We use google analytics to monitor activity throughout our website including which pages you visit and on what type of device but we have no way of identifying any of your personal data or you personally from this information.

Your photos and names will only be used on our website with your explicit consent but if you see a photo of yourself that you are not happy with, please don’t hesitate to contact us.

Your data may also be available to our website provider to enable us and them to deliver their service to us, carry out analysis and research on demographics, interests and behavior of our users and supporters to help us gain a better understanding of them to enable us to improve our services.  This may include connecting data we receive from you on the website to data available from other sources.  Your personally identifiable data will only be used where it is necessary for the analysis required, and where your interests for privacy are not deemed to outweigh their legitimate interests in developing new services for us.  In the case of this activity the following will apply:

1. Your data will be made available to our website provider
2. The data that may be available to them include any of the data we collect as described in this privacy policy.
3. Our website provider will not transfer your data to any other third party, or transfer your data outside of the EEA.
4. They will store your data for a maximum of 7 years.
5. This processing does not affect your rights as detailed in this privacy policy

If you have any questions or concerns regarding data protection, please contact us on:
01686 621586 or [email protected]

1 Introduction

1.1 In the course of their work Ponthafren Association employees will come into contact with or use confidential information about fellow employees, service users, volunteers, trustees and other organisations, for example their names and home addresses.

1.2 In order to operate effectively Ponthafren Association has to collect and use relevant information on service users, carers, organisations, employees, trustees and volunteers. The information is held exclusively Ponthafren Association for the purpose of providing a confidential support and information service to people experiencing mental distress and their carers in order for them to access the services that they need.

1.3 The General Data Protection Regulations 2016 (GDPR) contain principles affecting personal records. Information protected by the Regulations includes not only personal data held on computer but also certain manual records containing personal data, for example employee personnel files that form part of a structured filing system.

1.4 The purpose of this policy is to ensure that employees do not breach the Regulations. If there is any doubt about what can or cannot be disclosed and to whom, the personal information must not be disclosed until further advice is sought from Ponthafren Association Data Protection Officer (DPO).

1.5 Staff and volunteers must be made aware that they may be criminally liable if they knowingly or recklessly disclose personal data in breach of the Regulations. A serious breach of data protection is also a disciplinary offence and will be dealt with under the disciplinary procedures. If an employee accesses another employee’s personnel records without authority, this constitutes a gross misconduct offence and could lead to summary dismissal. Please see the Data Breach Policy guidance on handling a breach.

1.6 Ponthafren Association has a responsibility to all individuals and the security of their data and so will ensure that all other organisations with whom Ponthafren shares data are also GDPR compliant.

2 The Data Protection Principles

2.1 There are six principles that are central to the regulations. Ponthafren Association and all of its employees must comply with these principles at all times in their information-handling practices. In brief, the principles state that personal data must be:-

1. ‘Processed lawfully, fairly and in a transparent manner in relation to individuals’. Special category data and criminal offence data both require additional lawful bases as well as one of the standard bases (consent, legitimate interests, contract, legal obligation, vital interests, and public task). “Special categories” include: Race, Ethnic origin, Politics, Religion, Trade Union Membership, Health, Sex life, Sexual orientation.
   Please refer to Appendix A for an explanation of lawful bases for personal data, special category data, and criminal offence data.
2. ‘Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with initial purposes'.
3. ‘Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed’. Ponthafren Association will review personnel files on an annual basis to ensure they do not contain a backlog of out-of-date information and to confirm that there is sound business reason requiring information to continue to be held.
4. ‘Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay’. If personal information changes, for example a change of address, an employee must inform their line manager as soon as practicable so that Ponthafren Association’s records can be updated. The organisation cannot be held responsible for any errors unless it has been notified of the relevant change. Staff should update the relevant data as soon as possible if a member’s data needs to be amended.
5. ‘Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals’.
6. ‘Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures’.

2.2 Different categories of data will be retained for different time periods, depending on legal, operational and financial requirements. Please refer to the Archiving Policy for a breakdown of retention periods.

3 Rights of Individuals

There are circumstances where any or all of the following rights can be waived. Please see individual sections for details.

1. The right to be informed
   Individuals have the right to be kept informed about the collection and usage of their data. Concise, transparent privacy notices must be supplied in plain and clear language to explain what information we hold, what we use it for, who we share it with, and how long we will keep it.
2. The right of access
   Individuals have a right to be able to access their own information and have a right to verify the lawful basis for processing their data. The Association has one month to satisfy the request.
3. The right to rectification
   Individuals have the right to demand the rectification of the data where it is found to be incorrect. The request can be verbal or in writing and the Association has one month to respond to the demand.
4. The right to erasure
   Individuals have the right to ask for their information to be deleted or to withdraw their consent for processing. The request can be verbal or in writing and the Association has one month to respond.
5. The right to restrict processing
   Individuals have the right to demand that the Association restrict the processing of their information. The Association may still store the data but not use it. The request may be verbal or in writing and the Association must respond within one month.
6. The right to data portability
   Individuals have a right to reuse their personal data across multiple services and the Association has an obligation to provide that data in a commonly accessible electronic format upon request. The data subject is the owner of that data, not the Association.
7. The right to object
   Individuals have the right to object to the use of their data in cases of direct marketing (including profiling), processing for historical/scientific research and statistics, or processing where the lawful basis has been decided as ‘legitimate interests’ or ‘public interest’.
8. Rights in relation to automated decision making and profiling
   Individuals have various rights in relation to automatic decision making and profiling. These are detailed within the GDPR legislation and guidance but are not currently relevant to Ponthafren Association.

4 Periods of Retention

4.1 Ponthafren Association will not retain data for any long than is required in order to fulfil its legal obligations or to provide its services to a satisfactory standard. Please see appendix B for an outline of retention periods.

4.2 The Association, under guidance from the Data Protection Officer, will regularly audit the archiving and filing systems of all aspects of the Association to ensure that no data which is no longer required or permitted to be retained is kept.

5 Data Protection Officer (DPO)

5.1 Ponthafren Association’s DPO role resides with the role of the Central Resources Manager within Ponthafren Association, Longbridge Street, Newtown, Powys, SY16 2DY. Contact details are: Tel: 01686 621 586 e-mail: [email protected]

5.2 The DPO must retain a sense of detachment to avoid a conflict of interests. If the current DPOs role becomes such that a conflict of interests arises between their roles, the person currently assigned as the DPO must be reconsidered. As such the DPO must not be coerced or punished for carrying out the responsibilities under the GDPR.

5.3 The DPO’s responsibilities and tasks are:

• to inform and advise individuals about their obligations to comply with the GDPR;
• to monitor compliance with the GDPR and other data protection laws, and with your data protection polices, including managing internal data protection activities;
• raising awareness of data protection issues, training staff and conducting internal audits;
• to advise on, and to monitor, data protection impact assessments;
• to cooperate with the supervisory authority; and
• to be the first point of contact for supervisory authorities and for individuals whose data is processed (employees, customers etc).

5.4 The organisation’s responsibilities to the DPO are that:

• the DPO is involved, closely and in a timely manner, in all data protection matters;
• the DPO reports to the highest management level of your organisation, ie board level;
• the DPO operates independently and is not dismissed or penalised for performing their tasks;
• you provide adequate resources (sufficient time, financial, infrastructure, and, where appropriate, staff) to enable the DPO to meet their GDPR obligations, and to maintain their expert level of knowledge;
• you give the DPO appropriate access to personal data and processing activities;
• you give the DPO appropriate access to other services within your organisation so that they can receive essential support, input or information;
• you seek the advice of your DPO when carrying out a Data Protection Impact Assessments;
• And you record the details of your DPO as part of your records of processing activities.

6 Right of Access

6.1 Individuals have the right, upon request, to receive a copy of the personal information that the organisation holds about them, including their personnel file, and to demand that any inaccurate data be corrected or removed. They have the right on request:

• To be told by the organisation whether and for what purpose personal data about them is being processed.
• To be given a description of the data and the recipients to whom it may be disclosed.
• To have communicated in an intelligible form the personal data concerned and any information available as to the source of the data.
• To be informed of the logic involved in computerised decision-making. (E.g. how automated decisions are made)

6.2 Upon request, the organisation will provide the individual with a statement regarding the personal data held about them. This will state all the types of personal data that the organisation holds and processes about them and the reasons for which they are processed. If an individual wishes to access a copy of any personal data being held about them, they must make a written request for this. Ponthafren Association must provide this information free of charge and within one month from the date of the request. Requests must be made to the Data Protection Officer. Ponthafren reserves the right to challenge persisted or excessive subject access requests (SARs) and either refuse to comply or charge a suitable administrative fee for costs incurred. If the SAR is refused, the reasons as well as the individual’s right to complain and take remedy within one month must be explained to the individual.

6.3 If an individual wishes to make a complaint that these rules are not being followed in respect of personal data that Ponthafren Association holds about them, they should raise the matter with the Data Protection Officer. If the matter is not resolved to their satisfaction, it should be raised as a formal grievance under the Ponthafren Association’s grievance procedure. The individual also holds the right to contact the Information Commissioner’s Office if they feel the Association is not complying with the GDPR.

7 Consent to Personal Information Being Held

7.1 Ponthafren Association holds personal data about its staff. By signing the terms and conditions of employment, they consent to that data being processed by the organisation. Agreement to Ponthafren Association processing personal data is a condition of employment. The organisation also holds limited sensitive personal data about its employees and, by signing the contract of employment, they give explicit consent to the organisation holding and processing that data, for example sickness absence records, health needs and equal opportunities monitoring data.

8 Obligations In Relation To Personal Information

8.1 All employees must ensure that they comply with the following guidelines at all times:

• Not to give out confidential personal information except to the data subject. In particular, it should not be given to someone from the same family or to any other unauthorised third party unless the data subject has given their explicit consent to this. 
• Be aware that those seeking information sometimes use deception in order to gain access to it. Always verify the identity of the data subject and the legitimacy of the request, particularly before releasing personal information by telephone. 
• Only transmit personal information between locations by fax or e-mail if a secure network is in place, for example, a confidential fax machine or encryption is used for e-mail

8.2 If a request is received for personal information about another employee, it should be forwarded to the Data Protection Officer, who will be responsible for dealing with such requests.

8.3 Ensure any personal data that they hold is kept securely, either in a locked filing cabinet or, if computerised, it is password protected.

8.4 Compliance with the Regulations is the responsibility of each employee. If they have any questions or concerns about the interpretation of these rules they must consult with the Data Protection Officer.

Appendix A: Bases for Lawful Processing

Standard Lawful Bases for Processing Data (see Article 6 of the GDPR for more detail)

1. Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
2. Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
3. Legal Obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
4. Vital Interests: the processing is necessary to protect someone’s life.
5. Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
6. Legitimate Interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.

An Additional Lawful Bases for Processing Special Category Data must also be sought (see Article 9 of the GDPR for detail)

1. The data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where Union or Member State law provide that the prohibition referred to in paragraph 1 may not be lifted by the data subject;
2. Processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject;
3. Processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent;
4. Processing is carried out in the course of its legitimate activities with appropriate 
   safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects;
5. Processing relates to personal data which are manifestly made public by the data subject;
   
   Processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity;
6. Processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject; 
   h) Processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3;
7. processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy;
8. processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.

An Additional Lawful Bases for Processing Criminal Offences Data must be sought (see Article 10 of the GDPR for detail)

“Processing of personal data relating to criminal convictions and offences or related security measures based on Article 6(1) shall be carried out only under the control of official authority or when the processing is authorised by Union or Member State law providing for appropriate safeguards for the rights and freedoms of data subjects. Any comprehensive register of criminal convictions shall be kept only under the control of official authority.”

Appendix B: Confidentiality statement for staff and volunteers

When working for Ponthafren Association, you will often need to have access to confidential information which may include, for example:-

• Personal information about individuals who are service users or part of member organisations or otherwise involved in the activities organised by Ponthafren Association.
• Information about the internal business of Ponthafren Association.
• Personal information about colleagues working for Ponthafren Association.
• Information about trustees and others attending management meetings

Ponthafren Association is committed to keeping this information confidential, in order to protect people and Ponthafren Association itself.

‘Confidential’ means that all access to information must be on a need to know and properly authorised basis. You must therefore only use the information that you have been authorised to use, and for purposes that has been authorised. You should also be aware that under the General Data Protection Regulations, unauthorised access to data about individuals is a criminal offence.

You must assume that information is confidential unless you know that it is intended by Ponthafren Association to be made public. Passing information between Ponthafren Association offices does not count as making it public, but passing information to another organisation / individual does count.

You must also be particularly careful not to disclose confidential information to unauthorised people or cause a breach of security. In particular you must:

• Not compromise or seek to evade security measures (including computer passwords)
• Be particularly careful when sending information between the offices 
• Not gossip about confidential information, either with colleagues or people outside Ponthafren Association.
• Not disclose information — especially over the telephone — unless you are sure that you know who you are disclosing it to and that they are authorised to have it.

If you are in doubt about whether to disclose information or not, do not guess. Withhold the information while you check with an appropriate person whether the disclosure is appropriate.

Your confidentiality obligations continue to apply indefinitely after you have stopped working for Ponthafren Association.