Privacy Policy

CISFA UK Privacy and Data Protection Policy

document outlines CISFA UK’s Privacy and Data Protection Policy in relation to four main stakeholder groups supporting or benefitting from CISFA UK activities:

Beneficiaries of the services that CISFA UK provide, which also includes anyone using our support groups, benefitting from support services such as care boxes, or contacting us directly for support.
Volunteers working with CISFA UK to provide services to beneficiaries, including but not limited to support volunteers, volunteers offering business or administration services and anyone volunteering to fundraise for us.
Donors to also include anyone who donates money to CISFA UK in any format
Directors and/or Trustees of CISFA UK

For the purpose of ease and transparency throughout this document, the above four groups of people data Protection Act 2018 and other applicable UK and EU laws that regulate the collection, processing and privacy of personal information relating to our stakeholders. This privacy policy applies to all prospective, current, and former stakeholders within the four main groups mentioned above.

For the purposes of Data Protection Law, CISFA UK acts as a “data controller” of the personal information we hold about our stakeholders. This means that we are responsible for deciding how to hold and use personal information about each of these groups of people. CISFA are required under Data Protection Law to notify each stakeholder of the information contained in this Privacy Policy.

It is important that all CISFA stakeholders read this Privacy Policy, together with any other privacy policy or notice CISFA may provide on specific occasions when we are collecting or processing personal information, that that they are aware of how and why CISFA are using such information.

Data protection principles

CISFA comply with Data Protection Law. This says that the personal information CISFA hold about our stakeholders must be:

Used lawfully, fairly and in a transparent way.
Collected for specified, explicit and legitimate purposes and not processed in a manner that is incompatible with those purposes.
Adequate, relevant, and limited to the purposes CISFA have told stakeholders about.
Accurate and kept up to date.
Kept only for as long as necessary for the purposes CISFA have told stakeholders about.
Processed in a manner that ensures appropriate security of the personal information.

The type of information CISFA holds

Personal information (which may also be called personal data), means any information about an individual from which that individual can be identified, whether directly or indirectly. It does not include data where personally identifying elements have been removed (anonymous data).

For simplicity, we have broken down this section by stakeholder group below and covered all data that is collected in relation to each group. There is a separate set of information for the CISFA Counselling programme at the bottom of this section. Where data collected falls under the definition of Special Category Data (data that is likely to be more sensitive such as medical condition information) or Criminal Offence Data we provide detailed information regarding our processing and storage of this data within the CISFA Appropriate Policy Document (APD) which can be found on our website.

Beneficiaries

CISFA will collect, store, and use the following categories of personal information about beneficiaries:

Category
Data collected
What CISFA use it for
How is this information stored and how long for

Community support group beneficiaries

Personal contact details such as name, title, addresses, telephone numbers, and personal email addresses

To contact beneficiaries about timings and dates for our community support groups.

Addresses are also used for transport services should the beneficiary need this – if transport is requested by the beneficiary, the name and address of the beneficiary will be passed onto the transport service.

This information is collected via a community support group registration form which is completed by the beneficiary wishing to join the group. The information in this form is then scanned and saved in a secure online data centre. Only Laura Beet and Joanne Kelly have access to this information.

The paper registration forms are then stored within a folder that is brought to each support group meeting in case of emergencies and in case of no access to the secure online data centre. This folder is accessed only by Laura Beet and Joanne Kelly and is stored securely at all times.

Whilst the beneficiary is attending the group, the information will continue to be stored. The information will be destroyed 1 year after the last meeting attended by the beneficiary.

For the purpose of advertising group sessions and informing beneficiaries of changes to dates/times of sessions, phone numbers will be stored in a private Whatsapp group.

Date of birth

To ask for consent if the beneficiary is under 18 (in circumstances where CISFA are able to include under 18s in our support groups).

Emergency contact information

To contact someone on behalf of the beneficiary in case of an emergency

Information about your health, including any medical condition and medication

To comply with our health & safety obligations and enable any reasonable adjustments to be made.

To enable CISFA to provide medical information to authorities should you request help through us or in case of emergencies during a support group.

Please see the CISFA APD document for more information.

Attendance record

To comply with health & safety requirements of the halls/rooms that we rent for sessions, specifically in relation to fire safety.

We also anonymise this data and use it for funding request purposes to prove the usefulness of these sessions.

This information is collected in an attendance Fire Safety form for each session. At the end of each session, Laura Beet or Joanne Kelly will anonymise the data for demographics and destroy this form.

Participant agreement

This outlines a set of guidance for each session to ensure the safety of all members. Participants sign this agreement to show understanding and willingness to participate in the sessions under the guidance.

This information is collected via a participant agreement form which is completed by the beneficiary wishing to join the group. The information in this form is then scanned and saved in a secure online data centre. Only Laura Beet and Joanne Kelly have access to this information.

This information is deleted 1 year after the last session attended by the beneficiary.

These forms are updated once a year to reflect current peer led guidance. Previously signed forms are deleted when a new version is uploaded.

Online support group beneficiaries

Request to join group questions including where did you hear about us, do you have a chronic illness, do you live in the UK and do you agree to the group rules

To understand more about our marketing efforts, ensure that only chronically ill people, or those that care for chronically ill people are joining the groups and reduce the risk of spammers for the safety of beneficiaries. To identify those that live within the UK as this is the demographic of individuals we can support and to ensure the group rules are met for the safety and comfort of others within the group

This information is captured during the facebook request to join a group process and is held within the facebook application only as per facebook privacy policies. This information can only be seen by administrators of the group until the point a person is accepted or rejected into a group.

Interactions or any information posted by the beneficiary

User self-selects to post this information, it is entirely voluntary. Information is then used to help provide support to the beneficiary.

This information is held within the Facebook group. The information can be seen by anyone within the group as it is posted publicly. If posted privately, only the administrators of the group will see this. This information will not be deleted, unless done so by the beneficiary, where it provides support to other beneficiaries. If it does not provide support or engage with chronically ill people on the forum, this information is deleted within a week of being posted.

Messages sent by beneficiaries through Facebook messenger directly to a CISFA support admin

To provide specific support to beneficiaries who are directly asking us for help. The information is sent directly to a specific CISFA support admin. Where there is a risk of self-harm, or harm to others, or a disclosure of a sensitive nature, this information will be passed to a senior support admin or the head of support. In emergency cases where someone’s life is deemed to be at risk, this information may be passed to external agencies or emergency services.

This information is stored within facebook messenger. This information will be deleted 12 months after the last message sent by each support admin.

List of beneficiary names who are deemed vulnerable or high risk

We use this information to identify anyone who is particularly vulnerable to ensure that they are getting focussed support through CISFA, for example anyone with a life limiting illness, anyone with severe depression, or someone perhaps in hospital.

List of beneficiary names who have an Autism Spectrum Disorder

We use this information to ensure that we adapt CISFA support conversations with these individuals so they receive the best levels of support possible. This information is only captured once it is volunteered by a beneficiary, we do not ask for this information directly and it does not restrict support given.

Handover information between admins at the end/start of each shift

This information is shared between admins to ensure continuity of care and enable CISFA to provide the best levels of support possible.

This information includes what has been posted on the facebook group and anyone to add to the vulnerable lists.

It also includes a list of people that require specific support over the next 24 hours but are not suitable for the vulnerable list.

This information is shared via the CISFA UK preferred internal communication channels. This is in a private channel that only the support team can see. This information is deleted 48 hours after being communicated.

Helpline phone calls

Phone number

We collect this information only if the person calling required a call-back.

This information is collected the helpline team and included in a diary reminder within CISFA’s preferred calendar system, where a call back is requested.

Support requirement and name of person calling

We collect this information to provide ongoing support to the individual.

We also use this information anonymised for training and monitoring purposes to ensure we provide the best support to our beneficiaries

Any notes taken during the calls are uploaded into our call log which is stored in our secure online data centre. These notes are then destroyed. The call log is only visible to those working on the helpline.

Where a caller is known to be on the closed support group facebook pages, the name of the caller and support requirements are included in the handover as per the above.

Emails from beneficiaries

Email address and content of the email

We use this information to try and provide the most appropriate support to the individual or to answer any enquiries

This is stored in our secure email folders. Where the email related to support, this information is stored for 12 months before being deleted. Where the email is a general enquiry, this is deleted once the enquiry is resolved unless the emails relate to a specific CISFA service provision that is ongoing in which case the emails are deleted after 12 months.

1-2-1 beneficiary visits

Phone number, name and address

To know where to meet the beneficiary and to contact them regarding times to meet

This is stored in a phone message or as part of the call logs as per the above. The messages will be deleted 12 months after the last contact for support.

Care box nomination scheme

Name and email of nominator. Name, address, allergies, gender and age of person nominated, along with information regarding why they should receive a care box

To contact the nominator as to the progress of the nomination.

To address the box for postage.

To ensure items included within the box are relevant

To establish whether the person nominated meets the criteria for a care box.

We also anonymise this data and use it for funding requests,

This information is collected via an online application form which is completed by the nominator. The information in this form is then emailed to Joanne Kelly and Laura Beet. The information is transferred into a spreadsheet that is saved in a secure online data centre. Only Joanne Kelly and Laura Beet have access to this information. Once a decision has been made about the nomination, the emails are then deleted. The information in the spreadsheet is kept for 12 months from the date of nomination to ensure no duplicate nominations.

For users of our Social Media channels and online support groups, this Policy should be read in conjunction with each channels Privacy Policy, in particular the Data Policy

Donors

Category
Data collected
What CISFA use it for
How is this information stored and how long for

Donors

Name of donor, date, donation amount.

If via Paypal, date and time of donation, name of donor, amount, email address, shipping address and any note added to the transaction

To record donation amounts in our annual account submission to Companies House.

For fundraising planning purposes and to understand trends in fundraising.

To provide to an appointed accountant for the purposes of auditing, completing, and filing CISFA annual accounts.

This information is stored within our banking records and PayPal records. This information is downloaded from banking and paypal records and stored in a secure online data centre. Access to this information is only given to Laura Beet and Joanne Kelly and a CISFA appointed accountant. This information is stored for 6 years from the end of the associated accounting period for each set of data.

Volunteers and Trustees

CISFA will collect, store, and use the following categories of personal information about volunteers:

Category

Data collected

What CISFA use it for

How is this information stored and how long for

Counsellor

Name of course provider, name, contact number and email of placement manager

To contact the course provider/placement manager to confirm the Counsellor is registered to a course there, request competency to practice information and review requirements the course has of CISFA during the placement

This information is collected via the Counsellor registration form which is then saved in a secure online data centre. Only Laura Beet and Joanne Kelly have access to this information.

Whilst the Counsellor is working with CISFA, the information will continue to be stored. The information will be destroyed 1 year after the volunteer stops working with CISFA.

Governing body registration number

To confirm the Counsellor is registered with a governing body to ensure suitability to provide services through CISFA.

External Supervisor – Name, contact number and email address

To confirm the Counsellor has external supervision.

To contact the supervisor should CISFA have concerns regarding the Counsellor’s ability to practice

Competency to Practice letter

To confirm the counsellor is suitable and able to provide services through CISFA

This information is stored in a secure online data centre. Only Laura Beet and Joanne Kelly have access to this information.

Whilst the Counsellor is working with CISFA, the information will continue to be stored. The information will be destroyed 1 year after the volunteer stops working with CISFA.

Beneficiary of CISFA counselling service

Personal contact details such as name, telephone numbers, email addresses and date of birth

To contact the beneficiary regarding their application and during the counselling where applicable

To ensure the application is 18 or over

To provide to the counsellor if the application is successful to being the counselling arrangement (name, phone and email only)

This information is collected within the CISFA UK potential Counselee Risk Assessment Form and is then uploaded and stored in a secure online data centre. Only Laura Beet and Joanne Kelly have access to this information. If the applicant is unsuccessful, the information will be anonymised. If the application is successful the information will be stored for 12 months from the date of the last counselling session after which it will be anonymised.

Personal information such as condition and medication information, counselling experience, ability to join counselling sessions, further medical history regarding disorders or abuse experience

To assess the suitability of the CISFA counselling service for this individual given the experience levels of the counsellors

To understand the suitability of the service as a whole to the beneficiaries of CISFA as part of a pilot and whole service review process.

Responses to patient health questionnaires PHQ-9 and GAD-7

Feedback forms, including name, gender, and feedback regarding the counselling service and how the beneficiary is feeling

To determine the effectiveness of the counselling service and also the feedback forms

This information will be collected via feedback forms at different stages of the counselling relationship. These are then emailed to Laura Beet who will upload them into a spreadsheet stored in a secure online drive. This information will be kept for 12 months after the date of the last feedback form for each person, after which it will be anonymised.

4. How is personal information collected?

CISFA collect personal information about stakeholders through the methods outlined above, directly from the stakeholder. CISFA may sometimes collect additional information from third parties, including former employers.

CISFA asks stakeholders to ensure that any personal information supplied to CISFA which relates to third party individuals is provided to CISFA with their knowledge of CISFA’s proposed use of their personal information, for example for the provision of references or within the care box nomination process.

CISFA may collect, use and store additional personal information in the course of providing any activities throughout the period of the stakeholders’ involvement with us. For example, fundraising volunteers working at an event may choose to have their photo taken and used in a marketing campaign.

5. The lawful grounds on which we use information about you

CISFA will only use personal information when the law allows. CISFA process personal information for the above purposes relying on one or more of the following lawful grounds:

Where CISFA need to perform as per the volunteer agreement they have entered into with the volunteer, or in order to take any pre-contract steps at their request;
Where it is necessary for CISFA to comply with a legal obligation;
Where a stakeholder has freely provided specific, informed and unambiguous consent for particular purposes; and
Where it is necessary for CISFA’s legitimate interests (or those of a third party) and a stakeholder’s interests and fundamental rights do not override those interests. In broad terms CISFA’s legitimate interest is fulfilling the charitable purpose of CISFA, which involves sending direct marketing to our supporters, publishing content relating to chronic illness, contacting volunteers to plan and administrate activities, taking steps to ensure and monitor compliance with CISFA’s legal obligations and internal standards and procedures, assessing suitability of volunteers for potential roles and keeping records of volunteer activities and performance, providing suitable support to beneficiaries alongside ensuring the safeguarding of anyone benefitting from the services provided by CISFA.

CISFA may also use personal information in the following situations, which are likely to be rare:

To protect a stakeholder’s interests (or someone else's interests), such as in a medical emergency; and
Where it is needed in the public interest.

6. How CISFA use particularly sensitive personal information and information about criminal convictions

CISFA may process 'special category' or 'sensitive' personal information, such as information regarding a stakeholders physical and mental health. For example, CISFA may use information about a volunteer’s physical or mental health, or disability status, to ensure their health and safety in the workplace and to assess their fitness to work and to provide appropriate workplace adjustments.

CISFA will only collect information about criminal convictions where it is appropriate given the nature of a volunteering role and where CISFA are legally permitted to do so. If it is appropriate and legal, this information may be collected as part of the volunteer recruitment process or in the course of volunteering for CISFA, but may also be provided to CISFA directly by the volunteer in the course of volunteering for CISFA.

CISFA will use information about criminal convictions and offences in the following ways:

To determine, without discrimination, your suitability for the role; and
To continue to ensure you are still suitable for the role, including by means of continual screenings, where appropriate.

Details of these data sets are outlined above and within the CISFA UK Appropriate Policy Document (APD)

7. If you fail to provide personal information

If you fail to provide certain information when requested, CISFA may be prevented from complying with it’s legal obligations (such as to ensure the health and safety of volunteers) and may not be able to process volunteer applications or offer certain volunteering opportunities, support a beneficiary or offer particular services to certain individuals.

8. Change of purpose

CISFA will only use a stakeholder’s personal information for the purposes for which CISFA collected it, unless CISFA reasonably consider the need to use it for another reason and that reason is related to the original purpose.

9. Data sharing

CISFA may disclose information regarding a stakeholder in the following circumstances:

To other CISFA entities, suppliers or service providers where it is necessary to do so to facilitate volunteering or service offerings. By way of example, CISFA may disclose a volunteer’s name and email address to register them for a fundraising event.
Where CISFA are legally obliged to, CISFA will share the information of stakeholders. CISFA provide the Charity Commission and Companies House with basic contact details of its Trustees.
CISFA may provide stakeholder information such as email address, mobile phone number or cookies or other online identifiers in an encrypted format to social media companies, such as Facebook, Instagram, Twitter or YouTube, or to digital advertising companies that display advertising on online platforms (social media and other websites). Stakeholders can object to their data being used in this way by contacting Ruby Davies (enquiries@cisfauk.org). However, this may not prevent CISFA advertisements being shown to a stakeholder where they have not been targeted personally.

If CISFA share a Stakeholder’s data, CISFA require third parties to respect the security of that data, use it only for lawful purposes and handle it in accordance with Data Protection Law.

CISFA do not sell or rent information regarding stakeholders to third parties for marketing purposes.

CISFA do not transfer data out of the UK.

10. Data security

CISFA have put in place appropriate technical and organisational measures to protect the security of information regarding stakeholders.

Third parties will only process personal information on the instruction of CISFA and where they have agreed to treat the information confidentially and to keep it secure.

CISFA have put in place appropriate security measures to prevent personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, CISFA limit access to your personal information to those volunteers, employees, agents, contractors and other third parties who have a business need to know.

CISFA will notify stakeholders and any applicable regulator of a suspected breach where legally required to do so. Where a breach has happened, we will document our decision-making process and keep a record of the breach whether stakeholders or applicable regulators are notified. As part of this we will investigate whether the breach was a result of human error or a systematic issue and see how a recurrence can be prevented. Our data security and privacy processes will be updated where appropriate.

11. Data retention

CISFA will only retain personal information for as long as necessary to fulfil the purposes it was collected, including for the purposes of satisfying any legal or reporting requirements.

To determine the appropriate retention period for personal data, CISFA consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of personal data, the purposes for processing personal data and whether CISFA can achieve those purposes through other means, and the applicable legal requirements. Personal information that is no longer needed will be securely destroyed.

In some circumstances CISFA may anonymise a volunteer’s personal information so that it can no longer be associated with the volunteer, in which case CISFA may use such information without further notice to the volunteer.

12. Stakeholder rights

Stakeholders have the following legal rights in relation to CISFA’s collection and processing of personal information:

Right to be informed – Stakeholders have the right to be told how personal information will be used. This Policy and other CISFA policies and statements are intended to provide a clear and transparent description of how personal information may be used.
Right of access – Stakeholders can write to CISFA to ask for confirmation of what information CISFA hold on them and to request a copy of that information (and other related information). Provided CISFA are satisfied that they are entitled to see the information requested and have successfully confirmed that person’s identity, CISFA will provide them with their personal information subject to any exceptions that apply. They will not have to pay a fee to access personal information (or to exercise any of the other rights). However, CISFA may charge a reasonable fee if a request for access is clearly unfounded or excessive. Alternatively, CISFA may refuse to comply with the request in such circumstances.
Right of erasure – at a stakeholder’s request, CISFA will delete all personal information from our records as far as CISFA don't have a valid reason for holding on to it (e.g. to comply with a legal obligation).
Request correction of the personal information that CISFA hold about a stakeholder. This enables them to have any incomplete or inaccurate information CISFA hold about them corrected. Stakeholders are asked to please keep CISFA informed if personal information changes during their volunteering, working or beneficiary relationship with CISFA.
Right to restrict processing – they have the right to ask CISFA to restrict the processing of personal information if there is disagreement about its accuracy or whether use is legitimate or not.
Right to object – they have the right to object to processing where CISFA are: (i) processing personal information on the basis of the legitimate interests ground and have no compelling reason demonstratable to continue with that processing; (ii) using personal information for direct marketing, or; (iii) using personal information for statistical purposes.

If a stakeholder wishes to exercise any of these rights, they should contact Ruby Davies at enquiries@cisfauk.org. CISFA will aim to fulfil all right of access requests within 1 month of receiving the request, as per the above rights. For more information about rights or if they are not happy with CISFA’s response to a request, they can contact the Information Commissioner’s Office (ICO) – for more details, see https://ico.org.uk/.

13. Information Governance Lead

We have appointed an Information Governance Lead to oversee data protection standards at CISFA. If a stakeholder has any questions about this privacy notice or how CISFA handle personal information, please contact our Information Governance Lead Ruby Davies at enquiries@cisfauk.org.

The role of the information governance lead is to support stakeholder requests as per section 11, keep this policy up to date, ensure that data is stored and deleted as per the above policy and provide an internal audit of CISFA data processing, usage and storage on a regular basis.

13. Changes to this privacy policy

CISFA reserve the right to update this privacy policy at any time, and will provide stakeholders with access to a new privacy policy when any substantial updates are made. CISFA may also notify them in other ways from time to time about the processing of their personal information.

If you have any questions about this privacy policy, please contact Ruby on enquiries@cisfauk.org

CISFA UK Appropriate Policy Document (APD)

in accordance with the requirements of the Data Protection Act 2018 (DPA 2018)

Description of data processed

CISFA UK processes (i) Special Category (SC) data concerning health and (ii) Criminal Offence (CO) data, as defined in the DPA 2018. These Data Sets are described as follows:

Medical condition information including, where appropriate, medication and allergy information for community support group beneficiaries, CISFA UK volunteers and care pack nominees.
List of names of beneficiaries within CISFA UK support channels who are deemed high risk due to mental or physical health conditions.
Past and current health data for applicants to CISFA UK’s counselling service.
Information regarding a beneficiary’s past, current or future health status provided voluntarily by beneficiaries within CISFA UK’s support groups.
Disclosure and Barring Service (DBS) records for volunteers wishing to volunteer with CISFA UK.

Schedule 1 conditions for processing

As per the above Data Sets, and in accordance with Schedule 1 of the DPA 2018, the appropriate conditions for processing this data are as follows:

Data Set (as above)

Schedule 1 condition

1-4

Condition 16: Support for individuals with a particular disability or medical condition

Condition 18: Safeguarding of children or individuals at risk

Procedures for ensuring compliance with the principles

CISFA UK has a responsibility to demonstrate that our policies and procedures ensure our compliance with the wider requirements of the General Data Protection Regulation and, in particular, the Principles therein. The sensitivity of SC and CO data means the technical and organizational measures we have in place to protect such data are crucially important.

CISFA UK maintains both this document and the CISFA UK Privacy Policy regarding the processing of data. We have appointed an Information Governance Lead to ensure these are appropriate and kept up to date regarding guidance and legislation. We carry out data protection risk assessments with regards to all data we collect, process and store to ensure the suitability of our policies and processes.

We ensure that:

We have a lawful, fair and transparent basis for processing SC/CO data;
We are open and honest when we collect the SC/CO data and do not deceive or mislead people about the use of this data;
We clearly identify our purpose for processing the SC/CO data and include details of this within our CISFA UK Privacy and Data Protection Policy (Privacy Policy);
We only collect SC/CO data we actually need for specified purposes, periodically reviewing this data and deleting anything that is not needed;
Where available, we have the appropriate processes in place to check the accuracy of the SC/CO data we collect and keep it updated to properly fulfil our purpose;
We have outlined the rights to individuals to update SC/CO data within our Privacy Policy;
We have carefully considered how long we keep the SC/CO data and regularly review the information and erase or anonymize the SC/CO data when it is no longer needed; and We have reviewed and implemented an appropriate level of security needed for this data, details of which are outlined in our Privacy Policy.

Retention and Deletion policies

Our retention and deletion processes for each SC/CO Data Set are as follows:

Data Set (as above)

Retention and deletion policy/process

For community support group beneficiaries, this information is collected via a community support group registration form which is completed by the beneficiary wishing to join the group. The information in this form is then scanned and saved in a secure online data centre. The paper registration forms are then stored within a folder that is brought to each support group meeting in case of emergencies and in case of no access to the secure online data centre. This folder is accessed only by Laura Beet and Joanne Kelly and is stored securely at all times. The information is stored for the duration of the beneficiary’s attendance at the group and destroyed 12 months after the last meeting attended by the beneficiary.

For CISFA UK Volunteers, this information is collated via a volunteer registration form which is then saved in a secure online data centre. Only Laura Beet and Joanne Kelly have access to this information. Whilst the volunteer is working with CISFA UK, the information will continue to be stored. The information will be destroyed 12 months after the volunteer stops working with CISFA UK.

For care box nominees, this information is collected via an online application form which is completed by the nominator. The information in this form is then emailed to Joanne Kelly and Laura Beet. The information is transferred into a spreadsheet that is saved in a secure online data centre. Once a decision has been made about the nomination, the emails are then deleted. The information in the spreadsheet is kept for 12 months from the date of nomination for the purpose of ensuring no duplicate nominations.

Only Laura Beet and Joanne Kelly have access to any of this information.

This information is collected by the lead support admin and the head of support. The information in this list is stored in a secure online data centre. Only the support team have access to this information. Any information will be deleted 12 months from the date that the relevant member of the onlinDetails of the retention and deletion processes and policy for each category of SC/CO data can be found within the CISFA UK Privacy and Data Protection statement.

APD review date

This APD will be reviewed by the Information Governance (IG) Lead every 6 months. Confirmation of these reviews will be noted below:

Date of review

Name of IG Lead / Reviewer

Significant changes made

09/03/21

Laura Beet

First draft of document – edits made in line with Privacy Policy (as defined above)

11/03/21

Ruby Davies

No significant changes, edits made in line with Privacy Poliy
support group leaves the online support group.

This information is collected within the CISFA UK Potential Counselee Risk Assessment Form and is then uploaded to, and stored in, a secure online data centre. Only Laura Beet and Joanne Kelly have access to this information. If the applicant is unsuccessful, the information will be anonymised. If the application is successful, the information will be stored for 12 months from the date of the last counselling session attended by the relevant counselee, after which it will be anonymised.

Where this information is held within the Facebook group, the information can be seen by anyone within the group (as it is posted publicly). If posted privately, only the administrators of the group will see this. This information will not be deleted, unless done so by the beneficiary, where it provides support to other beneficiaries. If it does not provide support or engage with chronically ill people on the forum, this information is deleted within a week of being posted. For any private messages sent through Facebook Messenger, this information will be deleted 12 months after the last message sent by each support admin.

This information is collected via our preferred third-party agency. This information will be deleted 12 months after the volunteer stops working with CISFA UK.

Records relating to DBS checks undertaken (including applicant, type of DBS check and outcome of check) will not be deleted, as this helps CISFA UK to determine who is able to volunteer for CISFA UK

We Need Your Support Today!

Donate

Privacy Policy

SUBSCRIBE TO OUR NEWSLETTER