Milestones Trust

Privacy notice

This page features separate privacy notices for:

 

General Privacy Notice

Introduction

This is Milestones Trust’s general Privacy Notice. If you are an employee, volunteer or Trustee, or an applicant/candidate please refer to those separate Employee Privacy Notices.

Milestones Trust is a charitable trust limited by guarantee, registered in England under company number 2011021. Registered Charity No: 294377.

Milestones Trust is the controller for the personal information we process, unless otherwise stated.

Registered address: Unit 10, Eclipse Office Park, High Street, Staple Hill, Bristol BS16 5EL.

The Data Protection Officer for Milestones Trust can be contacted via email: dpo@milestonestrust.org.uk or by telephoning 0117 970 9300.

 

Definitions

We are required to process personal data as part of the services we offer and as an employer.

‘Processing’ can mean collecting, recording, organising, storing, sharing or destroying data.

‘Personal data’ is defined by Data Protection legislation as “any information relating to an identifiable person who can be directly or indirectly identified”. In simpler terms, it is any information about you that enables you to be identified. Personal data covers obvious information such as your name and contact details, but it also covers less obvious information such as identification numbers and CCTV images.

‘Special Category’ data is defined as personal data that is likely to be more sensitive and has extra protection under data protection law. It includes personal data about:

  • racial or ethnic origin
  • political opinions
  • religious or philosophical beliefs
  • trade union membership
  • genetic data
  • biometric data (where used for identification purposes)
  • health
  • sex life
  • sexual orientation

We are committed to being transparent about why we need your personal data and what we do with it. This information is set out in this Privacy Notice. It also explains your rights in relation to your data.

 

The lawful bases we rely on

We have to have a lawful basis for processing personal data and a separate lawful basis for processing any ‘Special Category’ data.

We have a ‘Legitimate Interest’ (GDPR Article 6(1)(f)) in processing personal information and use this as a lawful basis for processing personal data; the processing is necessary in order for us to carry out our core business aims of providing safe services to the people we support including through 3rd parties, contractors and others we work with and we couldn’t do that otherwise. We may also rely on the basis of Legal Obligation (GDPR Article 6(1)(c)) to process data, for example where we are required by law to process information. We also sometimes rely on consent e.g. as part of the application processes we have.

The Special Category data we process includes that which is related to our management of health and social care services (GDPR Article 9(2)(h) and Data Protection Act 2018 – Schedule 1, Part 1, (2)(f)) and as employers (GDPR Article 9(2)(b)). Some special category information is processed in the Substantial Public Interest (GDPR Article 9(2)(g)) such as checks we carry out around suitability of our Trustees. We also process criminal offence/convictions data where necessary (GDPR Article 10) and this includes for people providing one-to-one complementary therapy sessions with people we support. We have an Appropriate Policy Document in place for these purposes.

 

People we support

What data we process

So that we can provide a safe and professional service, we need to keep certain records about you. We may process the following types of data (including special category data):

  • Your basic details and contact information e.g. your name, address, date of birth and next of kin.
  • Your financial details e.g. details of how you pay us for your care or your funding arrangements.
  • Health and social care information about you, which might include both your physical and mental health data. This includes information provided by other services that may be working with you, e.g. Health and care workers, voluntary agencies.
  • We may also record data about your race, ethnic origin, sexual orientation or religion to support us delivering a person-centred service.
  • Information about the support and care we deliver to you e.g. daily diaries, support plans and risk assessments.
  • Information about meetings we have with you and / or that are about your support e.g., when we plan activities, if we have Best Interests meetings.
  • Information you or other people who know you have given us.
  • Information we have given you.

Why and how we process this data

We need this data so that we can provide high-quality care and support. We process your data (including special category data) because:

  • It is necessary in order for us to provide you with person-centred care and support using information that is accurate and up to date.
  • We have legal obligations to keep records of care and support.
  • It is necessary for our proper management of health and social care services.
  • We are required to provide data to our regulator, the Care Quality Commission (CQC).
  • We can refer to this information if you have a complaint about the service you’ve received.

We may also process your data with your explicit consent. This will happen if we want to use your information for a reason that’s different from why we collected it in the first place e.g., a photo to go in our internal magazine or if you wanted to be in a video for the website. If we need to ask for your consent we will offer you a clear choice and ask that you confirm consent to us before we use that information. We will also explain clearly to you what we need the data for and how you can withdraw your consent at any time.

Who we share your personal data with

Third parties are people or organisations we might lawfully ask for or share your data with. These include:

  • Other parts of the health and care system such as local hospitals, the GP, the pharmacy, social workers, clinical commissioning groups, and other health and care professionals.
  • The Local Authority.
  • Housing Associations where you have a tenancy with them.
  • Third party organisations like Access Social Care – with your permission.
  • Complementary Therapists – with your permission or as part of a Best Interests decision.
  • Your family or friends – with your permission unless already stated and/or as part of Best Interests decision making where appropriate.
  • Organisations we have a legal obligation to share information with i.e. for safeguarding, the Care Quality Commission (CQC).
  • The police or other law enforcement agencies if we have to by law or court order.

Where we process your data

We process data in the UK. This includes face to face, phone, email, website, post, application/referral forms, Connecting Care portal, systems that record information about incidents and accidents (AssessNet) and may also do this via apps.

So that we can provide you with high quality care and support we need specific data. This is collected from or shared with:

  1. You or your legal representative(s).
  2. Third parties including as part of the referral process.

 

Friends/relatives

What data we have

As part of our work providing high-quality care and support, it might be necessary that we hold the following information on you:

  • Your basic details and contact information e.g. your name and address, phone number/s and email address.
  • Information on your relationship to the person we support including any legal relationship e.g., Power of Attorney, Deputyship.

Why and how we process this data

By law, we need to have a lawful basis for processing your personal data.

We process your data because we have a legitimate business interest in holding next of kin and lasting power of attorney information about the individuals who use our service so that we are confident we are only communicating with the right people. We may ask for proof of identity before disclosing information to you.

We may also process your data with your consent. If we need to ask for your permission, we will offer you a clear choice and ask that you confirm to us that you consent. We will also explain clearly to you what we need the data for and how you can withdraw your consent.

Who we share your personal data with

Third parties are people or organisations we might lawfully ask for or share your data with. These include:

  • Other parts of the health and care system such as local hospitals, social workers and other health and care professionals.
  • The Local Authority.
  • Third party organisations like Access Social Care – with your permission.
  • Organisations we have a legal obligation to share information with i.e. for safeguarding, the Care Quality Commission (CQC).
  • The police or other law enforcement agencies if we have to by law or court order.

Where we process your data

We process your data in the UK. We do this face to face, and/or via phone, email, our website, post, application/referral forms, Connecting Care portal, systems that record information about incidents and accidents (AssessNet) and may also do this via apps. This is collected from or shared with:

  1. You
  2. Third parties including as part of the referral process

 

Third Parties (Contractors, external trainers, prospective clients/residents, corporate volunteers, complementary therapists etc.)

What data we process

We need to keep certain records about you/your company in order to ensure services are safe and we are fulfilling any obligations and responsibilities. We have a Legitimate Interest in doing this as processing is necessary in helping us be sure the services we deliver to people we support (including through visiting contractors etc.) are safe, and we could not do so otherwise. We also have a Legal Obligation to process some data.

We may process the following types of data (including special category data):

  • Basic details and contact information e.g. your name, address, contact details, company name and details, date of birth.
  • Financial details e.g. details of how you pay us for your care or your funding arrangements, or how we pay you for services delivered.
  • Health and social care information which might include both physical and mental health data only if appropriate e.g. referral information.
  • We may also record data about your race, ethnic origin, sexual orientation or religion where this is appropriate to delivering person-centred services.
  • We also process Criminal Conviction data where necessary e.g., for complementary therapists who work 1-1 with people we support. We have an Appropriate Policy Document in place for this processing.

Why and how we process this data

We need this data so that we can provide safe and high-quality care and support. We process your special category data because:

  • It is necessary in order for us to provide person-centred care and support.
  • It is necessary for our management of health and social care services.
  • We are required to provide data to our regulator, the Care Quality Commission (CQC).
  • We have to fulfil legal obligations.

We may also process your data with your explicit consent. This will happen if we want to use your information e.g., a photo, for a reason that’s different from why we collected it in the first place. If we need to ask for your permission, we will offer you a clear choice and ask that you confirm to us that you consent. We will also explain clearly to you what we need the data for and how you can withdraw your consent at any time.

Who we share your personal data with

People or organisations we might lawfully ask for or share your data with include:

  • Other parts of the health and care system such as local hospitals, the GP, the pharmacy, social workers, clinical commissioning groups, and other health and care professionals.
  • The Local Authority.
  • Third party organisations like Access Social Care – with your permission.
  • Organisations we have a legal obligation to share information with i.e. for safeguarding, the Care Quality Commission (CQC), the Health and Safety Executive (HSE).
  • The police or other law enforcement agencies if we have to by law or court order.

Where we process your data

We process data face to face, and/or via phone, email, our website, post, application forms, systems that record information about incidents and accidents (AssessNet) and may also do this via apps.

So that we can provide you with high quality care and support we need specific data. This is collected from or shared with:

  1. You or your legal representatives
  2. Other parties

 

Staff, volunteers and Trustees

We have separate Employee and Applicant/Candidate Privacy Notices, which cover our processing for applicants, candidates and staff, volunteers and trustees.

 

Our website

In order to provide you with the best experience while using our website, we process some data about you. When someone visits www.milestonestrust.org.uk we use a third-party service, Google Analytics, to collect standard internet log information and details of visitor behaviour patterns. We do this to find out things such as the number of visitors to the various parts of the site. This information is only processed in a way which does not identify anyone. We do not make, and do not allow Google to make, any attempt to find out the identities of those visiting our website. You can find more information on how cookies are used on this website in our Cookies Policy.

If we do want to collect personally identifiable information through our website, we will be up front about this. We will make it clear when we collect personal information and will explain what we intend to do with it.

 

Getting in touch

On our get in touch page we ask you to supply personal information, which allows us to get back in touch with you. Your enquiry is received by our reception team, who then forward the email on to the relevant person, depending on your enquiry. Your personal information isn’t stored and the emails are deleted by the reception team once they have been forwarded on.

 

Newsletter sign up

As part of the registration process for our Recruitment and Friends of Milestones e-newsletters, we collect personal information.

For our Recruitment e-newsletter, we use that personal information to let you know about the current Milestones Trust job opportunities. If you no longer wish to receive this, you can let us know by clicking ‘unsubscribe’ at any time.

For our Friends of Milestones e-newsletter, we use that personal information to let you know about what we’ve been up to and our upcoming events. If you no longer wish to receive this, you can let us know by clicking ‘unsubscribe’ at any time.

We may also use the information from both e-newsletters to contact you if we need to obtain or provide additional information; to check our records are right and to check every now and then that you’re happy and satisfied. We don’t rent or trade email lists with other organisations and businesses.

We use a third-party provider, MailChimp, to deliver our newsletter. We gather statistics around email opening and clicks using industry standard technologies to help us monitor and improve our e-newsletter. For more information, please see MailChimp’s privacy notice.

You can unsubscribe from general mailings at any time by clicking the unsubscribe link at the bottom of any of our emails or by emailing our marketing team on marketing@milestonestrust.org.uk.

 

Links to other websites

This privacy notice does not cover the links within this site linking to other websites. Those sites are not governed by this Privacy Notice, and if you have questions about how a site uses your information, you’ll need to check that site’s privacy statement.

 

How we protect your personal data

We have technical and organisational measures in place to protect your personal data and keep it secure. These include setting controls and permissions to folders and systems, using password protection, using secure email and making sure all staff are trained to understand their obligations around data protection. Information is stored, retained and disposed of in line with our policies and Retention Schedule and we do not keep your information any longer than we need to.

 

How long we process data for

Our Retention Schedule sets out the retention timescales for the different information we process. In line with data protection regulations we will not ask for more information than we need and do not keep data any longer than we have to.

 

Your rights

You have the following rights when it comes to your data:

  1. Right to be informed: We are transparent about how and why we collect and use your data and this Privacy Notice tells you about this.
  2. Right of access: You have the right to request a copy of the data we keep about you. Email your request to our data protection officer on dpo@milestonestrust.org.uk. You may need to provide adequate information for identification, for example, a passport or driver’s licence. This is to make sure that data is not shared with the wrong person inappropriately. We will always respond to your request as soon as possible and at the latest within one month.
  3. Right to rectification: You have the right to ask us to correct any data we have which you believe to be inaccurate or incomplete. You can also request that we restrict the processing of your data while we consider your rectification request.
  4. Right to erasure: You have the right to ask that we erase any of your personal data which is no longer necessary for the purpose we originally collected it for. This is not an absolute right and we may need to continue using your information. We will tell you if this is the case.
  5. You can also ask for your data to be erased if we have asked for your consent to process any of your data. You can withdraw consent where it has been provided at any time – please contact us to do so.
  6. Right to restrict processing: You may request that we restrict processing if we no longer require your personal data for the purpose we originally collected it for but you do not wish for it to be erased.
  7. Right to portability: You have the right to request your personal data in a way that is accessible and machine-readable, for example as a csv file. You also have the right to ask us to transfer your data to another organisation.
  8. Right to object: If we are processing your data as part of our legitimate interests as an organisation or in order to complete a task in the public interest, you have the right to object to that processing. This is not an absolute right and we may need to continue using your information. We will tell you if this is the case.
  9. Rights related to automated decision-making including profiling: Where any activities involve this, e.g., as part of the recruitment process, we ask for explicit consent and do not rely solely on this information.

 

Further information

If you have any concerns or questions please contact the DPO by emailing dpo@milestonestrust.org.uk or phoning 0117 970 9300.

If you wish to complain about how we have dealt with your request, please contact:

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

ico.org.uk/global/contact-us/

 

Changes to this Privacy Notice

We keep our privacy notice under regular review. This privacy notice was last updated in March 2022.

 

Applicants and Candidates Privacy Notice

Introduction

This is Milestones Trust’s Privacy Notice for applicants and candidates. It covers paid and unpaid roles.

Milestones Trust is a charitable trust limited by guarantee, registered in England under company number 2011021. Registered Charity No: 294377

Milestones Trust is the controller for the personal information we process, unless otherwise stated.

Registered address: Unit 10, Eclipse Office Park, High Street, Staple Hill, Bristol BS16 5EL

The Data Protection Officer for Milestones Trust can be contacted by emailing dpo@milestonestrust.org.uk or calling 0117 970 9300.

 

Definitions

We are required to process personal data about people applying for roles with Milestones Trust.

‘Processing’ can mean collecting, recording, organising, storing, sharing or destroying data.

‘Applicant’: The term ‘applicant’ applies to anyone applying for a post (paid or unpaid) with Milestones Trust and covers successful and unsuccessful applications.

‘Candidate’: The term ‘candidate’ refers to ‘active applicants’ that have been screened and verified as qualifying for the requirements of the job or role opening and therefore likely to proceed to interview.

‘Personal data’ is defined by Data Protection legislation as “any information relating to an identifiable person who can be directly or indirectly identified”. In simpler terms, it is any information about you that enables you to be identified. Personal data covers obvious information such as your name and contact details, but it also covers less obvious information such as identification numbers and CCTV images.

‘Special Category data’ is defined as personal data that is likely to be more sensitive and has extra protection under data protection law. It includes personal data about:

  • racial or ethnic origin
  • political opinions
  • religious or philosophical beliefs
  • trade union membership
  • genetic data
  • biometric data (where used for identification purposes)
  • health
  • sex life
  • sexual orientation

‘Verification’: The term ‘verification’ refers to the process of checking that details supplied by applicants (e.g. qualifications) are accurate and complete.

We are committed to being transparent about why we need your personal data and what we do with it and this Privacy Notice explains that and advises you of your rights in relation to the information we process. We will only ask you for the information we need from you at each stage of the recruitment process and will securely store it whilst in use then securely dispose of it in line with our retention schedule.

We have a separate Privacy Notice for Employees, Volunteers and Trustees which includes anyone employed by Milestones Trust including on a casual ‘Bank’ contract, volunteers (excluding corporate volunteers) and Trustees, and others. Successful candidates will be issued with the Employee, Volunteer and Trustee Privacy Notice during the onboarding process.

 

The lawful bases we rely on

We have a Legitimate Interest in processing information about you when you apply for a role (paid or unpaid) with Milestones Trust. We use this as the lawful basis for processing the personal data you provide us with; the processing is necessary for us to fulfil the requirements of screening and verifying the information you provide as part of the recruitment process and we could not do this without the data processing. We may also ask your Consent for the provision of some information and we also have a Legal Obligation to process some data relating to the recruitment process of applicants for paid and unpaid roles.

We process Special Category data and Criminal Conviction data as part of our obligations in managing health and social care services and as employers and have an Appropriate Policy Document in place. We are no longer legally required to process health data relating to Covid vaccinations for staff, volunteers, Trustees and visiting professionals.

 

What personal data do we process?

As above, in addition to the personal data you provide as part of your application and give us as part of any interview process we may also request special category and criminal offence and conviction data from you at certain stages of the application and recruitment process. We will only do this where asking for it is necessary and relevant to the role you’re applying for and in line with the Rehabilitation of Offenders Act 1974. We process this data as part of our obligations in managing health and social care services and our legal obligations as employers.

As part of the application and onboarding process (for successful candidates) we may record the following types of data:

  • Your basic details and contact information e.g. your name, address, contact number/s / email, date of birth, National Insurance number
  • Education and employment history
  • Financial information so payroll can set successful candidates up on our systems
  • Financial details so that we can pay authorised expenses to volunteers and Trustees
  • HMRC information (for due diligence purposes – Trustees)

The Special Category data we ask for may include:

  • Information about disabilities – to ensure reasonable adjustments are considered at interview and where possible to facilitate adaptations in the workplace/volunteering environment for successful candidates. We will only collect this if it is necessary for us to know and so we can support Occupational Health referral where appropriate for successful candidates
  • Evidence of your right to work in the UK
  • We may also, with your permission, record data about your race, ethnic origin, sexual orientation or religion – to monitor equality of opportunity
  • Criminal offences and convictions where necessary to assess suitability in relation to the role you’re applying for. Depending on the role being applied for you may be required to undergo a Disclosure and Barring Service (DBS) check (Criminal Record Check) as part of the recruitment process and for update checks. We do not keep this data once we’ve seen it but keep enough so we can evidence we’ve seen it.

 

Why and how we process your personal data

We require this data so that we can facilitate a fair and transparent process of screening applications for role suitability based on the job/role description and person specification, to comply with the law and to make sure we provide safe services to the people we support in line with our contracts and regulations. We process your data (including special category and criminal conviction data) because:

  • We have Legal Obligations under UK employment law and the Health and Social Care Act
  • We have Legal Obligations in relation to the Charities Act
  • We have a Legitimate Interest in processing personal data necessary for us to be able to carry out the checks we need to do before we can offer paid or unpaid roles
  • You have chosen to provide us with personal / special category information
  • We are required to provide data to our regulator, the Care Quality Commission (CQC), as part of our public interest obligations
  • It is necessary to support Occupational Health referrals
  • We have a legal requirement to do so

 

Recruitment newsletter sign up

As part of the registration process for our Recruitment e-newsletters, we collect personal information and, where you’ve opted in to receive it, use it to let you know about the current Milestones Trust job opportunities. If you no longer wish to receive this you can let us know by clicking ‘unsubscribe’.

 

Where we process your data

We process your data in the UK. We do this face to face as well as via phone, email, post, online application forms, website and via our systems including the HR ‘TrustNet’ system.

The personal data we process about you as an applicant/candidate is collected from:

  • You – as part of your application and/or newsletter sign up
  • Third parties e.g. reference information, government bodies (Home Office) regarding rights to work in the UK.

 

Who we share your personal data with

In order to process your application, and, where successful, to support the onboarding process, the information you provide will be shared with the following:

  • Our recruitment team who will liaise with you about the next steps in the process
  • Trustee application information is reviewed by the Executive Assistant and then the Recruitment Manager to process DBS applications and refresh applications
  • VZLA Ltd. who we use in relation to profiling exercises which are part of selection for some roles
  • The person responsible for interviewing you (special category information will not be provided at that point)
  • Our onboarding and payroll team if you are successful so we can get you set up on our systems
  • Her Majesty’s Revenue and Customs (HMRC)
  • Home Office in relation to rights to work in the UK. We retain this evidence for the duration of employment and for two years afterwards. It is then securely destroyed.
  • BHSF for Occupational Health clearances
  • DDC (Due diligence Checking) for our Disclosure and Barring Service (DBS) checks if you are offered a role and the role requires these checks to be carried out.

 

How we protect your personal data

When we receive your application, we save it in our TrustNet system if you are applying for a paid role. If you are applying for an unpaid role the information you provide will be kept securely within our secure server or securely in hard copy with appropriate access controls to keep it safe. We have technical and organisational measures in place to protect your personal data and keep it secure. These include setting controls and permissions to folders and systems like TrustNet, using password protection, using secure email and making sure all staff are trained to understand their obligations around data protection. Information is stored, retained and disposed of in line with our policies and Retention Schedule and we do not keep your information any longer than we need to.

 

How long we process your data for

Our Retention Schedule sets out the retention timescales for the different documents we process. For example, in relation to rights to work in the UK, we retain evidence for the duration of employment and for two years afterwards. It is then securely destroyed. In line with data protection regulations we will not ask for more information than we need and do not keep data any longer than we have to. All unsuccessful applications will be destroyed after a maximum of 6 months.

 

Your rights

You have the following rights when it comes to your data:

  1. Right to be informed: We are transparent about how and why we collect and use your data and this Privacy Notice tells you about this.
  2. Right of access: You have the right to request a copy of the data we keep about you. Email your request to our data protection officer on dpo@milestonestrust.org.uk. You may need to provide adequate information for identification, for example, a passport or driver’s licence. This is to make sure that data is not shared with the wrong person inappropriately. We will always respond to your request as soon as possible and at the latest within one month.
  3. Right to rectification: You have the right to ask us to correct any data we have which you believe to be inaccurate or incomplete. You can also request that we restrict the processing of your data while we consider your rectification request.
  4. Right to erasure: You have the right to ask that we erase any of your personal data which is no longer necessary for the purpose we originally collected it for. This is not an absolute right and we may need to continue using your information. We will tell you if this is the case.
  5. You can also ask for your data to be erased if we have asked for your consent to process any of your data. You can withdraw consent where it has been provided at any time – please contact us to do so.
  6. Right to restrict processing: You may request that we restrict processing if we no longer require your personal data for the purpose we originally collected it for but you do not wish for it to be erased.
  7. Right to portability: You have the right to request your personal data in a way that is accessible and machine-readable, for example as a csv file. You also have the right to ask us to transfer your data to another organisation.
  8. Right to object: If we are processing your data as part of our legitimate interests as an organisation or in order to complete a task in the public interest, you have the right to object to that processing. This is not an absolute right and we may need to continue using your information. We will tell you if this is the case.
  9. Rights related to automated decision-making including profiling: Where any activities involve this, e.g., as part of the recruitment process, we ask for explicit consent and do not rely solely on this information.

 

Further information

If you have any concerns or questions please contact the Data Protection Officer by emailing dpo@milestonestrust.org.uk or phoning 0117 970 9300. If you wish to complain about how we have dealt with your request, please contact:

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

ico.org.uk/global/contact-us/

 

Changes to this Privacy Notice

We keep our privacy notice under regular review. This privacy notice was last updated in March 2022.

 

Employees, Volunteers and Trustees Privacy Notice

Introduction

This is Milestones Trust’s Privacy Notice for Employees, Volunteers and Trustees.

Milestones Trust is a charitable trust limited by guarantee, registered in England under company number 2011021. Registered Charity No: 294377.

Milestones Trust is the controller for the personal information we process, unless otherwise stated.

Registered address: Unit 10, Eclipse Office Park, High Street, Staple Hill, Bristol BS16 5EL.

The Data Protection Officer for Milestones Trust can be contacted via email: dpo@milestonestrust.org.uk or by telephoning 0117 970 9300.

 

Definitions

Processing: As part of the services we offer, we are required to process personal data about our employees, volunteers and Trustees. “Processing” can mean collecting, recording, organising, storing, sharing or destroying data. Employees include anyone employed by Milestones Trust including on a casual ‘Bank’ contract. This Privacy Notice covers our processing of information for volunteers (excluding corporate volunteers) and Trustees as well as employees. We have separate Privacy Notices for candidates/applicants and others.

Employee: An employee is someone who works under an employment contract. This Privacy Notice also covers Bank and Casual staff.

Volunteer: A volunteer undertakes unpaid activities that benefit Milestones Trust.

Trustee: Milestones Trust Trustees are the people who share ultimate responsibility for governing the charity and directing how it is managed and run.

‘Personal data’ is defined by Data Protection legislation as “any information relating to an identifiable person who can be directly or indirectly identified”. In simpler terms, it is any information about you that enables you to be identified. Personal data covers obvious information such as your name and contact details, but it also covers less obvious information such as identification numbers and CCTV images.

Special Category data is defined as personal data that is likely to be more sensitive and has extra protection under data protection law. It includes personal data about:

  • racial or ethnic origin
  • political opinions
  • religious or philosophical beliefs
  • trade union membership
  • genetic data
  • biometric data (where used for identification purposes)
  • health
  • sex life
  • sexual orientation

We are committed to being transparent about why we need your personal data and what we do with it. This information is set out in this Privacy Notice. It also explains your rights in relation to your data.

 

The lawful bases we rely on

We have to have a lawful basis for processing your personal data and a separate lawful basis for processing ‘Special Category’ data.

For example, we have Legal Obligations under UK employment law and the Charities Act and we also have a ‘Legitimate Interest’ in processing some information e.g. where the processing is necessary in order for us to carry out our core business aims of providing safe services to the people we support and we couldn’t do that otherwise.

We process Special Category data as part of our obligations using the lawful basis of Employment, Social Security and Social Protection (with a basis in law) and using the lawful basis relating to the management of health and social care services where applicable. This includes our processing of Criminal Offence/Convictions data. We have an Appropriate Policy Document in place where we rely on the Employment lawful basis.

 

What personal data do we process

So that we can provide a safe and professional service to you and the people we support, we need to keep certain records about you. We may record the following types of personal data:

Employees

  • Your basic details and contact information e.g. your name, address, date of birth, National Insurance number and next of kin;
  • Your financial details e.g. details so that we can pay you, insurance, pension and tax details;
  • Your employment Terms and Conditions
  • Your training records, work experience, qualifications
  • Information about any disciplinary action
  • Information related to accidents connected with work

Volunteers

Volunteers are clearly distinct from employees in terms of responsibilities and rights; however, we still require certain personal information including:

  • Your basic details and contact information e.g. your name, address, date of birth
  • Emergency Contact details
  • Your financial details so that we can pay you expenses

Trustees

Being a Trustee is a voluntary role with particular duties and responsibilities as laid out in charity law. The Trustee information we’re required to process includes:

  • Name, address, date of birth
  • Financial details so that we can pay authorised expenses
  • Declarations e.g. interests, conflicts of interest, and eligibility as this is in the Substantial Public Interest
  • Qualification/disqualification data (for due diligence purposes)
  • HMRC and Companies House checks information (for due diligence purposes)

Depending on role and responsibilities the following types of Special Category data may also be processed for employees, volunteers and Trustees:

  • Health data, which might include both your physical and mental health information. We will only collect this if it is necessary for us to know for your job or role, e.g. fit notes or in order for you to claim statutory maternity/paternity pay or occupational health referrals
  • Trade Union membership e.g., some people request subscription to be automatically deducted (this is only done with your consent)
  • We may also, with your permission, record data about your race, ethnic origin, sexual orientation, religion or trade union membership

Depending on your job or role you may also be required to undergo a Disclosure and Barring Service (DBS) check (Criminal Record Check) as part of the recruitment process for paid and unpaid roles and for update checks. We do not keep this data once we’ve seen it but keep enough so we can evidence we’ve seen it.

 

Why and how we process your personal data

We require your personal data so that we can comply with the law, contact you, pay you and make sure you receive any training and support you need to perform your job or role, support your wellbeing and make sure we are providing safe governance and services to the people we support in line with our contracts and legal obligations and regulations.

We process your data because:

  • We have a legal obligation under UK employment law, Charity and common law and Health and Safety law
  • We have a Legitimate Interest. Processing your personal data is necessary for us to be able to carry out our core business functions
  • You have given us consent to do so in situations where this is relied on
  • We are required to provide data to our funders and regulator, the Care Quality Commission (CQC), as part of our public interest obligations
  • We need to undertake due diligence checks for potential Trustees.

We process ‘Special Category’ data about you because, for example:

  • It is necessary for us to process requests for sick pay or maternity pay etc.
  • It is necessary to support Occupational Health referrals
  • We have a legal obligation in relation to trade unions
  • It is necessary to evidence compliance
  • We have a legal obligation in relation to right to work in the UK
  • It is in the Substantial Public Interest to check Trustees’ continuing eligibility to act

If we request your criminal records data, e.g., an update of your DBS, it is because we have a legal obligation to do this due to the type of work you do or the role you have with us. This is set out in the Data Protection Act 2018 and the Rehabilitation of Offenders Act 1974 (Exceptions) Order 1975. We do not keep a record of your criminal records information (if any).

We process your data in the UK. We do this face to face as well as via phone, email, staff intranet, post, application forms and systems including the HRIS ‘TrustNet’ (Ceridian Dayforce) system, training portals, AssessNet, File Maker and CM2000.

The personal data we process is collected from:

  • You or your legal representative(s) e.g. as part of your application or an Occupational Health referral
  • Third parties e.g. references

 

Who we share your personal data with

Third parties are organisations we have a legal reason to share your data with. These include:

  • Her Majesty’s Revenue and Customs (HMRC);
  • Our pension scheme (TPT Retirement Solutions) regarding pension auto-enrolment, prior to the employee deciding whether they wish to opt-out.
  • Our Healthcare scheme / Health Cash Plan / Occupational Health Provider and Employee Assistance Programme (BHSF)
  • Sodexo and Vivup – providers of our discount platform (consent)
  • NHS Pension Scheme (not available for new employees)
  • Organisations we have a legal obligation or legitimate interest in sharing information with e.g. for safeguarding, the CQC, the Department of Health and Social Care, Charity Commission, Companies House
  • Trustee information is reviewed by the Executive Assistant to process refresher DBS applications
  • The police or other law enforcement agencies if we have to by law or court order.
  • DDC (Due diligence Checking) for our Disclosure and Barring Service (DBS) checks
  • The Home Office for right to work in the UK
  • There are occasions where we would share information with our lawyers regarding individual cases where it may be necessary to share personal or special category data, in the Trust’s legitimate interest.

 

How we protect your personal data

We have technical and organisational measures in place to protect your personal data. These include setting controls and permissions to IT folders and systems like TrustNet, using password protection, using secure email and making sure all staff, volunteers and Trustees are trained to understand their obligations around data protection. Information is stored, retained and disposed of in line with our policies and Retention Schedule and we do not keep your information any longer than we need to.

 

How long we process data for

Our Retention Schedule, which can be found on the staff document library on the intranet and by request, sets out the retention timescales for the different documents we process. In line with data protection regulations and employment law requirements we will not ask for more information than we need and do not keep data any longer than we have to.

 

Your rights

You have the following rights when it comes to your data:

  1. Right to be informed: We are transparent about how and why we collect and use your data and this Privacy Notice tells you about this
  2. Right of access: You have the right to request a copy of the data we keep about you. Email your request to our data protection officer on dpo@milestonestrust.org.uk. You may need to provide adequate information for identification, for example, a passport or driver’s licence. This is to make sure that data is not shared with the wrong person inappropriately. We will always respond to your request as soon as possible and at the latest within one month.
  3. Right to rectification: You have the right to ask us to correct any data we have which you believe to be inaccurate or incomplete. You can also request that we restrict the processing of your data while we consider your rectification request
  4. Right to erasure: You have the right to ask that we erase any of your personal data which is no longer necessary for the purpose we originally collected it for. This is not an absolute right and we may need to continue using your information. We will tell you if this is the case
  5. You can also ask for your data to be erased if we have asked for your consent to process any of your data. You can withdraw consent where it has been provided at any time – please contact us to do so
  6. Right to restrict processing: You may request that we restrict processing if we no longer require your personal data for the purpose we originally collected it for but you do not wish for it to be erased.
  7. Right to portability: You have the right to request your personal data in a way that is accessible and machine-readable, for example as a csv file. You also have the right to ask us to transfer your data to another organisation
  8. Right to object: If we are processing your data as part of our legitimate interests as an organisation or in order to complete a task in the public interest, you have the right to object to that processing. This is not an absolute right and we may need to continue using your information. We will tell you if this is the case.
  9. Rights related to automated decision-making including profiling: Where any activities involve this, e.g., as part of the recruitment process, we ask for explicit consent and do not rely solely on this information.

 

Further information

If you have any concerns or questions please contact the Data Protection Officer by emailing dpo@milestonestrust.org.uk or phoning 0117 970 9300. If you wish to complain about how we have dealt with your request, please contact:

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

ico.org.uk/global/contact-us/

 

Changes to this Privacy Notice

We keep our privacy notice under regular review. This privacy notice was last updated in March 2022.