Information on consent and your choices for anyone getting support from our services
How we use your information
This privacy notice tells you what to expect when Change Grow Live collects personal information. It applies to information we collect about:
- Visitors to our website
- Data protection or freedom of information complaints
- People who use Change Grow Live services
- Job applicants, current and former Change Grow Live employees
When someone visits changegrowlive.org we collect standard internet log information and details of visitor behaviour patterns. We do this to find out things such as the number of visitors to the various parts of the site. We collect this information in a way which does not identify anyone. We do not make any attempt to find out the identities of those visiting. We will not associate any data gathered from this site with any personally identifying information from any source. If we do want to collect personally identifiable information through our website, we will be up front about this. We will make it clear when we collect personal information and will explain what we intend to do with it.
Search queries and results are logged anonymously to help us improve our website and search functionality. No user-specific data is collected by either Change Grow Live or any third party.
Security and performance
Change Grow Live uses a third party service to help maintain the security and performance of the Change Grow Live website. To deliver this service it processes the IP addresses of visitors to the Change Grow Live website.
The IP address (Internet Protocol address) is a numerical label that computers, tablets, smartphones, and other computing devices, use to identify themselves and communicate with other devices.
People who email us
Any email sent to us, including any attachments, may be monitored and used by us for reasons of security and for monitoring compliance with office policy. Email monitoring or blocking software may also be used. Please be aware that you have a responsibility to ensure that any email you send to us is within the bounds of the law.
2. Complaints and other individuals in relation to a data protection or freedom of information complaint or enquiry
People who make a complaint to us
When we receive a complaint from a person we make up a file containing the details of the complaint. This normally contains the identity of the complainant and any other individuals involved in the complaint.
We will only use the personal information we collect to process the complaint and to check on the level of service we provide. We do compile and publish statistics showing information like the number of complaints we receive, but not in a form which identifies anyone. We usually have to disclose the complainant’s identity to whoever the complaint is about. This is inevitable where, for example, the accuracy of a person’s record is in dispute. If a complainant doesn’t want information identifying him or her to be disclosed, we will try to respect that.
However, it may not be possible to handle a complaint on an anonymous basis.
We will keep personal information contained in complaint files in line with our retention policy. This means that information relating to a complaint will be retained for two years from closure. It will be retained in a secure environment and access to it will be restricted according to the ‘need to know’ principle. Similarly, where enquiries are submitted to us we will only use the information supplied to us to deal with the enquiry and any subsequent issues and to check on the level of service we provide.
Change Grow Live offers a wide variety of different services to local communities, young people, families, adults and general members of the public.
The personal information we hold on people who use our services will include their contact details, details on why they are receiving support from us and details of their contact with us. However, we only use this information to provide the service the person has requested and for other closely related purposes. For example, we might use information about people who have requested some of our service materials to find out if they would like further support from us. There may be occasions where we will share data with other organisations involved in supporting people who use our services - you can find further details on our consent page.
We will ask service users how they would like us to stay in touch with them during their treatment. Service users can update this information on their preferred contact methods at any time.
We normally retain service user records for seven years after they finish treatment with Change Grow Live, and delete their files after this.
All information held by Change Grow Live in this regard is subject to strict data protection principles to ensure the security, consistent management and compliance to Information Commissioner’s Office (ICO) standards are maintained at all times due to the confidential nature of the data filed.
Service providers reporting a breach
Public service providers are required to consider reporting serious security breaches to the Information Commissioner’s Office (ICO). We provide an online form for this purpose, we use the data collected by the form to record the breach, to make decisions about the action we may take, and as relevant in order to carry out those actions.
We retain personal information only for as long as necessary to carry out these functions, and in line with our retention schedule. This means that logs and breach reports will be retained for two years from receipt and longer where this information leads to regulatory action being taken. Change Grow Live has measures in place to ensure the security of data collected and only processes personal information in line with our policies and procedures.
When individuals apply to work at change, grow, live, we will only use the information they supply to us to process their application and to monitor recruitment statistics. Where we want to disclose information to a third party, for example where we want to take up a reference or obtain a ‘disclosure’ from the Disclosure and Barring Service we will not do so without informing them beforehand unless the disclosure is required by law.
Personal information about unsuccessful candidates will be held for 12 months after the recruitment exercise has been completed, it will then be destroyed or deleted. We retain de-personalized statistical information about applicants to help inform our recruitment activities, but no individuals are identifiable from that data.
Once a person has taken up employment with Change Grow Live, we will compile a file relating to their employment. We have to hold this information in order to employ people. The information contained in this will be kept secure and will only be used for purposes directly relevant to that person’s employment. Once their employment with Change Grow Live has ended, we will retain the file for six years after they leave Change Grow Live’s employment, and delete it after this.
Complaints or queries
Change Grow Live tries to meet the highest standards when collecting and using personal information. For this reason, we take any complaints we receive about this very seriously. We encourage people to bring it to our attention if they think that our collection or use of information is unfair, misleading or inappropriate. We would also welcome any suggestions for improving our procedures. This privacy notice was drafted with brevity and clarity in mind. It does not provide exhaustive detail of all aspects of Change Grow Live’s collection and use of personal information. However, we are happy to provide any additional information or explanation needed. Any requests for this should be sent to the address below.
Legal basis for processing data
Change Grow Live has identified the legal basis from Article 6 the GDPR for processing of personal data. This is legitimate interests Article 6(1)(f). We need to hold data on service users in order to provide support / treatment. We need to hold data on employees in order to employ them
Change Grow Live has identified the legal bases from Article 9 of the GDPR for processing of special category data on service users. These include:
- Explicit consent from the service user Article 9(2)(a).
- When this is necessary to protect the vital interests of the data subject or of another person Article 9(2)(c). Vital interests will cover situations where an individual is at risk of immediate and serious harm.
- Data has already been made public by the data subject Article 9(2)(e).
- Processing of legal claims Article 9(2)(f).
- Preventive or occupational medicine Article 9(2)(h)
- Public interest in the area of public health Article 9(2)(i).
- Research purposes Article 9(2)(g)
Change Grow Live has identified the legal basis from Article 9 of the GDPR for processing of special category data on employees. This is employment and social security law Article 9(2)(b).
Access to personal information
Change Grow Live tries to be as open as it can be in terms of giving people access to their personal information. Individuals can find out if we hold any personal information by making a ‘subject access request’ under the Data Protection Act 2018. If we do hold information about you we will:
- give you a description of it;
- tell you why we are holding it;
- tell you who it could be disclosed to; and
- let you have a copy of the relevant information requested in an intelligible form.
To make a request to Change Grow Live to receive details on any personal information we hold on you, please send your request to the relevant Change Grow Live office. You can also send your request to the Data Protection Officer, Legal Services Dept.
If you are unhappy with the way your data has been managed, you can make a complaint using Change Grow Live’s complaints procedure. You can also raise a complaint with the Information Commissioner’s Office (ICO).
Changes to this privacy notice
Change Grow Live will review this privacy notice annually or as and when required by legislation.
How to contact us
Change Grow Live, Tower Point, 3rd Floor,
44 North Road, Brighton,
East Sussex BN1 1YR
Address to Head of Legal Services, Legal Services Dept.
Alternatively please contact us at [email protected]
Privacy Impact Assessments
We consider data protection issues as part of the design and implementation of our systems, services and processes. We do this in order to identify risks associated with data processing, and to take action to mitigate against these risks.
We carry out Privacy Impact Assessments before we:
- Use new systems to process personal data
- Use new tools to communicate with service users
- Process new types of personal data
The Privacy Impact Assessment for CRiiS, our client management database, is available here. If you would like to request copies of completed Privacy Impact Assessments for any other systems, please contact [email protected].