Our Privacy Policy
When we work alongside you, we may collect and store information about you. This Privacy Policy tells you what personal data we collect and how we process and look after your data. It is important to us to do this in accordance with our values:
- Honesty – We will be open and accessible about the information that we are collecting and who it might be shared with.
- Courage – We understand that entrusting your personal information to people can be daunting and requires courage.
- Compassion – We know that sharing personal information about yourself can make you feel vulnerable.
- Respect – We respect that your personal information is unique and precious to you. We will keep it safe and not share it with anyone who does not need it.
- Integrity – We will store your data in line with our values and in line with the relevant and current Data Protection legislation.
If you have any comments or questions about this policy, please contact us: Data Protection Officer, Dorset Mental Health Forum, 29-29A Durngate Street, Dorchester, Dorset DT1 1JP.
Telephone: 01305 257172
Email: [email protected]
Charity Number: 1169215
We aim to process people’s data in line with the following six privacy principles:
- Personal data must be processed lawfully, fairly and in a transparent manner.
- Personal data must only be collected for “specified, explicit and legitimate purposes”.
- Data collected must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
- Personal data must be accurate and where necessary kept up to date.
- Personal data that is no longer required should be deleted.
- All personal data should be processed with appropriate technical and organisational security measures in place.
1. How do we collect personal data from you?
Personal data is information that relates to an identified or identifiable individual.
What identifies an individual could be as simple as a name or a number or could include other identifiers such as an IP address or a cookie identifier, or other factors.
We may collect, process and store personal information from you when you:
- Enquire about our activities or ask another question about the Forum.
- Make contact with one of our activities, projects or services for yourself or another person.
- Interact with us directly, through one of our projects, over the phone, via post, over email, through the website, or in person.
- Access one of our activities, projects or services.
- Support our work or donate to us.
- Apply for a job or to get involved with our work and when you become a member, employee, volunteer or trustee.
- Share your story or your experiences with us through the website, in conversation, through projects and focus groups.
- Submit information directly to us via online forms or sign up to be contacted or to receive information from us.
- Access one of our partnership projects with Dorset HealthCare University NHS Foundation Trust such as the Recovery Education Centre, The Retreat, Dorset Work Matters or the Discovery Project. You can read Dorset HealthCare’s Privacy Notice here: https://www.dorsethealthcare.nhs.uk/about-us/your-information/privacy-notice
- Visit our website (this information does not identify people).
In some cases, we may be provided with your personal data by a third-party, for example if you instruct other people to make contact with us on your behalf and to share your personal information with us, such as a relative, friend or health professional.
We will only collect and process personal data from you for a specific and stated purpose. Your data will be stored securely and only utilised for this stated purpose. For more information on this, please see the section below.
2. What types of data do we collect and process?
We collect personal data from you for the activities described in section 1 above. The personal information that we collect and process depends on the nature of these activities and your relationship with us. Information might include your name, address, email address, IP address, telephone numbers, information regarding projects that you have accessed, payment information, website pages you have visited, your story or your experiences, information about how we are working together and sensitive data.
Sensitive data
Sometimes, if you have shared this information with us for a specific purpose, we may collect and store information that is defined by legislation as Special Category Data:
- Personal data revealing racial or ethnic origin.
- Personal data revealing political opinions.
- Personal data revealing religious or philosophical beliefs.
- Personal data revealing trade union membership (if you are an employee).
- Data concerning health.
- Data concerning sex life and sexual orientation.
- Data concerning criminal convictions and offences.
We also may store information about the following protected characteristics as defined by the Equality Act.
- Age
- Disability
- Gender reassignment
- Marriage and civil partnership
- Pregnancy and maternity
We collect this sensitive data for the following reasons:
- To ensure that we are reaching a cross-section of people across Dorset, as we undertake our activities and fulfil our charitable purposes.
- To support you during the course of our activities, for example:
  - Your date of birth if you have asked us to contact services on your behalf.
  - Your religion to ensure your personal needs are met in hospital.
  - Your first language, so we can ensure your voice is heard and understood.
Lawful basis
The law is specific about how personal data can be processed. We are required to have a lawful basis for processing people’s personal data:
Consent
The person has given clear and active consent for us to process their personal data for a specific purpose. Consent can be withdrawn at any time by contacting [email protected]
Contractual
The processing is necessary for a contract we have with the individual, or because they have asked us to take specific steps before entering into a contract.
Legal obligation
The processing is necessary for us to comply with the law (not including contractual obligations).
Vital Interests
The processing is necessary to protect someone’s life.
Public Interest (Task)
The processing is necessary for us to perform a task in the public interest or for our official functions, and the task or function has a clear basis in law.
Legitimate interests
The processing is necessary for our legitimate business interests, or for the legitimate interests of a third party, unless there is a good reason to protect the person’s data protection rights, which overrides those legitimate interests.
We set out below, in the next section, which lawful basis applies to our different processing purposes.
3. How we use people’s personal data
We will only use your personal data for specific and stated purposes as follows:
Visitors to our website
When you visit our website (https://www.dorsetmentalhealthforum.org.uk/), we automatically collect standard web visitor information, which is non-identifying, meaning we cannot directly identify you from the information. Such data includes:
- Details about which browser you use
- Your domain name
- What pages you visited and how you navigated the website
- The website address of any page that referred you to our website
- The website address of the page you next visit
- Your IP address
- The time and duration of your visits to the Site
- Details about the device you are using (like the type of operating system you use, mobile device model, browser type, domain, and other system settings, the language your system uses and the country and time zone of your device, and mobile phone carrier identification).
We use this information to help us understand how website visitors interact with the site and to help improve and enhance the website.
Website cookies
Like many other websites, our website uses cookies. ‘Cookies’ are small pieces of information sent by an organisation to your computer and stored on your hard drive to allow that website to recognise you when you visit. They collect statistical data about your browsing actions and patterns and do not identify you as an individual. This helps us to improve our website and deliver a better and more personalised service. Cookies are widely used to make websites work more efficiently for visitors, and to provide information to the owners of the site. We use cookies and similar technologies (also known as tags / pixels / beacons / floodlights) on our websites to personalise content, provide social media features and analyse traffic.
When you first visit our website, you will see a cookie banner at the bottom of the page. From this banner you can accept all the cookies that we use by clicking on the ‘Accept Cookies’ button or reject all cookies with the ‘Reject All’ button, which means we will only use strictly necessary cookies (cookies necessary for the website to function). If you would rather decide what cookies are set, you can choose your preferences by clicking on ‘Customise’. You can change your cookie settings at any time by clicking the cookie icon in the bottom right of the page.
It is also possible to switch off cookies on your computer by setting your browser preferences. Please note though, if you choose to turn cookies off or refuse all cookies, our website may not function for you as we would like, nor will other websites.
We use cookies on our websites to:
- Facilitate people’s ability to navigate through the website.
- Ascertain whether the website is operating effectively.
- Compile statistics on how our website is being used, which can help us to improve our website and online services.
- Personalise and improve the service we offer you by understanding your preferences and establishing which areas of the website are most relevant to you.
We use cookies that do not collect personal information but that do help us to collect anonymous information about how people use our website. We use a third-party service, Google Analytics, for this purpose.
Google Analytics
Google Analytics generates statistical and other information about website usage by means of cookies, which are stored on people’s computers. The information collected by Google Analytics about usage of our website is not personally identifiable to us. The data is collected, stored by Google and used by us to create reports about website usage. We do this to learn things such as the number of visitors to the various parts of the site. We do not make, and do not allow Google to make, any attempt to find out the identity of anyone visiting our website.
For more information about how Google Analytics cookies work on websites visit: https://developers.google.com/analytics/devguides/collection/analyticsjs/cookie-usage. You can also opt out of the use of Google Analytics across all websites: http://tools.google.com/dlpage/gaoptout.
If you use an online form to contact us
If you use a contact form on our website (e.g. https://www.dorsetmentalhealthforum.org.uk/contact), the information you provide will be emailed to the relevant employee and your enquiry and other personal information (e.g. name, email address and your message) will then be handled in the same way we handle emails (see below).
A copy of your enquiry and information may also be stored in the backend database of our website for back up purposes. We have a legitimate interest to do so, to make sure we do not lose any messages. Once we have dealt with your enquiry, the copy in the website database will be periodically deleted.
If you contact us about our activities or ask another question about the Forum
If you contact us via email, we will store your email with our email service provider and your email will be dealt with by the appropriate employee. This may mean that your email is also stored on the employee’s device within their email software.
We will only use the data you provide (e.g. your name, email and the content of the email) for the purposes of responding to your email, and as such rely on contract as the lawful basis for doing so.
How long we will keep this information will depend on the nature of your enquiry, and your relationship with the Forum. We may delete it straight away or store a copy (e.g. if you use our services).
Likewise, if you contact us via telephone, in person or by post, what we record will depend on the purpose or outcome of our interaction. In some cases we may need to record details of the conversation, your name and contact details for the purposes of getting back to you or providing you with the information you have requested. We may also store details of the conversation in our client database if appropriate to do so.
If you are a person who accesses one of our activities, projects or services
If you make use of any of our services, we will keep the minimal amount of information needed to provide those services to you. We are likely to process the following information:
- Your name
- Your contact details (email, phone, address)
- Demographic information (such as your date of birth, gender, nationality, etc.)
- Your medical history
- Details of any criminal offences
To provide our services we will store and process this information via our client database, in our email (where applicable) and in some cases, in locked filing cabinets if the information is in paper form.
We need this information to be able to provide the appropriate services to you. As such we rely on the lawful basis of contract for the storage and processing of this information.
We will typically keep this information up to six years after you finish using our services (as a legitimate business interest), unless required by law or otherwise (e.g. insurance) to keep it longer.
We may also use some of your information, but in anonymised form (e.g. demographic data) for reporting purposes to our partners, the referrer, etc. It will not be possible for them to identify you from this information.
If you access one of our partnership projects with Dorset HealthCare University NHS Foundation Trust such as the Recovery Education Centre, The Retreat, Dorset Work Matters or the Discovery Project
If you make use of any of our services in partnership with Dorset HealthCare, we will have access to your data via NHS systems. As well as processing your data as set out above, we will also share the outcomes of the services with Dorset HealthCare, who will process your data in accordance with their Privacy Notice (https://www.dorsethealthcare.nhs.uk/about-us/your-information/privacy-notice).
Our use of your NHS data and the national data opt-out?
The national data opt-out was introduced on 25 May 2018 and enables patients to opt out from the use of their patient data for research or planning purposes. Patients can view or change their opt-out choice at any time, online at www.nhs.uk/your-nhs-data-matters or by clicking on “Your Health” in the NHS App.
The national opt-out only applies in very specific situations, such as for research or planning. When we provide our services to you, the national opt-out will not apply. However, should we be given access to your NHS records for our research or planning purposes, we will of course honour your opt-out, if set, and will not use your data.
If you share your story or your experiences with us through the website, in conversation, through projects and focus groups
We will typically only maintain your contact details for the purposes of discussing the publication of your story or experiences.
Should we publish your story we will usually do so anonymously, unless you have consented otherwise. Equally, we will only use your photo if you have completed the photo consent form.
If you refer someone to our services as a relative, friend or health professional
If you refer someone to the Forum we will typically store and process your name and contact details. These will be stored in our client database and in email. We will keep this information for as long as you continue to refer individuals to us, or if applicable for as long as the referred person continues to access our services (and in accordance with our client retention set out above).
We need this information for the purposes of the referral and therefore we rely on consent as our lawful basis for processing.
If you support our work or donate to us
If you are one of our benefactors, we will keep your name and contact details within our finance systems for accounting purposes. We rely on contract as the lawful basis for this processing and may keep your information for up to 7 years (including the current year) for tax purposes, or longer if you continue to donate to us.
If you apply for a job
We will collect and process usual job application information, such as, your name, contact details, your CV and any other application information you provide, details of any references and vetting information (e.g. ID checks, right to work, etc. and if applicable details of any or lack of criminal offences).
We will only use this information for the purpose of considering you for the role for which you have applied. Without this information we are unable to consider you for the role.
When you first apply, we will rely on contract as the lawful basis for processing, as we consider you for the position for which you have applied. If you are successful, your data will be processed in accordance with our employee privacy policy which will be provided to you separately.
If your application is unsuccessful, we may keep your information up to 6 months after we have rejected your application. It is lawful for us to keep your information for this period, as a legitimate interest, to protect our business should you decide to appeal our decision or involve us in a tribunal.
If your application is unsuccessful, but we would like to keep your details on file for future consideration, we will seek your consent to do so, and your information will be kept on this basis for up to a year from when you have given consent. You can withdraw your consent for this purpose at any time by contacting us.
All application data is stored within our systems, with any correspondence kept in our email application. If you apply for a role using an online form on our website, your information may also be stored within our website database during the application process.
If you apply to get involved with our work (e.g. as a member, volunteer or trustee)
We will collect the minimal information needed to consider you as a member, volunteer or trustee. This will typically mean your contact details, information about your experiences and criminal offence data where applicable.
This information will be kept within our service database for the purposes of enabling your membership or for you to be a volunteer or trustee. It will be kept for as long as you’re involved in our work, or as required by law or our legitimate interests otherwise.
If you are a trustee, we may also keep other information about you should it be recorded at trustee meetings. We will keep such information as part of our charitable obligations, and as such are relying on legal obligation to retain this information.
If you are an employee
We will process your data in accordance with our separate employee privacy policy which will be provided to you when you become an employee, but can also be available via your Peer Lead or someone from HR.
If you sign up to receive information from us
We will keep your name and contact details for the purposes of sending you updated information, newsletters and other engagement information. This will typically be the case if you are a member, as we will provide the information to you as part of being a member.
As such we rely on contract as the lawful basis for processing and will keep your information in accordance with our retention periods for member data.
If you are one of our suppliers
We will collect your name, contact details, details of your business and billing information for the purposes of settling your invoices.
This information will be stored in our finance systems for the purposes of paying you when you provide services to us. As such we rely on contract as the lawful basis for processing your data.
We need to keep some of this information (e.g. copies of invoices) for tax purposes, where we have a legal obligation to retain such financial information for up to 7 years (including the current tax year), or longer if you continue to provide services to us.
4. Sharing people’s personal data
The personal information that we collect about you will be used by our staff, for the specific purposes identified. We will only pass your data to third parties in the following circumstances:
- You have provided your consent for us to pass your personal data to a named third party;
- We are using a third party purely for the purposes of processing data on our behalf and where we have carried out data protection due diligence and we have in place a data processing agreement with that third party that fulfils our legal obligations in relation to the use of third-party data processors; or
- We are required by law to share your data.
In addition, we will only pass data to third parties outside of the UK where appropriate safeguards are in place as defined by the General Data Protection Regulation (UK GDPR) and the UK Data Protection Act.
We will never sell or share your personal information with other organisations for contact or marketing purposes, including web browsing activity.
5. How we keep people’s personal data
Often we need to keep your information so that we can carry out the activity that you have requested, such as being a member, an employee, accessing one of our projects, sharing your story or your experience (this information is always anonymised), sending you information and so on.
All personal data is stored securely, and we have put in place appropriate security measures to safeguard personal data from unauthorised access, destruction, use, modification or disclosure. Only Forum authorised individuals are allowed to access the data we process.
We only keep personal data for as long as is reasonable and necessary for the relevant activity and to fulfil our statutory obligations (for example, the collection of Gift Aid).
We take the principles of data minimisation and removal seriously. We have internal policies and procedures in place to ensure that we collect the minimum amount of data for specific purposes and that we delete and destroy, or anonymise data promptly and securely once it is no longer required.
We seek renewal of consent regularly for data that is collected on the basis of consent.
6. Your rights over your personal data
You have a range of rights in relation to your personal data, which are set out below:
- Access – You have the right to ask us for copies of any information that we have about you. We will need to remove any third party information (about other people) which may be in your file. We will send your information within 30 days and there is no charge for this.
- Rectification – You have the right to ask us to correct personal information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete. We will consider the reasons why you think information is wrong. We will either change the information we hold or make a note that you think information is wrong on your file, as well as what you think should be written down instead. You have the right to ask us not to use your information until this is done.
- Erasure – You have the right to ask us to erase your personal information in certain circumstances. There are some circumstances where we may not be able to do this but we will always tell you why. If we cannot delete your information, you can ask us not to process or use your information. We will explain to you how this might affect any support that you get from us.
- Restriction of processing – You have the right to ask us to restrict the processing of your personal information in certain circumstances. If you are concerned about the accuracy of the information we have on you or how it is being used, you can ask us to limit how we use your personal information. If necessary, you can also stop your data being deleted.
- Object to processing – You have the right to object to the processing of your personal information in certain circumstances. This means that you can stop or prevent the organisation from using your data. However, this only applies in certain circumstances and the processing may not need to stop if the organisation can give strong and legitimate reasons to continue using your data.
- Data portability – You have the right to ask that we transfer the personal information that you have given us to another organisation, or to you, in certain circumstances.
- Your rights relating to automated decision making and profiling – We do not carry out any automated processing or profiling of your personal data.
A full summary of your legal rights over your data and further information can be found on the Information Commissioner’s website here: https://ico.org.uk
Please contact us at: [email protected] or with the contact information provided at the beginning of this policy if you wish to make a request.
Your right to complain
If you feel this privacy policy does not go far enough in explaining how we have used your personal data, we are happy to provide any additional information or explanation needed. Any requests for this should be sent by email to: [email protected].
If you want to make a complaint about the way we have processed your personal information, we’d rather you brought it to us in the first instance, but of course you can contact the Information Commissioner’s Office in their capacity as the statutory body that oversees data protection law in the UK: https://ico.org.uk/make-a-complaint/
7. Changes to our privacy notice
We may change or update elements of this privacy notice from time to time or as required by law. The most current version of our privacy notice is available on our website at: https://www.dorsetmentalhealthforum.org.uk/privacy-policy
July 2024