The Passionate about Sexual Health (PaSH) Partnership) is a collaboration between BHA for Equality, George House Trust and the LGBT Foundation. The PaSH Partnership delivers a comprehensive programme of interventions to meet the changing needs of people newly diagnosed with HIV, living longer term with HIV or at greatest risk of acquiring HIV.
For the purpose of this policy, George House Trust, BHA for Equality and LGBT Foundation (The PaSH Partnership) are Joint Data Controllers.
The PaSH Partnership is committed to protecting the rights and privacy of service users, staff, and other stakeholders, where personal data is held, in accordance with the General Data Protection Regulation (GDPR). The Regulation, effective from 25th May 2018, protects the rights and privacy of individuals and gives more control over how data is used and gathered, giving better protection overall of personal data.
In carrying out the work of the PaSH Partnership, personal data is recorded and processed about people who receive advice or support services from us; about those who attend our training courses or activities and events; about visitors to our website and about those who work for us.
We are committed to protecting personal data and being transparent about what information we hold. This Policy has been developed to help set out how personal data will be treated where there is either online or in-person engagement.
It’s important that everyone we work with knows about, and has confidence and trust in, how we record and process their personal data. We are committed to ensuring that we use the information shared with us in accordance with all applicable laws concerning the protection of personal data.
The Policy applies to staff and covers any person who has provided their personal data to The PaSH Partnership, be they staff, volunteers, service users, or third parties.
This Policy sets out:
what information we may collect about individuals;
By signing up to the PaSH Partnership’s campaigns and using our services, the respective Privacy Notice is deemed to be accepted and authorisation given to The PaSH partnership to collect, store and process personal data in the ways set out. Data processing may include obtaining, recording, retaining, disclosing, destroying, or otherwise using data.
George House Trust is registered as a data controller with the Information Commissioner’s Office under the Data Protection Act 1998 under the registration number Z2788095.
BHA for Eqaulity is registered as a data controller with the Information Commissioner’s Office under the Data Protection Act 1998 under the registration number ZA327535.
LGBT Foundations is registered as a data controller with the Information Commissioner’s Office under the Data Protection Act 1998 under the registration number Z8069952.
As The PaSH Partnership’s Lead Organisation, The Data Protection Lead at BHA for Equality is accountable for ensuring that all personal data is processed in compliance with this Policy.
Qurab Ahmed, Data Protection Lead, BHA, 609 Stretford Road, Old Trafford, Manchester, M16 0QA
Telephone: 0845 450 4247
This type of information does not identify the individual, but it does help us to improve our services. When visitors look around our website, we record things like their IP (internet protocol) address – the unique number of the device being using to access our website, which pages are visited (on our website only), when they were visited, and the type of device being used. This information helps us create a better experience for everyone who uses our website. Examples of the type of information that can be collected using an IP address include the type and version of browser, and the location from which the site is being accessed. This helps us improve how our page templates appear and change content to make it relevant to our website visitors.
This means any information that may be used to identify individuals, such as:
We sometimes also collect sensitive information about individuals. This includes information about health (which may include HIV status), religion, sexuality and ethnicity.
We will normally only record this data where we have explicit consent, unless we are permitted to do so in other circumstances under data protection law. For example, we may make a record that a person is in a vulnerable circumstance to comply with legal requirements.
Children and young people.
Protecting children's privacy is paramount. However, to deliver a service we need to collect and manage personal data about children and young people and aim to manage it in a way which is appropriate to the age of the child.
Information is usually collected when we are working directly with children and young people. Consent from a parent or guardian, if the child is under 16, or consent from the young person, if they are aged 16 or over, is required before collecting personal data.
We collect information in the following ways:
When it is given to us DIRECTLY
We collect personal information for many reasons, for example to provide a service, to communicate information and send information that’s has been requested, and to run campaigns. Depending on how individuals interact with us, we may process data when they:
This information may be collected via any paper forms that are completed, telephone conversations, emails, face-to-face interactions, digital forms completed via our website, online surveys, publicly available sources, or communication via social media.
When it is collected at the time of using our WEBSITE
Where anyone is receiving support from us we will need to process their personal data because of the specific relationship with us. We use a Customer Relationship Management system (CRM) to support our work. This means that we can keep the information provided to see the history and relevant details of our work, and the interactions that have taken place.
When we work either face to face or by phone with service users relevant notes may be taken of the information that is given to us and recorded on our database. Where communication is by email, these will be recorded on our database. This information is used to enable us to provide the most appropriate and relevant support. It is also used for quality assurance, complaint investigations, to support our policy work, to fulfil our obligations to our funders, and for anonymised statistical reporting. Individuals are informed of this before any data collection occurs.
We keep service users up to date about our activities, including information sessions. We use a range of methods to keep in touch including our website, email, telephone calls and occasionally by post. We will always gain consent to make contact and request contact preferences.
Individuals can withdraw consent, unsubscribe, or update their contact preferences at any point.
We must have a lawful basis to collect and use personal data under data protection law. The law allows for six ways to process personal data. The PaSH Partnership processes data on the basis of:
Personal data may be shared internally, with The PaSH Partnership’s staff members for purposes including project administration, service delivery, HR, health and safety, insurance and events.
Personal data will not be shared with a third party – except where:
We will never share or sell personal data to a third-party organisation for marketing, fundraising or campaigning purposes.
The PaSH Partnership takes the security of personal data seriously. The PaSH Partnership’s member organisations’ internal policies and controls are in place to protect personal data and to prevent loss, accidental destruction, alteration, misuse, disclosure, or unauthorised access. Where necessary we implement appropriate network access controls, user permissions and encryption to protect data. For example, using trusted third-party suppliers to provide secure pages on the website for a clinic referral.
The PaSH Partnership recognises that sending information via the internet is not completely secure, and although we will do our best to protect personal data, we cannot guarantee the security of the data sent to our website on standard pages. Once information has been received, procedures and security features are in place to try to prevent unauthorised access.
We will only retain personal information for as long as necessary to fulfil the purposes for which it was collected. The length of time personal data is kept, depends on the reasons for processing it, on the law or regulations that the information falls under, such as financial regulations, Limitations Act, Health and Safety regulations, or on any contractual obligation which may be in force, such as with government contracts. For business case data, the data will be anonymised so no individual is identifiable.
Data will be retained in line with the organisations Record Retention Policy. Once the retention period has expired, personal data will confidentially be disposed of or permanently deleted.
Where consent has been given for The PaSH Partnership to use personal data, there is always a right to withdraw consent at any time.
If changes are made to consent, records will be updated as soon as we possibly can. Email communications will be stopped immediately where unsubscribe is clicked or if communication preferences are updated online.
Requests for updates to contact preferences received by email, given by phone or in person may take up to 30 calendar days to process, including stopping any postal communications.
Individuals have a right to access their personal data and to have any inaccuracies corrected. There is no fee to pay for accessing personal data. However, if it is believed that the request is unfounded, or excessive, a reasonable charge may be made or a refusal to comply with the request given. Where an individual wishes to exercise these rights, they may need to prove their identity with two pieces of approved identification. Any request will receive a response within 30 calendar days.
Individuals also have the right to request that personal data is erased; to object to the processing of their personal data and for a restriction on processing their personal data. Any request will receive a response within 30 calendar days.
Any suspected breaches to this Policy will be reported in the first instance to the Finance Director, as the person accountable for ensuring compliance with this Policy.
Where an individual believes that George House Trust has not complied with their data protection rights, they can complain to the Information Commissioner's Office (ICO)