We are committed to protecting your personal information.
1. Introduction
This Privacy Statement sets out how we collect, use and store your personal information (this means any information that identifies or could identify you).
Protecting personal information and being transparent about how we use it is important to us. It is core to how we build and maintain trust in our work: the trust people place in us when they approach us for advice and support, and the trust placed in us by people involved in resourcing and delivering our work, including donors, volunteers, funders, partners, employees, suppliers and other stakeholders.
This statement explains how we gather and use personal information, depending on your relationship with BLNSS and how the personal information is stored and transmitted. Personal data is subject to the legal safeguards specified in the Data Protection Act 2018 (DPA 2018). BLNSS Ltd is a data controller and is responsible for processing personal information about you. For more information on data protection and your rights as an individual, see https://ico.org.uk/
When you interact with BLNSS, we will communicate how we collect and work with your personal information in various ways. Such communications are underpinned by this privacy statement. We want to make it easy for you to find out more, and for you to exercise your rights.
Please take the time to read this privacy statement: as an organisation that gives advice, we think it is important for people to understand how their personal information is used by organisations and what their rights are. If you are short of time, look first at the things that apply to all personal data collected and used by BLNSS, and then at the sections that apply to your particular relationship(s) with BLNSS.
2. Contact and further information
BLNSS is a registered charity (no. 1050456) and a company limited by guarantee (no.2662382). We are registered with the Information Commissioner’s Office (registration number ZA047636). See https://ico.org.uk/about-the-ico/what-we-do/register-of-data-controllers/ for further details.
For all enquiries related to data protection and privacy, including your rights under data protection legislation, please contact: The Centre Manager either by email c/o Asac.reception@agnessmith.co.uk or by telephoning the Centre on 01865 770206 or by dropping into the Centre at 96 Blackbird Leys Road, Oxford, OX4 6HS during our opening hours (9.30 a.m. – 4.00 p.m. Monday – Friday).
When exercising your rights, it may be necessary for us to verify your identity (e.g. security questions or photo ID) before we can respond: this is to protect your personal data and confidential information.
3. Whose personal data does BLNSS collect and work with?
- People getting advice, information and support from BLNSS and those connected with them.
- Supporters, donors and individuals involved in our fundraising, campaigning and policy work.
- Our volunteers and trustees.
- People representing partner organisations, funders and other stakeholders relevant to our work, including our suppliers.
- Our employees and others working on our behalf.
- People visiting our website.
4. Things that apply to all our processing of personal data
We collect and work with personal data. Personal data is information that can be used to identify a living individual, such as names, addresses, phone numbers, e-mail addresses, postcodes, case and client files, details of enquiries, IP addresses, location data, online identifiers, pictures or other biometric data, service records, attendance lists, minutes of meetings, mailing lists, bank account details and other financial records.
We need to collect and use personal data to provide advice, information and support services, to fundraise and generate income for our work, to fulfil our charitable objectives, to run the organisation efficiently and effectively, to meet our legal obligations and to contract with individuals and organisations. We give more detail for each group of people listed in the section above. However, the following points apply to all personal data processed by BLNSS.
We only collect personal data that we need. If we need your consent to collect or use your personal data, we will ensure that we have this consent from you.
We will do our best to keep personal information secure by taking appropriate technical and organisational measures. We will never sell personal information to third parties.
We will never give personal data to third parties, with the following exceptions:
- Where you have given us your consent to share your personal data, for example to get help or advice related to your case or enquiry from another organisation.
- To further the legitimate interests of those seeking advice, information and support from BLNSS, for example sharing personal data of volunteers and employees with third parties in the normal course of giving advice, or processing the personal data of third parties involved in beneficiary cases and enquiries.
- Where we use third party organisations to process your personal data on our behalf as set out in this privacy statement, for example organisations that provide us with cloud-based ICT services. Such processing is governed by written agreements.
- Where we have legal obligations, for example, our legal obligations to prevent terrorism and money laundering, or to provide personal data to HMRC.
- In a life or death situation where we need to protect your vital interests or the vital interests of a third party, for example if you needed urgent medical assistance and were unable to give your consent to us seeking such assistance on your behalf.
- Where we have reasonable grounds for believing that not sharing personal information will result in serious harm to you or a third party, in line with our confidentiality policy and legitimate charitable purposes.
- Where we judge that sharing personal information is justified for the prevention of crime, in line with our confidentiality policy and legitimate charitable purposes.
We are committed to ensuring that suppliers who process personal data on BLNSS’s behalf as ‘data processors’ treat your personal data carefully and in accordance with our written instructions and data protection legislation. We regularly review the written agreements we have with organisations and individuals that process personal data on our behalf. These include services such as postal delivery, e-mail communication, marketing support, market research, data analysis, payment processing, data storage and backup, payroll and other administrative and HR functions. They have access to personal information needed to deliver the service, but may not use this personal information for other purposes.
5. What are my rights?
Under the Data Protection Act 2018, you have the rights listed below. Get in touch as described in the ‘Contact and further information’ section if you wish to exercise any of your rights. We will respond within one month, though in some circumstances we may need to extend the time for a full response for a further two months. You will not usually need to pay us for making the request. However, we may charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.
It is important that the personal information we hold about you is accurate and current. Please keep us informed if your personal information changes during your working relationship with us.
For further, independent information and detail about your rights, see https://ico.org.uk/for-the-public/
- The right to be informed – we inform you through this privacy statement and through other privacy-related communications, whether you interact with us in person, by telephone, by e-mail, online or using other channels.
- The right of access – you have the right to ask us for confirmation that your data is being processed and to access this data (a ‘subject access request’).
- The right to rectification – you have the right to have inaccurate or incomplete personal data corrected or completed.
- The right to erasure – you have the right in some circumstances to ask us to erase your personal data (the ‘right to be forgotten’). Sometimes, this right may not apply, for example when the personal data needs to be retained for insurance purposes, or in relation to legal claims.
- The right to restrict processing – you have the right to ask us to limit how we collect and use your personal data, for example, to stop us deleting data that you might need in relation to a legal claim, or to suspend processing if you want us to establish its accuracy or the reason for processing it..
- The right to data portability – you have the right in some circumstances to be given your personal data in a structured, commonly used and machine readable form. This only applies to personal data you have given directly to us, where processing is carried out by automated means, and where the personal data is being processed based on your consent or in relation to a contract.
- The right to object – you have the right in some circumstances to object to processing of your personal data. This includes your right to object to: processing that we justify as being based on our legitimate interests; direct marketing; and processing of personal data for research and statistical purposes.
- Rights in relation to automated decision making and profiling – BLNSS has not identified any processing of personal data that currently involves solely automated decision-making or profiling.
6. Security and measures to protect personal data, including secure disposal
We maintain appropriate levels of security in relation to the collection, storage and disclosure of your personal data and confidential information. Information is stored securely by BLNSS in electronic files and databases on servers at our offices, off-site locations and in the cloud. We also store information in paper files and records.
We have security measures in place to protect against the loss, misuse, alteration or disclosure of personal data under our control. These include: limiting access to personal information to authorised individuals; encrypting information; protecting systems, drives, folders and files by password; physical security measures; and regular backups of information to protect against ransomware and systems failure.
While we cannot guarantee that loss, misuse, alteration or disclosure of data will not occur while it is under our control, we take appropriate measures to try to prevent this. We also have procedures to deal with any suspected data security breach and will notify affected data subjects and any applicable regulator of a suspected breach where we are legally required to do so.
Any sensitive or special categories of data collected and used by BLNSS are only shared on a need-to-know basis. In the course of providing our advice services, we may collect certain categories of sensitive data, including details of race; ethnic origin; politics; religion; trade union membership; genetics; biometrics (where used for ID purposes); health; sex life; and sexual orientation. Such processing typically relates to our legitimate interests as an advice provider, employer and in some limited circumstances, enables us to comply with our duty of care to people who contribute to our work on a voluntary basis. In some situations, we will process such data with your consent, for example when providing it to third party organisations in connection with your advice and support needs.
7. Payment by credit or debit card
If you use your credit or debit card to donate to us, or pay online or over the phone, we will ensure that this is done securely and in accordance with the Payment Card Industry Data Security Standard. Find out more information about PCI DSS standards by visiting their website at www.pcisecuritystandards.org
Only those staff authorised to process payments will have access to card details. Once your transaction is completed, we do not store your full credit or debit card details.
We hold bank account details for the purpose of collecting direct debits in accordance with direct debit mandate rules.
Where your information is no longer required we will ensure that it is disposed of in a secure manner (e.g. physical destruction such as shredding and electronic deletion of information stored electronically).
8. How can I complain?
We want to improve the ways in which we work. Please tell us if something has gone wrong or not happened as it should. We will try to put things right if we can. We also want to take every opportunity to learn from your comments and feedback, both positive and negative. There is a feedback/complaints box on our reception for general feedback or complaints.
If you wish to make a formal complaint you will find our Complaints Procedure booklet on our reception, and on our website.
You have the right to lodge a complaint with the Information Commissioner’s Office. For more information, visit https://ico.org.uk/
9. What about personal data transferred to other countries?
BLNSS makes use of cloud-based services where personal data is not transferred outside the EEA.
We use cloud-based client and case management services where data is stored in secure data centres within the UK or other EEA countries.
BLNSS also makes use of cloud-based services where personal data may be transferred outside the European Economic Area (EEA). For Office 365, Monkey Survey for example, this involves transfers to the United States of America. More information can be found on the European Commission’s website. We only use data processors that are part of the Privacy Shield framework. These data processors may provide us with the following services:
- Calendar and appointment management
- Electronic survey and online form processing services
- Event management services
- File backup and storage
- E-mail services
- Website management and hosting
- Online platforms for processing payments and donations
10. People getting advice, information and support from BLNSS and those connected with them
Why do we collect and use personal data?
We do this to give advice, information and support. We also gather some personal data to help us understand how to improve our services, to resource our work and to promote our legitimate interests as a charity.
How do we justify this according to data protection legislation?
Our lawful bases for processing this data include: our legitimate interests as a charity providing advice, information and support services and the legitimate interests of our beneficiaries; the contracts and funding agreements we have with bodies to provide advice; our legal obligations, including those related to social security regulations and social welfare law, terrorism and money laundering; and your consent to process personal data for particular purposes.
What kinds of personal data do we collect and use and where we do get them from?
We gather your personal information and the personal information of others involved in your case or enquiry when you visit us in person, use our websites, complete printed paper forms, speak to us on the telephone, complete surveys or questionnaires or communicate with us by post, e-mail, online or other channels. Information is recorded in paper files, electronic files and cloud-based case management systems. In line with the advice we give, some of this personal data is sensitive, relating to health, finances, social welfare, employment, protected characteristics and other circumstances.
We use some of this sensitive information to generate anonymised reports and undertake statistical analysis to identify and evidence the needs and issues faced by our beneficiaries and resource our work. This could for example include the proportions or numbers of people experiencing a particular type of problem, or with a given personal characteristic (such as health condition or ethnicity).
We collect and use your personal data for administrative purposes, for example getting your feedback, telling you about changes to our service and responding to complaints or concerns.
Who might your personal data be shared with?
We will only share the personal data of our beneficiaries with third parties when we have explicit consent, subject to the general exceptions listed in ‘Things that apply to all our processing of personal data’.
We may also process the personal data of other people involved in the cases or enquiries of BLNSS’s beneficiaries, for example, personal data relating to family members, friends, carers or support workers.
Personal data may be passed to BLNSS by our partner organisations and other stakeholders involved in our work, for example in situations where you have given your consent for information to be shared directly with us through referral. When you provide your personal data to other organisations, you should check their privacy policies carefully.
How long do we keep personal data for?
We keep personal data related to beneficiary cases and enquiries for at least 6 full years after case closure or last contact with BLNSS. This enables us to protect both beneficiary interests and the interests of BLNSS in regard to legal claims that may arise in relation to work carried out. For some personal data, we may retain information for longer periods depending on our legal obligations, client instructions and any limitation periods that may apply to the case files concerned.
If you continue using BLNSS’s services over a period of time, for example in relation to a number of separate issues over a period of years, we will not erase personal data in past case files which are over 7 years old whilst other more recent personal data is being retained. This is to ensure continuity of service and avoid loss of information that may be relevant.
11. Supporters, donors and individuals involved in our campaigning and policy work
Why do we collect and use personal data?
We do this to process donations we may receive from you, to claim Gift Aid on these donations and to update you on how your donations are being used. We collect and use your personal data when processing event bookings and setting up direct debits or standing orders. We use your personal data to engage with you as a supporter of our work, for example to provide you with information about our activities, to tell you about how you can support our work and to record the contacts that we have with you. We collect and use your personal data so that you can participate in our policy and campaigning work, including surveys or research activities.
We collect and use your personal data when you sign up for newsletters or other direct marketing communications, including e-mail newsletters. We may also collect and use your personal data for administrative purposes, for example responding to complaints or concerns.
How do we justify this according to data protection legislation?
Our lawful bases for processing this data include: your consent to collect and use your personal data, including your consent to receive direct marketing communications; our legitimate interests as a charity, including monitoring who we deal with to protect BLNSS against fraud, money laundering and other risks; the contracts we may have with you that relate to paid-for events; and our legal obligations, for example, meeting statutory requirements when processing Gift Aid payments.
What kinds of personal data do we collect and use and where we do get them from?
We collect your personal information when you visit us in person, use our websites, complete printed paper forms, speak to us on the telephone, make donations, attend events, complete surveys or questionnaires or communicate with us by post, e-mail or other online channel. Information is recorded in paper files, electronic files and cloud-based databases. The personal data we collect will include financial information when you make a donation, set up a direct debit or standing order, or leave us a legacy in your will.
We may receive information about you from third parties, for example from a friend who wants to send you information about our work or book an event on your behalf.
Who might your personal data be shared with?
We will only share your personal data with third parties with your explicit consent, subject to the general exceptions listed in ‘Things that apply to all our processing of personal data’. Such sharing of personal data with your consent might include sharing your personal details with another named organisation if we run an event or activity in collaboration with them.
How long do we keep personal data for?
We keep personal data that relates to financial records, for at least 6 years from the end of the last financial year they relate to for BLNSS accounting purposes. Some financial information may be kept for longer, for example information related to legacy gifts.
We will retain other personal data related to your support for and engagement with BLNSS for a period of at least 6 years since the date of your last engagement with BLNSS. We will ensure that you can simply and easily withdraw your consent to be sent information about our work and to indicate your preference for receiving communications in a particular format. If you withdraw your consent or change your preferences, we may retain a record of your withdrawal of consent or change of preferences for a period of 6 years from the date you notified us: this helps us maintain accurate records and ensure that information is not sent to you in error when you have withdrawn consent.
12. Our volunteers, trustees and patrons
Why do we collect and use personal data?
To engage with you as a volunteer, trustee or patron, including your recruitment, induction, training and the activities you undertake in your role. We collect and use personal data for management and administrative purposes and for internal record keeping, such as the management and facilitation of volunteer activity, safeguarding, conflicts of interest, seeking your feedback, dealing with complaints and to further the charitable aims of BLNSS, including the legitimate interests of those we support.
How do we justify this according to data protection legislation?
Our lawful bases for processing this data include our legitimate interests as a charity and the legitimate interests of our beneficiaries, including: supporting you effectively in your role and fulfilling our duty of care to you; ensuring that BLNSS operates effectively and efficiently; and monitoring those who volunteer on BLNSS’s behalf to protect the organisation against fraud, money laundering, conflicts of interest and other risks. We process personal data on the basis of our legal obligations, for example complying with our reporting requirements as a registered charity and company limited by guarantee. We also process your personal data based on your consent, including your consent to receive direct marketing communications.
What kinds of personal data do we collect and use and where we do get them from?
We collect and use your personal information when you express an interest in volunteering or acting as a trustee or patron and when you undertake such roles and activities. We collect and use your personal data when you visit us in person, use BLNSS computer and communication systems and cloud-based services, websites, complete printed paper forms, speak to us on the telephone, complete surveys or questionnaires or communicate with us by post, e-mail, online or other channels. Information is recorded in paper files, electronic files and cloud-based databases. The personal data we collect will include information to assess your suitability to undertake the role in question, and may include processing of sensitive data and personal data relating to criminal offences and convictions, including data processed in relation to the safeguarding of children and vulnerable adults. We will also process data to enable us to fulfil our duty of care to you, for example, information about any particular health, access or communication needs. We may process your personal data to further the legitimate interests of our beneficiaries, for example providing your contact details to partner organisations. We may process your personal data to reimburse expenses incurred in undertaking your role for BLNSS.
We may receive information about you from third parties, for example from a friend who thinks you might be interested in volunteering, or someone who provides you with a reference when you apply to volunteer with us. We may make use of personal data that is publicly available to communicate with you about voluntary opportunities at BLNSS.
Who might your personal data be shared with?
We may take up references for any trustee or volunteer undertaking activities for BLNSS. We will take up such references during your recruitment. We may also need to share your personal data, for example as part of safeguarding checks, to enable you to undertake particular activities for BLNSS. This will be done in line with the written hopes and expectations associated with the role to which you have been recruited and in consultation with the person responsible for your recruitment, supervision and support. Personal data of trustees and directors will be shared with the Charity Commission and Companies House and the Financial Conduct Authority in line with our legal obligations.
How long do we keep personal data for?
We keep application forms and interview notes for unsuccessful volunteer and trustee applications for 12 months. Records of successful applicants will be transferred to the appropriate volunteer or trustee record.
We keep personal data that relates to financial records, including reimbursement of expenses, for at least 6 years from the end of the last financial year they relate to for BLNSS accounting purposes.
We will retain other personal data related to your activities as a trustee, volunteer or patron for BLNSS for a period of at least 6 years since the date you last undertook activity on our behalf. Some data, for example minutes of trustee meetings, or records of people volunteering for BLNSS listed in our annual report will be kept permanently for historical and archiving purposes.
We will ensure that you can simply and easily withdraw your consent to being sent information about voluntary activities and to indicate your preference for receiving communications in a particular format. If you withdraw your consent or change your preferences, we may retain a record of your withdrawal of consent or change of preferences for a period of 6 years from the date you notified us: this helps us maintain accurate records and ensure that information is not sent to you in error when you have withdrawn consent.
13. People representing partner organisations, funders and other stakeholders relevant to our work, including our suppliers
Why do we collect and use personal data?
We collect and use your personal data to engage with you as a BLNSS partner, funder, supplier or stakeholder. We collect and use personal data to network and undertake joint activities where we have common interests, to manage our existing income, to purchase and use services and products for BLNSS purposes, and to publicise and promote our work. This includes telling you about changes to our activities and services and work to analyse and improve the services we offer. We may also collect and use personal data when undertaking work on behalf of individual beneficiaries of BLNSS.
How do we justify this according to data protection legislation?
Our lawful bases for processing this data include our legitimate interests as a charity and the legitimate interests of our beneficiaries, including: working with other organisations and individuals in line with our charitable objectives; ensuring that BLNSS operates effectively and efficiently; and monitoring BLNSS activities to protect the organisation against fraud, money laundering, conflicts of interest and other risks. We process personal data on the basis of our legal obligations, for example complying with accounting requirements and reporting requirements as a registered charity and company limited by guarantee. We process personal data on the basis of the contracts that we may have with you that relate to provision of services or products. We also process your personal data based on your consent, including your consent to receive direct marketing communications.
What kinds of personal data do we collect and use and where we do get them from?
Your information may be shared with us by other organisations, individuals, BLNSS’s beneficiaries, employees and volunteers, for example when developing joint projects or undertaking networking activities, or when you have been involved in a beneficiary’s case. We may receive updated contact information from third parties so that we can correct our records and engage with you more easily.
We may combine information you provide to us with information available from public sources or records in order to gain a better understanding of organisations and individuals who may be interested in engaging with BLNSS. This helps us to generate new income to support our work and deliver our services more effectively.
Who might your personal data be shared with?
We may share personal data with third parties to further our legitimate interests as a charity and the legitimate interests of our beneficiaries. This might include details of your work in relation to BLNSS’s beneficiaries, or other personal data as set out in our contractual terms and conditions. We may also share your personal data with third parties with your explicit consent, subject to the general exceptions listed in ‘Things that apply to all our processing of personal data’.
How long do we keep personal data for?
We keep personal data that relates to financial records, including provision of services or products, for at least 6 years from the end of the last financial year they relate to for BLNSS accounting purposes.
We will retain other personal data related to your engagement with BLNSS for a period of at least 6 years since the date of your last engagement with us. We will ensure that you can simply and easily withdraw your consent to be sent information about our services and to indicate your preference for receiving communications in a particular format. If you withdraw your consent or change your preferences, we may retain a record of your withdrawal of consent or change of preferences for a period of 6 years from the date you notified us: this helps us maintain accurate records and ensure that information is not sent to you in error when you have withdrawn consent.
14. Our employees and others undertaking paid work on our behalf
Why do we collect and use personal data?
We collect and use personal data to engage with you as a current or former employee, worker, self-employed person or contractor in relation to the work you undertake in these roles, including associated recruitment and selection processes. We collect and use personal data to fulfil our responsibilities as an employer, and for management and administrative purposes including personnel and HR functions, the supervision and monitoring of work, safeguarding, conflicts of interest, seeking your feedback, dealing with complaints, to further the charitable aims of BLNSS and the legitimate interests of those we support. We may also use your personal information in the following situations, which are likely to be rare: where we need to protect your interests (or someone else’s interests); or where it is needed in the public interest or for official purposes.
How do we justify this according to data protection legislation?
Our lawful bases for processing this data include our legitimate interests as an employer and charity and the legitimate interests of our beneficiaries. These legitimate interests include: ensuring that BLNSS operates effectively and efficiently; monitoring BLNSS activities to protect the organisation against fraud, money laundering, conflicts of interest and other risks. We also process personal data on the basis of our legal obligations, for example complying with accounting and reporting requirements as an employer, a registered charity and company limited by guarantee. We process some personal data on the basis of the contracts BLNSS has with you that relate to your employment or work at BLNSS. We also process some personal data based on your consent, including your consent to receive direct marketing communications. We do not need your consent to process where we have another legal basis to do so as set out above. However, if we do need to seek your consent to processing, we will provide you with full details of the information that we would like and the reason we need it, so that you can carefully consider whether you wish to consent. You should be aware that it is not a condition of your contract with us that you agree to any request for consent from us and, where you have given consent, this can be withdrawn at any time by contacting the Centre Manager.
What kinds of personal data do we collect and use and where we do get them from?
We collect and use personal data during the course of your work for BLNSS, including: personal details such as name, title, addresses, telephone numbers, personal email addresses, date of birth, gender, marital status and dependents, next of kin and emergency contacts, National Insurance number, payroll records and tax status information, salary, annual leave, pension and benefits information, location of employment or workplace, copy of driving licence, and photographs; recruitment and selection records, including references and information from your application; use of BLNSS computer and communication systems and cloud-based services; time recording; personnel and HR records, including job titles, work history, working hours, training records, professional memberships, compensation history, , performance and supervision, and disciplinary and grievance information; and other personal data required in order to contract with you, including personal data related to your right to work in the UK and financial details to enable us to make payments to you. Some of your personal data may be sourced from recruitment agencies, background check agencies, referees and publicly-available sources during recruitment and selection processes.
We collect sensitive personal data in some cases, including: information about your health, including any medical condition, health and sickness records, and details of any absences (other than holidays) from work including time on statutory parental leave and sick leave; details of any absences (other than holidays) from work; personal data relating to criminal offences and convictions; personal data processed in relation to the safeguarding of children and vulnerable adults; and information about your race or ethnicity, religious beliefs, sexual orientation and political opinions. We will also process data to enable us to fulfil our duty of care to you as an employee, worker, self-employed person or contractor, for example, information about any particular health, access or communication needs.
We may only use information relating to criminal convictions where the law allows us to do so. This will usually be where such processing is necessary to carry out our obligations and provided we do so in line with our data protection policy. We will only collect information about criminal convictions if it is appropriate given the nature of the role and where we are legally able to do so. Where appropriate, we will collect information about criminal convictions as part of the recruitment process or we may be notified of such information directly by you in the course of you working for us. We will use information about criminal convictions and offences in the following ways: to assess continued suitability for your role; and to comply with our safeguarding obligations.
How we may use your personal information
We may use your personal information when: making a decision about your recruitment or appointment; determining the terms on which you work for us; checking you are legally entitled to work in the UK; paying you and, if you are an employee, deducting tax and National Insurance contributions; providing the following benefits to you: annual leave, death in service benefit; enrolling you in a pension arrangement in accordance with our statutory automatic enrolment duties and liaising with your pension provider; administering the contract we have entered into with you; business management and planning, including accounting and auditing; conducting performance reviews, managing performance and determining performance requirements; making decisions about salary reviews and compensation; assessing qualifications for a particular job or task, including decisions about promotions; gathering evidence for possible grievance or disciplinary hearings; making decisions about your continued employment or engagement; making arrangements for the termination of our working relationship; education, training and development requirements; dealing with legal disputes involving you, or other employees, workers and contractors, including accidents at work; ascertaining your fitness to work; managing sickness absence; complying with health and safety obligations; to prevent fraud; to monitor your use of our information and communication systems to ensure compliance with our IT policies; to ensure network and information security, including preventing unauthorised access to our computer and electronic communications systems and preventing malicious software distribution; equal opportunities monitoring. Some of the above grounds for processing will overlap and there may be several grounds which justify our use of your personal information.
Special Categories of personal information require higher levels of protection. We may process such information in the following circumstances: in limited circumstances, with your explicit written consent; where we need to carry out our legal obligations and in line with our employment policies or this data protection policy; where it is needed in the public interest, such as for equal opportunities monitoring and in line with our employment policies or this data protection policy; where it is needed to assess your working capacity on health grounds, subject to appropriate confidentiality safeguards. Less commonly, we may process this type of information where it is needed in relation to legal claims or where it is needed to protect your interests (or someone else’s interests) and you are not capable of giving your consent (such as a medical emergency), or where you have already made the information public.
We may use Special Categories of personal information in the following ways: we may use information relating to leaves of absence, which may include sickness absence or family related leaves, to comply with employment and other laws; we may use information about your physical or mental health, or disability status, to ensure your health and safety in the workplace and to assess your fitness to work, to provide appropriate workplace adjustments, to monitor and manage sickness absence and to administer benefits; we may use information about your race or national or ethnic origin, religious, philosophical or moral beliefs, or your sexual orientation, to ensure meaningful equal opportunity monitoring and reporting.
We do not envisage that any decisions will be taken about you using automated means, however we will notify you in writing if this position changes.
Who might your personal data be shared with?
We will share your data with other organisations and individuals to comply with our legal obligations. We will also share your data with organisations that undertake data processing on our behalf, including HR and personnel functions such as payroll administration, pension administration, benefits provision, and to provide IT services. In some circumstances we may need to share your personal data to further the legitimate interests of BLNSS and BLNSS’s beneficiaries, for example in situations where you are representing a client at tribunal or where you are undertaking work that requires interaction with third party organisations.
We may share your personal information with other third parties, for example in the context of merger with another organisation. In this situation we will, so far as possible, share anonymised data with the other parties before the transaction completes. Once the transaction is completed, we will share your personal data with the other parties if and to the extent required under the terms of the transaction.
We may also need to share your personal information with a regulator or to otherwise comply with the law. This may include making returns to HMRC, or reporting to funders or auditors.
How long do we keep personal data for?
We will only retain your personal information for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.
To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
We keep the following types of personal data for at least six years since the date of the last record: accident books and records; accounting records; income tax and National Insurance returns, correspondence with HMRC; records of notifiable events in relation to retirement benefit schemes; maternity pay records; wage and salary records; and working time records.
Certain types of record will be kept for longer periods, including records related to pension schemes and pensioners, which will be kept for 12 years from the date pension benefits cease, and records related to parental leave, which will be kept for 18 years from the birth of the child. If records involve the control of lead, asbestos, other hazardous substances or ionising radiation, special rules apply and records will be kept for periods in excess of 40 years, see https://www.cipd.co.uk/knowledge/fundamentals/people/hr/keeping-records-factsheet.
Certain types of records will be kept permanently, including: health and safety assessments and consultations; and senior executive records.
We keep application forms and interview notes for unsuccessful job applicants for 12 months. Records of successful job applicants will be transferred to their personnel file.
15. People visiting our website and interacting with us on social media
Why do we collect and use personal data?
We collect and use personal data to analyse the use of our websites and ensure their content is presented in the most effective manner for you and your device (see also our cookies policy). We use Google Analytics and other services to collect information about how our websites are used. These help us to know how often users visit our websites, what pages they visit when they do so, and how they use our content online.
Our website contains links to other websites belonging to third parties and we sometimes choose to participate in social networking websites including, but not limited to, YouTube, Facebook, Twitter, Pinterest and Instagram.
Some areas are designed to allow you to submit personal data, for example to contact us for help or to offer support as a volunteer or donor. We take your privacy very seriously and data gathered via this channel is collected using a secure connection.
How do we justify this according to data protection legislation?
You don’t have to disclose any of this information to browse our websites. However, if you choose to withhold requested information, we may not be able to provide you with certain services. When submitting personal data using online forms, the way we use that data subsequently is determined by your relationship(s) to us as described elsewhere in this privacy statement.
What kinds of personal data do we collect and use and where we do get them from?
Website usage information is collected using cookies. This helps us to see how many people use our websites, how many people visit on a regular basis, and how popular individual pages are. Cookies are also essential to our websites running correctly and delivering services to website visitors. For more information, please see our cookies policy.
Otherwise, this is determined by your relationship(s) to us as described elsewhere in this privacy statement.
Who might your personal data be shared with?
Your personal data may be recorded by the company who hosts the BLNSS website. If you use social media services such as Facebook, Twitter, Pinterest, Instagram or YouTube, you should be aware of their privacy policies and practices.
Otherwise, this is determined by your relationship(s) to us as described elsewhere in this privacy statement.
How long do we keep personal data for?
This is determined by your relationship(s) to us as described elsewhere in this privacy statement.
16. Children and young people
If you are aged under 18, we take particular care of your personal information. Please just ask us if you have any questions.
If we get information from you directly, we will tell you why and how we are going to use your personal information.
Sometimes, we use your personal information to help your parent or someone caring for you. This might be, for example, to help your family sort out problems with money, housing or work.
If you are under 18, BLNSS will not normally advise or support you directly.
Children aged 13 upwards may give their own consent in relation to any initial advice or information offered by BLNSS, which will typically involve referral to services that specialise in working with young people.
If you are aged 16 or under and would like to participate in an event, make a donation or get involved with supporting our work, please make sure that you have the permission of your parent, guardian or person with parental responsibility.
You need to have this before giving us your personal information. You also need to make sure that you have the permission of the card holder if making a donation by card. If we find out that you do not have permission, we will ask you to get permission.
17. Changes to this Privacy Statement and our Privacy Policy
We keep our privacy policy under regular review. Any significant changes will be reflected in this Privacy Statement, which will be available via our website and through other channels.
Date last updated: Dec 2018, June 2020, June 2022, September 2024
Dates of next review: September 2026