Privacy Policy - Every Life Matters

Every Life Matters is committed to protecting your personal data. This policy explains how and why we use your personal data to make sure you remain informed and in control of your information.

Your personal data (i.e. any information which identifies you, or which can be identified as relating to you) will be collected and used by Every Life Matters which is a registered Charity No: 1180815 and data controller number ZA565475. For the purposes of data protection law, Every Life Matters will be the Data Controller.

About
Questions
What information will we collect?
How do we use personal information?
Website Privacy Statement
How do we protect personal data
Evaluation and Research at Every Life Matters
Your rights
Complaints
Data Protection and Security Policy

1. About

As part of the services we offer, we are required to process personal data about our people who attend our training or other community events, people receiving support from us, our staff and volunteers and people subscribing to our newsletters and other updates. “Processing” can mean collecting, recording, organising, storing, sharing or destroying data.

We are committed to being transparent about why we need your personal data and what we do with it. This information is set out in this privacy notice. It also explains your rights when it comes to your data.

You can choose not to receive information or change how we contact you at any time. If you would like to, please let us know by:

Emailing: info@every-life-matters.org.uk

Writing to us at; Every Life Matters, Bulls Head, Shap, Penrith CA10 3NG

Telephone: 07908 537541

We will never sell your personal data.

2. Questions

Any questions you have about this policy or how we use your personal data should be sent to: info@every-life-matters.org.uk or addressed to: The Data Protection Officer at the postal address given above.

3. What information do we collect?

Training and Community Activity

We collect data you give to us when you sign up for training or other community events. For example:

Personal details (name, date of birth, email, address, telephone, occupation etc.) when you sign up to training or other community events
Financial information (payment information such as credit/debit card for direct sales).

Information from other organisations

We sometimes receive personal data from other organisations who manage training or events bookings for us, for example, Eventbrite or your employer.

Accidents or incidents

If an accident or incident occurs in one of our training centres or involving one of our employees then we’ll keep a record of this (which may include personal data and sensitive personal data).

Support After Suicide Service

Personal data you directly give to us

So that we can provide a safe and professional service, we need to keep certain records about you.

We may process the following types of data:

Your basic details and contact information e.g. your name, address, date of birth and next of kin;

We also record the following data which is classified as “special category”:

Health and social care data about you, which might include both your physical and mental health data.
We may also record data about your race, ethnic origin, sexual orientation or religion.

Information from other organisations

We sometimes receive personal data from other organisations who may refer you to our service.

Accidents or incidents

If an accident or incident occurs involving one of our clients or employees then we’ll keep a record of this (which may include personal data and sensitive personal data).

4. How do we use personal information?

We will only use your information for the purpose or purposes it was collected for.

Training and Community Activity

We only ever use your personal data with your consent, or where it is necessary:

To enter into, or perform, a contract with you for training or other community event
To comply with a legal duty
To protect your vital interests; this means, for example, keeping you safe from harm
For our own (or a third party’s) lawful interests, provided your rights are not affected

Administration

We use personal data for administrative purposes. This includes:

Receiving payment (e.g. direct debits or payment card details)
Maintaining databases of our learners
Performing our obligations under training contracts
Helping us respect your choices and preferences (e.g. if you ask not to receive marketing material, we’ll keep a record of this).

Marketing

We use personal data to communicate with people and to promote Every Life Matters training and other activity. Every Life Matters will ask its learners and contacts to “opt-in” for marketing communications. This means you’ll have the choice as to whether you want to receive these messages.

Research and Analysis

We may carry out research and analysis on the data we hold to understand behaviour and responses and identify patterns and trends.

We evaluate, categorise and profile personal data to tailor services and communications we send out (including targeted advertising) and to prevent unwanted material from being sent to you.

Support After Suicide Service

High Quality Support

We need this data so that we can provide ongoing high-quality support.

By Law

By law, we need to have a lawful basis for processing your personal data and we may collect your data because;

It is necessary due to social security and social protection law (generally this would be in safeguarding instances);

Information Sharing

We may also process your data, or share information about you, with your consent. If we need to ask for your permission, we will offer you a clear choice and ask that you confirm to us that you consent.

We will also explain clearly to you what we need the data for, or why we need to share your data, and how you can withdraw your consent at any time. Information may be collected from or shared with:

Other parts of the health and care system such as local hospitals, the GP, the pharmacy, social workers, clinical commissioning groups, and other health and care professionals;
The Local Authority;
Your family or friends – with your permission;
Organisations we have a legal obligation to share information with i.e. for safeguarding, the CQC;
The police or other law enforcement agencies if we have to by law or court order.

5. Website Privacy Statement

This section of the privacy policy applies to our website www.every-life-matters.org.uk (the “Site”). If you do not accept this privacy policy, you should not use this Site.

Collection of personal information

Every Life Matters collects personal information from you (such as name, address, telephone number, email address etc) when you complete contact and enquiry forms or send emails to us. Please do not submit your personal information to us if you do not wish us to collect it.

Right to Access

You have the right to request and obtain the information that is being collected from you and for what purpose this information is being collected. You may request an electronic version of all data Every Life Matters has on you, please email info@every-life-matters.org.uk to request this.

Right to Be Forgotten

You have the right to request that all data collected from you is removed. To request removal of all data collected please email info@every-life-matters.org.uk.

Data Portability

You have the right to request, obtain, and/or transfer possession of collected data at any time.

Breach Notification

In the event of a breach or unauthorized access of personal data that is likely to “result in a risk for the rights and freedoms of individuals”, we will notify you within 72 hours.

Log Data

Like many site operators, we collect information that your browser sends whenever you visit our Site (“Log Data”). This Log Data may include information such as your computer’s Internet Protocol (“IP”) address, browser type, browser version, the pages of our Site that you visit, the time and date of your visit, the time spent on those pages and other statistics. In addition, we may use third party services such as Google Analytics that collect, monitor and analyse this.

Cookies and similar technology

www.every-life-matters.org.uk also uses cookies and similar technical tools to collect information about your access to the Site and the services we provide.

A cookie is a small text file that contains a unique label or cookie ID number. When you visit a website that uses cookies, the website sends a cookie to you browser’s software and it is stored on your computer even after you leave the site. When you visit the website at a later date the cookie’s ID number is sent back to the website, allowing the website to recognise the user which can be really useful for you. This remembers you on repeat visits effectively letting you move around the Site without having to keep re-introducing yourself.

We use cookies to:

Remember that you have used the Site before; this means we can identify the number of unique visitors we receive to different parts of the Site. This allows us to make sure we have enough capacity for the number of users that we get and make sure that the Site runs fast enough;
Store your preferences or your user name and password so that you do not need to input these every time you visit the Site;
Customise elements of the layout and/or content of the pages of the Site for you;
Collect statistical information about how you use the Site so that we can improve the Site; and
Gather information about the pages on the Site that you visit, and also other information about other websites that you visit, so as to place you in a “market segment”.

This information is only collected by reference to the IP address that you are using, but does include information about the county and city you are in, together with the name of your internet service provider.

Some of the cookies used by our Site are set by us, and some are set by third parties who are delivering services (such as interest based advertising directed at your market segment) on our behalf.

Most web browsers automatically accept cookies but, if you prefer, you can change your browser to prevent that or to notify you each time a cookie is set.

Visiting www.allaboutcookies.org will provide information on settings within your browser as well as other useful information on cookies.

Please note however, that by blocking or deleting cookies used on the Site you may not be able to take full advantage of the Site if you do so.

If you continue using this Site we will assume that you are happy to receive all cookies and similar technical tools from this Site and reserve the right to amend, remove or add new cookies and similar technical tools at any time.

If you would like to disable and or prevent any cookies from this Site from being saved in your browser, then please follow the links below or consult with your internet browser provider.

General cookie management resources

Browser specific cookie management resources

6. How do we protect personal data?

We use a variety of physical and technical methods to keep your data safe and to prevent unauthorised access or sharing of your personal information.

Electronic data and databases are stored on secure computer systems and we control who has access to information using both physical and electronic means.

Our employees receive data protection training and we have a set of detailed data protection procedures which personnel are required to follow when handling personal data.

Payment security

All electronic forms that request financial data will use secure web technology to encrypt the data between your web browsers and our computers.

If you use a credit card we will pass your credit card details securely to our payment provider. Every Life Mateters complies with the payment card industry data security standard (PCI-DSS) published by the PCI Security Standards Council, and will never store card details.

Storage of personal data

Where Lifetime Training information is stored. Every Life Matters operations are based in the UK and we store our data within the European Economic Area (EEA).

How long does Every Life Matters Keep information for?

We will only use and store information for as long as it is needed for the purposes it was collected for. How long we keep information depends on the information and what it’s used for. For example, if you ask us not to send you marketing emails, we will stop storing your emails for marketing purposes (though we’ll keep a record of your preference not to be emailed).

We continually review what information we hold and delete what is no longer required. We never store payment card information.

7. Evaluation and Research at Every Life Matters

Every Life Matters takes responsibility for the protection of the personal information that any reserach study or evaluation is collecting about you. In order to comply with the legal obligations to protect your personal data Every Life Matters has safeguards in place such as policies and procedures. All staff are appropriately trained and your data will be looked after in the following way:

Only the staff team will have access to identifiable information i.e. data which could identify you, but this will be made anonymous as soon as the data is transcribed/analysed using randomly generated pseudonyms or numbers. The data will not be shared with any other organisations.
All information is collected using a secure online network that is password-protected and only accessible by members of Every Life Matters staff team. All data will be destroyed after five years. Please remember you can withdraw your data until it is anonymised. Once anonymised, it is no longer possible to withdraw individual cases.

You have a number of rights under data protection law regarding your personal information. For example you can request a copy of the information we hold about you, including audio recordings or photographs. This is known as a Subject Access Request.

Overview

Every Life Matters works with partners to conduct research to the highest standards of research integrity to ensure it is both beneficial and enriches our learning and development of suicide prevention and suicide bereavement support. Our research outcomes are in the public interest. As part of our commitment to research integrity, we follow the UK General Data Protection Regulation (UK GDPR) and the UK Data Protection Act 2018 (DPA), (hereafter referred as UK data protection law). In the case of health and care research, we also follow the UK Policy Framework for Health and Social Care Research.

We promise to respect the confidentiality and sensitivity of the personal information that you provide to us, that we get from other organisations, and that we share with other collaborating organisations (such as Universities or our research funders). We will tell you how we will use your information, how we will keep it safe and who it will be shared with. We commit to keeping your personal information secure and will not use it to contact you for any other purpose unless you have agreed to this.

Research has a special status under UK data protection law. Research conducted by our staff and our University Partners ( including those studying for a PhD or Masters in Philosophy) is defined as making an original contribution to knowledge which is published in order to share that knowledge.

Research projects may also be conducted by undergraduate and taught postgraduate (Masters in Arts/Science etc.) students to fulfil the requirements of their programme of study. Although these projects are not intended to make an original contribution to knowledge, nor are they usually published, they are essential to the student’s education and are therefore included under our definition of research.

We are usually the Data Controller for research studies. This means that we will decide how your personal information is created, collected, used, shared, archived and deleted (processed). When we do this we will ensure that we collect only what is necessary for the project and that you have agreed to this. If any other organisation will make decisions about your information, this will be made clear in the participant information sheet provided to you.

If more than one organisation work together on a project, there may be two or more Data Controllers for a specific project. If this happens, the organisations will have agreements in place which outline their responsibilities and details of this will be make clear in the Participant Information Sheet, provided to you.

Information about you

‘Personal data’ means any information which can identify you. It can include information such as your name, gender, date of birth, address/postcode or other information such as your opinions or thoughts. It can also include information which makes it possible to identify you, even if your name has been removed (such as quotes or social media postings).

We will only ever collect personal information that is appropriate and necessary for the specific research project being conducted. The specific information that we will collect about you will be listed in the Participant Information Sheet, given to you by the research team.

We may process some information about you that is considered to be ‘sensitive’ and this is called ‘special category’ personal data. This includes, but is not limited to, information such as your ethnicity, sexual orientation, gender identity, religious beliefs, details about your health or past criminal convictions. These types of personal information require additional protections, particularly in relation to sharing, which the University ensures are in place.

Under UK data protection law we must have special safeguards in place to help protect your rights and freedoms when using your personal information and these are:

Policies and procedures that tell our staff and students how to collect and use your information safely.
Training which ensures our staff and students understand the importance of data protection and how to protect your data.
Security standards and technical measures that ensure your information is stored safely and securely.
All research projects involving personal data are scrutinised and approved by a research ethics committee in line with University policies and procedures.
Contracts with companies orindividuals not associated with the University have confidentiality clauses to set out each party’s responsibilities for protecting your information.
We carry out data protection impact assessments on high risk projects to ensure that your privacy, rights as an individual or freedoms are not affected.

If we use collaborators outside of the UK, we will ensure that they have adequate data protection laws or contractual mechanisms for international transfers have been put in place. In addition to the above University safeguards the UK GDPR and the DPA also require us to meet the following standards when we conduct research with your personal information:

(a) the research will not cause damage or distress to someone (e.g., physical harm, financial loss or psychological pain).

(b) the research is not carried out in order to do or decide something in relation to an individual person or their care, unless the processing is for medical research approved by a research ethics committee.

(c) the Data Controller has technical and organisational safeguards in place (e.g. appropriate staff training and security measures).

(d) if processing a special category of data, this must be subject to a further public interest test to make sure this particularly sensitive information is required to meet the research objectives.

The Legal Part

Data protection law requires us to have a valid legal reason to process and use personal data about you. This is often called a ‘legal basis’. UK GDPR requires us to be explicit with you about the legal basis upon which we rely in order to process information about you. For research the legal reason is “Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller” (Article 6 of the UK GDPR):

For sensitive information the legal reason is: “the processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes… which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject”. (Article 9 of the U K GDPR).

When research involves criminal convictions, the legal reason is listed in Schedule 1 of the Data Protection Act 2018 which requires that special safeguards are in place.

Where we need to rely on a different legal reason, such as consent, this will be listed in the Participant Information Sheet provided to you. In clinical trials or medical studies, for example, we may use the following reason:

“Processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards”.

We may also use your personal information for additional research purposes, such as other analysis or future projects on the same research topics. This is known as a secondary use or purpose. If we want to do this it will be explained to you in a Participant Information Sheet and we will ensure that your information will not be used in ways which might have a direct impact on you (such as damage or distress) or will lead to decisions being made about you.

Sharing your information

Your personal information will be kept confidential at all times and researchers are asked to de-identify it (anonymise), pseudonymise (remove any information which can identify you such as your name and replace this with a unique code or key) or delete it as soon as possible. However in some cases it may not be possible to de-identify your information as it is necessary in order to achieve the aims of the research. If this is the case you will be informed of this in the Participant Information Sheet.

Your personal information as well as any de-identified information will only be shared with members of the research team in order to conduct the project. If they need to share your information with anyone else including anyone outside of the UK, you will be told who they are and why this is the case in the Participant Information Sheet.

We also sometimes use products or services provided by third parties to conduct research activities or share research data, such as Dropbox for Business, Microsoft collaboration products e.g. Teams, or other online communication tools e.g. Zoom.. These third parties are known as data processors and when we use them we have agreements in place to ensure your information is kept safe. This does not always mean that they access your information but if they do this will be outlined in the Participant Information Sheet. As Data Controller, we will always carry out due diligence in respect of the use of third parties in order to keep your information safe throughout the research.

We will only keep your personal information for as long as necessary to complete the aims of the research. However, some personal information (including signed records of consent) will be kept for a minimum amount of time as required by external funders or our policies and procedures. You can read more about how long we will keep this information for in our retention schedule. The Participant Information Sheet will state how long your personal information will be kept, if it is different to our standard data retention policy, and for what purpose.

For some research projects, your de-identified or pseudonymised information will be kept after the project has ended, placed into a data repository/online archive for sharing with other researchers or used in future research. If the researchers would like to do this with your information you will be told in the Participant Information Sheet.

When using research repositories, researchers are often required to upload their supporting or underlying data which may be identifiable or sensitive. The repositories have technical controls in place to ensure that only authorised individuals can access the information.

Obtaining information about you from other organisations

On occasion, other organisations share personal information about you with our research teams, your information is treated in the same way as the information we collect directly from you in accordance with appropriate laws and technical standards. The suppliers of this data are usually official bodies, such as NHS Digital, NHS England, the Home Office, or the Department of Education.. When your data is supplied by those organisations, our research teams will publish privacy information on dedicated websites.

8. Your Rights

We want to ensure you remain in control of your personal data and that you understand your legal rights which include:

The right to ask and be told whether or not we have your personal data and, if we do to obtain a copy of the personal data we hold (this is known as a subject access request)
The right to have your data deleted (though this will not apply where it is necessary for us to continue to use the data to administer your training course or apprenticeship.
The right to have incorrect data amended
The right to object to your data being used for marketing purposes or profiling

Please note that there are some exceptions to the rights above and, although we will always try to respond to your satisfaction, there may be situations where we are unable to do so.

If you would like further information on your rights please write to or email our Data Protection Officer at the addresses given in section 1.

We can provide you with a subject access form template which includes guidance on how to make your request and will help us respond more quickly. Please contact us for a copy of this.

9. Complaints

You can complain to Every Life Matters directly by contacting our Data Protection Officer using the contact details set out above. If you would like to make a complaint which does not directly relate to your data protection and privacy rights please see Every Life Matters complaints policy which is available here.

If you are not happy with our response, or you believe that your data protection or privacy rights have been infringed, you can complain to the UK Information Commissioner’s Office which regulates and enforces data protection law in the UK. Details of how to do this can be found at www.ico.org.uk.