This page details how Community Roots and Southdown (our lead provider) collect and process your data in accordance to The General Data Protection Regulation 2018 (GDPR). It also details your rights and how to request the data we hold about you.
What is data protection?
The General Data Protection Regulation 2018 (GDPR) sets out rules for processing personal information. The Regulation applies to personal information we might hold about you on paper files and on computers. The GDPR states that those who record and use personal information must ensure that it is handled properly. The General Data Protection Regulation (GDPR) alters how we can handle information and gives individuals more control over their information. It creates new rights and increases data management obligations for organisations like us. We are required, under the GDPR, to ensure that personal information is:
• Fairly and lawfully processed.
• Processed for limited purposes.
• Adequate, relevant and not excessive.
• Accurate and up-to-date.
• Not kept for longer than is necessary.
• Processed in line with your rights.
• Not transferred to other countries without adequate protection.
GDPR also allows you to find out what personal information is held about you. The Information Commissioner’s Office (ICO) is responsible for regulating, enforcing and promoting good practice and transparency in the access and use of personal information. GDPR is a pan-European law that governs EU organisations that collect, store or process personal data on people within the EU, regardless of their citizenship. The UK Government also created a new Data Protection Act (2018) which largely encompasses GDPR.
Organisations have to notify the ICO of all the purposes for which they will be processing information. We are a happy to supply you with a copy of Southdown’s notification upon request or you can contact the ICO by calling 0303 123 1113, or writing to Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.
You can find out more information online at www.ico.org.uk
What information does Southdown collect and how do we use it?
We collect different types of information such as:
• Personal data, for example, your name, address and contact details.
• Date of birth.
• Information about your support, care, health and housing needs
• Income and benefit details
We collect information for a number of other reasons, including:
• Monitoring diversity and equality.
• Research and statistical analysis.
• Prevention and detection of crime.
• Regulatory purpose.
• Law requirements.
We may collect “sensitive” personal information which includes details about your age, ethnicity, religion, sexual orientation and any medical conditions. We understand that you may not feel comfortable answering some of these questions and consider them private. We ask these questions to make sure that we do not discriminate against any of our customers and because we recognise that a person’s age, disability, ethnic origin, religion, sexual orientation or medical condition may affect the services they need. Understanding the diversity of our clients is very important to us and helps us work towards providing services and homes that meet people’s needs. If you feel uncomfortable providing this “sensitive” information, you can say no.
How do we take care of your personal information?
Information is held securely in paper files and on our protected computer systems. Access to information is limited to only staff that need to see your information, in line with the support we are offering you. We use the information to deliver a service to you. There may be occasions when we have to share information with others (e.g. with housing departments, other support providers, the government, regulators and social services) to enable us to deliver our services and fulfil our legal and contractual obligations. Where we are legally required to do so, we will share information in the following circumstances:
• Prevention or detection of crime.
• Apprehension or prosecution of offenders.
• Assessment or collection of tax or duty owed to customs and excise.
• In connection with legal proceedings.
• To comply with the law.
What are your rights?
If we hold personal information about you, you have the right to ask us:
• What we use the information for.
• To provide you with a copy of the information you are entitled to.
• To supply you with given details of the purposes for which the organisation uses the information and who it is shared with.
• For incorrect information to be corrected.
• For information we hold about you to be erased or transferred to another person or organisation.
Subject Access Request (SAR)
To see the information we hold about you, you can ask your worker or the service’s manager for a Subject Access Request form. Once you have completed the form either return it to them or, if you are no longer receiving a service, send it to the Data Protection Officer at the Head office in Lewes with:
• A detailed description of what information you are requesting.
• Two proofs of identity: one with your name and address (e.g. a recent utility bill) and one to confirm your name and date of birth (e.g. a copy of your driving license or birth certificate).
If you fail to supply this information, we may not be able to respond to your request.
What if someone is acting on your behalf?
If you have asked someone to act on your behalf (such as the Citizens Advice Bureau or a relative) you will be asked to supply an Authority to Act form, which you can get from the agency acting on your behalf.
What information will be sent to me?
You will be supplied with the personal information we hold on you which you are entitled to receive. If you feel we have not supplied you with information which you were expecting then please contact us.
How long will it take to receive the information?
We have 28 calendar days from the date we receive the completed Subject Access Request form, proof of identity and enough detail from you to locate the information you are requesting. However, we will try to give you the information as soon as possible.
What do I do if I think that the information provided is incorrect?
If you think the information provided is incorrect, you should contact Southdown’s Data Protection Officer in writing, explaining what you believe is incorrect and why. You will receive a letter from us within 21 calendar days, letting you know if we have or haven’t changed the information and why. The GDPR describes inaccurate information as being “information which is incorrect or misleading as to any matter of fact”.
What do I do if I feel my information is not being processed correctly?
If you feel the information we hold is not being processed correctly, please discuss with your worker or your service’s manager. If you are still concerned contact the Data Protection Officer in writing who will carry out an assessment and respond to you within 21 calendar days.
What do I do if I am dissatisfied with the service?
If you are dissatisfied with the service, you can submit a complaint through Southdown’s formal complaints procedure. You can also raise your concerns with the Information Commissioner who will consider if we have broken any of the data protection principles and whether or not we are processing information in accordance with the General Data Protection Regulation. Southdown’s Data Protection Officer is Vikki Hayward-Cripps, Deputy Chief Executive. Vikki can be contacted by phone 01273 405 800 or by email firstname.lastname@example.org