PRIVACY NOTICE FOR YMCA THAMES GATEWAY HEALTH AND WELLBEING DEPARTMENT
Under data protection law, individuals have a right to be informed about how YMCA Thames Gateway (YMCATG) collects and uses any personal data that we hold about them.
We comply with this right by providing ‘privacy notices’ (sometimes called ‘fair processing notices’) to individuals where we are processing their personal data.
This notice provides you with the necessary information regarding your rights and obligations, and explains how, why and when we collect and process your personal data.
What is Personal Information?
Personal information is information that identifies you as an individual and relates to you. This includes your contact details, financial information, educational and health information as well as information such as ethnic group, photographs and video recordings.
What is YMCATG‘s Role Regarding Data?
YMCATG are registered on the Information Commissioner’s Office Register of Data Controllers under registration number Z5593674, and act as the data controller and a data processor. YMCATG’s registered office is at 29 Rush Green Road, Romford Essex RM7 0PH and we are a company registered in England and Wales under company number 06102037.
Our designated Data Protection Appointed Person for the organisation is our Director of Quality & Compliance and can be contacted at:-
- Address: 29 Rush Green Road, Romford, Essex RM7 0PH
- Tel: 01708 770435
- Email: firstname.lastname@example.org
YMCATG processes your personal information to meet our legal, statutory and contractual obligations and to provide you with the requested products and services. We will never collect any unnecessary personal data from you and do not process your information in any way, other than already specified in this notice.
What Information Do We Collect From You?
YMCATG will only ever collect the information that we need, including information that will be useful to improve our services. We collect the following:-
- Personal information:- such as name, address, phone numbers, email address, date of birth, gender, marital status, languages spoken, bank details, identity details, National Insurance numbers and vehicle registration details.
- Special Category Information:- such as your race, ethnic origin, religion and details of any medical conditions, including physical and mental health, where required
- Assessment and Attendance:- we may also collect attendance, safeguarding and assessment information as well as details of any support required/received, including care packages, plans and support providers
- Images and CCTV Footage: – collected in the course of activities (please see our CCTV policy and notices for further information on CCTV). Where images are intended to be used on social media or public display we will make every effort to confirm your explicit consent
- Non-personal information: – gathered from our websites such as pages accessed and files downloaded. This helps us to understand how many people use our website, how many people visit on a regular basis, and how popular our pages are. This information doesn’t tell us who you are, it simply allows us to monitor and improve our services
Why Do We Collect This Information?
The reason we collect your personal data is to be able to fulfil our role under the contract or to provide services that you have requested and for our own legitimate interests such as improving our own services. We also collect it to comply with your own requests before entering into an arrangement to access our services.
We also collect and store your personal data for equality & diversity monitoring and for funding applications as well as to fulfil our legal obligation for business accounting and tax purposes.
Who Might We Share Your Information With?
Personal Information will only be shared with authorised YMCATG staff and volunteers where necessary for them to undertake their roles. Members of YMCATG staff team may share relevant information from their records with each other. This may include front of house staff, instructors, safeguarding leads and administration staff.
We do not share or disclose any of your personal information with others except where we have a lawful basis to do so as explained in this notice, where there is a legal requirement to share it or with your consent.
Where YMCATG engages others (known as third parties) to process your personal data on its behalf, they do so on the basis of clear written instructions, are under a duty of confidentiality and are obliged to implement their own appropriate technical and organisational measures to ensure the security and protection of your data.
Gladstone MRM:- We currently use Gladstone MRM as our fitness management database in order to process records of members using our services, manage bookings and to process payments on our behalf. They do so on the basis of clear written instructions and are under a duty of confidentiality. For more information on Gladstone MRM privacy please go to: https://offers.gladstonesoftware.co.uk/privacypolicy
HALO:- We currently use HALO, as our tool to support our members to achieve their fitness goals and as a platform for fitness related communication with our members. You can record and download personal stats, goals and training plans using HALO. For more information please go to https://lifefitness.co.uk/content/privacy-policy
Mailchimp:- We currently use Mailchimp, an online marketing platform to send and manage our email communications with our members. For more information please go to https://mailchimp.com/legal/privacy/
Inform: Our case management software which we use in order to keep records of customer feedback, accidents, incidents and safeguarding report information. For more information please go to https://www.salesforce.com/uk/company/privacy/
What Do We Do With Your Information?
We have a lawful basis to process personal information to fulfill our obligations of the contract for services we are providing as well as for our legitimate interest.
We use personal information to:-
- Fulfil your requests, such as the provision of information, registration for services, applications for membership.
- Carry out our obligations arising from any contracts entered into between you and us.
- Look into and respond to complaints, incidents, near misses, legal matters or any other issues.
- Record any contact we have with you.
- Provide you with information that we think may be of interest to you if you have agreed to it.
- Handle class bookings and communicate with you about these bookings.
- Process your donations, purchases or other payments and verify financial transactions.
- Claim gift aid on your donations.
- If you have agreed to it, provide you with information that we think may be of interest to you.
- To carry out research on the demographics, interests and behaviour of our users, to help us gain a better understanding of them to enable us to improve our services.
Where you have consented to us providing you with promotional offers and marketing, you are free to withdraw consent at any time.
How Do We Store Your Data?
Information is stored by us on computers located in the UK. We may transfer the information to other offices and to other third party organisations as explained above. We may also store information in paper files and will keep those securely locked in a filing cabinet.
YMCATG takes your privacy seriously and we take every reasonable steps to protect and secure your personal data under our control from accidental loss, use or disclosure. For example, only authorised personnel are allowed to access information and we use secure server software (SSL) to protect financial and personal information you input before it is sent to us.
Whilst we cannot ensure or guarantee that loss, misuse or alteration of data will not occur whilst under our control, we use our best efforts to try to prevent this by carrying out robust checks on systems and security and having adequate policies, procedures and staff training in place to help protect your data.
Personal information that YMCATG holds may in some circumstances be transferred to locations outside of the European Union/European Economic Area (EU/EEA). Where we do, we will ensure that it is protected and transferred in a manner consistent with legal requirements applicable to the information, for instance:
- The country to which we send the personal information may be approved by the European Commission
- The recipient may have signed a contract based on “contractual clauses” approved by the European Commission, obliging them to protect the personal information, or
- Where the recipient is located in the US, it may be a certified member of the EU-US Privacy Shield scheme.
How Long Do We Keep Hold Of Your Information?
We will keep your information only for as long as we need it to provide you with services or information you have requested, to administer your relationship with us, to comply with the law, or to ensure we do not communicate with you if you have asked us not to do so. When we no longer need information we will always dispose of it securely, as outlined in our Data Protection Policy.
We are required under UK tax law to keep your basic personal data (name, address, contact details) for a minimum of 6 years after which time it will be destroyed.
Where you have consented to us using your details for direct marketing, we will keep such data until you withdraw your consent.
How Can I Access The Information You Hold About Me?
Individuals have a right to make a ‘subject access request’ to gain access to personal information that YMCATG holds about them.
If you make a subject access request, and if we do hold information about you we will:
- Give you a description of it
- Tell you why we are holding and processing it, and how long we will keep it for
- Explain where we got it from, if not from you or your child
- Tell you who it has been, or will be, shared with
- Let you know whether any automated decision-making is being applied to the data, and any consequences of this
- Give you a copy of the information in an intelligible form
If you wish to access your information, please request a Subject Access Request Form from:-
Director of Quality & Compliance
29 Rush Green Road, Romford, Essex RM7 0PH
If you believe that we hold any incomplete or inaccurate data about you, you have the right to ask us to correct and/or complete the information and we will strive to update/correct it as quickly as possible; unless there is a valid reason for not doing so, at which point you will be notified.
You also have the right (in certain circumstances) to request erasure of your personal data, and the right to prevent your data from being used for direct marketing.
If you wish to raise a complaint regarding how we process your personal data please contact our data controller:-
Director of Quality & Compliance
29 Rush Green Road, Romford, Essex RM7 0PH
Alternatively, if you are unsatisfied with how we have handled your information, you have the right to make a complaint direct to the supervisory authority:-
Information Commissioners Office
Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
Tel: 0303 123 1113
Date Issued: August 2019