Privacy Policy In Full

Short on time? Go to our ‘Privacy Policy in Brief’

Who are ‘We’?

In this policy, whenever you see the words ‘we’, ‘us’ or ‘our’, it refers to Falkirk & District Association for Mental Health (FDAMH) and FDAMH Training Academy. The full legal information for each entity is:

Falkirk & District Association for Mental Health (FDAMH), a charity registered in Scotland (SC011889) and a Company Limited by Guarantee (SC151357).

FDAMH Training Academy, a Company Limited by guarantee (SC534122).
 

About this policy

This policy sets out how ‘we’ will use and look after the personal information you have shared with ‘us’.

This policy applies to ‘our’ legal responsibilities under the Data Protection Act 1998 (DPA) and, from 25th May 2018, the General Data Protection Regulations (GDPR). ‘We’ will refer to these as the ‘regulations’. These ‘regulations’ affect how ‘we’ gather and use your personal data (information about you). They relate to:

  • all websites ‘we’ operate
  • ‘our’ use of emails, text messages and direct mail for marketing purposes
  • ‘our’ use of information held to provide ‘our’ services
  • ‘our’ use of information held to manage and support volunteers and staff
  • any other methods ‘we’ use for processing personal information

This policy covers what ‘we’ collect and why, what ‘we’ will and will not do with the data and what rights you have.

Your rights include the right to see the data we hold about you and to object to us using your data or to ask for it to be deleted – you can find out more about your rights at the end of this policy.
 

‘Our’ right to change this policy

‘We’ may make changes to this policy from time to time. ‘We’ will post the changes on this page and they will apply from the time ‘we’ post them.

Changes to ‘our’ policy will not affect how ‘we’ use your data. When you give ‘us’ your data it will be for a specific reason, for example to use a service. Later on, if ‘we’ want to do something else with your data ‘we’ would contact you and ask your permission.

This policy was last updated on 3rd April 2018.
 

What is personal data?

Personal data is information that can be used to help identify you, such as your name, address, phone number or email address and other information gathered during your contact with ‘us’. It also includes digital identifiers that are linked to you, such as an ‘IP’ address.

Some of this information belongs to ‘special categories’. Special categories of personal data are given extra protection by the regulations because they are particularly sensitive, for example details about your beliefs, race or sexuality. Data about your health is one of these ‘special categories’ of information and, as a mental health organisation, it is something ‘we’ routinely process.
 

Why do ‘we’ have to use personal data?

‘We’ collect and use data so that ‘we’ can provide ‘our’ services for the benefit of the public. The information you give ‘us’ helps ‘us’ to provide you with a more personalised service.

You don’t have to give ‘us’ any data, however if you do not provide ‘us’ with the information that ‘we’ ask for ‘we’ may not be able to offer you certain services or the level of service ‘we’ would normally provide.

How ‘we’ will use your personal data is explained in more detail in the section ‘Groups of people we process data about’ below.

If you have any questions about your personal data and FDAMH please discuss this with the staff member you are in contact with. They will be able to explain what they will do with your data and how failing to provide information might affect you and the service ‘we’ can offer.
 

Understanding the rules that allow ‘us’ to use your data

The ‘regulations’ only allow ‘us’ to collect and use your data if ‘we’ are doing so within the reasons that are written down in the regulations. Each of these permitted reasons is known as a ‘lawful basis’ or if ‘we’ are talking about more than one reason ‘we’ would call them ‘lawful bases’.

It is important that you know what lawful basis is being used for your data because it may affect what rights you have (more information about your rights is available at the end of this policy).

The following definitions explain the common lawful bases that ‘we’ use. When ‘we’ talk about ‘processing’ your data ‘we’ mean anything ‘we’ do with it, from collecting it, through storing and using it to deleting it.

 
“Contract” – ‘We’ can process your data using the lawful basis of a ‘contract’ when you have asked ‘us’ to provide you with a service (for example to receive a service or take part in a course or event) and ‘we’ process information about you so that ‘we’ can provide you with the service you have asked for. We cannot use this reason to process ‘special categories’ of data.

“Consent” – ‘We’ can ask for your permission to use your information. You must take a positive action to give your consent, such as ticking a box or verbally agreeing to our request. When you give your consent you can withdraw it at any time.

“Vital Interests” – ‘We’ are allowed to process your data if it is in your or someone else’s vital interests – that is, using the data might be life-saving. ‘We’ can only process ‘special categories’ of data under this rule if for some reason you are physically or legally unable to give your consent.

“Legitimate Interests” – ‘We’ are allowed to process your data if it is ‘our’ legitimate business need or those of another organisation acting on ‘our’ behalf, unless there is a good reason to protect your personal data which overrides ‘our’ interests. ‘We’ cannot use this lawful basis to process ‘special categories’ of data.

“Legal Purposes” – This lawful basis allows ‘us’ to procees your data, including ‘special categories’ of data, if it is necessary for ‘us’ to comply with a legal obligation.

“Employment” – If you work for ‘us’ then ‘we’ are entititled to process your data, including special categories of data, for the purposes of your employment.

Groups of people ‘we’ process data about

‘We’ are required to let you know why ‘we’ are allowed, by law, to collect and use your personal data, what data ‘we’ collect about you and what ‘we’ will do with it.

This information will vary depending on how and why you interact with ‘us’, so ‘we’ have grouped it to make it easier for you to see what details apply to you (see groupings below).

Expand each group to find out information that applies to you

We are currently working on expanding these sections to comply fully with the new GDPR requirements that will come into force on 25 May 2018.

People who use or ask to use ‘our’ services

People who use ‘our’ Website and Social Media

Donors and Supporters

Volunteers

Members

People who sign up for ‘our’ newsletters or other marketing information

People who visit ‘our’ building (CCTV & Signing In)

Professionals and Organisations

People making a complaint or involved in an accident or incident

Students on placement

Suppliers

Employees

 

The remainder of this policy applies to everyone who gives us their personal data

 

Who will see my information?

Your information will only be seen by ‘our’ staff and volunteers who need to see it in order to provide the service you have requested or unless there is a strong reason to share it with other staff members – for example where a member of staff would like to consult with another member of staff about your case so that ‘we’ can give you the best possible service.

Your information may also be shared – see ‘Sharing your information’
 

Sharing your information

The section ‘Groups of people ‘we’ process information about’ tells you about how ‘we’ share your information depending on how you interact with ‘us’. ‘We’ will also share information you have given ‘us’ for the following reasons:

  • If it is necessary to perform the service you have requested from ‘us’ and you could reasonably expect ‘us’ to have to share your information in this way
  • If ‘we’ are legally required to do so, for example by a law enforcement agency legitimately exercising a power or if required to share information by an order of the Court
  • If ‘we’ believe it is necessary to protect or defend ‘our’ rights, property or the personal safety of ‘our’ people or visitors to ‘our’ premises or websites
  • If ‘we’ are working with a carefully-selected partner that is carrying out work on ‘our’ behalf. These partners may include event companies, payment processors, IT specialists, education and examining bodies, research firms, mailing houses, and marketing agencies. The kind of work ‘we’ may ask them to do includes organising events; sending postal mail, emails and text messages; carrying out research or analysis; processing card payments and direct debits; and packaging, mailing and delivering purchases.

‘We’ only choose partners ‘we’ can trust. ‘we’ will only pass personal data to them if they have signed a contract that requires them to:

  • abide by the requirements of the GDPR
  • treat your information as carefully as ‘we’ would
  • only use the information for the purposes it was supplied (and not for their own purposes or the purposes of any other organisation)
  • allow ‘us’ to carry out checks to ensure they are doing all of these things.

Only if ‘our’ relationship with you involves payments ‘we’ may at times, for financial protection, have to share your information with:

  • financial organisations
  • credit reference agencies
  • debt collection and tracing agencies

 

Disclosing information to protect a person’s safety

If you disclose information to ‘us’ that gives ‘us’ serious concern for yourself or others, or is in relation to an actual or intended crime, ‘we’ may be obliged to contact the relevant authorities and/or public agencies.
 

Using your information for marketing

‘We’ send marketing information to tell people about ‘our’ services, gain support for ‘our’ charity or advertise ‘our’ training courses. ‘we’ will only send you marketing information if you have agreed to this. You can also tell ‘us’ how you want to get information, for example by email or post.

You can change how you receive marketing information from ‘us’ or stop marketing information altogether at any time:
For emails look for the ‘unsubscribe’ link in the emails.
For other means please call FDAMH on weekdays between 10am and 4pm on 01324 671600 or send an email to dpo@fdamh.org.uk

If you would like to receive information from ‘us’ but haven’t told ‘us’ yet, please contact ‘us’ at dpo@fdamh.org.uk .
 

Storing your information

Information is stored by ‘us’ on ‘our’ computer systems and also in secure online services. ‘We’ may transfer the information to other locations and to other reputable third party organisations – see ‘Transferring your information to other places’.

To protect your information ‘we’ also use online back-up services to create a secure copy of your data in the event of a problem with FDAMH’s own systems.

Depending on the service used ‘we’ may also store information in paper files, within secured cabinets on ‘our’ premises.
 

Under the regulations ‘we’ must not keep your information for any longer than necessary. ‘We’ use a set of rules to tell ‘us’ how long ‘we’ should keep your information for – this is called ‘our’ ‘data retention policy’. These rules have been put together by looking at industry standards and guidance and by thinking about your needs, ‘our’ needs and any legal requirements. Each of the sections under ‘Groups of people ‘we’ process information about’ above tells you what to expect depending on how you interact with ‘us’.

You have rights in relation to your data. This includes having the right to request that your data is deleted or no longer used. Look at ‘our’ section on ‘Your rights’ to find out more.

 

Keeping your information secure

‘We’ take the security of your personal information seriously. ‘We’ have security measures in place to protect your information. ‘Our’ security measures aim to protect your information against being lost or stolen, being used in ways it shouldn’t be or being altered in some way. For example, only authorised staff will have access to your information and ‘we’ use secure server software (SSL) to encrypt financial and personal information you input online before it is sent to ‘us’. While ‘we’ cannot ensure or guarantee that loss, misuse or alteration of information will not occur while it is under ‘our’ control, ‘we’ use ‘our’ best efforts to try to prevent this.

If ‘we’ have given you a password to access parts of ‘our’ websites or use ‘our’ services you should keep your password private. Please don’t share your password with anyone.
 

When ‘we’ no longer need information ‘we’ will delete it. If ‘we’ are disposing of information ‘we’ do this securely to prevent anyone from gaining access to information ‘we’ have destroyed – for example paper records are shredded. Sometimes ‘we’ use specialist companies to do this work for ‘us’, for example when disposing of computers and other data storage devices.
 

Transferring your information to other places

It may sometimes be necessary to transfer personal information abroad. For example, ‘we’ may use an online service where the data servers that store your information are not in the UK. When this is required information will only be shared in compliance with rules on international data transfers as set out in the regulations, this is to ensure your information is as well protected abroad as it is in the UK.
 

What ‘we’ don’t do with your information

‘We’ never sell or share your information to other organisations to use for their own purposes.
 

Photography, Videos and Interviews

‘We´ keep a database of photographs and videos taken by ‘us’ or supplied by another organisation working for us. These images often come from events and activities organised by ‘us’ or others. From time to time ‘we’ also make audio recordings of interviews or write down your responses to interview questions.

We use this information to tell people about ‘our’ services and recognise the achievements of ‘our’ supporters, service users and donors.

Your image falls into what is known as ‘special categories’ of information, these are particularly sensitive types of information.

‘We’ will never use your image or interview content without your consent.

However at certain public events and activities where photography or videoing is expected to take place it may be impossible to receive consent from everyone in attendance. In these circumstances ‘we’ will provide notices and use other appropriate methods to inform attendees of the photography or videoing that is going to take place.

If you do not want your image to be used you must follow the guidance given at the event or approach the photographer/videographer to let them know.

Before giving your consent to the use of your image or interview you should think about how you will feel about this information not just now, but how you might feel about it in the future.

We use photographs, video and interviews in a wide variety of places, which include:

  • ‘Our’ websites and other websites associated with ‘us’ in relation to publicising ‘our’ events and services
  • Social Media pages, including, but not limited to Facebook, Twitter, LinkedIn, Instagram
  • Local and national written and broadcast media, for example local newspapers and radio stations
  • Brochures, Literature, Reports and other documents produced by ‘us’

‘We’ will never

  • Use photos, videos or interviews featuring you without your consent (unless images taken at a public event as above)
  • Sell or share photographs of you to others for their own purposes or financial gain

If you change your mind about images that you have allowed ‘us’ to publish ‘we’ will do ‘our’ best to remove it, although ‘we’ may have to take into account the effort involved – for example printed materials would be impossible to locate and cost a lot to replace. You should also remember that ‘we’ may not be able to remove information that is in the control of other organisations.

 

Your feedback and personal stories

‘We´ keep a database of feedback provided to ‘us’ by people who use ‘our’ services, help ‘us’ to provide ‘our’ services or work with ‘us’ in other ways.

Feedback is mostly used to help ‘us’ reflect on and improve ‘our’ services. However, it also offers ‘us’ the chance to use your real experiences to tell people about ‘our’ services and recognise the achievements of people associated with us. Sometimes people give ‘us’ more detailed personal stories to tell ‘us’ more about the role of ‘our’ services in their lives.

We publish short, completely anonymous feedback statements in a wide variety of places to promote ‘our’ services (see below).

Where ‘we’ are provided with longer feedback or personal stories there is a greater chance that you can be identified from the information you provide. ‘We’ will only ever publish such feedback or personal story with your consent and you may ask to review the final version before it is published. It is ‘our’ normal practice to publish all such stories anonymously (without a name or with a fake name) unless you specifically request otherwise. ‘We’ also think about how someone might be able to guess that the story is about you and then ‘we’ make small changes to the story or remove certain information to reduce this risk.

Before giving your consent to the use of your feedback or personal story you should think about how you will feel about this information not just now, but how you might feel about it in the future.

We use feedback and personal stories in a wide variety of places, which include:

  • ‘Our’ websites and other websites associated with ‘us’ in relation to publicising ‘our’ events and services
  • Social Media pages, including, but not limited to Facebook, Twitter, LinkedIn, Instagram
  • Local and national written and broadcast media, for example local newspapers
  • Brochures, Literature, Reports and other documents produced by ‘us’

If you change your mind about information that you have allowed ‘us’ to publish ‘we’ will do ‘our’ best to remove it, although ‘we’ may have to take into account the effort involved – for example printed materials would be impossible to locate and cost a lot to replace. You should also remember that ‘we’ may not be able to remove information that is in the control of other organisations.
 

Your privacy on other websites

‘Our’ websites link to other websites. ‘our’ privacy notice only applies to FDAMH’s site. If you are concerned about information that you are asked for on other sites please check the privacy notices/policies of these.
 

Your rights

The General Data Protection Regulations (GDPR) gives you certain rights over your data and how ‘we’ use it. These include:

  • Right of Access. You have the right to find out if ‘we’ hold personal information about you and if so you have a right to gain access to that information.
  • Right to Rectification. If ‘we’ hold incorrect information about you, you have the right to have it corrected. You also have the right to give ‘us’ additional information where there are details missing from the information that ‘we’ hold.
  • Right to Erasure (“Right to be Forgotten”). In certain cases, you will have the right to ask for the data ‘we’ hold about you to be erased.
  • Right to Restriction of Processing. In certain cases, you have the right to ask ‘us’ to stop using your data.
  • Right to Data Portability. You have the right to ask for a copy of your information and you may be able to ask ‘us’ to transfer that information to another organisation.
  • Right to Object. In certain cases, you have the right to object to ‘us’ using your personal information. You may also object to the use of your data where it has been collected for direct marketing purposes.
  • Right to be Not Subject to Automated Individual Decision-Making. You have the right to prevent ‘us’ from making decisions about you that are based solely on rules used by computers (automated processing).
  • Right to Filing Complaints. You have the right to file complaints about how ‘we’ have used your personal data with the relevant data protection authorities (see below).
  • Right to Compensation of Damages. If ‘we’ breach applicable legislation on the use of your data, you have the right to claim damages from ‘us’ for any damage the breach may have caused you.

If you wish to exercise any of these rights please contact the Data Protection Officer in writing at FDAMH, Victoria Centre, 173 Victoria Road, Falkirk FK2 7AU or by emailing dpo@fdamh.org.uk

For more information about your rights go to the website of the Information Commissioner’s Office at ico.org.uk.

Falkirk & District Association for Mental Health or FDAMH Training Academy are not a ‘public authority’ as defined under the Freedom of Information Act and ‘we’ will not therefore respond to requests for information made under this Act; using the funds generously donated to ‘us’ by ‘our’ supporters for such activities is not in accordance with ‘our’ charitable purposes.