
NOTTINGHAMSHIRE SEXUAL VIOLENCE SUPPORT SERVICES (NOTTS SVSS)

PRIVACY NOTICE


Last review: June 2024

Next review due: June 2026

Last update: June 2024

 

Introduction

Nottinghamshire Sexual Violence Support Services (Notts SVSS) is a not-for-profit specialist sexual violence service provider operational for over 40 years. Our core function is to deliver specialist services to anyone aged 18+ living in Nottingham City and Nottinghamshire who has experienced any form of recent or non-recent sexual violence and abuse.

 

It is central to our values to look after any personal data that is shared with us. We want everyone who supports us, or who comes to us for support, to feel confident about how we process personal data. This Privacy Notice explains how we process your personal data and what rights are available to you.

 

If you are a child or a young person under 18 years old you can choose to read our Privacy Notice for Children and Young People instead. The Privacy Notice for Children and Young People is written in a simple age-appropriate language to ensure you understand your rights and what we do with your information.

 

We are registered as a data controller with the Information Commissioner’s Office (ICO). Please see our details below-

ICO Registration Number: ZA018306

Organisation Name: Nottinghamshire Sexual Violence Support Services

Address: 30 Chaucer Street, Nottingham, NG1 5LP

Telephone Number: 0115 947 0064

Website: https://nottssvss.org.uk/

Data Protection Manager: Novlet Holness, novletholness@nottssvss.org.uk

Data Protection Officer: Zuzana Tykvova, zuzanatykvova@nottssvss.org.uk

 

Terms

  • Personal Information or Personal Data = any information that can directly or indirectly identify a specific living person, for example a name, an email address or a date of birth.
  • Special Categories of Personal Data = information concerning racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, sex life or sexual orientation data.
  • Processing = any operation which is performed on personal data such as collecting, recording, accessing, organising, storing, altering, using, transmitting, disseminating or otherwise making available, restricting, erasing, losing or destroying.
  • Data Controller = a natural or a legal person, public authority, agency or any other body which decides how and for what purposes personal data is processed.
  • Data Processor = a natural or legal person, public authority, agency or other body which processes personal data on behalf of the data controller.

 

General Privacy Principles and Legal Obligations

Under the UK General Data Protection Regulation 2018 (UK GDPR 2018), we must always have at least one lawful basis for processing your personal data. These are-

  • Freely given consent
  • Contract
  • Legal obligation
  • Protection of vital interests
  • Public interest
  • Legitimate interest

 

Furthermore, we must ensure your personal data-

  • Is processed lawfully, fairly and in a transparent way.
  • Is only processed for specific valid purposes and not further processed for any other purposes. This is also known as purpose limitation.
  • Is adequate, relevant and limited to what is necessary in relation to the purposes the data has been collected for. This is also known as data minimisation.
  • Is accurate and kept up to date.
  • Is kept only as long as necessary for the purposes the data has been collected for. This is also known as storage limitation.
  • Is processed securely including ensuring that appropriate technical and organisational measures are in place.

 

We are also obliged to demonstrate compliance with the principles outlined above.

 

Your Rights

Under the UK GDPR, you have a number of rights with regards to your personal data-

  • Right to be notified – You have the right to know how and when we process your personal data. This right always applies.
  • Right of access – You have the right to ask us for copies of your personal data we process. This right always applies.
  • Right to rectification – You have the right to ask us to rectify your personal data you think is inaccurate. You also have the right to ask us to complete information you think is incomplete. This right always applies.
  • Right to erasure – You have the right to ask us to erase your personal data. This right may not apply in certain circumstances. We will remove your personal data as far as we do not have a valid reason or a legal obligation to retain it.
  • Right to restriction of processing – You have the right to ask us to restrict the processing of your personal data. This right may not apply in certain circumstances. We will restrict the processing as far as we do not have a valid reason not to comply with your request.
  • Right to object to processing – You have the right to ask us to stop processing of your personal data. This right may not apply in certain circumstances. We will stop processing your personal data as far as we do not have a valid reason not to comply with your request.
  • Right to data portability – You have the right to ask us that we transfer your personal data you have given us to another organisation, or give it to you. This right always applies.
  • Right not to be subject to solely automated decision-making – You have the right to contest a solely machine-made decision and to ask for a review by a human person. This right always applies.

 

You can find out more about your rights under the UK’s data protection laws at www.ico.org.uk. You are not required to pay any charge for exercising your rights. We have one month to respond to you.

 

To exercise your rights please contact us by

Writing: Notts SVSS, 30 Chaucer Street, Nottingham, NG1 5LP

Email: admin@nottssvss.org.uk

Tel: 0115 947 0064

Or any other channel of your preferred choice.

 

Subject Access Request (SAR)

As outlined above, you have the right to know what personal data we process about you, otherwise known as the Right of Access. You can ask us about anything that concerns your personal data such as but not limited to how and why we process it, what we process and who has access to it.

 

You can submit a subject access request to us via any means, i.e. over telephone, in writing, over social media etc. and we will aim to respond to you in the same manner unless requested otherwise. In certain cases we may ask you to visit our office to review your personal data in person. Our preferred communication channels are listed above but you are welcome to contact us in any way you prefer. You can submit your SAR to any member of staff.

 

We have one month to respond to you. In complex cases we may ask for an extension of a further two months, which we will always notify you of along with reasons for the extension. Where appropriate, we may ask you to specify your request to allow us to respond in a faster and more efficient manner. Our response will include a confirmation whether the data is processed, details on what kind of processing is taking place and a copy of the processed data. You have the right to ask to receive our response in an electronic format and/or presented in an accessible format.

 

In order to safeguard the personal data from illegitimate requests we can ask you for proof of ID to verify you. Please note, whilst we wait for your ID the one month response time period is paused. We do not have to respond to requests for which the requester fails to provide an ID. Requests will only be accepted from the data subjects whom the requested data belongs to and from third parties acting on behalf of the data subjects where the third party provides sufficient evidence that they are entitled to act on the data subject’s behalf. We will always notify data subjects where a request has been made on their behalf and we will seek their consent to respond to the request.

 

We will not charge you to respond to your request. Where repeat requests have been submitted for the same personal data we may charge you a reasonable fee to cover administrative costs. We may refuse to comply with your request if it is excessive, e.g. the same request submitted repeatedly, or malicious. Where additional genuine requests have been made our new response may only cover the time period between our previous response and the present or only the data that have undergone any change since your previous request.

 

Wherever we refuse to comply with your request our response will always include the reasons why your request has been declined, your right to make a complaint to the supervisory authority and your ability to seek to enforce your request through the courts.

 

Please note, we are only obliged to provide copies of your personal data we process. Therefore, the format you receive our response in may differ from the format we hold your data in. Additionally, we are not obliged to share any data that is not your personal data. This includes any redactions that we may make prior to sharing the data with you. These are usually carried out to protect the privacy of other persons.

 

In all cases we will aim to provide a fast and satisfactory response and where unable to do so to keep you informed of the progress and reasons for the delay.

 

SAR for Personal Data of Children

Whilst Notts SVSS does not support children as its main objective it may process personal data of children on occasions. Where a SAR is made by a child we will consider whether the child is mature enough to understand their rights and respond directly to them where appropriate. We will allow the parent or guardian to exercise the child’s rights on their behalf if the child authorises this, or if it is evident that this is in the best interest of the child. If the child is competent, they may authorise someone else, other than a parent or guardian, to make a SAR on their behalf.

 

How We Process Personal Data

In the sections below we outline how and when we collect your personal data, what personal data we collect and why. We also explain who may see your personal data if you share it with us, what security measures we have implemented and how long we retain your personal data for.

 

How We Collect Personal Data

We may collect personal data from you or from a third party when they share your personal data with us. There are many occasions when this could happen, for example if you:

  • Request or engage with our services.
  • Have someone else refer you in for support.
  • Enquire about our services.
  • Visit our website or social media pages.
  • Make a donation to us.
  • Apply for a job or a volunteering opportunity.
  • Choose to provide feedback or
  • Otherwise provide us with personal data.

 

This may be when you telephone us, go onto our website, email us, send us a letter through the post or talk to us in person.

 

What Personal Data We Process

The personal data we process might include:

  • Identity data such as your first name, last name and date of birth.
  • Information about your background such as your ethnicity, religious or philosophical beliefs, disabilities, sexual orientation, employment and immigration status.
  • Contact data such as your email address, home address and telephone number.
  • Health data such as details of your physical and mental health and wellbeing, your assessments, plans relating to your treatment, accessed support and services and notes from your therapy or any other accessed support.
  • Information about your experience or the experiences of a friend or relative.
  • Contacts with our organisation including the contents of our conversations and correspondence with you.
  • Criminal offences and details of perpetrators.
  • Internet behaviour data, such as cookies.
  • Complaints and organisational issues or disputes.

 

Why We Process Personal Data

Notts SVSS is established for charitable purposes only, in particular to relieve the trauma, distress and/or suffering of victims of rape, indecent assault and all other forms of sexual abuse, including but without limitation sexual harassment. Specifically, we may use your personal data to:

  • Provide you with information and support.
  • Administer activities relating to our services, such as updating you with important administrative messages, identifying you when you contact us or keeping our records in a good order.
  • Recruit new staff and volunteers.
  • Improve our services and to enhance your experience with us.
  • Personalise our website to tailor it to your needs.
  • Provide reports and feedback to our supporters and funders.
  • Comply with various legal obligations, including legislation relating to health and social care, and statutory obligations.

 

Who Sees Your Personal Data and Who We Share It With

Your personal data is processed by our staff and volunteers at Notts SVSS and any sub-contractors Notts SVSS contracts to deliver services on our behalf. Notts SVSS also uses third party provided software and organisations assisting Notts SVSS with tasks such as record keeping, IT, administration and finances. We consider these third parties to be our data processors. Where these third party organisations have access to your personal data they only ever act on behalf of and as instructed by Notts SVSS. Where required by law, your personal data may also be shared with legal and regulatory authorities. All involved parties are bound by confidentiality and data sharing agreements.

 

Notts SVSS operates a strictly confidential service for its service users. We only break confidentiality under exceptional circumstances or where we are legally obliged to provide your personal data even without your permission. These include a risk of harm to yourself or others, child protection or safeguarding matters, prevention of harm to yourself or others, the investigation or prevention of serious crime including terrorism or a Court Order. Please read our Confidentiality Policy for further details.

 

There may be times where Notts SVSS needs to share your personal data with other agencies and professionals who are also involved in your care. This is to ensure an effective and joined up approach is adopted to meet your needs. However, unless we have a legal responsibility to share your personal data without your consent, we will always seek your permission first and we will only share your personal data that is relevant to your care unless agreed otherwise.

 

Notts SVSS shares statistical and depersonalised information when applying for funding, monitoring how funds are spent and responding to requests for information from Government offices, the Charity Commission and other reputable organisations.

 

We will never sell or share your personal data to organisations so that they can contact you for any marketing activities.

 

How We Protect Your Personal Data

We take the security of your personal data extremely seriously. We have implemented appropriate physical, technical and organisational measures both on and off-line to protect your personal data, such as-

  • Keeping electronic data off premises.
  • Keeping paper files in locked filing cabinets in locked offices and storage areas.
  • Following the locking up procedure at the premises and the individual offices.
  • Destroying paper-based data securely by cross-cut shredding or disposing of them as ‘confidential waste’ with reputable companies.
  • Carrying out regular updates of our devices, antivirus and anti-malware software and all of our other software.
  • Using firewalls, intrusion detection and prevention systems and encryption.
  • Encrypting and password protecting sensitive documents and data at all times.
  • Pseudonymising and anonymising records where possible.
  • Arranging ongoing training and awareness raising for staff, trustees and other Notts SVSS affiliated individuals.
  • Conducting background checks and vetting for staff, trustees and other Notts SVSS affiliated individuals.
  • Setting out comprehensive policies and procedures that align with best practices and standards.
  • Ensuring data sharing contracts and confidentiality agreements with data processors are in place.
  • Conducting regular assessments to identify, assess, and mitigate data protection risks.

 

Furthermore, we will-

  • Be especially careful and sensitive when engaging with vulnerable people or those we have a reason to believe might be vulnerable.
  • Be especially careful when dealing with special categories of personal data or data that is relating to criminal convictions and offences.
  • Always act in accordance with our legal obligations outlined at the beginning of this Privacy Notice and our internal policies and procedures.

 

How Long We Keep Personal Data For

We only keep your personal data for as long as it is necessary for the purpose the personal data has been collected for. We carry out periodic deletion of personal data, whose retention period has expired and/or when the need to continue holding such personal data has ceased. At the end of the retention period the personal data is erased or destroyed securely.

 

Notts SVSS may keep anonymised data for statistical purposes, for applying for funding, monitoring how funds are spent and responding to requests for information from Government offices, the Charity Commission and other reputable organisations. Personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable is not governed by the data protection legislation and therefore is not subject to the same retention policy as the personal data. However, wherever possible, we aim to destroy anonymised data that is no longer necessary.

 

Do You Have to Provide Your Personal Data to Engage with our Services?

You can choose not to provide us with your personal data, however it may impact the support we can offer you. Whilst certain services, such as the Helpline, can be accessed anonymously other services, such as the Counselling, require certain personal data to keep you safe during the support. These are your name, date of birth, contact details and your registered GP details.

 

It is your right to ask us to erase your personal data at any point but please be advised we need certain personal data to support you. An erasure of that personal data may lead to ending your support. In certain cases we may refuse to comply with your request, for example if we have a legitimate interest or a legal obligation to keep processing your personal data. However, any refusal will be communicated to you along with the accompanying reasons.

 

Job Applicants, Automated Decision-Making and Profiling

Notts SVSS is the data controller for the information you provide during the recruitment process unless stated otherwise. The information we ask for is used to assess your suitability for employment, to progress your application and/or to fulfil legal or regulatory requirements if necessary. You do not have to provide all information but it might affect your application if you choose not to do so. We will not share any of your personal data you provide during the recruitment process with any third parties except for our data processors, nor will we use and/or share any of your personal data for marketing purposes. All personal data will be processed securely by us and/or our data processors.

 

As part of our recruitment process, we ask for equal opportunities information. This is not mandatory and choosing not to provide us with this information will not affect your application. Our recruitment team will have access to all information provided on your application. However, equal opportunities information will only be made available outside of our recruitment team including hiring managers in a way which cannot identify you. We may also ask you to complete tests and/or to attend an interview during which further information can be generated by you and by us. For example, you may complete a written test or we may take interview notes.

 

We use third party recruitment agencies to carry out certain elements of our recruitment process for us. We consider these our data processors and we have contracts in place with them. This means that they cannot process your personal data in any other way than we have instructed them and that they uphold the same data protection standards as us. They will not share your personal data with anyone apart from us.

 

All personal data of unsuccessful candidates is kept in our talent pool for 6 months following the job interview. Should any further suitable vacancies arise we will proactively contact you. You can contact our recruitment team via the contact details provided on our vacancy adverts or our Data Protection Manager using the contact details above if you would like us to remove your details sooner or retain them in our talent pool for longer. Equal opportunities data is anonymised and kept indefinitely.

 

We use automated decision-making during our recruitment process. This is to help us to receive applications from candidates that fit the essential criteria for the vacancy. Under the UK GDPR you have the right to contest the decision and to ask for a review of your application by a human person. You can contact our recruitment team via the contact details provided on our vacancy adverts or our Data Protection Manager using the contact details stated at the beginning of this policy.

 

Contractors, External Agencies and Members of the Public

Notts SVSS may process personal data of other professionals and members of the public whilst carrying out its set charitable goals. This may happen when-

  • You visit our social media.
  • Your details are passed onto us by a service user or another third party.
  • You send in a referral on behalf of someone.
  • You request information about a service user.
  • You carry out a service as a contractor for Notts SVSS, e.g. a support literature translation.

 

Examples of what personal data we may process include-

  • Identity data such as your first name, last name and job role.
  • Contact data such as your email address and telephone number.
  • Contacts with our organisation including the contents of our conversations and correspondence with you.
  • Internet behaviour data, such as cookies.
  • Complaints and organisational issues or disputes.
  • Bank details.
  • Insurance details.
  • Qualifications details or references.

 

We process your personal data in order to-

  • Support our service users in an effective, efficient and holistic manner including but not limited to multi-agency working.
  • Contact you and pay you if you are in a contractual relationship with us.
  • Improve our services and to enhance your experience with us.
  • Personalise our website to tailor it to your needs.
  • Provide reports and feedback to our supporters and funders.
  • Comply with various legal obligations, including legislation relating to health and social care, and statutory obligations.

 

We recognise our duty and obligations to process your personal data with the same care and standard as the personal data of other data subjects. We will only process your personal data for the purposes it has been obtained for and only retain it as long as it is necessary for such purposes. Furthermore, we will uphold the same standard of security measures and protocols when processing your personal data and we will not share your data with any third party without your consent. We will never sell or share your personal data to organisations so that they can contact you for any marketing activities.

 

You can exercise any of your data subject rights in regards to your personal data as outlined in the above sections at any time.

 

CCTV

We do not operate any CCTV; however, CCTV may be present at our premises either operated by other organisations or by the premises owner. We do not consider these parties our data processors and they do not act on our behalf. We would recommend inspecting Privacy Notices or Privacy Policies of said third parties if you wish to learn how they process your personal data.

 

Website

We use a third party service, Google Analytics (GA), to collect standard internet log information and behaviour patterns in the form of cookies (details of which can be found on Google’s developer guides) of our nottssvss.org.uk website visitors. We use the information to find out things such as the number of visitors to the various parts of the website, use of our web pages and journeys through the website. Disabling optional cookies on your internet browser will stop GA from tracking any part of your visit to our website. We consider Google to be our data processor.

 

We also gather general information such as which pages users visit most often and which services, events or facilities are of most interest. We may also track which pages users visit when they click on links in Notts SVSS emails. This information is used to personalise the way our website is presented, to make improvements to our website and to ensure we provide the best service for users.

 

We use h2o digital, a third party service, to manage and maintain our website.

 

Consent Coalition

This Privacy Notice fully applies to the Consent Coalition initiative which Notts SVSS hosts on its website nottssvss.org.uk/consent-coalition/. Consent Coalition processes personal data in line with Notts SVSS Data Protection policies.

 

Cookies

A cookie is a small file which asks permission to be placed on your device. Once you agree, the file is added and the cookie helps analyse web traffic or lets you know when you visit a particular website. Cookies allow web applications to respond to you as an individual. The web application can tailor its operations to your needs, likes and dislikes by gathering and remembering information about your preferences. We use traffic log cookies to identify which pages are being used. This helps us analyse data about webpage traffic and improve our website in order to tailor it to users’ needs. We only use this information for statistical analysis purposes. Overall, cookies help us provide you with a better website by enabling us to monitor which pages you find useful and which you do not. A cookie in no way gives us access to your device or any information about you, other than the data you choose to share with us. Additionally, the data you share with us via cookies cannot personally identify you to us. You must always accept mandatory cookies to enable our website to function correctly. You can choose to accept or decline optional cookies. If you accept, please note we keep the personal data collected via cookies for 12 months. Most web browsers automatically accept cookies, but you can usually modify your browser setting to decline cookies if you prefer. However, this may prevent you from taking full advantage of the website.

 

Shareable images

On our website, we have included content from Instagram and have shareable images, which can be shared to other social media platforms.  This helps to promote web pages (e.g. “like”, “pin”) or share (e.g. “tweet”) on social networks. This content is embedded with code derived from those social media sites.  This content might store and process certain information for personalized advertising. You should exercise caution and look at the Privacy Policy or Privacy Notice applicable to the website/social media platform in question before sharing such content.

 

Making Referrals

If you wish to make a referral through our website we have put measures in place to ensure that your data is kept safe. Our website is secure and any information that is sent through the referral forms is encrypted between the website and our email. Our website database is turned off; this means that any information you submit through our referral form is not stored on our website.

 

Links to Other Websites

Our website and social media accounts may contain links to other websites of interest. However, once you have used these links to leave our site, you should note that we do not have any control over that other website. Therefore, we cannot be responsible for the protection and privacy of any information which you provide whilst visiting such sites and such sites are not governed by this Privacy Notice. You should exercise caution and look at the Privacy Policy or Privacy Notice applicable to the websites in question.

 

Social Media

We use a specialist social media agency, Shake Social, to manage our social media communications. We consider Shake Social to be our data processor. We also have designated members of staff at Notts SVSS who access and post onto our social media accounts as required. All messages sent to our social media accounts will be stored on our accounts for 6 months before being deleted. This enables us to refer back to messages where there is a query and to capture statistical data for our reports. Any messages sent by known service users that are of a concerning nature or where a risk is identified may become a part of our client records and be treated as such. All of our social media accounts and work adhere to our Data Protection and Confidentiality Policies.

 

Email Newsletter

If you choose to join our email newsletter, the email address that you submit to us will be forwarded to our MailChimp account. We consider MailChimp to be our data processor. Your email address will remain within MailChimp’s database for as long as we continue to use it for our newsletter or until you request to be removed from the list. You can do this by using the unsubscribe link contained in every email newsletter or by emailing us directly at admin@nottssvss.org.uk. When requesting removal via email, please send your request to us using the email account that is subscribed to the mailing list to allow us to verify you.

 

Direct Marketing

If Notts SVSS wishes to use your personal data for the purpose of ‘direct marketing’ (e.g. of courses or new services on offer), we will inform you at the time of collecting your data. You will be provided with the opportunity to opt into being contacted for this purpose by ticking an opt-in box. We will never opt you into direct marketing without your explicit consent. All direct marketing recipients will be given the option to opt-out in a clear and easy to understand way at any point. Upon opting-out we will immediately stop processing your personal data for the purpose of direct marketing and we will delete your personal data immediately unless there are other purposes for which your data has been collected and is still necessary. Direct marketing is an optional opt-in service and should never be a condition to access support from, gain employment with or otherwise interact with Notts SVSS.

 

Data Breaches

It is our duty to inform you if your personal data is involved in a data breach and it is likely to result in a high risk to your rights and freedoms. At minimum, we will also tell you the name and the contact details of our Data Protection Officer or another contact person from whom you can seek support and/or further information, we will describe the likely consequences of the personal data breach and we will tell you what we have done or are planning to do to address or to mitigate the personal data breach and its consequences.

 

We encourage you to contact our Data Protection Manager or our Data Protection Officer using the contact details stated at the beginning of this policy should you have any concerns or require support, advice or further information.

 

Complaints

In the event that you wish to make a complaint about how your personal data is being processed by Notts SVSS, you can contact the Data Protection Manager using the contact details above. If you are not satisfied with how your complaint has been, or is being, handled, you have the right to lodge a complaint directly with the Information Commissioner’s Office who is the identified supervisory body: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, Tel: 0330 8303 0338, Website: www.ico.org.uk.

 

We would be grateful if you would contact us first if you do have a complaint so that we can try to resolve it for you.

 

Changes to Our Privacy Notice

Our Privacy Notice is reviewed regularly to ensure that it reflects how we process your personal data. Any changes will be notified to you by updating the Privacy Notice so please review this document regularly to see if any changes have been made that are important to you.