SUF Privacy Notice

Introduction

This privacy notice includes information for service users, family carers and members of the public who contact us, as well as information for SUF Staff, Trustees and Volunteers. It sets out the data processing practices carried out by SUF.

You can read this notice in full or if you prefer you can read our Easy-To-Read Privacy Notice by clicking on the link below.

We have a named Data Protection Officer, Jayne Stevens, who can be contacted by email jayne@suffolkuserforum.co.uk or by calling 01473 907087.

This privacy notice has been revised in June 2023 as part of our compliance with the requirements under the GDPR legislation. It is revised on a regular basis.

If you would like a paper copy of this policy, or a paper copy in large print. please call us on 01473 907087 and we can arrange to send this to you.

Suffolk User Forum is registered with the Information Commissioners Office (ICO) as we process personal data and information. The ICO is the UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

This privacy notice is set out in five sections.

Section 1 – For service users, family carers and members of the public

Section 2 – Information for people who use our website

Section 3 – Your rights. This section is for everyone, including services, family carers, members of the public and SUF staff, trustees and volunteers.

Section 4 – How to contact SUF

Section 5 – information for SUF staff, trustees and volunteers.

Section 1 – For service users, family carers and members of the public

We retain and use personal data (information that relates to and identifies living people) to help us carry out our role working with mental health service users, patients, and family carers. SUF will always make sure that your information is protected and treated securely. Any information that you give will be held in accordance with the General Data Protection Regulations (GDPR).

1.1 How we receive personal information

We obtain your personal information when you enquire about our activities, become a SUF member and you chose to share it with us or if we ask for information so that we may help you with something. We also receive it when you send an e-mail, ask a question or otherwise when you knowingly provide us with personal information. This may be verbally – either face-to-face or over the phone, by email, by letter, by online form, or by social media.

We may also receive information about you from third parties; for example, from a professional who wants to make a referral to us on your behalf for one of our projects (e.g. SUF peer led advocacy or Healthy Together) or when a family carer/relative or friend asks us to help you. Referrals are only sent to us with your consent. The lawful basis on which we hold your data and this information is Article 6(1)(e) ‘Public Task’ and Article 9(2)(h) ‘Medical Diagnosis / Health & Social Care’.

1.2 Why do we collect personal information?

The main reason we ask for your information is for us;

• To undertake our membership role with you.
• To help us support you.
• To receive and better understand your feedback and lived experience.
• To support you with a problem or with information you need.
• To support your through one of our project activities, for example Advocacy, Peer Telephone Support and/or Healthy Together Peer Support.
• We may ask you to give us feedback about the services we provide. We offer you the choice to give feedback verbally, online using an online form, by audio or by video. Your feedback is only used with your consent.
• We might also use data about the support we give you in an anonymised way. ​“Anonymised” means that no one will be able to identify you. It means that we will not use your name or any other personal details that would make it possible for someone to guess whose data we are using.
• We may use anonymised data to: Create anonymous case studies to raise awareness of our services. Prepare statistical reports, to help us improve or to tell our commissioners and service providers about the work we do and what demographic groups we have supported. To report on the views of the people we serve through our Feedback report called ‘Making Our Voice Count’ and in our Annual Report/Impact Report.

On rare occasions, we may need to access or share your information to protect your life or that of another person, for example in an emergency where we cannot gain your consent or to do so could endanger life. We will only rely on vital interests in extremely limited circumstances when no other legal basis is available.

We may sometimes ask for your consent to do something that involves use of your personal data. We will do this where no other lawful basis applies and where we can give you the highest level of control over how your data is used by us.

1.3 What information do we collect?

We will only ask you for information that we need, because this information is necessary for us to provide a service to you. We hold it under the lawful basis of either consent or ​‘legitimate interests’.

Examples of the personal information we may collect include:

Personal Information

• Your name.
• Address.
• Telephone number.
• Date of birth.
• Gender and Nationality if you choose to share this with us (Optional)
• Email address.
• We may also hold limited information about professionals involved in your care, including your GP, care coordinator for example or family carers, close friends who support you. This is collected, for example, where you name them as an emergency contact.
• The name of your family carer, friend or emergency contact.
• Your feedback about the services we provide; and/or  your feedback about other mental health care services.
• Where relevant, feedback from your family/parent carer about the services we have provided and/or their feedback about other mental health care services.

Financial Information

• Your bank account details when you claim expenses payments from us, to enable us to pay you, as per our expenses claims procedures.
• Details of any assessment and money spent on your behalf through a Personal Health Budget (Healthy Together Beneficiaries only).

Special category data

Some of the data that we may include details about your health. This is a special category of data that requires an even greater level of protection. The additional basis on which we hold this data is that it is necessary for the provision of healthcare support. We may also ask for information related to your protected characteristics. Because we must ask for this to fulfil the Equality Act (2010), our legal basis for processing this information is ​‘legal obligation’. This means we are obliged to ask you for the information; however, this is optional, and you can choose not to give it to us. We ask for this information because we want to be working with people in a way that meets their needs, and we want to be able to identify those people we are not working with so we can take steps to include them. These are protected characteristics data and is called special category data, which means it requires greater protection.

Special category data includes data about:

• Health, medical conditions, or disabilities
• Religion or beliefs (Optional)
• Ethnicity (Optional)
• Political opinions (Optional)
• Sexual orientation (Optional)
• Other – We may ask for your consent to take photographs for use in SUF publications and communication information such as newsletters, social media, SUF website. Your image may be collected with your clear consent.

Your Feedback about the services that SUF provides, and feedback about your experience of other mental health care services.

1.4 How we store your information

Information that you give to us verbally, either face-to-face or over the phone, electronically  or paper form is stored on our own secure, password protected management system. Our server operates on a cloud-based arrangement in the UK. We keep records about the support we have given you. People receiving Healthy Together Peer Support have a personalised care and support plan. This is a word document.

Some of your information may also held be on email, especially if you submit it by this method. Our emails are held on Microsoft Office 365 servers and our email system is encrypted and password protected. Emails are deleted after information has been transferred to the relevant secure database. All service user feedback about services is held anonymously.

If you call us your phone call may be recorded by our answer phone if we are unable to answer the call, this includes mobile phones You will hear a recording when your call starts to tell you this is the case. The audio file will be kept on our server only until the call is dealt with.  

If you use one of our online forms, after submission a copy of your data is temporarily held by email and then securely transferred into the relevant secure and password protected databases.

Where we have received data on paper, we crosscut shred the physical paper after uploading any relevant data to the relevant activity data base.

We take looking after your information very seriously. We have implemented appropriate physical, technical, and organisational measures to protect the personal information we have under our control, both on and off-line, from improper access, use, alteration, destruction, and loss.

1.5 How long we keep your information

We only retain membership information for as long as you are a member of SUF.

Feedback information once transferred to our database is held anonymously.

Where we hold information for the purpose of our services and project activities including Peer Telephone Support, Healthy Together, Times Ten Together Support and Advocacy our standard practice is to delete your information after a full 18 months, from last contact made or after the end or a project, unless we are required to keep data longer due to contractual requirements.

1.6 How we share information with other organisations

We collect your personal information to help us support you. This includes SUF Peer Led Advocacy, Healthy Together Peer Support, Telephone Peer Support; passing on your experiences of mental health care and support, and to help improve services in partnership with you or on your behalf.

We have to provide anonymous reports to the organisations who have awarded us the contracts to deliver these services. The information in these reports is anonymised, which means that you cannot be identified from the report. The councils and other organisations we provide this anonymous information to require us to do this under our contracts so that they can be sure we are supporting all members of the local communities where we work. We may also share anonymous information publicly in our reports, social media and website. If you don’t want to give us this information, you don’t have to.

We will only disclose your personal information where we have your consent to do so, or where there is a very good reason to make the disclosure.

• To fulfil our contractual obligations for delivering Inpatient Peer Led Advocacy, your information is held anonymously on the SUF Advocacy data base. For SUF Peer Led Community Advocacy we record your information on the Suffolk Advocacy Service Customer Relationship Management system owned and operated by POhWER, the lead partner for the advocacy contract. You can view their Privacy Policy HERE
• To fulfil commissioning requirements such as keeping your GP or Norfolk and Suffolk Foundation Trust (NSFT) Suffolk Health Team informed of the peer support provided.
• We may disclose information to Care Quality Commission or a local authority where we think it is necessary to do so to protect a vulnerable person from abuse or harm. Such a disclosure will be made in accordance with the requirements of GDPR and safeguarding and we aim to ensure wherever possible a personalised approach to Safeguarding.
• To process our newsletter, using Mailchimp.

Where we share information, those organisations are required to follow the same rules and information security requirements as us. We seek assurances from such organisations that they are compliant with the GDPR and this will be outlined in a Data Processing Contract. They are not permitted to use reuse the data for other purposes.

1.7 Your information – SUF projects and charitable activities

SUF membership, SUF Newsletters and Making Our Voice Count feedback reports.

It is very important to us that any information we hold about our members is kept lawfully and that our standards on the protection of data are communicated clearly to all. When you chose to become a SUF member you set out how we may contact you. We ask you on our membership form to consent to the type of information you wish to receive. Our lawful basis for processing your information is therefore by consent. Your information is only held for as long as you continue to be a SUF member. It is held in a secure, password protected data base and by hard copy, which is held secure in a locked cupboard. When you cease to be a SUF member your personal information is securely destroyed electronically, and the hard copy destroyed by cross cutting shredder.

The following paragraphs set out the data processing required for SUF to send you news updates and in producing our Making Our Voice Count publication, which is necessary for us to perform a task in the public interest.

We are required under the GDPR to identify a clear basis in either statute or common law for the relevant task, function, or power for which we are using your personal data. We have several statutory duties under The Local Government and Public Involvement in Health Act 2007.

These include (amongst others):

• Working with mental health service users, patients, and family carers.
• Listening to and valuing peoples lived experience of services and support, anonymously sharing feedback to support commissioners and service providers, to make developments that enable positive change and improvements to, mental health and wellbeing services and support community resilience.
• Promoting and supporting the involvement of local people in the redesign mental health and wellbeing services.

Promoting our work through our email newsletter (which is provided in electronic and hard copies), our chairs updates and providing feedback in Making Our Voice Count reports is an important part of meeting our requirements in law. It also keeps you informed about key developments and feedback about mental health and wellbeing care locally so that you can critically assess changes.

It is in the interests of the public to hear about any opportunities through which they may influence, shape, challenge or improve their local NHS and social care service provision.

Our mailing list is not used for profiling or other marketing activity. We use Mailchimp for distribution of our newsletters and email updates to our membership. Mailchimp will process email addresses, which are personal data on our behalf. Mailchimp is required to follow the same rules and information security requirements as us. Their Privacy Policy can be read through the following link https://mailchimp.com/legal/privacy/

You can choose to unsubscribe from our mailing list at any time, by clicking unsubscribe on the bottom of our Mailchimp email; by calling us on 01473 907087 or by emailing us at hello@suffolkuserforum.co.uk SUF will make the change without delay and within one month.

1.8 Information about people who share their experiences with SUF

There are several ways that we collect feedback from people about their experiences of mental health and wellbeing services day to day. This includes:

• When people complete and submit information about services and care on our website.
• Direct to our staff regardless of location i.e., office, community, mental health hospital, groups, meetings, training etc. This can be either electronically, verbally or in paper format.
• When people submit information in response to one of our surveys or projects.
• When people share their experience with us by post (letters may be sent using our Freepost address).
• People may comment on our posts on social media
• We also receive phone calls and requests for information directly from members of the public.
• Where personally identifiable information is collected, we will ensure that we have your consent to keep it and we will be clear on how we intend to use your information. We anonymise all information where we can but very occasionally there may be instances where this is not possible or where you have asked us to share your personal information. There may be exceptional circumstances where we will keep your data without consent, but we must have a lawful basis for doing so.

We ensure that, where consent is required, it will be clearly requested from you, used only for agreed specific and unambiguous purposes and that you are well informed about how the information will be kept. This includes where it will be stored, details on security and for how long it will be kept. We will always comply with GDPR legislation.

On occasion we will receive information from the families, friends and carers of people who access mental health and wellbeing care services. We use this data to inform providers and commissioners to help them deliver services that work for you. Where it is practically possible, we will make sure that we have your consent to use information that is about you. We will only process your personal data with your consent and where there is a lawful basis to do so under current GDPR legislation.

When publishing information, we anonymise our data to ensure that a person cannot be identified, unless this has been otherwise agreed and consent has been freely given.

1.9  Information about people who contact us for information and signposting support

In addition to ensuring that the voices of service users and family carers are heard by decision makers, we also provide information and signposting about mental health and wellbeing support in East and West Suffolk.

This includes:

• A free, friendly, and confidential service that is independent from the NHS and social care services.
• Signposting – This means that we will give you the contact details for a range of services that best support your request. You will then need to contact those organisations yourself.
• We can give you information regarding the choices you have; about where you might get help in relation to your health, social care, and wellbeing needs.
• We can put you in touch with sources of information on NHS and social care services in East and West Suffolk.
• We can give you information about what to do when things go wrong, and you do not understand how to make a complaint.
• Information about advocacy services.
• We will not record personal information for signposting in SUF, unless the signposting issue is more complex, and we need to make enquiries on your behalf. This would not be done without your consent and would be explained in detail with you before any details are shared with a third party.

1.10 Information about people who receive COVID-19 support phone calls as a shielded person called Times Ten Together peer support and SUF members telephone peer support

During COVID-19 SUF has provided the following support.

• Telephone ‘check in’s’ to shielded patients from an agreed Medical Centre/Practice.
• Ongoing weekly telephone wellbeing support during the pandemic to more isolated shielded patients and SUF members. Weekly telephone peer support for SUF members.

Your information is used to contact you and to deliver support. Records are maintained of the support given, to ensure compliance with risk management and recording requirements. This information is held securely and is kept confidential in line with this privacy notice. 

The lawful basis on which we hold your data is Article 6(1)(e) ‘Public Task’ and Article 9(2)(h) ‘Medical Diagnosis / Health & Social Care’.

Where we deliver support on behalf of your GP, we are required to inform your GP on a regular basis that you are receiving this support role, and to provide summary information to your GP, as they retain a duty of care for your physical and mental health.

Anonymised statistical information from all support during COVID-19 may be published to provide accountability and information about these services to commissioners, for monitoring and review processes. No personal information will be shared in these anonymous reports and your identity will be keep confidential, unless you have explicitly given permission and consent to sharing your information, for example a quotation about the quality of the service you have received.

1.11 Healthy Together Peer Support

Your information is used to contact you and to deliver the support set out by Norfolk and Suffolk Foundation Trust, your GP or another clinician from your GP practice, or a voluntary sector organisation that is already working with you. You own goals are discussed with you and agreed with you. Records are maintained of the support we give, to ensure compliance with risk management and recording requirements. This information is held securely on our secure, password protected data base and is kept confidential in line with this privacy notice. 

The lawful basis on which we hold your data is Article 6(1)(e) ‘Public Task’ and Article 9(2)(h) ‘Medical Diagnosis / Health & Social Care’.

We have contractual obligations with commissioners and are required to confirm the outcome of our support to NSFT or your GP surgery on a regular basis and to provide anonymised data summary information to commissioners. This provides statistical information and may be published to provide accountability and information about this project to commissioners, for monitoring and review processes. No personal information will be shared in these anonymous reports and your identity will be keep confidential, unless you have explicitly given permission and consent to sharing your information, for example by providing a quotation about the quality of the service you have received.

1.12 Information about people that take part in our research projects

The information we collate when conducting research may vary for several reasons that might include the type of research conducted or the subject matter. We might ask for your name and contact details (in case we need to get in touch about your participation in the research), anonymised demographical/diversity information (e.g., your age, gender, and ethnicity) and other details if relevant.

SUF will only collate information that is relevant to the research and we will never publish your name, or other information about you, without your consent. You will have the right to withdraw your consent at any time.

1.13 Information for people who donate to us

People usually donate to us by sending a cheque, making BACS transfers, or through online sources such as JustGiving. Any information we receive from JustGiving are kept within those sites and we would only use the information to understand who is fundraising for us and supporting us and not for any other purpose without your express permission.

If you are donating to us directly by cheque, cash or bank transfer, your correspondence about this is treated confidentially. We do not record any of your personal bank details at any time and ask you not to send us these. Cheques are handled securely by our Finance staff.

If you donate to us, we may ask you if you would like to join our mailing list. If you say no or do not reply, we will not add you to your mailing list.

1.14 Information for people who provide feedback to us about SUF activities and support

We welcome all feedback about SUF’s activities and support. We do receive anonymous feedback but also receive personal information when you provide feedback or make a complaint. We use your personal information so that we can reply to you. We may also ask for further information relating to your feedback, comment, question, or complaint, for example to help us resolve a complaint. Feedback, comments, and complaint data is stored in our secure databases using password protection. All our staff are trained on how to keep your information safe.

In the case of information, we have received on paper, we cross cut shred the physical paper after uploading to our data base system. We may use anonymised details of complaints or feedback to:

• Write reports, both internal and public, about how we can improve our services.
• Write reports, both internal and public, about the impact we have achieved.
• Feedback to our funders and commissioners about complaints, compliments and feedback we have received.

In some cases, you may be happy for us to use a quote of your feedback in our publicity with your name on it, but we will only do this if we have your expressed consent. 

1.15 Information for people who claim expenses payments from SUF

SUF expenses payments are made on an expense claim form and are usually made through BACS transfers, which means that we use your name and bank account details to process payments. We ask for your permission and consent to process this information and notify you how we use this information on the expenses claim form. We inform you that a record of your expense’s payment transactions are kept on our financial records and bank statements. It is not shared with third parties, but may be seen by our Independent Examiner, during the preparation of SUF’s Financial Report. All SUF Financial Records are held securely for six years as required by law.

Section 2 – Information for people who use our website

When you browse through the information on the SUF website, it does not store or capture your personal information. We do log your IP address (as it is automatically recognised by the web server) but this is only so you can download this website onto your device. We do not access or review any IP addresses.

The SUF website is provided and hosted by Siteground (https://www.siteground.co.uk/privacy.htm) Siteground does not own, control, or direct the use of any of the data we store or process.

All data is stored securely and protected using an antivirus and firewall. This is automatically monitored 24 hours a day, seven days a week for security incidents and ensures operational continuity.

Please note: This statement does not cover external links within the SUF website as we cannot be responsible for the protection and privacy of any information which you provide whilst visiting external sites and such sites are not governed by this privacy statement. You should exercise caution and look at the privacy statement applicable to the website in question.

2.1 Information we collect through our website

User provided information – When you use our website, as a user or as a visitor, you may provide, and we may collect Personal Data. Examples of Personal Data include your name and email address. We will only collect personal information provided by you.

Automatically Collected Information – When you visit our website or interact with our electronic mailings, we may automatically record certain information from your devices by using various types of technology, including cookies. This “automatically collected” information may include:

• IP address or other device address or ID
• Web browser and/or device type
• The web pages or sites visited just before or just after using our service
• The pages or other content you view or interact with on our website
• The dates and times of your visit, access, or use of our communication platforms
• We also may use these technologies to collect information regarding a visitor or user’s interaction with email messages, such as whether you have opened, clicked on, or forwarded our electronic messages, or how long you have visited our website for This information is gathered from all users and visitors. These reports are anonymous and would only show your IP address.

2.2 Analytics

We use Google Analytics to measure and evaluate access to and traffic on the Public Area of the website and create user navigation reports for our site administrators.

Google operates independently from us and has its own privacy policy which we strongly suggest you review. Google may use the information collected through Google Analytics to evaluate Users’ and Visitors’ activity on our Site (including the number of people who have spent time on our website and other such statistics).

The data collected will only be used on a need-to-know basis to resolve technical issues, administer the Site, and identify visitor preferences; but in this case, the data will be in a non-identifiable form. We do not use any of this information to identify Visitors or Users.

2.3 Cookies

Please be aware that some systems on our website require the use of cookies, but we will always state if this is the case. We will never collect and store information about you without your permission.

A cookie is a small file which asks permission to be placed on your computer’s hard drive. Once you agree, the file is added, and the cookie helps analyse web traffic. Cookies allow web applications to respond to you as an individual. The web application can tailor its operations to your needs, likes and dislikes by gathering and remembering information about your preferences.

We use traffic log cookies to identify which pages are being used. This helps us analyse data about webpage traffic and improve our website to tailor it to customer needs. We only use this information for statistical analysis purposes and then the data is removed from the system.

Overall, cookies help us provide you with a better experience by enabling us to monitor which web pages you find useful and which you do not. A cookie does not let us access to your computer or any information about you, other than the data you choose to share with us.

You can choose to accept or decline cookies. Most web browsers automatically accept cookies, but you can usually modify your browser setting to decline cookies if you prefer, however this may prevent you from taking full advantage of the website.

Section 3 – Your rights

This section is for everyone, including services, family carers, members of the public and SUF staff, trustees and volunteers.

3.1 Your right of access

You have the right to request access to the information that SUF holds about you; this is known as a Subject Access Request.

All individuals who are the subject of personal information held by SUF are entitled to:

• Ask what information SUF holds about them and why.
• Ask how to gain access to it.
• Be informed how to keep it up to date.
• Be informed how SUF is meeting its obligations under GDPR.

You can ask for your information by emailing us at hello@suffolkuserforum.co.uk or by phone call to us on 01473 907087. We will always verify your identity before any information is handed over.

• The information is to be provided free of charge.
• SUF will provide the information to you without delay and at the latest within 28 days of receipt of the subject access request.
• In exceptional cases where information is more complex, SUF must inform the individual that it will take 56 days and provide clear reasons why this is the case.
• Where possible SUF will provide subject access requests information electronically, as a PDF document, as this is a commonly used electronic format. This will be sent via encrypted email to the email address supplied by the requestee If paper copies are requested these will be sent by recorded delivery and stamped with confidential address only.

3.2 Your right of rectification

If SUF holds any incorrect personal information, you have the right to have any personal information corrected without undue delay. The right to rectification also applies where SUF hold incomplete information. You have the right to have that personal information completed in this instance.

3.3 Your right to erasure

You have the right to erasure, often referred to as the ‘right to be forgotten’ if one of the following apply.

• It is no longer necessary for SUF to process the information about youThe information was processed with your consent, and you now withdraw your consent; or
• You have objected to SUF processing your personal information and there are no overriding legitimate grounds in line with the GDPR; or
• Your information has been unlawfully processed; or
• Your personal information has to be erased for compliance with a legal obligation on SUF.

3.4 Your right to restrict processing.

If your personal information that SUF processes is inaccurate, unlawful or is no longer needed for established purposes, you can request that SUF’s processing of your personal information is restricted so that SUF only holds your personal information.  Any further processing shall only be with your consent. SUF is permitted to store the personal information, but not further process it.

3.5 Your right to object.

Where SUF carries out processing on the basis of the processing being necessary for the performance of a task in the public interest, or in order to pursue legitimate interests, you have the right to object to your information being processed.

When such an objection is received, SUF will stop processing this information unless we can demonstrate compelling legitimate or public interest in continuing the processing.

3.6 Your right to data portability.

The right to data portability allows you to obtain and reuse your personal information for your own purposes across different services. It allows you to move, copy or transfer your personal information easily from one IT environment to another in a safe and secure way, without hindrance to usability. It applies at present to more detailed levels of personal information that may for example be used in banking, government gateway checks and following SUF’s information flow review may not apply to SUF as a membership organisation, but may apply in respect of SUF staff, volunteers and Trustees for example in terms of information portability of DBS checks undertaken in SUF.

3.7 Your right related to automated decision making and profiling.

SUF does not carry out any profiling or make decisions about you using an automated basis or personal information.

3.8 Your right to complain about SUF’s data protection practices

If you are concerned about SUF’s data protection practices, SUF will deal with this under our Complaints procedure, responding to any information rights concerns we receive, clarifying how we have processed the individual’s personal information in that case and explaining how we will put right anything that has gone wrong.

Please see the SUF complaints procedure which is available on the SUF website www.suffolkuserforum.co.uk or you can ask us to send you a copy by telephoning SUF on 01473 907087.

What happens if I am dissatisfied with SUF’s reply to my complaint?

If after SUF has replied to your complaint you remain dissatisfied with SUF’s response, you may report your concern to the Information Commissioners Office (ICO).

Tel: 0303 123 1113

www.ico.org.uk

Information Commissioner’s Office, Wycliffe House Water Lane Wilmslow Cheshire SK9 5AF

What if I have any other questions?

Please contact SUF if you have any other questions. We are committed to ensuring that you have as much control as possible over the information you share with us and will be very happy to help you with any questions you may have.

Section 4 – How to contact us

Telephone us on 01473 907087 (Monday to Thursday 9.30-3pm).

Email us: hello@suffolkuserforum.co.uk

Send a message through our website: https://www.suffolkuserforum.co.uk/contact-us/

Write to us at our Freepost address:

FREEPOST

RTHU-UJJS-XZCL

Unit 3A, 

Grange Business Centre,

Tommy Flowers Drive,

Kesgrave, Ipswich, IP5 2BY

Section 5 – Information for SUF Staff, Trustees and Volunteers

This privacy notice is relevant to current and former Staff, Trustees and Volunteers of SUF, including full-time and part-time employees.

The data controller processing your data is Suffolk User Forum.  We have a named Data Protection Officer, Jayne Stevens, who can be contacted by email jayne@suffolkuserforum.co.uk

During your time working or volunteering with SUF, we will collect, obtain, and hold a range of data about you that may be able to identify you directly or indirectly. When you cease to be employed or to volunteer with SUF, we will continue to hold some data about you for a predefined period, to fulfil our remaining tasks and obligations and as set out in our retention schedule.

You should be given the reason why the data is required at  the point you are asked to provide personal information, so that you understand why and what your applicable rights are.

5.1 About the information we hold

The personal data that the SUF holds about staff, trustees and volunteers will include the following:

Personal information

• Your name
• Contact details, including address, telephone number, personal email address.
• Date of birth
• Gender (Optional)
• Nationality (Optional)
• National Insurance (NI) number
• Username
• Employee number
• Your IP address as you access information from a device on the SUF network.
• We also hold limited information about your spouse, partner, or civil partner, or other individuals.  This is collected, for example, where you name them as an emergency contact or where shared parental leave is requested.
• Copies of car insurance, MOT, Driving License.
• Copies of documentation proving your right to work such as your passport or visa
• Job information
• Your job role title – Information about your employment contract such as: Start date/s, Hours, Contract type, Salary.
• Information about any benefits or Student loan you have received or are required to pay back.
• Your bank details for pay and expenses purposes.
• Details of periods of leave taken by you, including: Holiday, Sickness absence, Family leave.
• Performance information, including: Supervision, Appraisals, Performance reviews, Training you have participated in, Performance improvement plans, Promotions.
• Details of any disciplinary or grievance procedures in which you have been involved, including any warnings issued to you and related correspondence.

Education and work history

Details of your: Qualifications, Skills, Experience, Employment history, references given and received. Other – Your image for use in SUF publications and communication information such as newsletters, social media, SUF website.

Special category data

SUF may also process some kinds of more sensitive information about you that is classed as ‘special category’ data, and which receives additional protections under law, and in terms of our processing of it.

This includes data about:

• Health, medical conditions, or disabilities
• Religion or beliefs (Optional)
• Ethnicity (Optional)
• Political opinions (Optional)
• Sexual orientation (Optional)

For all SUF roles we are required to seek information about past criminal convictions, working with children or vulnerable adults, and/or your fitness to practice in certain regulated professions.

5.2 How we collect Staff, Trustees and Volunteer data

Much of this data we will have asked you to provide to us directly when you started your employment or volunteering role with SUF. Alternatively, we may have asked you for it during your recruitment, or you may have provided it to us independently to enable SUF to help you with something.

If we do not receive information directly from you, we either generate it ourselves or we receive it from third parties, such as:

• HM Revenue and Customs (HMRC)
• Pensions scheme providers
• Disclosure and Barring Service
• Individuals or organisations that you named as a referee.

We request data from you when you:

• Apply for a job, trustee or volunteering role with SUF
• Complete your new starter forms
• Complete payroll forms when you started working with us (staff)
• When you provide payment details for expenses payments
• Update your personal records
• Provide emergency contact details – in which case we will assume that the person whose details you give us are happy for these details to be shared with us by you.
• Request shared parental leave, in which case we will receive the spouse/partner’s name and the name of their employer either from you or from your spouse/partner’s employer
• Share it during your employment with SUF, for example, during correspondence with you, during the annual appraisal process, if you need to take sick leave, or if your role changes.

We take our obligations around the handling of data very seriously, and it is therefore important for you to know the various lawful bases that we rely on under data protection law for the processing of your personal data.

To be able to process your data lawfully, we must rely on a specific lawful basis, depending on the main reason why we need the data. Below we will explain these lawful bases and when they might be used.

5.3 Lawful basis

Necessary for Legal obligations – We process data about you under this legal basis when we need to comply with UK legislation, such as in the areas of employment for tax purposes or to comply with the Equality Act, or laws around health and safety in the workplace.

Necessary for SUF to execute a contract of employment or volunteering agreement – We process your data to carry out the contract of employment we have with you, or Volunteering Agreement. This may include for example, to ensure you can work in the UK, pay you a salary and keep records of supervision, appraisal, training, disciplinary, complaint or grievance proceedings.

Necessary for the purposes of SUF’s legitimate interests – Sometimes we will process your data because we have identified a ‘legitimate interest’ in doing so. The legitimate interests we identify are determined through an assessment made by weighing our requirements against the impact of the processing on you. This is done to make sure that our legitimate interests will never override your right to privacy and the freedoms that require the protection of your personal data.

Examples of when we will process your data in our legitimate interests are:

• Providing you with a SUF IT account, access to a SUF email account, and to give you personalised access to buildings, IT applications, resources.
• Monitoring use of IT services to ensure adherence to the SUF’s Acceptable Use Policy and Information Governance Framework.
• Providing you with access to training and development services.
• Enabling effective communications to you about SUFs security or operations and to keep you informed and involved with what is happening in SUF.
• Contacting those people you have named to be notified in the event of an emergency.
• Operating and keeping a record of employee performance and related processes to plan for career development, succession planning and workforce management purposes.
• Using staff information to conduct strategic analysis, modelling, and forecasting to help SUF plan ahead.
• Analysing the effectiveness of a service that we provide, such as our annual staff survey.  This analysis is carried out at an aggregate level so that you are not identifiable from the data.
• Ensuring that we can keep the SUF office safe and secure.

Necessary to protect your vital interests or those of another person – On rare occasions, we may need to access or share your information in order to protect your life or that of another person, for example in an emergency situation where we cannot gain your consent or to do so could endanger life. We will only rely on vital interests in extremely limited circumstances when no other legal basis is available.

Staff, Trustees or Volunteers have given us your consent to process your data for a specific purpose – We may sometimes ask for your consent to do something that involves use of your personal data. We will do this where no other lawful basis applies and where it makes sense to give you the highest level of control over how your data is used by us.

For this reason, we will not ask for your consent very often where your data is being processed for employment reasons because one of the other lawful bases listed above will often be more appropriate.

However, you would be asked to specifically consent to the processing of your data if, for example, we wished to use your image in marketing materials or to process your data where we cannot rely on one of the above bases.

Processing your ‘special category’ personal data – Sensitive personal data, called “special category” data in the legislation, receives extra protection under data protection law. SUF can only process it if we have an additional lawful basis to rely on and meet higher standards for safeguarding it.

Special category data is defined as information which reveals:

• Your race or ethnicity, religious beliefs, sexual life or orientation, or your political opinions.
• A trade union membership.
• Information about your health, including:
  • Any medical condition, health and sickness records
  • Occupational health referrals.
  • Where you leave employment and the reason for leaving is determined to be ill-health, injury or disability, the records relating to that decision.
  • Information required for medical physicians and / or pension providers; and
  • Details of absences from work (other than holidays) including time on sick leave or statutory / family leave.

Of the lawful bases available to us, those SUF is mostly likely to rely on in relation to staff data are the following:

• Processing is necessary for the establishment, exercise, or defence of legal claims against SUF.
• We have asked for and received your explicit consent to process your data for a specific purpose.

Processing is necessary for us to carry out our obligations or exercise our (or your) rights under employment, social security, and social protection law

This would apply when, for example, we:

• Keep a record of reasonable adjustments for a disability to allow us to meet our obligations under the Equality Act
• Ensure that you are physically fit to work in a particular role
• Become aware that a staff member has tested positive for Covid-19 to enable us to trigger our response processes and support the NHS track and trace legislation.

Processing is necessary for occupational health and to assess your working capacity as an employee. This would apply when we obtain advice from medical professionals in Occupational Health with regards to making adjustments to your working practices due to a health condition.

Processing is necessary to protect your life or someone else’s. We will rely on this basis on rare occasions when we cannot reasonably get your consent for whatever reason.

Processing is necessary for statistical purposes. Where this is based on UK law, respects your right to data protection and where measures are taken to safeguard your rights and freedoms, such as through the collection of minimal data.

This includes compiling statistics for SUF equality and diversity commitments.

5.4 How long do we keep Staff, Trustee and Volunteer data?

As a principle, information about you will not be kept for longer than it is needed for the purpose it was collected.

SUF has a record retention schedule (see S9_Information Governance Framework) for how long different information is required. As the retention schedules indicate, we need to keep different data for differing periods of time, and you will always be told how long your personal information will be kept.

If you have any queries regarding how long we keep your data that are not answered in the schedules, please contact the SUF CEO.

Some basic information about our former staff is transferred to the SUF Archives, until the retention period is reached. When it is no longer required in line with its retention period, personal information is securely and permanently destroyed.

5.5 Who do we share Staff, Trustee and Volunteer information with?

Whilst you are working with us, we will need to share certain information both internally and with external parties.

As a principle, only minimal information will be shared as necessary and only where we have identified a lawful basis or exemption for doing so, and the data is proportionate to the need. There is guidance and governance in place to help staff to ensure that only the necessary data is made available to other departments or third parties who would not otherwise have access to it.

Some information must be shared to complete essential tasks related to your employment, such as payroll, occupational health, pensions and arranging access to IT services.

Other purposes for which personal data may need to be shared internally

• Analysis to ensure our compliance with equality of opportunity and diversity legislation
• Allow for line managers to provide staff with sufficient support in their role
• Strategic analysis, planning and forecasting
• Investigating alleged employee misconduct
• Enable us to trigger our internal processes to ensure compliance with our COVID risk assessment, if a staff member tests positive for the virus.

Third parties with whom information about SUF staff/Trustees/Volunteers and service users will or may need to be shared by SUF include.

• Cooperative Bank – The SUF Current Account for the payment of staff/service user expenses, salaries and pensions. https://www.co-operativebank.co.uk/business/online-banking
• H&B Accountancy – SUF Accountants for processing SUF staff payroll, HMRC, Sage, Financial Reporting. http://www.hbaccountancyservices.co.uk/
• Legal & General – The SUF pension provider to administer staff pensions. https://www.legalandgeneral.com/retirement/saving-for-retirement/workplace-pensions/
• Independent Examiner – Lovewell Blake https://www.lovewell-blake.co.uk/contact/offices/bury-st-edmunds-office
• HMRC or Health and Safety Executive (HSE) to meet statutory reporting obligations.
• Occupational Health – provider as agreed with individual staff.
• Disclosure and Barring Service to obtain criminal record checks for certain roles.
• Law enforcement agencies for the prevention or detection of crime.
• Legal advisors to SUF and court of law as necessary.
• Emergency response services as necessary to protect your vital interests or those of another person.
• Public Health England/NHS track and trace or any appropriately designated body, when we are requested to do so.
• Third parties who carry out aspects of processing on our behalf, such as Mailchimp.

We take the security of your data seriously. Details on SUF data and security measures surrounding can be found in the SUF Information Governance Framework, policies, and procedures.  

We have internal policies and controls in place to try to ensure that your data is not lost, accidentally destroyed, misused or disclosed, and is not accessed except by our employees in the performance of their duties.

Where we engage third parties to process personal data on our behalf, they are under a duty of confidentiality and are obliged to implement appropriate technical and organisational measures to ensure the security of data.

5.6 How do we protect Staff, Trustee and Volunteer data?

We take the security of personal data seriously. Details on SUF data and security measures surrounding can be found in the SUF Information Governance Framework, policies, and procedures.  

We have internal policies and controls in place to try to ensure that your data is not lost, accidentally destroyed, misused or disclosed, and is not accessed except by our employees in the performance of their duties.

Where we engage third parties to process personal data on our behalf, they are under a duty of confidentiality and are obliged to implement appropriate technical and organisational measures to ensure the security of data.