This Privacy Notice sets out what personal data we, People First (PF) and/or the Direct Payments Team, collect about you and how we use it when you first contact us and thereafter. It applies to anyone who contacts us to enquire about us or our services. (referred to as ‘Service User’ or ‘you’).
Please note that we will not necessarily hold, use or share all of the types of personal data described in this Privacy Notice in relation to you. The specific types of data about you that we will hold, use and share will depend on the services you are asking about or using and your individual circumstances.
We are required by data protection law to give you the information in this Privacy Notice. It is important that you read the Privacy Notice carefully, together with any other similar or additional information that we might give you from time to time about how we collect and use your personal data.
This Privacy Notice does not give you any contractual rights. We may update this Privacy Notice at any time.
Who is the controller?
People First, Milbourn Street, Carlisle, Cumbria, CA2 5XB is the “controller” for the purposes of data protection law. This means that we are responsible for deciding how we hold and use personal data about you.
Our main activities comprise:
- independent advocacy services
- providing information and advice to the general public about local health and social care services
- making the views and experiences of members of the general public known to health and social care providers
- enabling and empowering local people (including those with learning and other disabilities) to have a voice in the development, delivery and equality of access to local health and care facilities and services
- providing training and the development of skills for volunteers and the wider community in understanding, scrutinising reviewing and monitoring local health and social care services
- conducting investigation and research into relevant health and social care issues
- providing conference facilities and related training programmes in support of social inclusion
Our purposes are to:
- Deliver our services
- Manage our relationship with you
- Develop new ways to meet our service users’ needs
- Improve our service delivery
- Keep internal records
- Send promotional emails about events or other information which we think you may find interesting
- Provide information about People First and enable contact with us through our websites
- Enable individuals to make donations of money to us to assist us in our work
What is personal data?
Personal data means any information relating to a living individual who can be identified (directly or indirectly) in particular by reference to an identifier (e.g. name, address, email address, physical features). It can be factual (e.g. contact details or date of birth), an opinion about an individual’s actions or behaviour, or information that may otherwise impact that individual in a personal or business capacity.
Data protection law divides personal data into two categories: ordinary personal data and special category data. Any personal data that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, physical or mental health conditions, sexual life or sexual orientation, or biometric or genetic data that is used to identify an individual is known as special category data. (The rest is ordinary personal data).
Legal grounds for using your personal data
Data protection law says that we must have a legal basis for collecting, holding and using ordinary personal data and an additional legal basis if we process special category personal data. We must tell you what these are.
What personal data do we hold about you and why?
When you first contact us, we collect, hold and use the following types of ordinary personal data about you:
We do this so that we can respond to you appropriately.
The legal bases we use for this are:
- You have given your consent to the processing (consent). By asking us a question you are giving your implied consent for us to use your details to respond to you.
- We need it to take steps at your request in order to enter into a contract with you (entry into a contract), because you may be asking us if we can provide services for you.
- It is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests (legitimate interest). For example, it is in our legitimate interests to monitor the number of visits to our website.
If you give us any special category personal data when you contact us, for example about your health or that of someone you represent, the legal basis we use for keeping it is your consent (explicit consent).
When you are a service user, a supporter or a referrer, we collect:
- Personal information to enable us to provide one or more of our services described above.
- We may also receive information disclosed by partner organisations where permission has been given. This may include special category personal data in respect of health conditions and other personal circumstances where relevant, including mental capacity.
The legal bases we use for processing your ordinary personal data are:
- You have given your consent to the processing (consent). In this instance it will be for marketing our services, sending newsletters etc.
- We have entered into a contract with you (entry into a contract).
- The processing is necessary for compliance with any legal obligations to which we are subject, other than an obligation imposed by contract (legal obligation), for example if there is a safeguarding issue.
- The processing is necessary in order to protect the vital interests of the data subject (vital interests). For example, if you fall ill whilst we are providing services to you.
- It is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests (legitimate interest). For example, it is in our legitimate interests to try to improve our services.
When you donate through a third party, this third party will ask if you wish your identity to be revealed to us. If you give your consent for this we will be given, hold and use the following types of ordinary personal data about you:
- Your name.
The legal bases we use for processing your ordinary personal data are:
- You have given your consent to the processing (consent). By giving your consent to the third party to pass your name to us you are giving your implied consent for us to use your details to respond to you.
- It is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests (legitimate interest). It is in our legitimate interests to know who is supporting us.
We use Just Giving to manage donations. Just Giving is a specialist service provider and processes data in accordance with its own professional obligations. We recommend that you read their privacy notice.
In addition, the legal bases we use for processing your special category personal data are:
- You have given your explicit consent to the processing of the personal data for one or more specified purposes.
- processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or the data subject in the field of employment and social security and social protection law.
- processing is necessary to protect the vital interests of the data subject or another natural person where the data subject is physically or legally incapable of giving consent.
- processing is necessary for the establishment, exercise or defence of legal claims or wherever courts are acting in their judicial capacity.
Who do we give your personal data to?
We will only disclose your personal information where we have your consent to do so, or where there is another legal reason to make the disclosure – for example, we may disclose information to CQC or a local authority where we think it is necessary to do so in order to protect a vulnerable person from abuse or harm.
We currently use, but are not limited to:
|White Bear / H&H||Website provision & maintenance|
|Microsoft 365/ TEAMS / David Allen IT||Email and IT provision|
|Online Systems||Phone provision|
|Sage Payroll, Sage HR and Sage Accounts*||Finance and HR|
|Indeed, News Quest*||Recruitment agency (e.g. indeed)|
|Royal London *||Pension|
|Facebook and Twitter and Instagram*||Social networking|
|Unity Trust Bank*||Banking|
|Home Office*||Verification of right to work|
* Please be aware that these organisations are data controllers in their own right, and by using any of them People First and you are subject to its privacy notice.
Consequences of not providing personal data
We only ask you to provide personal data that we need to enable us to provide appropriate services to you. If you do not provide particular information to us, then we will have to make a decision on whether or not we can provide those services which in some cases could result in us deciding not to do so.
If you choose not to provide us with personal data requested, we will tell you about the implications of any such decision at the relevant time.
How long will we keep your personal data?
If we have a legal obligation to keep your personal data for a specific length of time, we will tell you when we collect it.
Everything else is kept for 7 years after your last contact with us.
If we have a contract with another organisation we keep the personal data specific to that contract for as long as it tells us to. Again, we will tell you when it is collected.
You can see our retention policy on our website or request a copy by contacting us.
Our use of third party software
If you visit any of our websites your personal data is being collected.
We use google analytics, a web analytics service provided by Google, Inc. Google Analytics sets a cookie in order to evaluate your use of our website and compile reports for us on activity on it.
Because we use Google, your personal data is classed as being disclosed to them.
Google stores the information collected by the cookie on servers in the United States. People First has ensured that the states where the servers are held have sufficient protections in place to meet UK GDPR stipulations, usually by use of a standard contractual clause. Google may also transfer this information to third parties where required to do so by law, or where such third parties process the information on Google’s behalf. Google will not associate your IP address with any other of your personal data held by them.
You can set preferences for how Google advertises to you using the Google Ad Preferences page, and if you want to you can opt out of interest-based advertising entirely by cookie settings or permanently using a browser plugin.
We will retain personal data on our secure systems for no longer than necessary and in accordance with our record retention policy.
There may be links to the websites of other organisations on People First’s website. Please be aware that we have no control of and cannot be held responsible for how your personal data may be used if you follow these links.
We will always take necessary steps to ensure that your information is protected and treated securely. Any details you give us will be held in accordance with the UK General Data protection Regulation (UK GDPR), and our data protection confidentiality and IT security policies and procedures. If you would like to see any of these please contact us at the address given.
Where we use organisations that are either based outside the UK or where servers are outside the UK, we make sure that it is protected in the same way as if it was being used in the UK . To do this we will use one or more of these safeguards:
- Provisions are in place which permit the transfer of personal data from the UK to the EEA and to any countries which, as at 31 March 2022, were covered by a European Commission ‘adequacy decision’ or have been assessed as adequate by the Secretary of State together with the ICO.
- For additional transfers we will implement appropriate safeguards to protect your personal information, transferring it in accordance with an applicable transfer mechanism, including use of the ICO’s standard contractual clauses.
- You can find out more about these safeguards on the ICO website.
When we are contracted to do work for another organisation
Much of the work done by People First is commissioned by other organisations, such as Healthwatch Lancashire and Healthwatch Cumbria which are the independent consumer champions for health and social care in Lancashire and Cumbria respectively. Local Healthwatch are part of Healthwatch England, a statutory committee of the Care Quality Commission.
When we act under instruction from another organisation we are the data processor and the other organisation the data controller. There will be a contract in place which will tell us what to do with your information.
If any of your personal data is being used for a purpose that is not controlled by us, you will be given a different privacy notice by the data controller which will tell you all about it. If the other organisation tells us to use our own privacy notice we will tell you this, and who the data controller is.
Your rights are unlikely to be affected if your information is used in this way.
You have a number of legal rights relating to your personal data, which are outlined here:
- The right to make a subject access request. This enables you to receive certain information about how we use your data, as well as to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.
- The right to request that we correct incomplete or inaccurate personal data that we hold about you.
- The right to request that we delete or remove personal data that we hold about you where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have exercised your right to object to processing (see below).
- The right to object to our processing your personal data where we are relying on our legitimate interest (or those of a third party), where we cannot show a compelling reason to continue the processing
- The right to request that we restrict our processing of your personal data. This enables you to ask us to suspend the processing of personal data about you, for example if you want us to establish its accuracy or the reason for processing it.
- The right to withdraw your consent to us using your personal data. If we are relying on your consent as the legal ground for using any of your personal data, you have the right to withdraw your consent.
- The right to request that we transfer your personal data to another party, in respect of data that you have provided where our legal ground for using the data is that it is necessary for the performance of a contract or that you have consented to us using it (this is known as the right to “data portability”).
- Rights in relation to automated decision making and profiling. We do not use any of your personal data to make automated decisions or to create a profile of you.
If you would like to exercise any of the above rights, please contact the Finance and Operations Director, People First, Milbourne Street, Carlisle, CA2 5XB. Note that these rights are not absolute and in some circumstances we may be entitled to refuse some or all of your request.
If you have any questions or concerns about how your personal data is being used by us, you can contact the Finance and Operations Director, People First, Milbourne Street, Carlisle, CA2 5XB.
Our Data Protection Officer can also be contacted via contacting our Finance and Operations Director, People First, Milbourne Street, Carlisle, CA2 5XB.
Note too that you have the right to make a complaint at any time:
- to the organisation, by writing to our Finance and Operations Director, People First, Milbourne Street, Carlisle, CA2 5XB. Or by email contact HR@wearepeoplefirst.co.uk
- to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues. Details of how to contact the ICO can be found on their website: ico.org.uk
Reviewed – March 2022
Agreed by Trustees – 31st May 2022
Date of next review – May 2024
SLT Responsible – Catherine Hunt – DPO