Privacy Policy (Data Protection and GDPR) and Cookies

For any queries relating to data protection please contact admin@kasbah.org.uk or in writing to:

Data Protection Officer:  Sophie Aiken
KASBAH, 7 The Hive, Northfleet, Kent, DA11 9DE
Head office number: 01474 536 501

Summary:

This Privacy Notice explains what personal data we collect and how it is used. This notice also explains what rights you have over your personal data and how you can use those rights.

KASBAH is committed to protecting the privacy of our users. 

Fair Processing Principles:

• Your personal information is only processed with your knowledge.
• Only information that we need is collected and processed.
• Your personal information is only seen by those who need it to do their jobs.
• Personal information is retained only for as long as it is required.
• Decisions affecting you are made on the basis of reliable and up to date information.
• Your information is protected from unauthorised or accidental disclosure.
• Inaccurate or misleading data will be corrected as soon as possible.
• Procedures are in place for dealing promptly with any dispute.

All information requested is used solely for the purpose that it is intended. in accordance with the UK Data Protection Act Legislation and GDPR. We will treat your personal information as confidential and we will not disclose it to any third party except*or is required by law.

Any organisation which that KASBAH share data with is obliged to sign a data service contract requiring them to:

• Abide by the UK Data Protection Legislation and GDPR
• Have a policy for secure storage, handling, use, retention and disposal 

More information about your rights and how to exercise these is set out in the “Your rights” section of this notice.

We have updated our privacy policy to reflect the changes in data-protection laws. Any further changes will be updated when further changes come into effect.

Please read the policy carefully as it applies to our members, trainees, benefit clients, volunteers, service users, staff and trustees but does not apply to the information we hold about other companies or organisations.

It also applies even if you’re not one of our current members/service users/trainees and you interact with us for example by:

• Using one of our services – paid for by someone else
• Using one of the KASBAH services 
• Calling our Advisor helpline
• Generally enquiring about our services
• Enquiring regarding recruitment 

If you need to give us personal information about someone else in relation to our services, the privacy policy will also apply. If we need the permission of the other person to use that information, we will ask you to check they give consent to do this.

Asking for consent

☐ We have checked that consent is the most appropriate lawful basis for processing.

☐ We have made the request for consent prominent and separate from our terms and conditions.

☐ We ask people to positively opt in.

☐ We don’t use pre-ticked boxes or any other type of default consent.

☐ We use clear, plain language that is easy to understand.

☐ We specify why we want the data and what we’re going to do with it.

☐ We give separate distinct (‘granular’) options to consent separately to different purposes and types of processing.

☐ We name our organisation and any third party controllers who will be relying on the consent.

☐ We tell individuals they can withdraw their consent.

☐ We ensure that individuals can refuse to consent without detriment.

☐ We avoid making consent a precondition of a service.

☐ If we offer online services directly to children, we only seek consent if we have age-verification measures (and parental-consent measures for younger children) in place.

Recording consent

☐ We keep a record of when and how we got consent from the individual.

☐ We keep a record of exactly what they were told at the time.

Rights of Individuals and the Right to Withdraw

We want to make sure that any personal information we hold about you is up to date. if you think your personal information is inaccurate, you can ask us to correct or remove it completely.  If you are a KASBAH member, if you ask us to cancel your membership, we destroy all your information we hold. Please contact us via phone, email (admin@kasbah.org.uk) or post.

Under the Data Protection Act 1998, you have a right to know what personal information we hold about you. If you would like a copy of the information, please write to the head office address –  clearly identifying yourself and the information you require. We may ask you to provide identification to ensure we do not disclose your information to the incorrect person.

The one-month time limit for the organisation to reply to the request only starts once we have what they need in terms of proof of ID.

We might ask for more information about what information is being requested. 

Three common reasons for this are:

1. We have lots of information about the person and want to narrow down the search.
2. We need a clear understanding of what is being asked for.
3. A similar SAR was made in the past and the organisation wants to know if the same information or new information is needed.

You can always tell us that you do not wish to receive any KASBAH communications, and you will still remain a KASBAH member. However, remember, if you do not want us to get in touch, you may miss out on existing social events and useful information relevant to you or your family. 

Please note that it may take up to 60 hours to process your ‘opt out’ request.

What kinds of personal information do we collect and how do we use it?

We use your data to provide and improve our services, including research, feedback and enquiries.

We will use your data to comply with laws and regulations. 

The personal information we can request depends on the service you require. We have explained the different ways we use your personal information below.

• To provide you with KASBAH communications and services
• To act on your behalf when assisting you with other professional agencies (help with speaking to the Department of Work & Pensions, speaking to social services regarding Best Interest meetings etc)
• To gain a better understanding of how the Advisor service can assist members and members’ families 

Personal information is removed for:

• Developing our organisation and build a better understanding of what our members/members’ families needs are
• To gather statistical information for local funding

Employee information:

• An employee’s health, for the purposes of compliance with our health and safety and our occupational health obligations 
• For the purposes of personnel management and administration, for example to consider if there is a disability or health condition, whether he or she requires any reasonable adjustment to be made to assist him or her at work 
• The administration of insurance, pension, sick pay and any other related benefits in force from time to time 
• In connection with unspent convictions to enable us to assess an employee’s suitability for employment. 

We keep information you give us directly such as contact details (including name, email, address and telephone number), comments, date of birth, gender, region, feedback etc 

If there is an incident/accident of any kind, we need to log information about it.

If you engage with us online via our websites our cookies and similar technologies will capture your IP address, your location, and record how you use the site, where your browser settings or permission allows for this.

If you post information online about us or provide feedback, we may keep a record.

If you contact us directly and complain or give feedback, we will record details and all related information such as emails, letters and phone calls.

+Cookies and similar technologies

Our website uses cookies and similar technologies to improve functionality, recognise you and to customise your experience. You can reject and block cookies in your browser settings. Please see our Cookie Notice on www.kasbah.org.uk for more information.

Communicating privacy information 

We will aim to provide privacy notices through a variety of media: 

• Orally – face to face or when you speak to someone on the telephone (should also be  documented). 
• In writing – printed media; printed adverts; forms, such as financial applications or job application forms. 
• Displaying the link on our email signatures to the website to access the privacy policy and GDPR.
• Through signage – for example an information poster in a public area. 
• The privacy policy will also be linked to any GDPR documents or audits. 

Categories of Personal data obtained for anyone with disabilities:

• Personal: Name, address, date of birth, 
• Medical: medical records, medical condition, prescribed medication, doctors letters,    prescriptions, consultant letters regarding diagnosis, national insurance number, current benefits awarded

(KASBAH are compliant with the National Data opt-out policy).

Cyber security and how do we protect your information?

We have security measures in place to protect your personal information.  

• All personal information is locked away (if in hard copy format), PIN protected and/or password protected if in soft copy (e.g. any personal information on a computer storage system).  Sensitive data sent for payroll/pension processing is sent through encrypted software on a portal.   
• The IT consultant conducts monthly health checks (checking spy wear, phishing emails and ensuring anti virus software is up to date).
• Training agreements are signed on an encrypted portal.
• The router passwords are changed annually at each site.
• Each site has a ‘guest’ wifi login in order not to share site passwords.
• Shared desktop logins and email passwords are changed annually. 
• Sensitive data is password protected and if sent via email it is encrypted.
• Any hardware is disposed of by the ITC Digital. 
• The head office printer has individual pin codes for the managers who print sensitive information. 

*No information is be released to any third party or international organisation unless it meets the below criteria. 

Information we receive from third parties – *see below:

Examples of sharing:

• *Information is sometimes shared when social service care managers who make referrals into KASBAH (these emails are encrypted).
• *When the law requires us to process your data we will do so. This can include Legal, compliance, regulatory and investigative purposes, including information for government agencies and law enforcement.

How long will we hold information?

Benefit client information will be held for up to 6 months in soft format in the event of supporting an appeal at tribunal.

Trainee/Service User/Member information will be held indefinitely or until such a time deemed appropriate such as notice of a deceased, or it is requested by the member/carer to destroy all data. 

We always look to keep your data for the minimum time in line with data protection principles and our processes. See the data protection policy for full time lines.

If you unsubscribe from general correspondence we keep a record of this request indefinitely to ensure we do not send you direct mailshots again.

How we use information and the legal basis

We are allowed to use your data only if we have a proper reason to do so such as:

• To fulfil a contract we have with someone;
• When it is in our legitimate interest;
• When the person gives consent to it; or
• To comply with the law.

A legitimate interest is when we have a business or commercial reason to use your data. This involves us making an assessment of when we can rely on our legitimate interests. 

We have set out below how and why we may use your personal information and the legal basis we rely on. This is also where we tell you what our legitimate interests are.

• Our legitimate interests include keeping our records up to date, fulfilling our legal, compliance and contractual duties, working out which of our services may interest you, developing new services and projects (and telling you about them) and conducting research for this.

Further details of our legitimate interests:

• Keeping emails, for staff training, quality improvement purposes and establishing facts.
• If you post comments online or in other media we may capture this information, and use it to improve our services.
• To contact you where you provide us with feedback.
• To have a back ground history on health conditions and disability to support and advocate for the clients, service users and members.
• To check advice given is the correct, up to date and adequate advice. 

Any breaches of sharing data accidently is recorded and actioned with the outcome stated.

Information Commissioners Office

If the ICO think the organisation has not complied with its obligations they can give the organisation advice and ask it to solve the problem. They cannot award anyone compensation. Their main aim is to improve the information rights practices of organisations, where there is an opportunity for the ICO to do so.

Breach of Confidentiality

Any breach is recorded.  The DPO is informed either in writing or verbally and this in turn is relayed to management.

Serious data breaches of confidentiality will be reported to the Information Commissioner’s Office (ICO) within 72 hours.

How your information has been handled

If you have a concern about the way your personal information is held – perhaps the information about you that is incorrect, it has been held for too long, or it is not kept secure – the ICO may be able to help do something about it.

https://ico.org.uk/concerns/handling/y 

A data subject is the person whose personal data is being processed. 

Processing is anything that is done with personal data including collecting, recording, organising, structuring, storing, adapting, altering, retrieving, consulting, use and disclosure. 

A Data Controller is a person or organisation that determines why the data is being processed and how the data is processed

Cookies

Cookies are small files of information which are stored on your PC’s hard drive (“Cookies”). Cookies do not contain any Personal Information about you but allow our web server to recognise you when you visit our web site. However, if you do not wish us to use this information you may set up your website browser to reject Cookies and/or refuse Cookies when first using the web site.