Privacy and Data Protection Policy (GDPR)

Introduction

This Privacy Policy sets out how we collect, use and store your personal information (this means any information that identifies or could identify you).

At Islington Mind, we are committed to protecting service users, employees and volunteer’s personal information and making every effort to ensure that personal information is processed in a fair, open and transparent manner.

We are a “data controller” for the purposes of the Data Protection Act 1998 and (from May 2018) the EU General Data Protection Regulation 2016/679 (“Data Protection Law”). This means that we are responsible for, and control the processing of, your personal information.

For further information about our privacy practices, please contact our Data Protection Officer – currently Gideon Ahabwe (HR, Finance and Administration Officer) by:
Writing to Islington Mind, Unit 4, Archway Business Centre, 19-23 Wedmore Street, Islington, London, N19 4RU
Calling us on 020 3301 9850
Emailing to: gideon.ahabwe@islingtonmind.org.uk or admin@islingtonmind.org.uk

How we collect information

Islington Mind’s work aims to ensure that we can help people experiencing mental health problems get both support and respect. We want to make sure that our service users and employees receive the communications that are most relevant to them, be it through visiting our website or receiving emails, post or phone calls.

We want to make sure that people receive the best attention when they become a user of our services, access a volunteering placement or employment opportunity or make a donation.

We collect information in the following ways:

When people interact with us directly:

This could be if people ask us about our activities, register with us for services, training or an event, make a donation to us, ask a question about mental health, apply for a job or volunteering opportunity or otherwise provide us with personal information. This includes when people phone us, visit our website, or get in touch through the post, or in person.
We ask every service user, and every volunteer to sign a consent form to keep their personal information (see Appendix 1)

When you interact with us through partners on their behalf:

This could be through being eligible for clinical supervision as a volunteer counsellor which is delivered through trusted individuals working on our behalf and always under our instruction.

When people interact with us through third parties:

This could be people who provide a donation through a third party such as MyDonate or one of the other third parties that we work with and provide your consent for your personal information to be shared with us.

When you visit our website:

We gather general information which might include which pages you visit most often and which services, events or information is of most interest to you.

The information we collect and why we use it

The information we collect is used to achieve our vision that everyone experiencing a Mental Health problem gets support and respect.

Personal information

We collect personal details such as name, date of birth, email address, postal address, telephone number, credit/debit card details (if you are making a purchase or donation), as well as other information provided in any communications with us.

This information is provided to us whilst an individual is registering with our services, making a donation, registering for an event, placing an order on our website or any of the other ways to interact with us.

Sensitive Personal Information

Certain information is classified as Special Category Data or Sensitive Personal Information. For example, racial or ethnic origin, religious or other beliefs of a similar nature, physical or mental health conditions and sexuality. This is classed as special because of its sensitive nature.

Sensitive Personal Information will be treated with extra care and confidentiality and always in accordance with this Privacy Policy.

Why we use Personal Information

We will use the information you provide us with to carry out our work, which will include, amongst others, the following purposes:

  • To plan and deliver services.
  • To create an appropriate person-centred support plan in line with your needs.
  • To liaise effectively with other services for your benefit.
  • To help protect you or others from abuse or harm.
  • To help you arrange and receive services when needed.
  • To ensure our services are accessible to all parts of society.
  • To carry out our responsibilities to staff and volunteers, and to administer, and volunteering and employment arrangements.
  • So that external regulators and inspectors can check and audit our services and ensure they meet the required standards.
  • So that we may review, audit and improve the quality of our services and increase their benefit to you and others.
  • To meet the needs of our funders’ monitoring procedures.
  • To facilitate promotion of our services and fundraising.
  • To keep a record of our work and people / companies’ relationships with us.
  • To process donations or other payments, to claim Gift Aid on donations and verify any financial transactions.
  • To update with important administrative messages e.g. about donation, an event or services or goods requested.
  • To comply with the Charities (Protection and Social Investment) Act 2016 and follow the recommendations of the official regulator of charities, the Charity Commission, which require us to identify and verify the identity of supporters who make major gifts so we can assess any risks associated with accepting their donations.

We may also use personal information:

  • To contact agencies about their work and how they can support Islington Mind (see D. Marketing’ below).
  • To invite people to participate in surveys or research or events.

We will not be able to provide services, process donation, sign people up for a particular event without collecting relevant personal information that allows us to provide the requested service or follow up the requested activity.

Legal basis for using your information

In some cases, we will only use personal information where we have people’s consent to do so or because we need to use it in order to fulfil an agreement or contract. However, there are other lawful reasons that allow us to process personal information and one of those is called ‘legitimate interests’. This means that the reason that we are processing information is because there is a legitimate interest for Islington Mind to process personal information to help us to achieve our vision mentioned above.

Whenever we process individual’s Personal Information under the “legitimate interest” lawful basis we make sure that we take into account the individual’s rights and interests and will not process personal information if we feel that there is an imbalance.

Some examples of where we have a legitimate interest to process personal information include where we contact you via post, phone or email, use personal information for data analytics, conducting research to better understand who our supporters are, improving our services, for our legal purposes (for example, dealing with complaints and claims), or for complying with guidance from the Charity Commission.

Marketing

We may send information about our work and how to support us and about events by phone, email, text message, and postal address, unless we have been told not do so or not to do so in that way.

You can update your choices or stop us sending you these communications at any time by contacting admin@islingtonmind.org.uk

If a service user is happy to share personal details with staff members or if they would like us to share their story with the media or other parties as part of our work telling people’s personal stories about mental health (for example, on our blog) – they can of course decide if they want to remain anonymous.

Sharing information/personal data

The personal information we collect about service users will mainly be used by our staff and volunteers at Islington Mind so that they can provide adequate support. We will never sell or share service users’ personal information with organisations for marketing activities.

Islington Mind may however share information with our trusted partners who work with us or on our behalf to deliver our services when sharing of data is required to safely or effectively provide the service. The processing of this information is always carried out under our instruction. We make sure that these partners store the data securely, delete it when they no longer need it and never use it for any other purposes.

Some examples of where we may share information are with our partners who help us to process donations and claim Gift Aid and our partners who help us to manage our social media accounts. When we enter into contracts with these service providers, we require them to comply with Data Protection Laws and ensure that they have appropriate controls in place to secure your information.

When Working in Partnership With A Third Party Organisation

To ensure good and safe practice when sharing personal data with a third-party organisation, the GDPR officer is responsible to ensure:

  • compliance with data processing principles (lawfulness, fairness and transparency).
  • we also establish a lawful basis for sharing the data (e.g. that sharing of data is required in order to provide the service safely and effectively.)
  • that the data subject is aware and consent to the data sharing
  • that we document the data sharing through an Information and Data sharing agreement.

The GDPR officer is responsible to ensure that the following due diligence checks of the third party are carried out:

  • asking the third-party organisation to confirm they comply with data protection laws, including the General Data Protection Regulation;
  • asking the third-party organisation to forward their Privacy / Data Protection / GDPR policies and procedures, and their data security standards certifications, and to confirm that they carry out personal data processing in accordance with their policies and procedures;
  • clarifying with the third-party organisation that they do not further transfer personal data to another third party and/or transfer the personal data outside of the European Economic Area;
  • establishing with the third-party organisation that they have the technical, physical and organisational security measures in place to protect the personal data. In case of data breach, what is the procedure or recording pathway from the Organisation Management to the data subject.

Legal Disclosure

We may disclose information if required to do so by law (for example, to comply with applicable laws, regulations and codes of practice or in response to a valid request from a competent authority.)

Keeping and storing information

We take looking after personal information very seriously. We have implemented appropriate physical, technical and organisational measures to protect the personal information we have under our control, both on and off-line, from improper access, use, alteration, destruction and loss.

Unfortunately, the transmission of information using the internet is not completely secure. Although we do our best to protect people’s personal information sent to us this way, we cannot guarantee the security of data transmitted to our site. Our websites may contain links to other sites. While we try to link only to sites that share our high standards and respect for privacy, we are not responsible for the content or the privacy practices employed by other sites.

Please be aware that websites that have links on our site may collect personally identifiable information about you. This privacy statement does not cover the information practices of those websites.

Any debit or credit card details which we receive on our website are passed securely to Sage Pay our payment processing partner, according to the Payment Card Industry Security Standards.

How long we hold your information for

We keep personal information only for as long as is reasonable and necessary for the relevant activity, which may be to provide mental health support services or fulfil statutory obligations (for example, the collection of Gift Aid).

We will delete information from our records, following a service user’s discharge from our services, and on their request.

Removing the information we hold on you

If there has been no recorded contact with you for 7 years or more, we will remove all your data from our systems.

It is the responsibility of our Head of Finance and HR to regularly monitor our systems to check the date of data. S/he will then forward and data to be deleted to our Head of Service and Quality who will approve the deletion.

This will mean if you are referred or self-referred to our services again after a seven year or more period we will need to ask you for your personal information again.

Your rights

You have various rights in respect of the personal information Islington Mind holds about you – these are set out in more detail below. If you wish to exercise any of these rights, you can do so by contacting us at Islington Mind, unit 4, Archway Business Centre, 19-23 Wedmore Street, Islington, London,N19 4RU, by email at admin@islingtonmind.org.uk or by phone on 020 3301 9850.

You can also make a complaint to the data protection supervisory authority, the
Information Commissioner’s Office, https://ico.org.uk/

Access to your personal information

You have the right to request access to a copy of the personal information that we hold about you, along with information on what personal information we use. You can make this request for access free of charge. Please make all requests for access in writing and provide us with evidence of your identity.

Right to object

You can object to our processing of your personal information where we
are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. Please contact us as noted above, providing details of your objection.

Consent

If you have given us your consent to use personal information for other than legal or duty of care reasons, for example, for marketing, you can withdraw your consent at any time.

Rectification

You can ask us to change or complete any inaccurate or incomplete
personal information held about you.

Erasure

You can ask us to delete your personal information where it is no longer necessary for us to use it, you have withdrawn consent, or where we have no lawful basis for keeping it.

Portability

You can ask us to provide you or a third party with some of the personal
information that we hold about you in a structured, commonly used, electronic form, so it can be easily transferred.

Restriction

You can ask us to restrict the personal information we use about you where
you have asked for it to be erased or where you have objected to our use of it.

We do not currently carry out any automated decision making.
Please note, some of these rights only apply in certain circumstances and we may not be able to fulfil every request.

Monitoring

We may record your communications with us (including by telephone or email) for training, quality control and compliance purposes to ensure that we continuously improve our customer service standards.

 

Revised November 2023

Click here for a pdf copy