Client Privacy

Policy

City Hearts (UK) Limited is a registered charity that runs programmes to help vulnerable people and survivors of modern day slavery. You can find out more information about us here https://city-hearts.co.uk/.

This document (our “privacy notice”) sets out information relating to how we use personal information relating to our clients (we have a separate privacy notice which relates to non-clients e.g. donors and other individuals we interact with.  It also sets out information about what rights individuals have in relation to their personal information and various other matters required under data protection law.

In particular, this privacy notice provides information to individuals about how they can object to our use of their personal information, how they can withdraw any permissions they have given to us to enable us to process their personal information and how they can make a complaint. 

  • This privacy notice applies to: 

    • Our clients;

    In the sections below, when referring to the individuals listed above, we use the terms “you” or “your”. 

  • We take your privacy extremely seriously and want everyone who supports us or who comes to us for support to feel confident about how any personal information that they share will be looked after or used and to enable you to feel that your personal information is safe in our hands. 

    We will only use your personal information in accordance with data protection law applicable to England and Wales from time to time.

    Under data protection law, when we use your personal information, we will be acting as a data controller. Essentially, this means that we will be making decisions about how we want to use your personal information and why. 

    Below, we summarise the main rules that apply to us under data protection law when we use your personal information: 

    We must be upfront about how we intend to use your personal information and must use your personal information fairly. Providing privacy information to individuals (such as in this privacy notice) is one aspect of using personal information fairly. 
    We must only use your personal information if we have a legal basis to do so under data protection law. These legal bases include: 

    • That we need to use your personal information to perform a contract between us (or to take steps at your request prior to entering into a contract); 
    • That we (or someone else) has a legitimate reason for needing to use your personal information and those legitimate interests are not outweighed by your rights or interests. We must balance our respective rights and interests before we can rely upon this legal basis; and
    • We need to use your personal information to comply with laws we are subject to. 
    We must only use certain types of sensitive personal information (such as information relating to your health, racial or ethnic origin or religion, sexual orientation) if we can also satisfy one of the conditions for processing this type of information set out in data protection law. These conditions include:

    • As a not-for-profit body, it is necessary for us to process your personal data internally, in the course of our legitimate activities;
    • That the processing is necessary for reasons of substantial public interest. 
    • That processing is necessary to protect your vital interests; or
    • That you have given us your explicit consent.
    We are only permitted to share your personal information with others in certain circumstances and if we take steps to ensure that your personal information will be secure.
    Generally speaking, we must only use your personal information for the specific purposes we have told you about. If we want to use your personal information for other purposes, we need to contact you again to tell you about this. 
    We must not hold more personal information than we need for the purposes we have told you about and must not retain your personal information for longer than is necessary for those purposes (this is known as the “retention period”). We must also dispose of any information that we no longer need securely. 
    We must ensure that we have appropriate security measures in place to protect your personal information. 
    We must act in accordance with your rights under data protection law.
    We must not transfer your personal information outside the European Economic Area (“EEA”) unless certain safeguards are in place. One such safeguard is that [the personal data is only transferred to a country that has been approved by the European Commission as having an acceptable level of data protection law. 
  • How we will use your personal information, the legal bases we will rely upon, how long we will keep your personal information and other details will depend upon who you are and why we need your personal information in the first place.

    In this section, we provide specific privacy information relating to the different categories of individuals that this privacy notice applies to.

    Our Clients

    What personal information we will use  Your name;

    Your address;

    Your email address; 

    Your telephone number;

    Your date of birth;

    Photograph;

    Your gender;

    Your religion;

    Your racial origin;

    Information concerning your health;

    Information concerning your personal history which may include other sensitive information such as sexual orientation;

    Details of any criminal convictions;

    Images of you on CCTV and dates and times you access City Hearts premises;

    Details of any complaints you have made in relation to City Hearts services.  

    How we will obtain the personal information Information will either be provided by you when you apply to access our services or information about you will be provided from an external agency (e.g. referring agencies, NHS, Probation, social services) when you are referred to a City Hearts programme.

    CCTV images will be captured by automated CCTV recording cameras.

    What purposes we will use the personal information for We will use your name, address and other contact details to:

    • Communicate with you, and for administration purposes; and 
    • To provide you with information about what we are doing, this may include letting you know about services we offer now and hope to offer in the future. You can opt out of receiving this information at any time.

    We will use your name, date of birth, gender, information concerning your health, information concerning your personal history which may include other sensitive information such as sexual orientation to:

    • Facilitate your access to our services;
    • Provide you with appropriate services; 
    • Better understand your needs to provide you with the advice and support you require;
    • Understand trends in the issues our clients face to inform our practices, policies and procedures.

    We will process your personal data (including special category data) if required by law to do so, for example to comply with applicable laws, regulations, codes of practice or in response to a request from a competent authority.

    We use the information you provide about your religion and racial origin to enable us to support and facilitate your cultural and religious observations as part of our equality and diversity policy. 

    If you are in the Restore programme we use this information to facilitate your development if you opted into the Spiritual Stream of the program.  

    We use your criminal conviction information to ensure the safety of other staff and clients.

    We use images of you on CCTV to ensure the safety of yourself and other residents. 

    The legal bases for processing we rely upon Our use of your personal information to communicate with you, for administrative purposes and to communicate with you is based on our legitimate interests in ensuring that our services are run properly;

    Our use of your personal information to understand your needs as a client is based on your and our legitimate interests in ensuring that you are given the appropriate advice and support.

    Our use of your personal information to inform our practices, policies and procedures is based on your and our legitimate interests in ensuring that our services are appropriate and fit for purpose.

    Our use of your personal information for legal or regulatory purposes is necessary to enable us to comply with our legal and regulatory obligations. 

    Where we use special category information about you to:

    • Facilitate your access to our services;
    • Provide you with appropriate services; 
    • Better understand your needs to provide you with the advice and support you require;
    • Understand trends in the issues our clients face to inform our practices, policies and procedures.

    Processing is carried out in the course of our legitimate activities as a not-for-profit charity. On the condition that the processing relates solely to  clients, former  clients or persons who have regular contact us.

    Where we process your special category data which is relevant for the purposes of equality monitoring with 3rd party organisations outside City Hearts we will rely on the fact the processing is necessary for reasons of substantial public interest, namely, equal opportunity or treatment.

    If we consider that you or another individual may be at risk and we are required to process your special category personal data with a 3rd party organisation outside City Hearts we will where appropriate rely on the fact that:

    • It is necessary to process your personal information for reasons of substantial public interests, such as, preventing or detecting unlawful acts or safeguarding children or individuals at risk; or
    • It is necessary to protect your vital interests.

    In other circumstances where it is necessary to share your special category personal data with 3rd party organisations outside City Hearts we will obtain your explicit consent, save for where sharing your information is necessary to enable City Hearts to establish, exercise or defend a legal claim. For information about how to withdraw your explicit consent please go to this section.

    In relation to CCTV images we rely on legitimate interest in ensuring that you, other residents and our staff are safe.

    How long we retain the personal information and why  We usually keep records relating to clients for 7 years [after the end of your involvement with us]. This retention period is either required by law or is with the limitation period from bringing a contractual or personal injury claim.

    If there are any safeguarding issues relating to your involvement with us we will retain this information for 50 years [after the end of your involvement with us]. In accordance with the terms set out in our Insurance Policy.

    Consequences of not providing/permitting us to obtain personal information  Without the personal data we have outlined above we will be unable to provide you with access to our services.

     

    Engagement with us on social media

    Any social media posts or comments you send to us (on our Facebook page, for instance) will be shared under the terms of the relevant social media platform (e.g. Facebook or Twitter) on which they’re written and could be made public. Other people, not us, control these platforms. We are not responsible for this kind of sharing. So, before you make any remarks or observations about anything, you should review the terms and conditions and privacy policies of the social media platforms you use. That way, you’ll understand how they will use your information, what information relating to you they will place in the public domain, and how you can stop them from doing so if you’re unhappy about it.

  • In addition to data protection law, if we use your personal information to send you information for marketing purposes, we may also be subject to additional rules that regulate direct marketing. The term “direct marketing” essentially means directing marketing material or advertising at a particular individual.

    To ensure compliance with both data protection laws and the specific rules relating to direct marketing, we will only use your personal information to tell you about what we are doing. This may include letting you know about services we offer now and hope to offer in the future; providing you with information which may be of interest to you, news and events; and/or providing you with fundraising updates. We will do this with your consent and you can change your mind and remove or add your consent at any time (see how to unsubscribe below).

    We will retain your personal information unless and until you inform us that you no longer wish to receive direct marketing information from us. 

    You can ask us to stop sending direct marketing to you at any time by [contacting us using the details set out here or going to the “unsubscribe” section of our website.

    Information about automated decision making

    Automated decision making takes place when an electronic system uses personal information to make a decision without human intervention. 

    We do not undertake any processing activities which involve making decisions about you using automated means.

  • Sometimes, we will need to share your personal information with others. This section sets out details of who we will share your personal information with and why. It also tells you about our legal basis for doing so under data protection law and steps we will take to protect your personal information. 

    We will never sell your personal information on to third parties.

    Our service partners

    Information about our service partners
    • Our service partners are other organisations that we have entered into contract with. They include:
      • The Salvation Army;
      • The Home Office;
      • The NHS;
      • The police;
      • Legal Advisers;
      • The Department for Work and Pensions;
      • Her Majesty’s Revenue & Customs; 
      • Other agencies that may be necessary to provide you with services and support.
      • Local Authorities
    Why we need to share your personal information with our Service Partners The purpose for sharing your personal data with our Service Partners is to facilitate the services we provide to you and to ensure that you obtain the advice and support you need.
    The legal bases we rely upon when sharing your personal information  Sharing of personal data with our Service Partners will be:

    • That we need to use your personal information to perform a contract between us (or to take steps at your request prior to entering into a contract); 
    • That we (or someone else) has a legitimate reason for needing to use your personal information and those legitimate interests are not outweighed by your rights or interests. We must balance our respective rights and interests before we can rely upon this legal basis; 
    • That we need to use your personal information to comply with laws we are subject to.
    What precautions do we take?
    • Clients referred to us as part of our Victim Care Contract with the contract holder have their personal data stored on CMS which is a secure platform. Only City Hearts staff working with the clients and individuals in the Salvation Army (the contract holder) who fund the clients support have access to the information.
    • Outline safeguards for other clients e.g. data sharing agreements with policy/agencies etc.?

    Providers of information technology services

    Who will we be sharing your personal information with?
    • Suppliers of information technology products and services such as: 
    • IT helpdesk and IT maintenance work provider.
    • We haven’t included the names of our IT providers in this privacy notice because their identity will change from time to time. [However, if you would like further information about any of our current IT providers, [please contact us using the details set out here. 
    Why we need to share your personal information with such providers
    • We use suppliers of information technology products and services in connection with the supply, maintenance and/or improvement of our IT network and the creation, development hosting and maintenance of our website;
    • We use analytics and search engine providers to assist us to improve our website.
    The legal bases we rely upon when sharing your personal information 
    • We rely upon our legitimate interests in ensuring that our business can function properly and efficiently and that our IT network is secure;
    • The sharing of your personal data with analytics and search engine providers is based on our legitimate interests in having an efficient and user-friendly website.
    What precautions do we take?
    • We enter into contracts with our IT providers which require them to put appropriate security measures in place and which restrict their use of your personal information.


    Other third parties

    We may also need to share your personal information with others in the following circumstances:

    Legal or regulatory requirements On occasion, we may be required to disclose your personal information to organisations such as the courts or the police to comply with legal obligations we are subject to and/or to prevent fraud or crime. 
    Protecting our organisation From time to time we may need to disclose your personal information in connection with steps we need to take to protect our organisation’s interests or property. 
    Professional advice and legal action We may need to disclose your personal information to our professional advisers (for example, our lawyers and accountants) in connection with the provision by them of professional advice and/or the establishment or defence of legal claims. 
  • We will only send your personal data outside the EEA where we have your explicit consent to do so. 

  • We take various steps to protect your personal information while it is in our possession, including:

    • clients details are stored on our secure computer system and only those who work with you have access to it. 
    • We have implemented appropriate security measures to protect our IT infrastructure;
    • Encryption of personal information;
    • Pseudonymisation of personal information;
    • Implementation of internal data security policies and training for members of staff in relation to such policies;
    • Regular reviews of data security measures implemented by service providers who may handle your personal data.
    • CCTV recordings will only be accessed by employees and DBS checked volunteers on a ‘need to know’ basis.
  • Under data protection law, you have a number of different rights relating to the use of your personal information. The table below contains a summary of those rights and our obligations. More information about your rights and our obligations can be found on the ICO website https://ico.org.uk/. 

    Your rights What this involves What our obligations are
    A right of access  This is a right to obtain access to your personal data and various supplementary information.  We must provide you with a copy of your personal information and the other supplementary information without undue delay and in any event within 1 month of receipt of your request; 

    We cannot charge you for doing so save in specific circumstances (such as where you request further copies of your personal information). 

    A right to have personal data rectified
    • This is a right to have your personal information rectified if it is inaccurate or incomplete.
    We must rectify any inaccurate or incomplete information without undue delay and in any event within 1 month of receipt of your request;

    If we have disclosed your personal information to others, we must (subject to certain exceptions) contact the recipients to inform them, that your personal information requires rectification.

    A right to erasure
    • This is a right to have your personal information deleted or removed. 
    • This right only applies in certain circumstances (such as where we no longer need the personal information for the purposes for which it was collected).
    • We have the right to refuse to delete or remove your personal data in certain circumstances.
    If this right applies, we must delete or remove your personal information without undue delay and in any event within 1 month of receipt of your request;

    If we have disclosed your personal information to others, we must (subject to certain exceptions) contact then recipients to inform them that your personal information must be erased.

    A right to data portability This is a right to obtain and re-use your personal information for your own purposes;

    It includes a right to ask that your personal information is transferred to another organisation (where technically feasible).

    This right only applies in certain limited circumstances. 

    If this right applies we must provide your personal information to you in a structured, commonly used and machine reasonable form;

    Again, we must act without undue delay and in any event within 1 month of receipt of your request;

    We cannot charge you for this service. 

    A right to object  This is a right to object to the use of your personal information.

    The right applies in certain specific circumstances only. 

    You can use this right to challenge our use of your personal information based on our legitimate interests;

    You can also use this right to object to use of your personal information for direct marketing 

    If you object to us using your personal information for direct marketing, we must stop using your personal information in this way as soon as we receive your request. 

    If you object to other uses of your personal information, whether we have to stop using your personal information will depend on the particular circumstances. 

    A right to object to automated decision making This is a right not to be subject to a decision which is made solely on the basis of automated processing of your personal information where the decision in question will have a legal impact on you or a similarly significant effect.  Where such a decision is made, you must be informed of that fact as soon as reasonably practicable;

    You then have 21 days from receipt of the notification to request that the decision is reconsidered or that a decision is made that is not based solely on automated processing;

    Your request must  be complied with within 21 days. 

    A right to restrict processing  This is a right to ‘block’ or suppress processing of your personal information.

    This right applies in various circumstances, including where you contest the accuracy of your information.

    If we are required to restrict our processing of your personal information we will be able to store it but not otherwise use it. 

    We may only retain enough information about you to ensure that the restriction is respected in future. 

    If we have disclosed your personal information to others, we must (subject to certain exceptions) contact them to tell them about the restriction on use. 

    If you wish to exercise any of your rights you can make a request by contacting us using this email address Data.Protection@cityhearts.co.uk

    If you request the exercise of any of your rights we are entitled to ask you to provide us with any information that may be necessary to confirm your identity.

  • If you have given us your consent to use any of your personal information, you can withdraw your consent at any time. To do so, please contact us using this email address Data.Protection@cityhearts.co.uk.

  • We have appointed a Data Privacy Manager to oversee our compliance with data protection law and this privacy notice. Her details are set out below. If you have any questions about this privacy notice, how we handle your personal information or if you wish to make a complaint, please contact our Data Privacy Manager. 

    You can get in touch with us in the following ways: 

    Name Louise Durham
    Email address Louise.durham@cityhearts.co.uk
    Phone number  +44 (0)114 213 2061
  • If we are unable to deal with a complaint to your satisfaction or if you are unhappy with the way we are using your personal data, you also have the right to make a complaint at any time to the UK’s supervisory authority for data protection issues, the Information Commissioner’s Office.

  • We may update this privacy notice from time to time. If we make any substantial updates, we will provide you with a new privacy notice. We may also notify you in other ways from time to time about the processing of your personal information. 

City Hearts Privacy Notice- Client: 1 | Reviewed: August 2019 | Responsible Contact: Louise Durham