Personal Information Privacy Charter
Contents
- Transparency
- What is personal data?
- Who does the GDPR apply to?
- What are my rights?
- How we use your data?
- When we share personal data
- When we publish personal data
- How long will we keep data?
- What if my details are inaccurate or incomplete?
- How do I ask to see the data we hold about you?
- Do you transfer my personal data outside of the European Economic Area?
- Can I withdraw my consent or request my personal data be deleted?
- What are the consequences if I do not supply the requested personal data?
- Will my data be used for automated decision making?
- How do I make a complaint about how my personal data has been handled?
- Contacts
- Changes to the Personal Information Charter
Inspire is committed to the responsible handling and security of personal data. Your privacy is important to us and it is protected in law through the UK GDPR, EU GDPR, the Data Protection Act 2018 (DPA 2018), and/or the other updated legislation.
We must provide you with information setting out how we process your personal data. This is set out below for all aspects of the Inspire Group and is intended to apply to any Inspire website, application, product, software, or service that links to it (collectively, our ‘services’).
Services will have many variations in how they manage your data operationally or within the service and a link directly to a specific privacy notice that outlines the particular privacy practices of that service are available on our website. When we make changes, we will update the relevant privacy notice.
Transparency
Transparency is an overarching obligation under the both UK and EU GDPR, applying to three central areas:
(1) the provision of information to data subjects related to fair processing;
(2) how data controllers communicate with data subjects in relation to their rights under the UK and EU GDPR; and
(3) how data controllers facilitate the exercise by data subjects of their rights. Insofar as compliance with transparency is required in relation to data processing under Directive (EU) 2016/6803, these guidelines also apply to the interpretation of that principle.
Transparency is a long established feature of the law and is about engendering trust in the processes which affect the citizen by enabling them to understand, and if necessary, challenge those processes. It is also an expression of the principle of fairness in relation to the processing of personal data expressed in Article 8 of the Charter of Fundamental Rights of the European Union. Under the GDPR (Article 5(1) (a) 6), in addition to the requirements that data must be processed lawfully and fairly, transparency is now included as a fundamental aspect of these principles.
Transparency is intrinsically linked to fairness and the new principle of accountability under the GDPR. It also follows from Article 5.2 that the controller must be able to demonstrate that personal data are processed in a transparent manner in relation to the data subject.
What is personal data?
Personal data is data which identifies an individual directly or indirectly, in particular by reference to an identifier such as their name or a reference number.
Some personal data is more sensitive in nature and requires more careful handling. GDPR defines ‘special categories of personal data’ which means data relating to a living person’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health or data concerning someone’s sex life or sexual orientation.
Who does the UK/EU GDPR apply to?
UK including NI
The EU GDPR is an EU Regulation and it no longer applies to the UK. However, if you operate inside the UK, you will need to comply with UK data protection law.
UK GDPR means the EU GDPR as it applies in the UK after the end of the transition period (as set out in Article 126 of the EU-UK Withdrawal Agreement) by virtue of section 3 of the European Union (Withdrawal) Act 2018.
The Information Commissioner’s Office (ICO) in UK has set out its view on who GDPR applies to:
- GDPR applies to ‘controllers’ and ‘processors’.
- A controller determines the purposes and means of processing personal data.
- A processor is responsible for processing personal data on behalf of a controller.
- If you are a processor, GDPR places specific legal obligations on you; for example, you are required to maintain records of personal data and processing activities. You will have legal liability if you are responsible for a breach.
- However, if you are a controller, you are not relieved of your obligations where a processor is involved – GDPR places further obligations on you to ensure your contracts with processors comply with the GDPR.
- The UK/EU GDPR applies to processing carried out by organisations operating within their relevant jurisdiction. It also applies to organisations outside the UK/EU that offer goods or services to individuals in the UK/EU.
- The GDPR does not apply to certain activities including processing covered by the Law Enforcement Directive, processing for national security purposes and processing carried out by individuals purely for personal/household activities.
What are my rights?
You have rights under the UK and EU GDPR and also the Data Protection Act 2018 (DPA 2018). These are listed in full on the ICO website or DPC Ireland website.
How we use your data?
We process your personal data in a number of ways to deliver public services. We will inform you at the point of collection via a specified service privacy notice, the reasons why we need your information, how your information is being collected, what we will do with it and who we will share it with. In some cases we may pass it on to our associates, partners or representatives to do these things on our behalf.
When we share personal data
We share or disclose personal data where we are required to so by law or to provide services to fulfil our public task. Where we know there is a requirement to share your personal data we will tell you why and who we will share your personal data with. We will ensure that the data processor agrees to handle your data in conformity with your rights.
How long will we keep data?
Inspire retain information for various reasons, primarily to ensure accountability. When we no longer need personal data, arrangements are made to securely delete or destroy it. Records periods are set in line with statutory, regulatory, legal, security reasons or for their historic value. Details will be on the relevant specific service privacy notice.
What if my details are inaccurate or incomplete?
If you discover that the personal data we hold about you is inaccurate or incomplete, please contact us at dpo@inspirewellbeing.org so we can update your records. When doing so, please explain where you have seen it and what data you feel is inaccurate. We will aim to respond to you within one month but may extend this period to two if the request is complicated. Where we maintain that the original information held was accurate, we will explain why. If you do not agree with our decision, you have the right to complain to the ICO or DPC Ireland.
How do I ask to see the data we hold about you?
You can ask to see what data we hold about you. This is called a ‘Subject Access Request’ and can be requested by emailing: sar@inspirewellbeing.org
On receipt of your request we will acknowledge it and may ask for proof of your identity.
We will respond within one month, and exceptionally extend this by up to 2 months in complex cases. If we determine that the costs and or resources to provide you with all of the data requested, due to the volume, we may have to refuse your request or ask you to provide a contribution to meet these costs.
When you ask to see information we hold it is helpful to include as much information as possible to help us find the data you want,
Do you transfer my personal data outside of the European Economic Area?
There are instances where personal data is stored outside the European Economic Area. If your personal data is processed outside European Economic Area i.e. the United Kingdom or Ireland you will be informed of this and the safeguards that are in place e.g. Standard Contractual Clauses and/or Data Sharing Agreements, Additional Safeguards etc.
Can I withdraw my consent or request my personal data be deleted?
You have the right to request that we no longer process your personal data and delete your personal data at any time. However, agreement may not be assumed as we may have to refuse your request should the data be required to comply with a legal obligation, performance of a contract or public interest task or exercise of official authority. We may also refuse for the purposes of public health purposes, exercise or defence of legal claims or archiving purposes in the public interest, scientific research, historical research or statistical purposes.
Where this is the case and agreement is not required we will advise you of this. Prior to deletion we may anonymise and hold data for data analysis.
What are the consequences if I do not supply the requested personal data?
If you do not supply the requested personal data, it is more than likely that the service you are applying for or wish to use will not be available to you. This may have consequences in terms of non-compliance, for example not complying with specific legislation. We try to ensure that we only collect the minimum personal data that is necessary for us to offer the services to you.
Will my data be used for automated decision making?
Your personal data will not be subject to automated decision making.
How do I make a complaint about how my personal data has been handled?
If you think your data has been misused or that Inspire has not kept it secure, you should contact us in the first instance.
Contacts
For day to day use, please contact the service team you are already communicating with. They are best placed to manage general enquiries, update the accuracy of your data or provide you with information.
If they cannot help you please contact:
Anne Bill, Inspire Group Data Protection Officer, via dpo@inspirewellbeig.org
If you have a complaint about how your data is being handled, please use the following contacts making it clear which right you wish to exercise:
Information Commissioner’s Office – UK
If you’re unhappy with our response or need any advice, contact the Information Commissioner’s Office (ICO) who are the supervisory authority.
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
0303 123 1113
Email: casework@ico.org.uk
If you are a UK Resident – Inspire ensure your rights under UK GDPR. For more on your rights see: https://ico.org.uk/your-data-matters/
Data Protection Commissioner Ireland
If you are an EU Resident – Inspire have suitable safeguards in place (Standard Contractual Clauses and Data Sharing Agreements to ensure your rights under EU GDPR are not impacted and ensure that an equivalent level of protection for personal data standards of information security are maintained. For more on your rights see: https://www.dataprotection.ie/en/individuals
Any complaint to the Commissioner is without prejudice to your right to seek redress through the courts.
Changes to the Personal Information Notice
We keep our Personal Information Notice under regular review. This Personal Information Privacy Notice was last updated on 1st December 2021.