Privacy Policy In Full

Short on time? Go to our ‘Privacy Policy in Brief’

Who are we?

In this policy, whenever you see the words We, Us or Our, it refers to Falkirk & District Association for Mental Health (FDAMH). We are:

Falkirk & District Association for Mental Health (FDAMH), a charity registered in Scotland (SC011889) and a Company Limited by Guarantee (SC151357).

About this policy

This policy sets out how we will use and look after the personal information you have shared with us.

This policy applies to our legal responsibilities under the Data Protection Act 2018 (DPA 2018) and the UK General Data Protection Regulation (UK GDPR). We will refer to these as the ‘regulations’. These ‘regulations’ affect how we gather and use your personal data (information about you). They relate to:

  • Websites we operate
  • Our use of emails, text messages and direct mail for marketing purposes
  • Our use of information held to provide our services
  • Our use of information held to manage and support volunteers and staff
  • Any other methods we use for processing personal information

This policy covers what we collect and why, what we will and will not do with the data and what rights you have.

Your rights include the right to see the data we hold about you and to object to us using your data or to ask for it to be deleted – you can find out more about your rights at the end of this policy.

Our right to change this policy

We may make changes to this policy from time to time. We will post the changes on this page and they will apply from the time we post them.

Changes to our policy will not affect how we use your data. When you give us your data it will be for a specific reason, for example to use a service. Later on, if we want to do something else with your data we would contact you and ask your permission.

This policy was last updated on 1st September 2021.

What is personal data?

Personal data is information that can be used to help identify you, such as your name, address, phone number or email address and other information gathered during your contact with us. It also includes digital identifiers that are linked to you, such as an ‘IP’ address.

Some of this information belongs to ‘special categories’. Special categories of personal data are given extra protection by the regulations because they are particularly sensitive, for example details about your beliefs, race or sexuality. Data about your health is one of these ‘special categories’ of information and, as a mental health organisation, it is something we routinely process.

Why do we have to use personal data?

We collect and use data so that we can provide our services for the benefit of the public. The information you give us helps us to provide you with a more personalised service.

You don’t have to give us any data, however if you do not provide us with the information that we ask for we may not be able to offer you certain services or the level of service we would normally provide.

How we will use your personal data is explained in more detail in the section ‘Groups of people we process data about’ below.

If you have any questions about your personal data and FDAMH please discuss this with the staff member you are in contact with. They will be able to explain what they will do with your data and how failing to provide information might affect you and the service we can offer.

Understanding the rules that allow us to use your data

The ‘regulations’ only allow us to collect and use your data if we are doing so within the reasons that are written down in the regulations. Each of these permitted reasons is known as a ‘lawful basis’ or if we are talking about more than one reason we would call them ‘lawful bases’.

It is important that you know what lawful basis is being used for your data because it may affect what rights you have (more information about your rights is available at the end of this policy).

The following definitions explain the common lawful bases that we use. When we talk about ‘processing’ your data we mean anything we do with it, from collecting it, through storing and using it to deleting it.

“Contract” – We can process your data using the lawful basis of a ‘contract’ when you have asked us to provide you with a service (for example to receive a service or take part in a course or event). We process information about you so that we can provide you with the service you have asked for. We cannot use this reason to process ‘special categories’ of data.

“Consent” – We can ask for your permission to use your information. You must take a positive action to give your consent, such as ticking a box or verbally agreeing to our request. When you give your consent you can withdraw it at any time.

“Vital Interests” – We are allowed to process your data if it is in your or someone else’s vital interests – that is, using the data might be life-saving. We can only process ‘special categories’ of data under this rule if for some reason you are physically or legally unable to give your consent.

“Legitimate Interests” – We are allowed to process your data if it is our legitimate business need or those of another organisation acting on our behalf, unless there is a good reason to protect your personal data which overrides our interests. We cannot use this lawful basis to process ‘special categories’ of data.

“Legal Purposes” – This lawful basis allows us to process your data, including ‘special categories’ of data, if it is necessary for us to comply with a legal obligation.

“Employment” – If you work for us then we are entitled to process your data, including special categories of data, for the purposes of your employment.

Groups of people we process data about

We are required to let you know why we are allowed, by law, to collect and use your personal data, what data we collect about you and what we will do with it.

This information will vary depending on how and why you interact with us, so we have grouped it to make it easier for you to see what details apply to you (see groupings below).

People who use or ask to use our services

What data do we collect about you?

As a minimum we will collect your contact details and your date of birth, so that we can identify you as an individual. We will also record the dates and times you have contacts with us, such as meetings, phone calls, sessions or your attendance at courses and groups.

We may record the outcomes of those meetings and some notes about what you have told us. We also record your feedback and evaluations on your own progress and what you thought of our services.

If you are accessing FDAMH’s services we may also collect information about the people around you – such as who referred you to the service or your next of kin.

We may also collect what are known as ‘special categories’ of information. This is more personal information such as what you tell us about your mental and sometimes physical health.

What GDPR rules allow us to collect and use this data about you?

We will use the rules around ‘contract’ to collect your data, and where ‘special categories’ of data (such as health data) are involved we will ask for your consent.

From time-to-time we may use the lawful basis ‘vital interests’ to process data about you that may help to save your or someone else’s life.

What do we do with your data?

We use your data to deliver the service to you. It allows us to be able to get in touch with you and communicate with you and it helps us to tailor our services to your needs by getting a better understanding of your situation.

We also use your information to help take care of your health and safety and that of other people using our services or visiting our centre, our staff and our volunteers.

By looking at data of all of the people who use our services we are able to get statistics that help us to monitor and develop our services. These statistics are used anonymously – that is no one can be identified from the information. Our charitable activities rely on funding and many funders ask for anonymous data about our services so they can make sure their money is being spent in the way they expected.

We also use anonymous data to help us apply for new funding.

Will we share your data?

In the course of our work with you it is possible that you may request us to refer you to another organisation. If we do this for you then we will pass your details on as you have requested. We only do this with your knowledge and will only share the minimum amount of data required.

If you are using our charitable services we may provide feedback to the person who referred you – your GP for example. Such feedback is limited to very simple information, such as letting them know if you attended.

From time-to-time we may share your data using rules of ‘vital interest’ to protect you or someone else, for example if we are concerned about you we may contact emergency services.

If you are receiving a service from FDAMH Training Academy it may be necessary to share your data with other organisations that verify the course you are attending, so that you can receive your certificate or qualification.

How long will we keep your data?

If you have used FDAMH’s services we will hold your data for 7 years from the last action on your record, for example the last time you attended an appointment. This ensures we will have your details for a reasonable length of time if you come back to us. It also means we will have your information if you wish to speak to us about a service you received at FDAMH.

After 7 years your data will be anonymised – that is we will remove any information that would allow you to be identified from the record. This way we can still keep historical data on, for example, how many people used FDAMH’s services. Any paper records would be entirely and securely destroyed.

If you have used services from FDAMH Training Academy then your data will be deleted shortly after our contract with you is complete. If we have your consent we will retain your contact details so we can get in touch with you about other courses and services that you may be interested in.

Special rules apply to students on our COSCA Counselling Skills Certificate – students on this course are given full information when they apply.

What happens if you don’t want to provide data?

Some people who come to us have serious concerns about their privacy. You are urged to make any concerns known to the member(s) of staff that you are working with.

If necessary we will do our best to further minimise what we record about you, however you should be aware that this is likely to affect the quality of the service that you receive from us and in some cases it may mean that we are unable to provide you with a service at all.

People who use Our Website and Social Media 

What data do we collect about you? 

We receive data about how people use our website and any other online platforms that we employ. Data on website usage is anonymous but some other platforms will show your activity on a personal level – for example on social media we could see if you ‘like’ a post. 

Data collection may involve tracking your behaviour by using Cookies — please see Our Cookie Policy for more information. We may also track short links that we send out via our website and social media platforms, to monitor where people clicked on them. We do not identify anyone from this sort of data. 

If you use one of our website referral forms to ask to use a service you are sending much more detailed information to us – please see the section on ‘People who use or ask to use our services’. 

What GDPR rules allow us to collect and use this data about you? 

The use of this sort of data is in our ‘Legitimate Interests’. 

What do we do with your data? 

The data helps us to find out what people are interested in on our site(s),so that we can make them better for the people that want to use them. 

We may also use the data to prevent or detect fraud or abuses of our websites and enable third parties to carry out technical functions on our behalf. 

Will we share your data? 

Your data is collected, analysed, stored and viewed on the online services that we use. These include ‘Google Analytics’, hyperlink tracking and shortening services like Bit.ly and Quick Response code (codes you scan with your mobile) creation and tracking services. Data from these services is anonymous. Our social media platforms like Facebook and Twitter also display information about you if you interact with our social media sites and posts. 

How long will we keep your information? 

We only keep anonymous aggregated data about website and link usage. 

Comments and messages on social media platforms will be stored by the platform provider and may be visible on the platform you used e.g. Facebook. Remember that social sites (such as Facebook, YouTube and Twitter) are subject to their own privacy policies and ways of operating and you should understand how joining these may affect your privacy before starting to use them.
If you would like a contribution you have made on one of our social media platforms removed please contact us and we will remove it if it is within our power. 

What happens if you don’t want to provide information? 

You can decline cookies using your own browser settings, you could also use your browser in ‘private’ mode. You do not need to use social media to contact us or find out about us. Instead you can visit our website, email us, pick up the phone or pop in and see us.

Remember that social media sites often offer you a number of settings to enhance your privacy. 

Donors and Supporters 

What data do we collect about you? 

We collect contact details about our supporters. We may also collect information about our contact with you. 

We also gather data about donations that are made to us, sometimes through donation websites that we use such as Just Giving and Charities Aid Foundation  – unless you make your donation anonymous. 

If you participate in our events we might have to collect quite detailed information about you, such as payment details and information to help look after participant safety. This may include ‘special categories’ of information such as details about your physical health, for example you may need to tell us about a serious allergy that could affect you during our event. 

What GDPR rules allow us to collect and use this data about you? 

We will use your consent as our lawful basis for processing your data to keep in touch with you about our fundraising activities and so on. 

When you sign up to a fundraising event organised by us or with another organisations whilst supporting FDAMH, our lawful basis for collecting and using your data will be ‘contract’. If we have to gather any ‘special categories’ of data we will ask for your consent. If necessary, we may also collect and use data using the lawful basis of ‘legitimate interests’. 

In the event of an emergency situation, we may use the lawful basis ‘vital interests’ to share data about you that may save your or someone else’s life. 

What do we do with your data? 

We will use your data to give you the specific information you have consented to receive such as about events and activities and to keep you up-to-date on our services. 

If you register for an event we will use the data so that you can take part and to help us look after the safety of all participants. Your data may also be used to determine whether you are eligible for an event – for example are you old enough or are you fit enough for the challenge? 

Financial data you provide will be used to process payments and donations. 

We will use data about our supporters, such as interests and behaviour, to gain a better understanding of them and to enable us to improve our service. This research may be carried out internally by our employees or we may ask another company to do this work for us. 

Will we share your data? 

We may share your data with the following other organisations : 

  • Events companies who on our behalf are organising events or activities, that you sign up for 
  • Mailing and marketing companies to enable us to communicate with you, only if you have given us consent to do so 
  • Online database servers to enable us to organise the data we hold and process 

How long will we keep your data? 

Data you give us under consent will be kept and processed until you withdraw your consent or the data is no longer required. The data will then be deleted. You should note that sometimes we need to keep the basic details of people who have withdrawn consent simply to make sure that they are not added to a consenting group in the future. For example, email newsletter services retain the details of people who have unsubscribed so that organisations cannot re-subscribe them. 

Data obtained under ‘contract’ will be kept up-to-date during the contract period. At the end of the contract period we will delete your personal data unless you have given your consent to use your personal data for other purposes – for example to update you with the success of the fundraising event. 

Data obtained under ‘Legitimate Interests’ will kept until it is no longer required and then it will be deleted. 

What happens if you don’t want to provide data? 

If you choose not to provide any or parts of your personal information requested, we may not be able to provide you with any, some, or all, of the features of our products or services. 

In particular, you may not be able to take part in any event or activity organised by us or organised by another organisation on our behalf. If you knowingly withhold or fail to supply information as requested for any event or activity organised by us or on our behalf, we cannot be held responsible for any loss (financial or personal), illness, injury or death of the individual during such events. 

Volunteers 

What data do we collect about you? 

When you apply to volunteer with us we will ask for your contact details and for information that will help us to match you to the correct volunteer opportunities, such as your interests. We will also ask you about any criminal convictions you may have and for details of people who can give you a reference. 

All of our volunteers must provide the details required to apply to join the Protection of Vulnerable Groups (PVG) scheme.

We will maintain data about your contacts with our service users and your participation in training, supervision and other volunteer events. 

All active volunteers will be requested to provide bank details so that we can pay your expenses directly into your bank account. 

What GDPR rules allow us to collect and use this data about you? 

We use the lawful basis ‘Legitimate Interests’ to process your data. Where we are required to gather ‘special categories’ of data we will ask for your consent. In some cases, you will have a choice whether you provide certain data or not, at these times we will seek your consent, for example to sign you up to receive the volunteer bulletin or to request a trustee biography to publish on our website. 

What do we do with your data? 

We use your data to help us check that you are suitable for volunteering. Once you become a volunteer, we use it to help make sure that your role is working out for you and the people you come into contact with. 

We will also use your data to help develop your skills as a volunteer and to make sure any legitimate expenses are paid by us. We may use your data to find ways to thank you for your efforts, such as by providing awards for length of service. 

Will we share your data? 

We share limited details with Disclosure Scotland so that they can identify you for the purposes of the PVG scheme. 

If you volunteer as a Trustee all of the information you provide will be made available to our auditors, along with minutes from formal meetings. Trustees’ contact details, dates of birth and national insurance numbers will also be shared with Companies House. Depending on your trustee role, we may ask you to provide basic details as signatories to business-related documentation. Details may also be shared with funding bodies and other organisations seeking to validate FDAMH so that we can receive their services/funding. 

Trustees will have their name and a short biography published on our website with their consent.  

How long will we keep your data? 

We will keep your data for as long as you volunteer with us, and then for 6 years after that. A basic record of your details and your role with us will be retained for 25 years. Your name will appear on service user case files until that file is destroyed – 7 years from the last action on the record. 

In addition, if you are a trustee your basic details, conflict of interest forms and contributions to official business will become part of the permanent records of the organisation. 

What happens if you don’t want to provide data? 

Unfortunately, you would not be able to volunteer with us if you did not provide the information that we ask for. This information is important for your safety and welfare and for the safety and welfare of our service users and our organisation. 

Members 

What data do we collect about you? 

We collect your name, address and telephone number. We also ask if you would like to receive our newsletter. 

What GDPR rules allow us to collect and use this information about you? 

Data that we use to record members is collected in our ‘Legitimate Interests’. Where you agree to receive our newsletter we ask for your consent. 

What do we do with your data? 

The data you provide is made available to the Board so that they can approve your application to become a member. 

We also use your data to keep in touch with you and to make sure we know who our members are. 

Having your data means we can invite you to the meetings you are allowed to attend as a member and it helps us make sure that our formal business is carried out within the rules of our organisation – for example a minimum number of members must attend FDAMH’s Annual General Meeting for any decisions made at them to be valid. 

Will we share your data? 

This data is not normally shared, however FDAMH’s auditors will be able to review membership records. 

How long will we keep your data? 

We will keep your membership form for 1 year after your membership ends. Your name as a member, attendance and contributions at any members meetings will form part of the permanent records of the organisation. 

What happens if you don’t want to provide data? 

Unfortunately, you could not become a member without providing the data that we request. 

People who sign up for our newsletters or other marketing information 

What data do we collect about you? 

If you wish to receive information about us we will collect the address, phone number or email address that you would like us to use to contact you. You may also provide your name and information about the kind of things you are interested in. 

Sometimes we add to our lists of people who would like to receive information from us by using information that we have gathered from other sources, but only if you have given us the consent to do so. 

Once you start receiving our communications we may also see data on whether or not you have opened them and what links you have clicked, depending on what method we have used to contact you. 

What GDPR rules allow us to collect and use this data about you? 

We use your consent as our lawful basis for using your information to provide you with newsletters and other marketing communications. 

What do we do with your data? 

We use your data so we can send you newsletters, bulletins and updates, sometimes with tailored information to suit your interests. This helps us to let people know about our news, the opportunities we offer and to gain support for our charitable activities. 

We use statistics from our communications to look at how people have used them. This helps us to work out what people like and don’t like so that we can improve the information we send out. 

Will we share your data? 

Most of our email newsletters are provided thanks to a service called Mailchimp. We use Mailchimp to design and send our newsletters and it manages and stores information about the people who have signed up. You can view Mailchimp’s policies at https://mailchimp.com/legal/. 

We may, from time-to-time, share your information with marketing companies working for us to, for example, to send out mail on our behalf. These companies would only use your information for our marketing and no one else’s. 

How long will we keep your data? 

We will keep your details until you choose to stop receiving information from us. When you do this your basic details may be kept on an ‘unsubscribed’ list so that you are not mistakenly contacted by us again in the future. 

You can easily unsubscribe from our email newsletters at any time by clicking the ‘unsubscribe’ link on our emails. 

For all other forms of communication, we will always provide information about ‘opting out’ on the information we send you. Alternatively, you can get in touch with us to let us know that you would like us to stop sending you information. 

What happens if you don’t want to provide data? 

We can’t send the communications you want without your contact details.
If you don’t want to provide your contact details FDAMH publishes its most recent newsletters on our website. You could also follow our social media accounts to keep up-to-date. 

People who visit Our building (CCTV & Signing In) 

What data do we collect about you? 

Your image will be captured on our security camera (outside the building). Your name, who you visited and the time you visited will appear in our sign-in book – you can also leave your car’s registration number if you have used our car park. 

What GDPR rules allow us to collect and use this information about you? 

We use ‘Legitimate Interests’ as the lawful basis for collecting this data. 

What do we do with your data? 

Images captured by Our security camera are only reviewed in the event of an incident – for example an accident in our car park or an attempted break in. 

Information in the sign-in book is used in the event of a building evacuation so that we know when everyone has been successfully evacuated. It may also be used to identify car owners if there is an incident in the car park. Occasionally it may be used to verify that someone attended an appointment or to check when someone was last at FDAMH if we have concerns about them. 

Will we share your data? 

In the event of an incident, law enforcement agencies (for example local police) may be given access to video images generated by our security camera. In addition, insurers may use images to investigate claims. 

Only if there is real concern for your safety, data about your attendance may be shared with other agencies under the lawful basis known as ‘vital interests’. 

How long will we keep your data? 

Security camera footage is deleted automatically after 7 days. 

Sign in sheets are retained until the visitor statistics mentioned above are tallied – this may take up to 6 months. They are then destroyed (by shredding). 

What happens if you don’t want to provide data? 

Our security cameras remain on at all times as they are there to prevent crime and protect the safety of people coming to our centre. 

You do not need to provide your full name when you sign in, we just need to be able to identify you in the event of a building evacuation. 

Professionals and Organisations 

What data do we collect about you? 

We will record your name, role and contact details for your place of work. 

What GDPR rules allow us to collect and use this information about you? 

When you have referred someone to our services or you work with someone using our services your data is recorded under our ‘Legitimate Interests’. 

We may also process your data under ‘Vital Interests’ rules. 

What do we do with your data? 

If you have referred someone to our services we will use your information, if necessary, to contact you about the referral. Your information will also be used to provide us with statistics about who is referring in to our services. 

If you work with someone using our services from time-to-time it may be helpful for us to get in touch with you with the person’s permission. More rarely we may contact you without their permission if we are very concerned about the person. 

Will we share your data? 

This data is not normally shared, however the broader sources of referrals (e.g. ‘GPs’, ‘Social Work’) are published in aggregated statistics. 

How long will we keep your data? 

Information about people working in our community is maintained while it is useful in terms of our work and in producing statistics on, for example, referral sources. When we become aware that someone is no longer working with an organisation or related to a service user we will mark this on the record or remove them as a contact as appropriate. 

What happens if you don’t want to provide information? 

In the case of making a referral, most services accept self-referrals and therefore you may suggest that the individual you wish to refer contacts us for themselves. 

People making a complaint or involved in an accident or incident 

What data do we collect about you? 

For a complaint we will ask you for your contact details and a description of your complaint. In the event of an incident (for example a fight) or accident we will keep a record of what happened. 

What GDPR rules allow us to collect and use this data about you? 

We gather this data because it is in our ‘Legitimate Interests’. 

What do we do with your data? 

For complaints, we use the information you provide to help us investigate the complaint you have made, keep in touch with you about the investigation and to arrive at a decision about the complaint. 

For incidents and accidents, we use the information gathered to investigate what has happened and take any further appropriate action. 

Will we share your data? 

Our Board members (volunteers) will be involved in reviewing complaints investigations and making decisions about your complaint. 

If we could help someone whose life was at risk by sharing the data you provide we would do so under the ‘Vital Interests’ rule. 

If your complaint, incident or accident was about or involved criminal activity we may be required, by law, to share information with law enforcement agencies such as the Police. Similarly, if your complaint or the incident showed that we were in breach of other rules that we are subject to we may have to share your information with relevant governing bodies. 

We may also be required to share your details with our insurers. 

How long will we keep your data? 

We retain full information for 6 years. We retain a complaints register, which holds basic details, for 10 years. 

What happens if you don’t want to provide data? 

We would be unable to investigate a complaint if you did not provide us with enough information about it. If you are involved in an incident or accident and do not want your data recorded, we would need to weigh up the rights of everyone involved to determine the most acceptable course of action. 

Students on placement 

What data do we collect about you? 

We will collect your contact details and any information that we need to help manage your student placement. 

Depending on your course, we may collect data that will help to assess your learning or help you to reflect on your performance and learning while with us. 

What GDPR rules allow us to collect and use this data about you? 

Your data will be processed due to our ‘contract’ with you or your place of study to provide you with a student placement. 

What do we do with your data? 

We will use your data to make sure that your placement works for you and us. We may use the data to ask for agreed payments from your place of education. 

Will we share your data? 

We will share your data with your course tutor and any other staff at your place of education as required by your course. 

How long will we keep your data? 

We will keep your data for as long as your placement with us, and then for 6 years after that. A basic record of your details and your role with us will be retained for 25 years. Your name will appear on service user case files until that file is anonymised – 7 years from the last action on the record. 

If you have worked with our service users then your name may be linked to their records. In such a case your name will remain on service user records until the record is anonymised. Service user records are kept for 7 years from when the last action took place on them. 

What happens if you don’t want to provide data? 

Unfortunately, you could not have a student placement with us if you did not provide the information that we and your place of education ask for. 

Suppliers 

What data do we collect about you? 

We collect contact details for people in your organisation that we need to get in touch with. We will have records of our interactions with you/your company such as emails, purchase orders, quotes, invoices, notes of meetings and contracts – such information may contain your personal details. 

As an individual, you may have to provide us with information about your qualifications and experience. If you are working directly with our service users we will also need to check your PVG scheme membership. Self-employed individuals would also be required to provide us with personal bank details. 

What GDPR rules allow us to collect and use this data about you? 

Our lawful basis for processing this data is that of ‘Contract’.
We may also process this data when it is in our ‘Legitimate Interests’. 

What do we do with your data? 

Your personal details will be kept in lists of our business contacts so that we can get in touch with you. Your data will also be used so that you can supply us with the goods and services that we have requested. 

Depending on your role we may also use your data to check that you are properly qualified and safe for the role. 

If you are self-employed then we may use your personal banking details to provide you with payments. 

Will we share your data? 

Information about our business transactions is viewed by our auditors.
In the event that we became involved in a dispute with you then your personal data might be shared with our legal advisors and any other necessary external bodies. 

How long will we keep your data? 

Data surrounding our financial transactions is retained for 7 years. If we are advised that you have left your company or been replaced by a different staff member, we will remove your contact details from our contact listings. 

If during your work with us you have had contact with our service users then your role may form part of their personal record. In such cases this data is not deleted until 7 years from the last action on the service user’s record. 

What happens if you don’t want to provide data? 

If you do not provide your details, we may not be able to contact you to place and manage our orders. We would not be able to allow you to provide certain services, for example working with our service users. 

Employees and Job Applicants

What data do we collect about you? 

When you apply for a job with us, we collect your contact details, employment and learning history, application documents, records of your qualifications and your referees. 

When you are offered a post, we will also gather information about your right to work in the UK and a criminal convictions declaration. Most staff will also be required to provide details for the PVG scheme. 

When you start working with us, we will also require your banking details and your National Insurance number. 

In the course of your employment with us, we will continue to gather data about your performance, training and work with us. 

What GDPR rules allow us to collect and use this data about you? 

We will gather data about our employees or people who apply for a job with us under the lawful basis of ‘contract’. Special categories of your data are processed under ’employment’ rules. 

What do we do with your data?

Your information is used to check that you are properly qualified and safe to be offered a role with us. It is also used to check that you are legally eligible to work with us. 

If you join our staff team your information will be used to pay you and provide any other benefits you are entitled to. We will use information about your work to help you develop in your role, including identifying training needs that you have. 

Will we share your data? 

Your work your details, such as your work contact details, may be shared with a wide variety of organisations and individuals to allow you to perform your role. 

Certain data, such as bank details, will be shared with organisations that help us to provide employee pay and other benefits, for example Payroll, Pensions, Online Banking and Childcare Vouchers. 

We may also share information about your work role, qualifications and experience with funders or other types of customers to help us gain funding or business. We may also provide details about you to certification authorities to help us, for example, gain accreditation standards. 

How long will we keep your data? 

If you apply for a job with us but are unsuccessful, we will destroy your data after 6 months – this allows us to respond to any queries we receive about the application process. 

Employee data will be kept as follows: 

  • Personnel file – all information 6 years from termination, basic details including work roles and training for 25 years. 
  • Documentation relating to pay and benefits – 6 years from end of tax year. 
  • Absence monitoring – 6 years from absence date. 
  • Supervision, grievances, employment tribunals – 6 years from termination. 
  • Upheld disciplinary documentation – 25 years. 
  • Your name in relation to work done with service users – 7 years from last action on service user file. 
  • Information relating to major injuries sustained during your employment will be retained for 40 years from termination. 

What happens if you don’t want to provide data? 

You would not be able to work with us if you did not provide the details that we request. 

The remainder of this policy applies to everyone who gives us their personal data 

Who will see my information? 

Your information will only be seen by our staff and volunteers who need to see it in order to provide the service you have requested or unless there is a strong reason to share it with other staff members – for example where a member of staff would like to consult with another member of staff about your case so that we can give you the best possible service. 

Your information may also be shared – see ‘Sharing your information’ 

Sharing your information 

The section ‘Groups of people we process information about’ tells you about how we share your information depending on how you interact with us. We will also share information you have given us for the following reasons: 

  • If it is necessary to perform the service you have requested from us and you could reasonably expect us to have to share your information in this way. 
  • If we are legally required to do so, for example by a law enforcement agency legitimately exercising a power or if required to share information by an order of the Court. 
  • If we believe it is necessary to protect or defend our rights, property or the personal safety of our people or visitors to our premises or websites 
  • If we are working with a carefully-selected partner that is carrying out work on our behalf. These partners may include event companies, payment processors, IT specialists, education and examining bodies, research firms, mailing houses, and marketing agencies. The kind of work we may ask them to do includes organising events; sending postal mail, emails and text messages; carrying out research or analysis; processing card payments and direct debits; and packaging, mailing and delivering purchases. We only choose partners we can trust. We will only pass personal data to them if they have signed a contract that requires them to: abide by the requirements of the GDPR; treat your information as carefully as we would; only use the information for the purposes it was supplied (and not for their own purposes or the purposes of any other organisation); allow us to carry out checks to ensure they are doing all of these things. 

Only if our relationship with you involves payments we may at times, for financial protection, have to share your information with: 

  • financial organisations 
  • credit reference agencies 
  • debt collection and tracing agencies 

Disclosing information to protect a person’s safety 

If you disclose information to us that gives us serious concern for yourself or others, or is in relation to an actual or intended crime, we may be obliged to contact the relevant authorities and/or public agencies. 

Using your information for marketing 

We send marketing information to tell people about our services, gain support for our charity or advertise our training courses. We will only send you marketing information if you have agreed to this. You can also tell us how you want to get information, for example by email or post. 

You can change how you receive marketing information from us or stop marketing information altogether at any time:
For emails look for the ‘unsubscribe’ link in the emails.
For other means please call FDAMH on weekdays between 10am and 4pm on 01324 671600 or send an email to dpo@fdamh.org.uk 

If you would like to receive information from us but haven’t told us yet, please contact us at admin@fdamh.org.uk. 

Storing your information 

Information is stored by us on our computer systems and also in secure online services. We may transfer the information to other locations and to other reputable third party organisations – see ‘Transferring your information to other places’. 

To protect your information, we also use online back-up services to create a secure copy of your data in the event of a problem with FDAMH’s own systems. 

We may also store information in paper files, within secured cabinets on our premises. 

Under the regulations We must not keep your information for any longer than necessary. We use a set of rules to tell us how long we should keep your information for – this is called Our ‘Data Retention Policy’. These rules have been put together by looking at industry standards and guidance and by thinking about your needs, our needs and any legal requirements. Each of the sections under ‘Groups of people we process information about’ above tells you what to expect depending on how you interact with us. 

You have rights in relation to your data. This includes having the right to request that your data is deleted or no longer used. Look at our section on ‘Your rights’ to find out more. 

Keeping your information secure 

We take the security of your personal information seriously. We have security measures in place to protect your information. Our security measures aim to protect your information against being lost or stolen, being used in ways it shouldn’t be or being altered in some way. For example, only authorised staff will have access to your information and we use SSL to encrypt financial and personal information you input online before it is sent to us.

While we cannot ensure or guarantee that loss, misuse or alteration of information will not occur while it is under our control, we use our best efforts to try to prevent this. 

If we have given you a password to access parts of our websites or use our services you should keep your password private. Please don’t share your password with anyone. 

When we no longer need information, we will delete it in line with our Data Retention Policy. If we are disposing of information, we do this securely to prevent anyone from gaining access to information we have destroyed – for example paper records are shredded. Sometimes we use specialist companies to do this work for us, for example when disposing of computers and other data storage devices so that data cannot be recovered.

Transferring your information to other places 

It may sometimes be necessary to transfer personal information abroad. For example, we may use an online service where the data servers that store your information are not in the UK. When this is required, information will only be shared in compliance with rules on international data transfers as set out in the regulations, this is to ensure your information is as well protected abroad as it is in the UK. 

What we don’t do with your information 

We never sell or share your information to other organisations to use for their own purposes. 

Photography, Videos and Interviews 

We keep a database of photographs and videos taken by us or supplied by another organisation working for us. These images often come from events and activities organised by us or others. From time to time we also make audio recordings of interviews or write down your responses to interview questions. 

We use this information to tell people about our services and recognise the achievements of our supporters, service users and donors. 

Your image falls into what is known as ‘special categories’ of information, these are particularly sensitive types of information. 

We will never use your image or identifiable interview content without your consent. 

However, at certain public events and activities where photography or videoing is expected to take place it may be impossible to receive consent from everyone in attendance. In these circumstances we will provide notices and use other appropriate methods to inform attendees of the photography or videoing that is going to take place. 

If you do not want your image to be used, you must follow the guidance given at the event or approach the photographer/videographer to let them know. 

Before giving your consent to the use of your image or interview you should think about how you will feel about this information not just now, but how you might feel about it in the future. 

We use photographs, video and interviews in a wide variety of places, which include: 

  • Our websites and other websites associated with us in relation to publicising Our events and services 
  • Social Media pages, including, but not limited to Facebook, Twitter, LinkedIn, Instagram 
  • Local and national written and broadcast media, for example local newspapers and radio stations 
  • Brochures, Literature, Reports and other documents produced by us 

We will never 

  • Use photos, videos or interviews featuring you without your consent (unless images taken at a public event as above) 
  • Sell or share photographs of you to others for their own purposes or financial gain 

If you change your mind about an image that you have allowed us to publish, we will do our best to remove it, although we may have to take into account the effort involved – for example printed materials would be impossible to locate and cost a lot to replace. You should also remember that we may not be able to remove information that is in the control of other organisations. 

Your feedback and personal stories 

We keep a record of feedback provided to us by people who use our services, help us to provide our services or work with us in other ways. 

Feedback is mostly used to help us reflect on and improve our services. However, it also offers us the chance to use your real experiences to tell people about our services and recognise the achievements of people associated with us. Sometimes people give us more detailed personal stories to tell us more about the role of our services in their lives. 

We publish short, completely anonymous feedback statements in a wide variety of places to promote our services and demonstrate our impact (see below). 

Where we are provided with longer feedback or personal stories that contain significant personal information there is a greater chance that you can be identified from the information you provide. We will only ever publish such feedback or personal story with your consent, and you may ask to review the final version before it is published.

It is, however, our normal practice to publish all personal stories, sometimes known as ‘case studies’, anonymously (without a name or with a fake name). We will do this unless you specifically request otherwise. We also think about how someone might be able to guess that the story is about you and then we make changes to the story or remove certain information to ensure anonymity. 

Before giving your consent to the use of your personal story you should think about how you will feel about this information not just now, but how you might feel about it in the future. 

We use feedback and personal stories in a wide variety of places, which include: 

  • Our websites and other websites associated with us in relation to publicising our events and services 
  • Social Media pages, including, but not limited to Facebook, Twitter, LinkedIn, Instagram 
  • Local and national written and broadcast media, for example local newspapers 
  • Brochures, Literature, Reports and other documents produced by us 

If you change your mind about information that you have allowed us to publish we will do our best to remove it, although we may have to take into account the effort involved – for example printed materials would be impossible to locate and cost a lot to replace. You should also remember that we may not be able to remove information that is in the control of other organisations. 

Your privacy on other websites 

Our websites link to other websites. Our privacy notice only applies to FDAMH’s site. If you are concerned about information that you are asked for on other sites please check the privacy notices/policies of these. 

Your rights

The General Data Protection Regulations (GDPR) gives you certain rights over your data and how we use it. These include: 

Right of Access. You have the right to find out if we hold personal information about you and if so you have a right to gain access to that information. 

Right to Rectification. If we hold incorrect information about you, you have the right to have it corrected. You also have the right to give us additional information where there are details missing from the information that we hold. 

Right to Erasure (“Right to be Forgotten”). In certain cases, you will have the right to ask for the data we hold about you to be erased. 

Right to Restriction of Processing. In certain cases, you have the right to ask us to stop using your data. 

Right to Data Portability. You have the right to ask for a copy of your information and you may be able to ask us to transfer that information to another organisation. 

Right to Object. In certain cases, you have the right to object to us using your personal information. You may also object to the use of your data where it has been collected for direct marketing purposes. 

Right to be Not Subject to Automated Individual Decision-Making. You have the right to prevent us from making decisions about you that are based solely on rules used by computers (automated processing). FDAMH does not currently undertake any automated decision making.

Right to Filing Complaints. You have the right to file complaints about how we have used your personal data with the relevant data protection authorities (see below). 

Right to Compensation of Damages. If we breach applicable legislation on the use of your data, you have the right to claim damages from us for any damage the breach may have caused you. 

If you wish to exercise any of these rights, please contact the Data Protection Lead in writing at FDAMH, Victoria Centre, 173 Victoria Road, Falkirk FK2 7AU or by emailing dpo@fdamh.org.uk 

For more information about your rights go to the website of the Information Commissioner’s Office at ico.org.uk. 

Falkirk & District Association for Mental Health is not a ‘public authority’ as defined under the Freedom of Information Act and we will not therefore respond to requests for information made under this Act; using the funds generously donated to us by our supporters for such activities is not in accordance with our charitable purposes.