Privacy Notice – General Data Protection Regulations (GDPR) & The Data Protection Act: How we use your information We collect and hold personal information relating to our service users and may also receive information about them from referring agencies, the local authority and/or other professionals acting for the service user. We use this data to:

Support service user learning Provide appropriate pastoral care Support the emotional and physical wellbeing of our service users

This information can include the following personal data and special categories of personal data:

Name
Age & Date of Birth
Contact Details
Relevant Family Information
Referring Agency Details
Details of any special educational needs
Details of any relevant health information (Physical & Mental Health)
Details of any relevant social care information
Details of their current or previous school
Details of other services involved with the individual
Details of where they go after they leave us

We will not share information about our service users with anyone without their consent unless the law and our policies require us to do so. This means that it is permissible for us to share information about service users with referring agencies, the local authority and/or relevant social or healthcare professionals. We will retain the data of service users for the following periods which are designed to meet the statutory retention periods of our referring agencies:

Data Category:
Service User Files (Mentoring Services)
Retention Period:
Until the next 6 monthly destruction period following their 21st birthday.
Data Category:
Service User Files ( Disability Groups)
Retention Period:
Until the next 6 monthly destruction period following their 21st birthday.
The rights of service users under the General Data Protection Regulations (GDPR), are shown at the end of this document.
Heartlift’s lawful basis for processing your personal data under the GDPR is as follows:
The processing is necessary for our legitimate interests in providing our services (GDPR Article 6(1)(f))
Heartlift’s lawful basis for processing special category personal data is:
Processing is necessary for carrying out our Safeguarding obligations (GDPR Article 9(2)(b)).
If you require more information about how we store or use your personal data, please contact Heartlift Management on the following:
Tel: 01204 383131

Email: office@heartlift.co.uk

______________________ The General Data Protection Regulations

The Rights of Individuals

The General Data Protection Regulation (GDPR) is a regulation that aims to give control back to citizens and to simplify the regulatory environment for international business . It becomes enforceable from 25 May 2018 and will replace the Data Protection Act.
The GDPR provides the following rights for individuals:
The right to be informed

Under the GDPR you have the right to be informed about how your personal data is being processed.
The right of access

Under the GDPR, individuals will have the right to obtain:
confirmation that their data is being processed; access to their personal data; and other supplementary information The GDPR clarifies that the reason for allowing individuals to access their personal data is so that they are aware of and can verify the lawfulness of the processing

The right to rectification

Individuals are entitled to have personal data rectified if it is inaccurate or incomplete.

The right to erase

Individuals have the right to have their personal data erased. The right to erasure does not provide an absolute ‘right to be forgotten’. Individuals have a right to have personal data erased and to prevent processing in certain specific circumstances.

The right to restrict processing

Individuals have the right to restrict the processing of personal data in certain circumstances.

The right to data portability

The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services.

The right to object

Individuals have the right to object to the processing of their personal data but must have an objection on “grounds relating to his or her particular situation”. If there is an objection, processing of the personal data must stop unless:

there are compelling legitimate grounds for the processing, which override the interests, rights and freedoms of the individual; or the processing is for the establishment, exercise or defence of legal claims.

Rights in relation to automated decision making and profiling.

The GDPR provides safeguards for individuals against the risk that a potentially damaging decision is taken without human intervention.
For the avoidance of doubt, Heartlift do not employ automated decision-making systems.

In addition to the above rights contained within the General Data Protection Regulations, individuals also have a right to raise a concern or make a complaint regarding the handling of their data. In the first instance, this should be raised with Heartlift Ltd who will instigate their complaints procedure. If you are unhappy with how your complaint is being handled, you can escalate it to the Information Commissioners Office and their guidance is available at https://ico.org.uk/for-the-public/raising-concerns/.

Further information on individual rights under GDPR can be found on the Information Commissioners Office Website (https://ico.org.uk/) or by contacting Heartlift Management.