Ruils is a local user-led charity that supports children and adults with disabilities and the elderly to live independently, be part of their community and to live life to the full. We provide information, advice, advocacy, befriending and activities to our clients and their families.
Ruils is defined as the ‘controller’ of the personal data you provide to us. Personal data means any information relating to an identifiable person, who can be directly or indirectly identified in particular by reference to an identifier (e.g. name, address, or identification number on an online database). We will be very clear with you that we wished to collect such information, our reason for collecting such information, and we would only do so with your specific consent and permission.
What information do we collect about you?
You have the right to be informed of the collection and use of your personal data. We collect information about you when you register with us to use our services. This includes contact details, such as you name, address, email and telephone number. We use this information to contact you where necessary in relation to using our services.
We will collect details about you in relation to any conditions or disabilities, or access requirements to ensure we provide you with the appropriate support and mitigate risk where possible.
We collect details in relation to your protected characteristics under the Equality Act to ensure we are working with a diverse range of clients and to target areas, where we feel we are not reaching people.
We also collect information from you when you voluntarily complete customer surveys and provide feedback for us. Any information shared will be anonymised with no identifying factors.
Note that in keeping with our commitment to the secure processing of personal data, Ruils’ IT system runs as a domain based on Microsoft Server 2012 R2, with workstations running a mixture of Windows 7 Pro and Windows 10 Pro, and also has a cloud-based business account with MS Office 365. Traffic between workstations and server is encrypted using Server Message Block (SMB) 3, and remote Virtual Private Network (VPN) traffic is additionally encrypted using SSL.
The server is kept physically secured in a lockable office. A hardware firewall sits between the internet and the server, with only the TCP ports necessary for VPN access open to external users. The server and all workstations also employ Microsoft’s software firewalls, and all systems are protected by AVG Business Anti-virus.
With Office 365, data is encrypted at rest and in transit, using several strong encryption protocols, and technologies that include Transport Layer Security/Secure Sockets Layer (TLS/SSL), Internet Protocol Security (IPSec), and Advanced Encryption Standard (AES). Further details about MS Office 365 encryption can be found here: https://support.office.com/en-us/article/encryption-in-office-365-0a322724-08ca-43db-b69a-afbfa20484cd
How will we use the information about you?
When you register with us, the information we collect about you helps us to ensure you receive the appropriate services and support from us. If you agree, we would like to send you Ruils’ newsletter and/or information and updates on our services that may be of interest to you by post, telephone, email or text. If you consent to being contacted in this way, you will be offered a choice on how you wish to be contacted, including an option to opt out of receiving any communication from us.
We process personal data in accordance with the Data Protection Act 2018 and any other applicable legislation (referred to as the ‘data protection legislation’). We adhere to the principles of data protection, as set out in the Data Protection Act 2018, and observe the conditions relating to the fair and lawful processing of personal data.
We will treat your information sensitively and confidentially and will not share your information with anyone, unless specifically agreed with you. We will not disclose your personal details to a Third Party without your permission unless we are concerned that either you or someone else is at risk. If any inaccurate personal data is shared with another organisation, we will tell them about the inaccuracy so they correct their records.
What legal basis do we use for processing your personal information?
Consent: Under the Data Protection Regulation there are a few lawful reasons that we can use as a basis to process your personal information. One of these lawful reasons is ‘consent.’
This means any personal information you share with Ruils is securely recorded by us, once you have given us your clear consent to do so. We will only use your personal data in order to provide the most appropriate services and support to you.
We will only share information, where appropriate, with third parties (this may include colleagues in our organisation, other support services in our organisation, other voluntary agencies or charities and those with statutory responsibility) if you have clearly agreed to it.
You have the choice to opt out of third party information sharing, but this may affect how best we provide our services and support to you. Please contact Ruils for more information on how we process information with third parties to whom you have given your consent.
Where we require consent to process a child’s personal data and where the child is under 13 years, where relevant, we will attempt to seek consent from a parent/guardian or ensure consent is in place before any data is shared with us. We will only hold personal data about children that is strictly relevant to our work with them and/or their family. When a parent or guardian has given consent on behalf of a child, we may contact that child after their 16th birthday to ensure they are happy for us to hold their information. Legitimate Interests: One of the other lawful reasons that we use as a basis to process your personal data is ‘legitimate interests.’ This means when you provide your personal information to us, we may use it for legitimate business interests that further support our charity’s objectives.
Our legitimate business interests do not automatically take priority over your interests (unless we have your consent or are otherwise required or permitted to by law). Therefore, before we use your personal data under legitimate interests, we will carefully consider and balance any potential impact on your individual interests, rights and freedoms. This means that we will process your personal details in ways that you would reasonably expect from us, which will have minimal impact on your privacy, be non-intrusive and will not cause you harm.
Some examples where we might use your personal data under legitimate interests -- providing updates on our services; informing you of community events; emailing our newsletter; or communicating information on our fundraising events. Any business interest communication with you will be relevant and tailored to your interests.
Sharing your information
We will only release information to third parties or individuals when obliged to by law, for purposes of national security, taxation and criminal investigations and where you have agreed for us to do so. We will never sell or rent your personal information to other organisations.
In certain circumstances we will disclose information to a third party without the data subject’s (your) agreement if the data subject is deemed incapable of providing consent and the third party is the individual’s authorised representative. If there is any doubt about the validity of the request, a copy of the power of attorney will be needed.
A parent or guardian can request to see personal information relating to a minor without the child’s consent. Generally children 13 years and over may be expected to have sufficient understanding to give their consent for sharing of their personal data. When assessing children for “sufficient understanding” we will consider whether the child has a reasonable understanding of what information might be shared, the main reason(s) for sharing it and the implications of sharing or not sharing the information.
Where a child cannot consent, one person with parental responsibility would be asked to consent on behalf of the child. In these circumstances we will ensure that we seek the child's views as far as possible. When seeking parental consent, we will ensure proper consideration is given to whose consent to seek. For example, where parents are separated consent should be sought from the parent with whom the child resides.
How long do we keep your information?
We hold all case files for clients on our secure database and on the Ruils secure server. Once work with our client is complete their personal data will be hidden from general view and will only be accessible to a limited number of staff.
Ruils will retain client case files on the Ruils database for seven years from the date that the case or piece of work has been completed. After seven years the client will be contacted. If you do not wish to remain on the database, your data will be safely anonymised and/or deactivated in a manner so as to put the personal record beyond use. This means that we will not be able to nor attempt to use the personal data to inform any decision in respect of any individual or in a manner that affects the individual in any way. Data that has been processed as beyond use will not be available to other organisations. We will permanently delete the information if, or when, this becomes possible.
Managing your Information: Your Rights
Under the new data protection laws, you have the following rights in respect of the personal information we hold about you.
• The right to be informed: This includes Ruils’ obligation for ‘fair processing information’ through our privacy notice, and transparency over how we will use your personal data
• The right of access: This means you have the right to access your personal data and additional information, and to be aware of and verify the lawfulness of the processing. When you request a copy of the information we hold about you, we will respond to your request within one month. Please contact us to access our Subject Access Policy for more information
• The right to rectification: This provides the right to have any personal data we hold about you corrected, if it is inaccurate or incomplete or requires to be updated
• The right to erasure: Also known as ‘the right to be forgotten’. This enables you to request the deletion or removal of personal data where there is no compelling reason for its continued processing. You can make a request verbally or in writing. Any organisations that you have consented to having your personal information shared with via our organisation will also be informed of the changes you have requested on your personal data
•The right to restrict processing: You have the right to have your personal data ‘blocked’ or suppressed. You can make a request for restriction verbally or in writing. When you restrict processing Ruils will store your personal data, but not use it. Ruils will retain your information only to ensure the restriction is respected in future. Another example of when we would restrict your personal data would be if you contested the accuracy of personal data we have on your record or the lawful basis for processing it. In this instance we would restrict your personal data, while we verify the accuracy of your personal information
• The right to data portability: This allows you to obtain and reuse your personal data for your own purposes across different services. You can also move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability
• The right to object: You can object to processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority, direct marketing and processing for the purposes of scientific/historical research and statistics. You can express your objection verbally or in writing. Upon receipt of your objection, we will stop processing your personal data for such purposes. In addition, we will always offer you choice on your preferred method of communication from us and an opt-out option to stop us from contacting you at any time
• The right not to be subject to automated decision-making including profiling: This includes making a decision solely by automated means without any human involvement, and automated processing of personal data to evaluate certain things about an individual.
We may also need to collect and share this data with our funders or commissioners in line with the terms and conditions of our funding arrangements. This information will be kept confidential and any information shared will be anonymised with no identifying factors. If it is a requirement of our funders or commissioners to provide identifying information, we will always advise you of this prior to using the service so that you can decide if you wish to proceed.
We may collect and process personal data for the purposes of business operations. This could include: administration, accounting and auditing for quality purposes, monitoring including anonymous statistical reporting to funders or commissioners, business planning etc., in accordance with the notification requirements of the Information Commissioner. We are registered with the Information Commissioner’s Office.
You are under no obligation to use our service/s and are free to stop engaging with us or withdraw consent at any time. If you have any concerns or complaints about the way we use your personal information, please don’t hesitate to get in touch with us. We will do our best to answer your questions and make things right for you.
If after speaking to us you still remain concerned, you can complain to the Information Commissioner’s Office (ICO).
If you would like to know more about your rights under the data protection law please refer to the ICO website https://ico.org.uk
If you would like a free copy of some or all of your personal information or no longer wish to be contacted by us, please contact:
Disability Action & Advice Centre
4 Waldegrave Road
Or email firstname.lastname@example.org
Or telephone 020 8831 6083