Who we are

Our website address is: https://gohealth.org.uk.

What personal data we collect and why we collect it

Comments

When visitors leave comments on the site we collect the data shown in the comments form, and also the visitor’s IP address and browser user agent string to help spam detection.

An anonymized string created from your email address (also called a hash) may be provided to the Gravatar service to see if you are using it. The Gravatar service privacy policy is available here: https://automattic.com/privacy/. After approval of your comment, your profile picture is visible to the public in the context of your comment.

Media

If you upload images to the website, you should avoid uploading images with embedded location data (EXIF GPS) included. Visitors to the website can download and extract any location data from images on the website.

Contact forms

Cookies

If you leave a comment on our site you may opt-in to saving your name, email address and website in cookies. These are for your convenience so that you do not have to fill in your details again when you leave another comment. These cookies will last for one year.

If you visit our login page, we will set a temporary cookie to determine if your browser accepts cookies. This cookie contains no personal data and is discarded when you close your browser.

When you log in, we will also set up several cookies to save your login information and your screen display choices. Login cookies last for two days, and screen options cookies last for a year. If you select “Remember Me”, your login will persist for two weeks. If you log out of your account, the login cookies will be removed.

If you edit or publish an article, an additional cookie will be saved in your browser. This cookie includes no personal data and simply indicates the post ID of the article you just edited. It expires after 1 day.

Embedded content from other websites

Articles on this site may include embedded content (e.g. videos, images, articles, etc.). Embedded content from other websites behaves in the exact same way as if the visitor has visited the other website.

These websites may collect data about you, use cookies, embed additional third-party tracking, and monitor your interaction with that embedded content, including tracking your interaction with the embedded content if you have an account and are logged in to that website.

Analytics

Who we share your data with

How long we retain your data

If you leave a comment, the comment and its metadata are retained indefinitely. This is so we can recognize and approve any follow-up comments automatically instead of holding them in a moderation queue.

For users that register on our website (if any), we also store the personal information they provide in their user profile. All users can see, edit, or delete their personal information at any time (except they cannot change their username). Website administrators can also see and edit that information.

What rights you have over your data

If you have an account on this site, or have left comments, you can request to receive an exported file of the personal data we hold about you, including any data you have provided to us. You can also request that we erase any personal data we hold about you. This does not include any data we are obliged to keep for administrative, legal, or security purposes.

Where we send your data

Visitor comments may be checked through an automated spam detection service.

Your contact information

The Guild of Health and St Raphael 

General Data Protection Regulation (GDPR) Policy 

As a registered charity, the Board of the Guild of Health and St Raphael (GoHSR) is the Data Controller for the charity. It is the Trustees’ responsibility to ensure that all Trustees, members, staff and volunteers understand the importance of data protection and of keeping the data it collects and stores safe. It is also everyone’s responsibility to comply with the Policy’s requirements.  

The Trustees have designated the Executive Administrator as the Data Protection Officer, who should be contacted for any information or advice: support@gohealth.org.uk 

Why does data protection matter? 

The legislative requirements have been set by the Data Protection Act 1998, updated by the General Data Protection Regulation ((EU) 2016/679) (GDPR).  The law is designed to give individuals more control over their personal information. Any organisation which collects and stores “personal data” about individuals can only do so for specific reasons and for specific times. Individuals have the right to know about the data an organisation keeps about them and to ask for it to be amended or deleted.  

What is “personal data”? 

“Personal data” is any information about a living individual which allows them to be identified from that data (for example a name, photographs, videos, email address, or address). Identification can be by the information alone or in conjunction with any other information. The processing of personal data is governed by the Data Protection Act 2018 and the Human Rights Act 1988.  

What are the principles governing the use of personal data? 

The law says that “personal data” must be:

a) processed lawfully, fairly and in a transparent manner in relation to individuals; 

b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be incompatible with the initial purposes; 

c) adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed; 

d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased, or rectified without delay; 

e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals; 

f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures. 

Why does the Guild collect personal data? 

There are a number of reasons why GoHSR might obtain your personal data.  

  • To enable us to meet all our legal and statutory obligations;  
  • To carry out comprehensive safeguarding procedures (including due diligence and complaints handling) in accordance with best safeguarding practice from time to time, with the aim of ensuring that all children and adults-at-risk are provided with safe environments; 
  • To deliver the Guild’s mission to its membership communities, and to carry out any other voluntary or charitable activities for the benefit of the public as provided for in the constitution and statutory framework of each data controller;  
  • To administer the Guild’s membership records;  
  • To fundraise and promote the interests of the charity;  
  • To maintain our own accounts and records;  
  • To process a donation that you may have made (including Gift Aid information);  
  • To notify you of changes to our services, events and role holders; 
  • To send you communications which you have requested and that may be of interest to you. These may include information about campaigns, appeals, other fundraising activities;  
  • To process a grant or application for a role; 
  • To enable us to provide a voluntary service for the benefit of the public in a particular geographical area as specified in our constitution.

The Guild maintains a mailing list which is only used to deliver its membership benefits, promote its work and share relevant information. 

How does the Guild collect personal data? 

The means by which the Guild collects data are set out below, together with the legal basis for processing in each case. 

  • The Guild’s website 

People can make enquiries, register for events and join membership communities via the Guild’s website. They can also contact members of staff by email. When people contact the Guild, personal information will be collected to allow the enquiry to be dealt with. This may include: 

  • name 
  • email address/correspondence address 
  • details of the matter raised 
  • dietary requirements for an event 

All information received is dealt with on a confidential basis.  

  • Newsletter, events, and journal subscription 

When people join the Healthy Healing Hub network, we collect data about the church and contact details. The church can then share information about their services. It is up to the church to maintain these details. Members of the GoHealth Community may link with their local Healthy Healing Hub on the website. This allows the administrator of the Healthy Healing Hub church website to contact the GoHealth Community member who has linked to their hub. 

When you subscribe to the Guild’s email service, ask to be notified of events or subscribe to Chrism, the following information may be collected: 

  • your name 
  • email address 
  • subscription preferences 
  • type of contact 
  • telephone number 
  • dietary requirements 

  • Recruitment of staff and volunteers 

The Guild uses its own internal processes to recruit most staff. In exceptional circumstances, e.g., where the Guild intends to recruit a Chair or CEO, it may use an external recruitment agency. As part of these processes, it may be necessary for the Guild to obtain your personal data. This may include: 

  • your name 
  • email address/correspondence address 
  • date of birth 
  • details of current/previous employment and job role 
  • details of current pay 
  • details of referees 
  • details of qualifications and educational establishments attended 

Special categories of personal data such as racial/ethnic origin and disability information may also be collected. 

How does the Guild use your personal data? 

The lawful basis for collecting and using your personal data depends on the specific context in which it is collected.  

  • Where you have contacted the Guild, including signing up to an event or a mailing list, the lawful basis relied on is that processing is necessary for the performance of a task carried out in the public interest or in the exercise of the Guild’s legitimate business.  
  • Where you have applied for a job vacancy the Guild is relying on the lawful basis of consent and legitimate interest, namely the recruitment of employees and fair procurement of services. 
  • In order to carry out the Guild’s functions, it is necessary for the Guild to maintain lists of relevant stakeholders and/or contacts with whom communication may be required. The Guild will make clear to these contacts that they can request to be removed from these lists.

The Guild will use the personal data you have provided to handle the issue raised by your correspondence or inquiry, including an application for a role. The information you provide will not be made available to anyone else. However, the Guild may contact you to clarify and respond to your correspondence. The Guild will notify you about what information is being collected and the intended uses. The Guild will also make clear what information is required and what is optional. 

Who manages your data? 

Most data are handled internally by staff members of the Guild. The Guild will not disclose your personal data to a third party without your consent. 

The Guild uses a third-party provider, Mailchimp, and a bespoke membership database for its website. Mailchimp’s data protection statement is available here: https://mailchimp.com/en-gb/help/mailchimp-european-data-transfers/#More_information_about_data_transfers. The Guild also uses Creative Stream to manage its website. Creative Stream’s data protection statement is here:

Will the Guild disclose your personal data? And, if so, to whom? 

It may be necessary for the Guild to disclose your personal data to third parties when permitted to do so. The Guild will only disclose your personal data to a third party for the following reasons: 

• with your consent 

• for specific reasons set out in this notice 

• if the Guild has a lawful basis for doing so 

• if the Guild is under a duty to disclose or share your personal data in order to comply with any legal obligation 

Where you have consented to the use of your personal data, this consent can be withdrawn at any time. Any withdrawal of consent will not affect the lawfulness of processing based on consent before its withdrawal. 

How will your data be stored? 

The Guild has in place a records management policy [NB still to be drafted] which ensures retention periods are appropriate to the types of data collected. At the end of the relevant retention period your personal data will be disposed of securely. 

What are your rights as an individual? 

All people in contact with or employed by the Guild have rights which they can exercise in relation to the information the Guild holds about them. You can exercise these rights either verbally, by email or by post to the Registered address.  

You have the following rights: 

  • right to access your personal data (also known as a subject access request) 
  • right to rectification or erasure of your personal data 
  • right to the restriction of processing concerning your personal data 
  • right to object to the processing of your personal data 
  • right to data portability 

More information on your individual rights can be found on the Information Commissioner’s Office’s (ICO) website. 

If you have subscribed to an email alert or subscription service, the Guild will keep your personal data for as long as you are subscribed to that service. If you make a request to be removed from this service, then your personal data will be deleted. 

What happens if there is a data breach? 

The ICO describes a personal data breach as a security incident that has affected the confidentiality, integrity or availability of personal data. In short, a personal data breach occurs whenever any personal data is lost, destroyed, corrupted or disclosed. If you think you’ve had a personal data breach, you can contact the Guild or the ICO.  

If the Guild suspects there has been a data breach, e.g., we become aware that an email has been sent to the wrong person, a laptop has been stolen or files have been lost, the Guild will deal with the breach quickly and effectively to minimise any security issues. We will follow the guidance provided by the Information Commissioner’s Office (“72 hours – how to respond to a personal data breach”, ICO): to report an incident within 72 hours of our awareness of its occurrence, investigate what happened, contain the breach as far as possible, assess the level of risk and prepare a report for submission to the ICO.

What are the responsibilities of staff and volunteers in relation to data protection? 

• Consent 

All staff must ensure that, when gathering data from a data subject, they have appropriate written consent to process that data. The consent form and its purpose should be clearly explained to the data subject, including their right to withdraw consent. Consent forms should be filed correctly and be readily accessible when needed. This includes consent for images and videos.

• Passwords 

Passwords should be regularly changed, i.e., every 6 months. All staff must exercise due diligence when storing passwords. All staff must ensure that their GoHSR account is password protected at all times. Antivirus software should be installed, running and updated.

• Support 

If staff or volunteers lose paper records containing data, they must inform the Executive Administrator immediately so appropriate action can be taken to retrieve the records and, if necessary, report a data breach under UK GDPR.

All staff and volunteers must read and understand the full Data Protection Policy and complete Data Protection training. 

• Breaches of the policy by staff and volunteers 

Any breach of the policy or any breach of the data protection legislation is a serious matter which could bring the Guild into disrepute. Depending on the circumstances, a breach may be regarded as misconduct and will be dealt with under the Guild’s disciplinary procedure. A significant or deliberate breach of this policy constitutes a gross misconduct offence and could lead to your summary dismissal.