in our workforce and to make sure we are complying with equalities legislation.
Our employees decide whether or not to share this monitoring data with us, and can choose to withdraw their consent for this at any time. Employees who wish to withdraw their consent for us to process this data can let us know.
Other personal data that we are required to process includes information on qualifications and experience, pay and performance, contact details and bank details.
We check that people who work for us are fit and suitable for their roles. This may include asking people to undertake Disclosure and Barring Service(DBS) checks.
People joining Suffolk User Forum will be asked to complete a ‘declaration of interests’ form to identify any services with which they have close links (for example, because they have previously worked there or because the service is run by a close relative) or any other issues which could cause a perceived conflict of interest. Staff are regularly asked to update these forms.
We have a legal obligation to comply with the Freedom of Information Act 2000 and this may include the requirement to disclose some information about our employees – especially those in senior or public facing roles. We also publish some information about our staff, including the names and work contact details of people in some roles.
Information about people that take part in our research projects
The information we collate when conducting research may vary for a number of reasons that might include the type of research conducted or the subject matter. We might ask for your name and contact details (in case we need to get in touch about your participation in the research), anonymised demographical information (e.g. your age, gender and ethnicity) and other details if relevant.
Suffolk User Forum will only collate information that is relevant to the research and we will never publish your name, or other information about you, without your consent (e.g. case studies). You will have the right to withdraw your consent at any time.
Retention and disposal of personal data
SUF has a retention and disposal schedule which explains how long we keep different types of records and documents for, including records and documents containing personal data. Personal data is deleted or securely destroyed at the end of its retention period.
GDPR and your rights
Who in SUF takes the lead for Data Protection?
The person with day-to-day responsibility for data protection is the SUF Manager who leads on;
- Reviewing SUF’s data protection policy and procedures
- implementing the policy across SUF
- monitoring staff compliance to the policy and procedures
- overseeing all subject access requests and consent changes.
Can I have access to the information that SUF holds about me?
Under the General Data Protection Regulations (GDPR), you have the right to receive:
- confirmation that your data is being processed by SUF
- access to the personal data that SUF holds about you
- and information about SUF’s privacy notices.
Why might I ask for this information?
You might ask for this information so that you can check what information SUF holds about you, so you can check it’s correct.
You might want to know more about how SUF uses your information and to check that SUF is operating lawfully.
If you ask for this information you will be making what is known as a subject access request.
Will SUF charge a fee if I make a subject access request?
SUF will provide a copy of the information free of charge.
In very rare cases we may charge a ‘reasonable fee’ (based on the administrative cost of providing the information) if any request is seen to be unfounded or excessive, or repetitive.
We may also charge a reasonable fee to comply with requests for further copies of the same information.
How long will I have to wait to receive the information from a subject access request?
In most cases SUF will provide the information to you without delay and at the latest within one month of receipt of your subject access request.
If your request is complex, we promise to let you know that we will need two months to provide the information. At the same time, we will also explain why your information will take longer to provide.
How do I make a subject access request?
You can telephone SUF on 01473 907087 or you can send us an email to; email@example.com
We will let you know we have received your request. We will also need to confirm your identity, based on the information you have already provided to us.
How will I receive the information I have requested?
Where possible SUF will provide your information electronically, as a PDF document, as this is a commonly used electronic format.
If you request paper copies, these will be sent by recorded delivery.
If the information you have about me is wrong, will you change it?
You have a right to have the information that SUF holds about you amended so that it is correct and complete.
You can do this by telephoning SUF on 01473 907087 or by emailing us at firstname.lastname@example.org
SUF will make the amendments without delay and within one month. In very rare cases this may take two months where the request is complex.
Is the personal information I give SUF ever used for marketing?
The information you give SUF is never used for marketing. It is never shared with any other organisation. You give your consent for how it is used as you have the opportunity to receive information from SUF such as newsletters, emails, involvement opportunities including research. If you decide you no longer want to receive information you can tell us and ask for your name to be removed from any of our contact methods.
Can I withdraw my consent?
You can withdraw all, or your any part of the consent you have given us in SUF at any time by calling SUF on; 01473 907087
or by emailing us at email@example.com
SUF will make the change without delay and within one month.
What happens if I wish to temporarily stop SUF from using my data?
You can tell us that you wish for your data to be removed or amended. However, If you think SUF has inaccurate personal information about you, you can ask us to stop using your information until this is corrected, this is called restricting processing of your information.
You can also ask us to stop processing your information if you wish to check out whether we are processing your information lawfully. All membership information is given by consent, so you are in control of how we use your information at all times.
Will you ever share my personal information without my consent?
SUF does not share your personal data with any third parties. However, in very rare situations we would have a legal duty to share your personal information without your consent. This would only be in very serious situations where we may have to respond to a police enquiry, or if a member of SUF staff had safeguarding concerns about you or your family, your mental health needs or your situation.
For more information please read the SUF Safeguarding Policy. You can ask us to send you a copy by telephoning SUF on 01473 907087.
What happens if something goes wrong with the information I have given SUF?
SUF has put in place security measures to try to ensure that your information that is held by us is kept safely and securely. However sometimes things can go wrong, this is called an information breach. This may arise from a theft, a deliberate attack on SUF systems, from the unauthorised use or from accidental loss or equipment failure.
SUF has a plan to deal with this, which means that we try to understand what has happened and identify who has been affected and how serious the matter is. We will be clear about who has been affected and decide who needs to be informed. This may include the individuals concerned, the SUF Board, the SUF commissioners, and other regulatory authorities.
How do I complain if I am concerned about SUF’s data protection practices?
If you are concerned about SUF’s information rights practices, SUF will deal with this under our Complaints procedure, responding to any information rights concerns we receive, clarifying how we have processed the individual’s personal information in that case and explaining how we will put right anything that’s gone wrong.
Please see the SUF complaints procedure, or you can ask us to send you a copy by telephoning SUF on 01473 907087.
What happens if I am very unhappy and dissatisfied with SUF’s reply to my complaint?
If after SUF has replied to your complaint you remain dissatisfied with SUF’s response, you may report your concern to the Information Commissioners Office (ICO).
Tel: 0303 123 1113
Information Commissioner’s Office, Wycliffe House Water Lane Wilmslow Cheshire SK9 5AF
What do I do if I have any other questions
Please contact SUF if you have any other questions. We are committed to ensuring that you have as much control as possible over the information you share with us and will be very happy to help you with any questions you may have.How to contact SUF;
Telephone us on 01473 907087 (Monday to Thursday 9.30-3pm)
Email us: firstname.lastname@example.org
Send a message through our website: www.suffolkuserforum.co.uk
Write to us at our postal address:
Suffolk User Forum
The New Hollies,
Unit 3a,Grange Business Centre,
Kesgrave, Ipswich, IP5 2BY