This statement explains HEALS’ obligations under the UK General Data Protection Regulation (UK GDPR) for how it handles and uses personal data collected from those who use services. We are registered as a Data Controller with the Information Commissioner’s Office (ICO). We are committed to protecting your personal information and to being transparent about what information we hold about you.
 
WHY WE HOLD YOUR PERSONAL DATA: 

• To deliver services and support to you, and to understand and provide the appropriate level of support to you.

• To manage the service(s) we provide to you and inform you of services that we can offer you. 

• To investigate any concerns or complaints you have about the services you receive.

• To check the quality of our services and help with planning of new services. 

• To keep track on the use of public funds.

• For our legitimate business interests, - reasonable use in line with our aims and activities. 

We only keep the information we need to provide a service and support to you.  Any information used for analysis will remain anonymous unless you have given your explicit consent that you can be identified. 
 
WHAT INFORMATION WE COLLECT:
To carry out our services, we collect and process a range of information (including “sensitive personal data”).  We may also hold information that has been provided to us by another organisation/person authorised to act on your behalf, e.g., received by us as a referral. 
 
LEGAL BASIS FOR PROCESSING:

• You have given HEALS clear consent to hold and process your personal data for a specific purpose(s).

 
HOW WE USE YOUR PERSONAL DATA:
Your personal data may be used for several purposes, including but not limited to:

• Supporting you in the way that you have requested

• Responding to requests you may make.

• Internal reporting and record keeping. 

• Administrative purposes.

• Keeping you informed of any relevant changes. 

 
If you have any concerns or queries about any of these purposes, or how we communicate with you, please contact us at the address below.  We will always respect a request by you to stop processing your personal data. 
 
SHARING YOUR DATA WITH OTHERS:
Data may be shared between certain members of HEALS staff, Trustees and Volunteers who legitimately need the information to support you and carry out their duties. We may share your information with, and obtain information about you, from third-party and other professionals, depending on the service we provide to you.  For example:

• With an appropriate referring organisation/person.

• If a safeguarding issue arises.

• If there is a criminal investigation and we are requested to provide information.

• With reputable third-party organisations we use to help provide our services to you, i.e. provision of services, or sending communications to you. 

 
We would ask your permission and consent before we shared your information with another organisation.
 
There may be times HEALS needs to make other disclosures of your personal information without your consent.  Any such disclosures will be made in accordance with the obligations imposed on HEALS by the UK General Data Protection Regulation and other relevant legislation.  This will always be done with due consideration of your rights. This would normally only occur if it were necessary to protect your vital interests or the vital interests of another person, or for example, disclosures to the police for prevention or detection of crime. 
 
HEALS does not sell your personal data to third parties under any circumstances or permit third parties to sell on the data we have shared with them. HEALS does not share or store data outside of the UK.
 
Photography & Filming:
The HEALS team often takes photos and videos at the events it organises. These may be used internally and externally to promote the work of HEALS. This could be in either print or digital format, for example in publications/websites/e-marketing/social media/film. Images on websites can be viewed throughout the world and some countries may not provide the same level of protection to the rights of individuals as the UK. The images may be kept permanently once they are published, and as an archive.
 
Consent for photos and filming will be obtained as part of registering for each event. If you withdraw your consent at any time, the media will not be used in the future but may continue to appear in publications already in circulation. 
 
HOW WE PROTECT YOUR DATA AND HOW LONG WE KEEP YOUR DATA:
HEALs recognises the significance of sensitive personal data and we take the security of your data seriously. Your data is stored on Charity Log, a secure database. Policies and controls are in place to ensure that your data is not lost, accidentally destroyed, misused, or disclosed and not accessed except by those authorised during the proper performance of their duties. 

Your data will only be kept as long as is necessary for the purpose(s) for which it was collected and in accordance with our Data Protection Policy & Procedures and will be securely destroyed when it is no longer required. We reserve the right to judge what information we must continue to hold in the fulfilling of any contracts we hold. 
 
If you would like to implement your right to be forgotten and have your data deleted, please contact us at the address below. Please note that we may not be able to delete your data if there are outstanding safeguarding issues, if a recent hardship fund award has been made or in other limited circumstances. In this situation, we would discuss your circumstances and agree next steps. Please also be aware that using your right to be forgotten would prevent you from being able to use HEALS case notes to evidence your circumstances.
 
YOUR RIGHTS: You can find out more detailed information about your rights here: https://ico.org.uk/forthe-public/.
[1] The right to be informed; [2] The right of access; [3] The right to rectification; [4] The right to erasure; [5] The right to restrict processing; [6] The right to data portability; [7] The right to object; HEALS does not use automated decision-making processes, or profiling.
 
If you would like to exercise any of these rights, you can contact our Data Protection Officer using the details below. If you believe the organisation has not complied with your data protection rights, you can complain to the Information Commissioner’s Office : https://ico.org.uk/make-a-complaint/dataprotection-complaints/data-protection-complaints/
​