Salford Foundation is an organisation that supports the vocational, personal, social and academic development of young people and adults in Salford and other boroughs of Greater Manchester and the North West.
For the purposes of providing these services, Salford Foundation holds personal data on a variety of people including: children, young people or adults who use our services; current and former employees; job applicants; volunteers/mentors; donors and funders.
We (‘Salford Foundation’) respect your privacy and are committed to protecting your personal data and being transparent about how we collect and use your data. We demonstrate this through operating within the requirements of the General Data Protection Regulation (GDPR) and by building in appropriate safeguards during the collection, storage, processing, sharing and disposal of personal data.
This notice contains important information about:
- Who collects personal information about you;
- What information we collect and how and why we do so;
- How we use the information and who we may share it with;
- Where we may hold your personal information;
- How long we keep your information;
- Your rights to correct and access your information and to ask for it to be erased; and
- Details of where you can find further information and how to complain if we get things wrong and cannot resolve them for you.
1 - Who we are
Salford Foundation is a registered charity (registered in England and Wales: 1002482) and a company limited by guarantee (Company Number: 2472369).
The registered address is:
3 Jo Street
Salford Foundation’s Data Protection Officer, Mairi Palmer, is responsible for data protection compliance and for answering any questions you have about this privacy notice. Our DPO can be contacted at the above address, by email: firstname.lastname@example.org or by phone 0161 787 8500.
In the main, Salford Foundation is the Data Controller in respect of your personal information, and is responsible for what happens to it, where it goes and who sees it. However, in some instances, for example, the National Citizen Service (NCS) Programme, we process personal information as a Data Processor. This means that we are not completely responsible for your personal information, but have other responsibilities under GDPR. You can find more information on our NCS programme here.
2 - What information we collect and how and why we do so
2.1 The children, young people and adults who use our services
Salford Foundation offers a wide range of services to children, young people and adults. We collect your details and any data that is relevant to delivering the service to you or your child. We aim to collect the minimum personal information we need to carry out a service.
For children and young people this may include:
- Parent/ carer name
- Age/ date of birth
- Contact number(s)
- Email address(es)
- Postal Address
- National Pupil Database number
- College/ school information
- Emergency contact details
- Medical information and details of any special educational needs
- Images (digital photographs, moving images)
For adults this may include:
- Age/ date of birth
- Contact number(s)
- Email address(es)
- Postal Address
- National Insurance and NHS numbers
- Family details
- Emergency contact details
- Religious or other beliefs of a similar nature
- Sexual orientation
- Physical or Mental Health details
- Offences and criminal convictions
- Information relating to your finances or housing status
- Information relating to your education and training
- Images (digital photographs, moving images)
Information is collected in a number of ways: verbally when you are with one of our caseworkers; manually when you complete a referral or assessment form; or indirectly when you have been referred from your school/ college or any other agency.
Under the General Data Protection Regulation (GDPR), we must have a legal reason to keep your data and process it. When Salford Foundation provides you with a service we will process your data on the basis of legitimate interest. We do this because we cannot provide a service to you without using your personal information. When processing personal information based on a legitimate interest, we will make sure that it is exercised proportionately and is always balanced against the privacy rights and other legal rights you have as an individual.
Where we process sensitive personal information, known as ‘special category data’, we will make sure that we only do so with your permission.
2.2 Volunteers and Mentors
When you work with Salford Foundation as a volunteer or a business mentor, we will collect some personal information from you. The range of information we collect from you is appropriate to the role you perform with us and may include: your name and contact details; details of your qualifications, skills, experience and volunteering or employment history; information about your emergency contacts; information about your criminal record and references which may be used to assess suitability for volunteer positions.
In cases where you work with children, young people and vulnerable adults, we will also ask you if you have a current Disclosure and Barring Service (DBS) Certificate and, if not, whether you would be willing to undergo a DBS check.
We collect your information in a variety of ways. For example, we may collect it from an application form you have filled in or a CV you have submitted; from correspondence with you; or through meetings, telephone calls or other assessments.
We may also collect information about you from third parties, such as references supplied from former employers, and information from criminal records checks as permitted by law.
Under the General Data Protection Regulation (GDPR), we must have a legal reason to keep your data and process it. Salford Foundation processes your information on the basis of the following legal conditions:
- Where we have a legitimate interest to do so in support of the Salford Foundation’s charitable objectives, to make informed decisions and to use and process personal information for administrative purposes;
- To comply with our legal obligations and for reasons of substantial public interest;
- Where we process sensitive personal information, known as ‘special category data’, we will make sure that we only do so with your consent.
2.3 Job applicants
As part of any recruitment process, Salford Foundation collects and processes personal data relating to job applications. You can find more information here about how we collect, keep and store your personal data.
3 - How we use the information and who we may share it with
We collect and retain personal information about the children, young people and adults who use our services in order to provide you with a service, keep you safe and to inform you of future opportunities that may be of interest to you. The information collected is confidentially held by Salford Foundation and will not be sold or shared with any third parties for the purposes of direct marketing or fundraising.
For our volunteers and mentors, Salford Foundation needs to process your data to enter into a relationship with you and to ensure that we are complying with our legal obligations. For example, for certain positions it is necessary to carry out criminal records checks to ensure that individuals are permitted to carry out the role in question. We use this information to progress applications or any other enquiries relating to volunteering and business mentoring.
There will be occasions when we need to share information with third parties. For example, we may need to share information with our funders (for contractual purposes), with evaluators who are helping us to improve our service or with external agencies that inspect our work. We may also use third parties to ensure secure storage of your personal information (e.g. Charitylog and AdvicePro). We also have a legal duty to share information with relevant authorities if we believe there is a clear health or safety risk to an individual or other third party, or where there is a legal requirement to do so.
We will only share information with third parties where we have information sharing protocols in place which protect personal information. Wherever possible, information will only be shared in ways which do not identify you as an individual.
There may be occasions when we will ask you for your consent to use your data to help us inform the public about our work via case studies or for use on social media. Consent to being filmed or photographed can be withdrawn at any time by notifying us in writing. Please note that should you withdraw your consent after the filming material or photographs have been published, we will do our best to remove them; however, we will not be able to remove these from publications already in circulation and may not be able to guarantee their complete erasure.
4 - Where information may be held
Your personal information will be stored securely, in paper and electronic forms, at our offices. We have in place appropriate technical and security measures to prevent personal information from being accidentally lost or used and accessed in an unauthorised way.
We store your personal details on our secure server which is protected via a firewall or on secure case management systems located in the UK (Charitylog and AdvicePro).
We limit access to your personal information to those who have a genuine need to know it. Those processing your information will do so only in an authorised manner and are subject to a duty of confidentiality.
We also have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.
5 - How long we keep your information
Salford Foundation will only use and store personal information for as long as it is required for the purposes for which it was collected.
The criteria we use for determining retention periods for personal information are based on: legislative requirements; the purpose for which we hold the data; requirements of our funders and guidance issued by relevant regulatory authorities. We review our data retention periods for personal information on an annual basis.
Personal information that we no longer need is securely disposed of and/or anonymised so individuals can no longer be identified from it.
6 - Your rights to correct and access your information and to ask for it to be erased
Under the General Data Protection Regulation (GDPR) you have the following rights:
- The right to access your personal information;
- The right to edit and update your personal information;
- The right to request to have your personal information deleted;
- The right to restrict processing of your personal information;
- The right to object; and
- The right to lodge a complaint with a supervisory authority.
Please contact our Data Protection Officer (DPO) at email@example.com if you wish to exercise your rights, update your personal information or if you have any questions about this notice. If you wish to access your personal data by making a ‘subject access request’, please do so in writing with proof of your identity. This will be provided free of charge and we will make every effort to respond within one calendar month.
7 - How to complain
We hope that our Data Protection Officer can resolve any query or concern you raise about our use of your personal information. The DPO can be contacted at firstname.lastname@example.org and you will be provided with a copy of our Complaints and Compliments Policy.
If you feel that we have not been able to address your concerns, please contact the Information Commissioner for further information about your rights and how to make a formal complaint:
The Office of the Information Commissioner
Tel: 0303 123 1113
8 - Glossary
Anonymisation is the process of either encrypting or removing personally identifiable information from data sets, so that the people who the data describe remain unknown or anonymous.
Consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes.
The Data Controller is the organisation that is responsible for your personal data. They are required to keep it secure, make decisions about what happens to your data and are accountable if it’s lost or not kept confidential.
The Data Processor is the natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
General Data Protection Regulation (GDPR) is the 2018 legal framework that sets guidelines for the collection and processing of personal information of individuals in the European Union.
Legitimate business interest legal basis means the interests of our organisation in conducting and managing our business to enable us to give you the best service and the best and most secure experience. When we process your personal information for our legitimate interests, we make sure to consider and balance any potential impact on you (both positive and negative), and your rights under data protection laws. Our legitimate business interests do not automatically override your interests – we will not use your personal data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required to do so by law).
Personal data means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, psychological, genetic, mental, economic, cultural or social identity of that natural person.
Personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
Special category data means data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.
Subject access request is your right to get a copy of the information that is held about you.
Third party means a natural or legal person, public authority, agency or body other than the data subject, controller, processor or persons who, under the direct authority of the controller or processor, are authorised to process personal data.