This Privacy Statement sets out the data processing practices carried out by Suffolk User Forum (SUF). We retain and use personal data (information that relates to and identifies living people) to help us carry out our role working with mental health service users, patients and family carers. Our role is to listen to, and value peoples lived experience of services and support, anonymously sharing feedback to support commissioners and service providers, to make developments that enable positive change and improvements to emotional wellbeing, mental health services and support community resilience.
This privacy statement has been revised in May 2020 as part of our compliance with the requirements under the General Data Protection Regulation (GDPR) legislation. It is revised on a regular basis.
SUF has complied an Information Asset Register in accordance with GDPR to specify the lawful basis for SUF to store and keep personally identifiable information. This also provides a full analysis of how data within SUF is managed and kept secure. We also have updated our retention schedule (details of how long we will retain specific types of information).
SUF is strongly committed to data security and we take all reasonable and appropriate steps to protect personal information from unauthorised access, loss, misuse, alteration or corruption.
We have put in place physical, electronic, and managerial procedures to safeguard and secure the information you provide to us. Only authorised employees and staff under strict controls will have access to your personal information.
1. About the information we collect
We collect personal information from visitors to this website through the use of online forms (e.g. our community membership sign-up form and Times Ten Together support role for COVID-19) also through emails that you send to us. We also collect feedback and views from people about the emotional wellbeing and mental health care that they or a family member access.
In addition, we receive information about our own staff, volunteers and trustees, plus those people who apply to work for us.
Examples of the information we collect include:
- Information submitted when you use any of our on-line forms and receive peer support from SUF, including Times Ten Together COVID-19 support.
- Information you share when feeding back about emotional wellbeing and mental health care online or directly with our staff in a community setting or inpatient setting (for mental health advocacy).
- Emails people send to SUF contact email address including (firstname.lastname@example.org) or those of our staff members.
- Information we record when you contact us for information and signposting.
We have included much more detail about each of the above and other various types of information we process under each of the headings listed within this statement. They are:
- Information about people who use our website.
- Information about people who share their experiences with us by other means.
- Information about people who contact us for Information and Signposting.
- Information about our staff, volunteers, trustees and anybody applying to work for us.
- Information recorded to enable our peer support role for people with mental health care needs during COVID-19.
- How we will use your personal information.
Personal information about you can be used for the following purposes:
- In our day-to-day work.
- To ensure adequate records during our COVID-19 support role, risk management and safeguarding responsibilities.
- Regular summary reports (if you are supported through Times Ten Together) are provided to your registered GP, who retain a duty of care for your physical and mental health.
- To identify you as a community member of Suffolk User Forum.
- To send you our newsletter where you have requested it.
- To contact you about our work, mental health information, surveys, events or SUF forums.
- Where we respond to any queries you have about services, there may be personal information that you choose to share with us, to help us support you. We will treat such information as confidential and protect it accordingly.
- We will never include your personal information in any feedback reports or published reports without a clear and recorded positive confirmation of your consent.
2. How we share information with other organisations
We only share personal information with other organisations where it is lawful to do so and in accordance with GDPR.
Information is shared in order to fulfil our various roles, which includes Times Ten Together peer support; passing on your experiences of mental health care and support, and to help improve services in partnership with you or on your behalf.
We will only disclose your personal information where we have your consent to do so, or where there is another very good reason to make the disclosure – for example:
- To fulfil commissioning requirements such as keeping your GP informed of support provided.
- We may disclose information to CQC or a local authority where we think it is necessary to do so in order to protect a vulnerable person from abuse or harm. Such a disclosure will be made in accordance with the requirements of GDPR and safeguarding.
We always ensure that any information that we share or disclose, for example to commissioners or service providers is anonymised so that you cannot be identified from it.
We occasionally use other organisations to process personal data on our behalf, such as MailChimp. Where we do this, those companies are required to follow the same rules and information security requirements as us. We will seek assurances from such organisations that they are compliant with the GDPR and this will be outlined in a Data Processing Contract. They are not permitted to use reuse the data for other purposes.
3. Withdrawing your consent to SUF
You can withdraw all, or any part of the consent you have given us in SUF at any time by calling us on:
or by emailing us at email@example.com
SUF will make the change without delay and within one month.
4. SUF Newsletters
The following paragraphs set out why the data processing required for our newsletter distribution is necessary for us to perform a task in the public interest.
We are required under the GDPR to identify a clear basis in either statute or common law for the relevant task, function or power for which we are using your personal data. We have several statutory duties under The Local Government and Public Involvement in Health Act 2007.
These include (amongst others):
- Working with mental health service users, patients and family carers.
- Listening to and valuing peoples lived experience of services and support, anonymously sharing feedback to support commissioners and service providers, to make developments that enable positive change and improvements to emotional wellbeing, mental health services and support community resilience.
- Promoting and supporting the involvement of local people in the redesign or emotional well-being and mental health services.
- Marketing our work through our newsletter is an important part of meeting these requirements in law. This is because it encourages people and other stakeholders to share stories about local care services. It also keeps you informed about key developments in emotional wellbeing and mental health care locally so that you can critically assess changes.
It is in the interests of the public to hear about any opportunities through which they may influence, shape, challenge or improve their local NHS and social care service provision.
Our Newsletter mailing list is not used for profiling or other marketing activity. Participants can unsubscribe at any time. You can withdraw your consent to receive SUF newsletters at any time by calling us on;
or by emailing us at firstname.lastname@example.org
SUF will make the change without delay and within one month.
5. Information about people who use our website
Please note: This statement does not cover external links within the SUF website. Therefore, we cannot be responsible for the protection and privacy of any information which you provide whilst visiting external sites and such sites are not governed by this privacy statement. You should exercise caution and look at the privacy statement applicable to the website in question.
When you browse through the information on the SUF website, it does not store or capture your personal information. We do log your IP address (as it is automatically recognised by the web server) but this is only, so you can download this website onto your device. We do not access or review any IP addresses.
The Suffolk User Forum website is provided and hosted by Siteground (https://www.siteground.co.uk/privacy.htm) Siteground does not own, control or direct the use of any of the data we store or process.
All data is stored securely and protected using an antivirus and firewall for Suffolk User Forum. This is monitored 24 hours a day, seven days a week for security incidents and ensures operational continuity.
6. Information we collect through our website
6.1 User provided information
When you use our website, as a user or as a visitor, you may provide, and we may collect Personal Data. Examples of Personal Data include your name and email address. We will only collect personal information provided by you.
6.2 Automatically Collected Information
When you visit our website or interact with our electronic mailings, we may automatically record certain information from your devices by using various types of technology, including cookies. This “automatically collected” information may include:
- IP address or other device address or ID
- Web browser and/or device type
- The web pages or sites visited just before or just after using our service
- The pages or other content you view or interact with
- The dates and times of your visit, access, or use of our communication platforms
- We also may use these technologies to collect information regarding a visitor or user’s interaction with email messages, such as whether you have opened, clicked on, or forwarded our electronic messages, or how long you have visited our website for This information is gathered from all users and visitors. These reports are anonymous and would only show your IP address.
We use Google Analytics to measure and evaluate access to and traffic on the Public Area of the website and create user navigation reports for our site administrators.
The data collected will only be used on a need to know basis to resolve technical issues, administer the Site and identify visitor preferences; but in this case, the data will be in non-identifiable form. We do not use any of this information to identify Visitors or Users.
A cookie is a small file which asks permission to be placed on your computer’s hard drive. Once you agree, the file is added, and the cookie helps analyse web traffic Cookies allow web applications to respond to you as an individual. The web application can tailor its operations to your needs, likes and dislikes by gathering and remembering information about your preferences.
We use traffic log cookies to identify which pages are being used. This helps us analyse data about webpage traffic and improve our website in order to tailor it to customer needs. We only use this information for statistical analysis purposes and then the data is removed from the system.
Overall, cookies help us provide you with a better experience by enabling us to monitor which web pages you find useful and which you do not. A cookie does not let us access to your computer or any information about you, other than the data you choose to share with us.
You can choose to accept or decline cookies. Most web browsers automatically accept cookies, but you can usually modify your browser setting to decline cookies if you prefer, however this may prevent you from taking full advantage of the website.
9. Information about people who share their experiences with us by other means
There are a number of ways that we collect feedback from people about their experiences of emotional wellbeing and mental health services day to day. This includes:
- When people complete and submit information about services and care on our website.
- Direct to our staff working in the community.
- Direct to staff working on mental health inpatient wards.
- When people submit information in response to one of our surveys or projects.
- When people share their experience with us by post (letters may be sent using our Freepost address).
- People may also share their experience electronically direct to our staff.
- People may comment on our posts on social media
- We also receive phone calls and requests for information directly from members of the public.
- Where personally identifiable information is collected, we will ensure that we have your consent to keep it and we will be clear on how we intend to use your information. We anonymise all information where we can but very occasionally there may be instances where this is not possible or where you have asked us to share your personal information. There may be exceptional circumstances where we can and will keep the data without consent, but we must have a lawful basis for doing so.
We ensure that, where consent is required, it will be clearly requested from you, used only for agreed specific and unambiguous purposes and that you are well informed about how the information will be kept. This includes where it will be stored, details on security and for how long it will be kept. We will always comply with GDPR legislation.
On occasion we will receive information from the families, friends and carers of people who access emotional wellbeing and mental health care services. We use this data to inform providers and commissioners to help them deliver services that work for you. Where it is practically possible, we will make sure that we have your consent to use information that is about you. We will only process your personal data without your consent? where there is a lawful basis to do so under current GDPR legislation.
10. Publishing information
When publishing information, we anonymise our data to ensure that a person cannot be identified, unless this has been otherwise agreed and consent has been given.
11. Information about people who contact our Information and Signposting Service
In addition to ensuring that the voices of service users and family carers are heard by decision makers, we also provide information and signposting about emotional wellbeing and mental health support in East and West Suffolk.
- A free, friendly and confidential service that is independent from the NHS and social care services.
- Signposting – This means that we will give the you the contact details for a range of services that best support your request. You will then need to contact those organisations yourself.
- We can give you information regarding the choices you have; about where you might get help in relation to your health, social care and wellbeing needs.
- We can put you in touch with sources of information on NHS and social care services in East and West Suffolk.
- We can give you information about what to do when things go wrong, and you don’t understand how to make a complaint.
- Information about advocacy services.
- We will not record personal information for signposting in SUF., unless the signposting issue is more complex, and we need to make enquiries on your behalf. This would not be done without your consent and would be explained in detail with you before any details are shared with a 3rd party.
In these instances, we will process the following information.
- Email address – By sharing your email address with us, we will not add you to our mailing list or contact you for any other purpose than to share information about local and national sources of support appropriate to your needs (related to your signposting request).
- A telephone number – Your telephone number will be used only in connection with your particular query and not for any other purpose. We might contact you with further suggestions or to clarify details about why you are contacting our service.
- A summary of the circumstances surrounding the purpose of the call – We record this information to assist our staff in providing you with relevant information and to check that we have not missed opportunities to suggest possible sources of support. We also use it to share information with our commissioners (our funder) and other stakeholders about the types of queries we receive.
- A record of where we signposted (names of organisations and groups). This information is recorded in order that we can demonstrate the breadth of signposting delivered by our service to our commissioner and also to the public to which we are accountable.
Please note: If there is a safeguarding concern, Suffolk User Forum will take immediate steps to safeguard people from harm in accordance with our safeguarding policies (available on request). We will not share your personal information with other bodies unless we feel it is necessary to protect your vital interests or the interests of another person. This might include information sharing with the Suffolk Multi Agency Safeguarding Hub (MASH) if we believe somebody to be at risk of abuse or harm.
12. Information about our own staff, volunteers, trustees and people applying to work with us
We need to process personal data about our own staff (and people applying to work for us) so that we can carry out our role and meet our legal and contractual responsibilities as an employer. We also process information about people who are applying to volunteer for us, including work experience students. The personal data that we process includes information about racial or ethnic origin, religion, disability, gender and sexuality. We use this information to check we are promoting and ensuring diversity in our workforce and to make sure we are complying with equalities legislation.
It is their choice to decide whether or not to share this monitoring data with us and can choose to withdraw their consent for this at any time. Those who wish to withdraw their consent can do at any time.
We check that people who work for us are fit and suitable for their roles. This may include asking people to undertake Disclosure and Barring Service (DBS) checks.
People joining Suffolk User Forum will be asked to complete a ‘declaration of interests’ form to identify any services with which they have close links (for example, because they have previously worked there or because the service is run by a close relative) or any other issues which could cause a perceived conflict of interest. Staff are regularly asked to update these forms.
We have a legal obligation to comply with the Freedom of Information Act 2000 and this may include the requirement to disclose some information about our employees – especially those in senior or public facing roles. We also publish some information about our staff, including the names and work contact details of people in some roles.
13. Information about people who receive COVID-19 support phone calls as a shielded person (Two Rivers Medical Centre and Felixstowe Road Medical Practice); SUF members telephone support and Times Ten Together peer support.
During COVID-19 SUF is providing the following support.
- Telephone ‘check in’s’ to shielded patients from Two Rivers Medical Centre and Felixstowe Road Medical Practice.
- Ongoing weekly telephone wellbeing support during the pandemic to more isolated shielded patients and SUF members. This support is called Times Ten Together.
- Weekly telephone peer support for SUF members.
The data collected about you for this support (including your name, address, date of birth, contact details, information about your wellbeing and mental health, your GP’s contact details, diversity monitoring) are all held securely on the SUF data base in accordance with GDPR.
The information is used to contact you and to deliver support. Records are maintained of the support given, to ensure compliance with risk management and recording requirements. This information is held securely and is kept confidential in line with this privacy notice.
For those people receiving support on behalf of Two Rivers Medical Centre and Felixstowe Road Medical Practice, as we are delivering the support on behalf of your GP, we are required to inform your GP on a regular basis that you are receiving this support role, and to provide summary information to your GP, as they retain a duty of care for your physical and mental health.
Anonymised statistical information from all support during COVID-19 may be published to provide accountability and information about these services to commissioners, for monitoring and review processes. No personal information will be shared in these anonymous reports and your identity will be keep confidential, unless you have explicitly given permission and consent to sharing your information, for example a quotation about the quality of the service you have received.
To deliver support we will process the following information.
- Name, address date of birth – this enable us to confirm identity and to comply with commissioners’ requirements, and our duty to update your GP on a monthly basis. We only share personal information with your GP, where it is lawful to do so and in accordance with our data protection policy.
- Diversity monitoring. We are committed to promoting equality and diversity, both in carrying out our charitable functions and as an employer. We use this information anonymously to measure our performance and share anonymised information and findings in reports, to ensure our charitable objectives are provided in a way that avoids discrimination, is inclusive and made available in such a way as to meet individual needs.
- Email address – By sharing your email address with us, we will not add you to our mailing list or contact you for any other purpose than to share information about local and national sources of support appropriate to your peer support needs and requests.
- A telephone number – Your telephone number will be used only in connection with your support needs and not for any other purpose. We might contact you with further suggestions or to clarify details about why you are contacting our service.
- A summary record of our telephone contacts, including the agreed frequency of contacts, dates and length of call; a summary record of support given, and self-care tips provided, goals and any concerns identified, for example about your welfare or mental health. We record this information to assist our staff in providing you with relevant information and to check that we have not missed opportunities to suggest possible sources of support.
- A record of which virtual support options we signpost you to (names of organisations and groups) – This information is recorded in order that we can demonstrate the breadth of signposting delivered by our service to our commissioner and also to the public to which we are accountable.
- Contact received by text or social media comments, or messages.
Please note: If we have a welfare or safeguarding concern about you or another person, we will wherever possible discuss this with you, so we can plan together how we can support you to be safe. However, in exceptional circumstances, we may need to take immediate steps to safeguard you or others from harm in accordance with our safeguarding policies (available on request). We will not share your personal information with other bodies unless we feel it is necessary to protect your vital interests or the interests of another person. This might include information sharing with your GP, the Suffolk Multi Agency Safeguarding Hub (MASH) if we believe you or someone else may be at risk of abuse or harm.
14. Information about people that take part in our research projects
The information we collate when conducting research may vary for a number of reasons that might include the type of research conducted or the subject matter. We might ask for your name and contact details (in case we need to get in touch about your participation in the research), anonymised demographical/diversity information (e.g. your age, gender and ethnicity) and other details if relevant.
Suffolk User Forum will only collate information that is relevant to the research and we will never publish your name, or other information about you, without your consent (e.g. case studies). You will have the right to withdraw your consent at any time.
15. Retention and disposal of personal data
SUF has a retention and disposal schedule which explains how long we keep different types of records and documents for, including records and documents containing personal data. Personal data is deleted or securely destroyed at the end of its retention period.
16. GDPR and your rights
16.1 Who in SUF takes the lead for Data Protection?
The person with day-to-day responsibility for data protection is the SUF CEO who leads on:
- reviewing SUF’s data protection policy and procedures
- implementing the policy across SUF
- monitoring staff compliance to the policy and procedures
- overseeing all subject access requests and consent changes.
16.2 Can I have access to the information that SUF holds about me?
Under the General Data Protection Regulations (GDPR), you have the right to receive:
- confirmation that your data is being processed by SUF
- access to the personal data that SUF holds about you
- and information about SUF’s privacy notices.
16.3 Why might I ask for this information?
You might ask for this information so that you can check what information SUF holds about you, so you can check it’s correct.
You might want to know more about how SUF uses your information and to check that SUF is operating lawfully.
If you ask for this information you will be making what is known as a subject access request.
16.4 Will SUF charge a fee if I make a subject access request?
SUF will provide a copy of the information free of charge.
In very rare cases we may charge a ‘reasonable fee’ (based on the administrative cost of providing the information) if any request is seen to be unfounded or excessive, or repetitive.
We may also charge a reasonable fee to comply with requests for further copies of the same information.
16.5 How long will I have to wait to receive the information from a subject access request?
In most cases SUF will provide the information to you without delay and at the latest within one month of receipt of your subject access request.
If your request is complex, we promise to let you know that we will need two months to provide the information. At the same time, we will also explain why your information will take longer to provide.
16.6 How do I make a subject access request?
You can telephone SUF on 01473 907087 or you can send us an email to; email@example.com
We will let you know we have received your request within seven working days. We will also need to confirm your identity, based on the information you have already provided to us.
16.7 How will I receive the information I have requested?
Where possible SUF will provide your information electronically, as a PDF document, as this is a commonly used electronic format.
If you request paper copies, these will be sent by recorded delivery.
16.8 If the information you have about me is wrong, will you change it?
You have a right to have the information that SUF holds about you amended so that it is correct and complete.
You can do this by telephoning SUF on 01473 907087 or by emailing us at firstname.lastname@example.org
SUF will make the amendments without delay and within one month. In very rare cases this may take two months where the request is complex.
16.9 Is the personal information I give SUF ever used for marketing?
16.10 Can I withdraw my consent?
You can withdraw all, or your any part of the consent you have given us in SUF at any time by calling SUF on;
or by emailing us at email@example.com
SUF will make the change without delay and within one month.
16.11 What happens if I wish to temporarily stop SUF from using my data?
You can tell us that you wish for your data to be removed or amended. However, if you think SUF has inaccurate personal information about you, you can ask us to stop using your information until this is corrected, this is called restricting processing of your information.
You can also ask us to stop processing your information if you wish to check out whether we are processing your information lawfully. All membership information is given by consent, so you are in control of how we use your information at all times.
16.12 Will you ever share my personal information without my consent?
In very rare situations we would have a legal duty to share your personal information without your consent. This would only be in very serious situations where we may have to respond to a police enquiry, or if a member of SUF staff had safeguarding concerns about you or your family, your mental health needs or your situation.
For more information please read the SUF Safeguarding Policy. You can ask us to send you a copy by telephoning SUF on 01473 907087.
16.13 What happens if something goes wrong with the information, I have given SUF?
SUF has put in place security measures to try to ensure that your information that is held by us is kept safely and securely. However sometimes things can go wrong, this is called an information breach. This may arise from a theft, a deliberate attack on SUF systems, from the unauthorised use of or from accidental loss or equipment failure.
SUF has a plan to deal with this, which means that we try to understand what has happened and identify who has been affected and how serious the matter is. We will be clear about who has been affected and who needs to be informed. This may include the individuals concerned, the SUF Board, the SUF commissioners, and other regulatory authorities.
16.14 How do I complain if I am concerned about SUF’s data protection practices?
If you are concerned about SUF’s data protection practices, SUF will deal with this under our Complaints procedure, responding to any information rights concerns we receive, clarifying how we have processed the individual’s personal information in that case and explaining how we will put right anything that’s gone wrong.
Please see the SUF complaints procedure which is available on the SUf website www.suffolkuserforum.co.uk or you can ask us to send you a copy by telephoning SUF on 01473 907087.
16.15 What happens if I am very unhappy and dissatisfied with SUF’s reply to my complaint?
If after SUF has replied to your complaint you remain dissatisfied with SUF’s response, you may report your concern to the Information Commissioners Office (ICO).
Tel: 0303 123 1113
Information Commissioner’s Office, Wycliffe House Water Lane Wilmslow Cheshire SK9 5AF
16.16 What do I do if I have any other questions?
Please contact SUF if you have any other questions. We are committed to ensuring that you have as much control as possible over the information you share with us and will be very happy to help you with any questions you may have.
16.17 How to contact SUF
Telephone us on 01473 907087 (Monday to Thursday 9.30-3pm).
Email us: firstname.lastname@example.org
Send a message through our website: https://www.suffolkuserforum.co.uk/contact-us/
Write to us at our postal address:
Suffolk User Forum
The New Hollies,
Unit 3a, Grange Business Centre,
Kesgrave, Ipswich, IP5 2BY
This policy was last reviewed and revised on 5th May 2020.