1. Background
ADHD Embrace understands that your privacy is important to you and that you care about how your personal data is used and shared online. We respect and value the privacy of everyone accessing our services. Any personal data we collect will only be used as permitted by law.
Please read this Privacy Policy carefully and ensure that you understand it. Your acceptance of Our Privacy Policy is deemed to occur upon your first accessing our services. If you do not accept and agree with this Privacy Policy, you may not be able to access ADHD Embrace services.
The Board of Trustees is responsible for ensuring compliance. Any questions or concerns about this policy should be referred in the first instance to [email protected].
2. Definitions and Interpretation
In this Policy, the following terms shall have the following meanings:
- “personal data” means any and all data that relates to an identifiable person who can be directly or indirectly identified from that data. In this case, it means personal data that you give to ADHD Embrace. This definition shall, where applicable, incorporate the definitions provided in the EU Regulation 2016/679 – the General Data Protection Regulation (“GDPR”);
- and “we/us/our” means ADHD Embrace (Charity No: 1188759). Being registered with the Charities Commission the Trust is governed in accordance with charitable law and applies the Charity Code of Governance in order to develop the highest standards of governance.
3. What Does This Policy Cover?
This Privacy Policy applies to your use of ADHD Embrace services and website. Our website may contain links to other websites. Please note that we have no control over how your data is collected, stored, or used by other websites and we advise you to check the privacy policies of any such websites before providing any data to them.
4. Your Rights
As a data subject, you have the following rights under the GDPR, which this Policy and ADHD Embrace’s use of personal data have been designed to uphold:
- The right to be informed about ADHD Embrace’s collection and use of personal data;
- The right of access to the personal data we hold about you;
- The right to rectification if any personal data we hold about you is inaccurate or incomplete;
- The right to be forgotten – i.e. the right to ask ADHD Embrace to delete any personal data we hold about you;
- The right to restrict (i.e. prevent) the processing of your personal data;
- The right to data portability (obtaining a copy of your personal data to re-use with another service provider or organisation);
- The right to object to ADHD Embrace using your personal data for particular purposes; and
- Rights with respect to automated decision making and profiling.
If you have any cause for complaint about ADHD Embrace’s use of your personal data, please contact us on [email protected].
For further information about your rights, please contact the Information Commissioner’s Office at Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF (https://ico.org.uk). The ICO may be contacted on 0303 123 1113 or online for support and to report any breach.
ADHD Embrace has an obligation to report any personal data breach to the ICO within 72 hours of discovering it.
5. How do we collect information about you?
5.1 ADHD Embrace may collect information from you directly when you interact with us, i.e. when you access our services. We may also receive information about you from partner organisations who refer you into our services.
5.2 We may also receive information when you interact with third parties, for example when you make a donation through a third-party website (e.g. Just Giving) and give your permission for your information to be shared with us. Similarly, if you engage with us on social media and messaging services like Facebook, WhatsApp or Twitter, you might give us permission to access information from those accounts. The data we are given access to by social media services will vary but will always be in line with the Terms of that particular service.
5.3 Depending on how you interact with us, the information that we collect may include your name, postal address, email address, telephone or mobile number, your contact preferences, taxpayer status (to understand if we can claim Gift Aid), the date or year of your birth, and gender.
5.4 When you visit our website we may gather information, such as which pages you visit or how long you spend reading a particular page. This data helps us to improve your online experience, for example by adding new features, or removing elements that make the website difficult to use.
5.5 We may also use on-line services to provide you with support. For example, we may use Zoom / Microsoft Teams. You may be required to provide your name and contact details for the purposes of setting up a user profile and using this service. As a user, the on-line service will keep information about you such as your account settings, contact details, user preferences, technical information, metadata and approximate location. Any on-line meeting or messaging service may keep the contents of any on-line chat or messages, or voice mail messages. However, we will not enable the recording or transcription of the content of any meeting with you without your specific agreement. Where we are not able to meet with you in person, we will take appropriate steps to ensure that any on-line meeting or other communication with you is secure and confidential. We will rely upon you to comply with the guidance we provide for this reason.
6. How Do We Use Your Data?
When you register with us, the information we collect about you helps us to ensure you receive the appropriate services and support from us.
We process personal data in accordance with the Data Protection Act 2018 and any other applicable legislation (referred to as the ‘data protection legislation’). We adhere to the principles of data protection, as set out in the Data Protection Act 2018, and observe the conditions relating to the fair and lawful processing of personal data.
We will treat your information sensitively and confidentially and will not share your information with anyone, unless specifically agreed with you. We will not disclose your personal details to a third party without your permission unless we are concerned that either you or someone else is at risk.
We may gather and use information about you in one of the following ways:
6.1 If you choose to register for our services, we will ask for information which may include but is not exclusive to your name, date of birth, address, gender, email address and contact details (personal information). We will also ask for details of your children. We will use this information to:
- Offer appropriate services to you.
- Provide information as required by funders, although this data will be anonymised.
- Feedback to referring organisations or organisations who are also involved in your care (with your express consent).
6.2 If you choose to give us personal information via the internet (for example, when you register with us), it will be used for the provision of services or anonymised feedback to funders. We will not use this information for marketing purposes.
6.3 Where you have consented to us sending you information by joining ADHD Embrace as a member, we may also use your data for marketing purposes. This may be information that we think may be of interest to you or information about other organisations’ goods and services that we think may be of interest to you. We do not pass your email address to other organisations for marketing purposes.
6.4 To process your donations or other payments and verify financial transactions.
6.5 If you apply for a job or role as a volunteer, we will use your information for the purposes of recruitment and selection, corresponding with you and equal opportunities monitoring and may hold your information for up to six years in case other suitable opportunities arise.
6.6 We may disclose personal data in order to comply with a legal or regulatory obligation.
6.7 We do not store credit card details, nor do we share client details with any third parties without explicit consent.
6.8 We will not sell or lease your personal information to third parties.
Data protection law recognises that certain types of personal information are more sensitive. This is known as ‘sensitive’ or ‘special category’ personal information and covers information revealing racial or ethnic origin, religious or philosophical beliefs and political opinions, trade union membership, genetic or biometric data, information concerning health or data concerning a person’s sex life or sexual orientation.
Sensitive information will only be collected where necessary. For example, we may need to collect health information from you if you register for a challenge event, or information about your children’s other health conditions. Clear notices will be provided at the time we collect this information, stating what information is needed, and why.
You have the right to withdraw your consent to ADHD Embrace using your personal data at any time, and to request that we delete it. Doing so will restrict your ability to use ADHD Embrace services.
7. How and Where Does ADHD Embrace Store Your Data?
We make sure that appropriate physical, technical and human controls are in place to ensure we take good care of your information. However, the transmission of information over the internet is never completely secure and as a result, while we strive to protect your personal information, we cannot guarantee the security of any information you transmit to us, and you do so at your own risk.
Once we receive your data, we make every effort to try to ensure its security, both on our systems and while in transit between our systems and our partners who work on our behalf. We only keep your personal data for as long as we need to in order to use it as described above in section 6, and/or for as long as we have your permission to keep it.
Steps we take to secure and protect your data include:
7.1 Ensure computer systems containing personal data are password protected and laptops/mobile devices have appropriate encryption.
7.2 Ensure that staff know that passwords must be treated as private to the individual and must not be disclosed to others.
7.3 Ensure that only those who need to use the data have access.
7.4 Instruct staff to not leave their workstation/PC signed on when they are not using it.
7.5 Instruct staff to exercise caution in what is sent via email and to whom it is sent.
7.6 Provide the means to securely dispose of information (electronic and on paper).
7.7 Ensure that paper files are stored in secure locations and only accessed by those who need to use them.
7.8 Instruct staff not to disclose personal data to anyone other than the data subject unless they have the data subject’s consent, or it is a registered disclosure, required by law, or permitted by a General Data Protection Regulation (EU) 2016/679 exemption.
7.9 Instruct staff not to leave confidential information on public display in any form.
7.10 Provide all staff with a copy of this policy, our Website T&Cs, our IT Acceptable Use Policy and our Code of Conduct Policy, provide training on data protection, and ensure that all staff are aware of their obligations under the GDPR.
8. What legal basis do we use for processing your personal information?
8.1 Consent: Under the Data Protection Regulation there are a few lawful reasons that we can use as a basis to process your personal information. One of these lawful reasons is ‘consent.’
This means any personal information you share with ADHD Embrace is securely recorded by us, once you have given us your clear consent to do so. We will only use your personal data to provide the most appropriate services and support to you.
We will only hold personal data about children that is strictly relevant to our work with them and/or their family. When a person becomes an adult at 18 years of age, they have the right to withdraw their consent to us processing their information (see section 4).
8.2 Legitimate Interests:
One of the other lawful reasons that we use as a basis to process your personal data is ‘legitimate interests.’ This means when you provide your personal information to us, we may use it for legitimate business interests that further support our charity’s objectives.
Our legitimate business interests do not automatically take priority over your interests (unless we have your consent or are otherwise required or permitted to by law). Therefore, before we use your personal data under legitimate interests, we will carefully consider and balance any potential impact on your individual interests, rights and freedoms. This means that we will process your personal details in ways that you would reasonably expect from us, which will have minimal impact on your privacy, be non-intrusive and will not cause you harm.
Some examples of where we might use your personal data under legitimate interests: providing updates on our services; informing you of community events; emailing our newsletter; or communicating information on our fundraising events. Any business interest communication with you will be relevant and tailored to your interests.
9. How long do we keep your information?
We hold all records for our service users on our secure database. Personal data will be hidden from general view and will only be accessible to a limited number of staff.
We only keep your personal information for as long as we need it. We decide how long to keep your information based on what we need and what the law says.
10. Disclosure for law enforcement purposes
ADHD Embrace reserves the right to access and disclose personal information to comply with applicable laws and lawful government requests, to operate its systems properly, or to protect itself or others. We may attempt to obtain the prior consent of the individual before disclosing the personal information, but we have no obligation to do so.
11. Children and young people
ADHD Embrace provides services to Children and Young People under these conditions:
- If you’re aged 18 or under, you must get your parent/guardian’s permission before you provide any personal information to us. Consent will be sought from parents/guardians, as well as the young person, before accessing services.
- Any personal information we actively collect from anyone under the age of 18 we will do so in compliance with the General Data Protection Regulation (EU) 2016/679.
12. Vulnerable Circumstances
We understand that additional care may be needed when we collect and process the personal information of vulnerable members, supporters and volunteers. In recognition of this, we observe good practice guidelines in our interactions with vulnerable people.
All staff and volunteers are required to attend Safeguarding Children and the Protection of Vulnerable Adults Training.
13. How Can You Access Your Data?
13.1 You have the right to ask for a copy of any of your personal data held by ADHD Embrace (where such data is held). Under the GDPR, no fee is payable, and we will provide any and all information in response to your request free of charge. We will respond to a data request without delay and within one month of receipt of the request.
Please contact us at [email protected].
13.2 You have the right to see a copy of the data that ADHD Embrace holds about you in a form that is acceptable to you. We will provide a copy of the data in one of the following electronic formats: PDF, DOCX, XLSX, XLSM.
13.3 When making an SAR (Subject Access Request), you are required to provide two forms of identification. Acceptable forms of identification include: Passport, Driving Licence, Birth Certificate, Bank Statement and Utility Bill (from the last 3 months).
14. Contacting Us
If you have any questions about ADHD Embrace or this Privacy Policy, please contact us at [email protected].
15. Updates to this Privacy Policy
We may change this Privacy Policy from time to time (for example, if the law changes). Any changes will be immediately posted on our website, and you will be deemed to have accepted the terms of the Privacy Policy on your first use of our services / website following the alterations.
Policy reviewed: November 2024
Next review date: November 2025