At Wiltshire Mind we want everyone who receives a service from us, supports us, or works with us to feel confident and comfortable about how we use and protect any personal information that is shared with us.
This notice sets out how we collect your personal information, what we do with it, how we keep it secure and explains your rights in relation to any personal information that we hold about you. This policy applies to service users, fundraisers, supporters, funding organisations, job and volunteer applicants, suppliers and website users.
1.1 About us
For the purposes of the Data Protection Act 2018 and the General Data Protection Regulations (GDPR) 2018, we are registered with the Information Commissioner’s Office as a ‘data controller’ under registration number Z1740283. This means that we are responsible for the processing of your personal information.
For further information about our privacy practices, you can contact us in the following ways:
Call: 01225 706532
Write to: Data Protection Team, Wiltshire Mind, Part 1st/2nd Floor, 21-23 High Street, Melksham, Wiltshire SN12 7JY
2. How we collect information about you
Everything we do, we do to ensure that we can help people experiencing a mental health problem get both support and respect. We collect information from you in the following ways:
When you interact with us directly: This could be if you use one of our services, ask us about our activities, register with us for training or an event, make a donation to us, ask a question about mental health, apply for a job or volunteering opportunity or otherwise provide us with your personal information. This includes when you phone us or get in touch through the post, or in person.
When you interact with us through partners: This could be if you access a service which we deliver in partnership with another trusted organisation.
When you interact with us through third parties: This could be if you provide a donation through a third party such as Just Giving and provide your consent for your information to be shared with us.
When you visit our website: If you use our website to find information about us and our services.
3. Information we collect and why we use it
In order to provide our mental health services, we collect personal information about people who use our services, people who support us through fundraising, people who work or volunteer for us and people we work in partnership with. Personal information includes details such as your name, date of birth, email address, postal address and sometimes more sensitive data. We must have a ‘lawful basis’ upon which to process your personal data. Further details are provided below.
3.1 Service Users
When you first contact us, we will collect initial information such as your name, phone number and email address in order to contact you about the services we are able to offer you. We will collect this upon the basis of ‘legitimate interest’.
If you choose not to use any of our services further, we will store this information for no longer than 6 months.
3.2 Support Groups
If you wish to attend one of our support groups, we will collect your name, date of birth, phone number, postal address and email address on a registration form. We need this in order to contact you about the service. We will also ask you about your health which enables us to provide you with the most appropriate support. When you attend a group, we will record your name on the attendance register at each session. We will collect this on the basis of ‘legitimate interest’ as we are unable to provide our services without this information.
When attending the group, you might choose to disclose personal details about your life; this information is generally not recorded. However, in certain circumstances if we are concerned about serious risk of harm to you or others, or the safeguarding of a child or vulnerable adult, we may complete an internal report about this so that we can decide if further action is needed. We will record this data on the basis of either ‘legal obligation’ or ‘vital interests’ depending on the circumstances.
We will store your data for no longer than seven years from your last attendance at a group.
If you wish to receive one-to-one counselling, we will collect your name, date of birth, phone number, postal address and email address in order to contact you. We will also ask for an emergency contact name and number in case you become unwell during a session or we have serious concerns about your wellbeing.
We will undertake an initial assessment which may include details of your life, events that have happened to you, losses and traumas and how this has impacted your mental health. This information enables us to provide you with the most appropriate support.
Once you are allocated a counsellor, we will ask you to sign a counselling contract which outlines the boundaries of the relationship. From this point we will keep minimal notes about the content of your sessions; these are used to help and support you and are also required by our professional body and insurance company.
We will store your contact details (email, address, phone number and emergency contact) for one month after your final session. For adult clients, we will store your name, date of birth and counselling notes for no longer than seven years from your last session. For children and young people, we will store records for seven years, or until the child reaches age 21, whichever is longer.
We will collect and store this data on the basis of ‘contract’ because you have asked us to provide you with a service which is underpinned by a counselling contract.
3.4 Feedback from Service Users
From time to time, we may ask our service users to provide anonymous comments and feedback about our service. We use this to make improvements to our services and to highlight the effectiveness of our service to support funding and grant applications. We will only use feedback that has been given freely and will never include your name or other personally identifiable information when sharing this feedback.
We will store this information for no longer than two years. This information will be collected under ‘legitimate interest’ as it supports us in operating our service.
If you are supporting us, for example by making a donation or holding an event, we may collect data about your identity and any other information you choose to provide us with which is relevant to the fundraising. We may ask if you are happy for us to share details of the fundraising on our website and social media pages.
We may also wish to contact you with information about our work, such as forthcoming events or other ways you can support us. However, we will only use your information in this way if we have your consent to do so. We will always let you know how you can stop receiving communications from us, for example with ‘unsubscribe’ information at the bottom of emails.
We will collect this data on the basis of ‘consent’ and store it for no more than three years from the date we last contacted you, unless you ask us to delete your information sooner.
If you have agreed to us claiming Gift Aid on your donation, we will need to collect your name, postal address, phone number and email address in order to process this. We will collect this data on the basis of ‘legitimate interest’ and will need to store your data for up to seven years in order to support our claim.
If we are in contact with you when applying for funding or grants, we may collect your name and contact details in order to make contact with your organisation both now and in the future.
The basis for holding this information is ‘legitimate interest’. We will store this information for no longer than seven years from our last contact with you.
3.7 Partnerships and Training Services
If we are working in partnership with you or your organisation in order to deliver mental health services, we may collect your name and contact details in order to fulfil our shared agreement.
If you have asked us to provide a specific service, for example mental health awareness training, we will collect your name and contact details in order to fulfil our agreement with you. If the training is for a group or organisation, we may also need to collect the names of all attendees.
The basis on which we hold this information is ‘contract’. We will store the information for no longer than seven years from when our work with you has ended.
3.8 Website Users
If you use our website to find information about us and our services, we may gather general information about your usage, including which pages you visit most often and which services, events or information are of most interest to you. This information is used to help us make improvements to our website and to provide the best service and experience for you.
We use ‘Cookies’ on our website. This is a name for a small file, usually of letters and numbers, which is downloaded onto your device, like your computer, mobile phone or tablet when you visit a website. They let websites recognise your device, so that the sites can work more effectively. We use this information on the basis of ‘legitimate interest’.
We use different types of cookies:
• Strictly necessary cookies are essential for you to move around our website and to use its features.
• Analytical or Performance cookies collect anonymous information about how you use our site, like which pages are visited most. This helps us to improve the way our website works.
• Functionality cookies collect anonymous information that remembers choices you make to improve your experience, like your text size or location. They may also be used to provide services you have asked for such as watching a video or commenting on a blog.
You can opt out of cookies when you use our website, but if you refuse all cookies, our website may not function for you as we would like it to.
If we ask you to provide goods and services to us, we may need to collect your name and contact details in order to make on-going contact with your organisation. We will hold this information upon the basis of ‘legitimate interest’.
We will store this information for no longer than seven years from our last contact with you.
3.10 Job Applicants
If you apply for a job or volunteering role with us, we will ask you to complete an application form which will include your name and contact details, your work history, qualifications and other relevant details. We use this in order to assess your suitability for the role and will hold this on the basis of ‘legitimate interest’.
If you are unsuccessful, we will hold this information for six months from the last contact we have with you. If you are successful in your application, we will collect additional information about you; however, you will be provided with a separate privacy notice which applies to staff and volunteers.
3.11 Meetings and Conferences Attendees
If you attend a meeting or conference organised by us, we may need to collect your name and contact details in order to communicate with you about the event. We will hold this information upon the basis of ‘legitimate interest’. We will store this information for no longer than seven years from the date of the event unless you have indicated you would like to receive future communications from us.
If the meeting you attend forms part of our governance proceedings, your name will be included on the formal record of the meeting which will be kept for the duration of the charity. We will hold this information on the basis of ‘legal obligation’.
3.12 Statistical Information
We may collect statistical information about our service users including information such as gender, age or ethnicity. These statistics are used to enable us to report on our services, or to support funding applications. The data is fully anonymised and does not contain information which could identify anyone personally, neither is it stored alongside files which contain personally identifiable information. Therefore, this is not considered personal information for the purposes of data protection laws.
We will only contact you about our work and how you can support us if you have previously agreed for us to contact you in this manner. You can update your choices or ask us to stop sending communications at any time by contacting us using the details provided in section 1.
We will not share your data with any third-party marketing organisations.
5. Sharing your information
The personal information we collect will only be used by our staff, volunteers and trusted partners, and only for the purpose of performing their role. If you ask us to share your information, for example to provide a letter summarising that you are attending counselling, we will either provide the information directly to you or ensure we have your written consent before we share it with a third party.
In exceptional circumstances, we might have an ethical or legal duty to share information about our service users, as follows:
• If we are concerned there is a risk of serious harm to you or another person, we may need to contact your GP or the emergency services. If we are concerned about the safeguarding of a child or vulnerable adult, we may need to contact the appropriate authority. In either of these situations, we would aim to discuss this with you first; however, this may not always be possible.
• If we believe an offence has been committed under certain laws, we are required to report this to the authorities without your knowledge. This includes acts of terrorism, money laundering, involvement in drug trafficking, and acts of female genital mutilation on a person under the age of 18. In such situations we are obliged to do so without your knowledge.
We use some third parties to support our operation, such as our website hosting, provision of our IT and accounting services. We have contracts in place with our data processors which means that they cannot do anything with your personal information unless we have instructed them to do it. They will not share your personal information with any organisation apart from us. They will hold it securely and retain it only for the period we instruct.
6. Keeping your information safe
We take looking after your information very seriously. We have appropriate technical and organisational security measures in place to protect the personal information we have under our control from improper access, use, alteration, destruction and loss.
In the unfortunate event that we experience a data breach which impacts some or all of your data and we think this could result in a high risk to your individual rights and freedoms, then we will inform you directly as soon as we can.
7. How long do we keep your personal data?
We only keep your information for as long as is reasonable and necessary for the relevant activity and to meet our statutory obligations. When the retention period has been reached, we will securely dispose of the information, either by shredding physical copies or permanently deleting electronic copies.
8. Your Rights
Under data protection law, you have various rights in respect of the personal information we hold about you – these are set out in more detail below. If you wish to exercise any of these rights, you can do so by contacting us using the details in section 1 above. We will respond to your request within 30 days.
8.1 The right to be informed – When we collect personal information about you, we must provide you with a copy of our privacy notice within a reasonable time and at least within 30 days. This will usually be done by providing a link to it on our website.
8.2 The right of access – You may ask us for a copy of the personal information we hold about you. This is often known as a subject access request. We prefer that you make such requests in writing using the email or postal address listed in section 1 above. If this isn’t possible, you have the right to request this verbally. We may ask you to provide proof of identity before we can complete your request.
8.3 The right to rectification – You may ask us to change any inaccurate or incomplete data that we hold about you. You may also ask that we restrict the processing of your data whilst we consider your request.
8.4 The right to erasure – You may ask us to delete your personal information where it is no longer necessary for us to hold it, where you have withdrawn your previous consent, or where we have no lawful basis for keeping it.
8.5 The right to restrict processing – You may ask us to restrict or suppress the processing of your personal information, meaning that we may still store it but cannot actively use or process it.
8.6 The right to data portability – You can ask us to provide you or a third party with some of the personal information that we hold about you in a structured, commonly used, electronic form, so it can be easily transferred. This does not apply to any records we hold about you in paper format.
8.7 The right to object – You have the right to ask us to stop using your information for marketing purposes. You may also object to us processing your personal information where we rely on legitimate interest as our lawful basis for doing so. We will review each request on a case by case basis and if we are unable to meet your request we will clearly explain why.
8.8 Rights in relation to automated decision making and profiling – You have additional rights about automated decision-making and profiling. However, we do not process information in this way.
Some of these rights only apply in certain circumstances. If we are unable to carry out your request to exercise any of these rights, we will clearly explain the reason to you.
8.9 The right to complain – If at any stage you are unhappy with how we are processing your information and we have been unable to resolve this between us, you have the right to complain to the UK supervisory authority which is the Information Commissioner’s Office. Further information can be found at https://ico.org.uk/make-a-complaint/ or by calling 0303 123 1113.
9. Changes to this Policy
From time to time we may make changes to this policy. Any significant changes to this policy or to the way we treat your information will be communicated via our website or listed below.
9.1 November 2020 – Updates made to most sections to provide more detail of how we process information.