At Step One, we are committed to protecting your privacy. We will respect any personal information you share with us (or that we receive from other organisations) at all times, and we will keep it safe.
This policy explains what personal data Step One collects from you, through our contact with you, working together with other people and organisations, and through this website.
In this policy, you’ll find important information about your personal rights to privacy, and how and why we use your personal information.
If you have any questions, queries or concerns about any information on this page, please contact us; you can find our contact details at the bottom of the page.
We’ve recently updated this policy to reflect the changes we’ve made to be compliant with the General Data Protection Regulation (the “GDPR”). The main differences are that we have:
- set out the rights you have regarding your data, such as to access or amend it
- detailed how we collect, store, share and use personal data and why
- set out the lawful grounds we rely on to process your data
- described how long we retain information
- clarified that we may collect sensitive personal information, if we have a valid reason to do so and if permitted under the GDPR
If you have any questions about these changes, please contact us and we’ll be happy to help.
What this policy covers
- How do we process your data?
- What is personal information?
- What is sensitive personal information?
- How do we use your personal information?
- How long do we keep it?
- What happens if you ask us to remove your data?
- Our lawful grounds for processing your information?
- Processing sensitive data
- Will we share your personal data
- Security, storage and access to your personal information
- Your rights
- How to contact us
About Step One
How we process your data
This policy sets out how we handle your data. It also explains your rights and options around how we use your personal information.
We collect information about you:
When you give it to us directly
This might be when you:
- interact with us online
- communicate with us
- apply to work or volunteer for us
- give us your personal information in any other way, for example, if you’re receiving support from Step One.
When others give it to us
This is when your personal information is given to us by third parties, such as other organisations that are supporting you, for example, NHS and Social Care providers, employers, and other organisations.
When you visit this website
When you visit this website, we automatically collect the following personal information:
Technical information, including:
- the internet protocol (IP) address used to connect your computer to the internet
- your browser type and version
- your time zone setting
- browser plug-in types and versions
- your operating systems and platforms
Information about your visit to our website, including:
- the uniform resource locator (URL) clickstream to, through and from this site (including date and time)
- page response times
- download errors
- length of visits to certain pages
- referral sources (how you arrived at the website)
- page interaction information (such as scrolling and clicks)
- methods used to browse away from the page.
We collect and use your personal information by using cookies on our website – please click here.
What is personal information?
We collect, store and use the following kinds of personal information:
- Essential details such as your name and contact details.
- Information about your computer/mobile device and your visits to and use of this website, including for example your IP address and geographical location.
- Information about our services which you use/which we consider of interest to you.
If you are receiving support from Step One or using our services:
- Essential information such as date of birth, your NHS number and details of your next of kin.
- Any contact we have had with you, for example when you have stayed in one of our services, visited us at one of our offices, or when we have visited you at home.
- Details of the support that we provide for you, and any information that we may need to give this support, for example, any health conditions or disabilities, medicines that you may take, your employment history, your bank details (if we are supporting you with your finances), or any criminal convictions.
- relevant information from your relatives or those who care for you and know you well
- Any other personal information shared with us as described above.
What is sensitive personal information (special category data)?
The GDPR recognises specific categories of personal information as sensitive and therefore requiring more protection.
For example, this includes information about your health, religious beliefs, and ethnicity.
In the course of providing support to people who use our services, Step One routinely processes sensitive personal data. In other limited cases, we may collect and use your sensitive personal information.
In each case, we will only do so if we have a valid reason and the GDPR permits it, as described in how and why we will we use your personal information.
How do we use your personal information?
We use your personal information to:
- provide you with services or information you’ve asked us for
- give more information about our work, services, or activities
- process your donations
- further our charitable aims
- research the impact and effectiveness of our work and services
- register and administer your participation in events you’ve registered for
- manage and keep our website safe and secure and for internal operations, including troubleshooting, data analysis, testing, research, statistical and survey purposes
- improve your interactions with our website, for example by making sure that we present content most relevantly and effectively for you and your computer/mobile device
- report on the results and impact of our work, services and events
- analyse and improve our work, services, activities or information (including our website) or for our internal records
- use IP addresses and monitor website use to identify locations, block disruptive use, record website traffic or personalise the way information is presented to you
- to process your application for a job or volunteer role with us
- training and quality control
- audit and administer our accounts
- satisfy legal obligations which are binding on us, for example, arising from contracts entered into between you and us or concerning regulatory, government or law enforcement bodies with whom we may work
- provide information for funders, where this is contractually required, and so that we can be paid for providing a service to you
- prevent fraud, misuse of services or money laundering and to perform due diligence
- reduce credit risk
- communicate with you in any other way
- for the establishment, defence and enforcement of legal claims
If you are receiving support from Step One as a person who is using our services, we use your personal information to:
- plan your support and provide you with a high standard of service
- provide health, social care and employment professionals who are involved in your support with relevant, accurate and up-to-date details about your support needs
- investigate any concerns or complaints you may have, either about your support or the standards of service you are receiving.
- check and make improvements to our services
- in some cases, use your anonymised information (by removing anything that identifies you) to help us improve the quality of our services, and make sure that our services can be planned to meet the future needs of people.
Telling you about how you can support us or get involved in our work:
- We use your details to give you information about our work, services, events, and fundraising opportunities which we think might interest you. We will only do this if you have given us consent to contact you about this.
How long do we keep your personal information?
In general, if we no longer need your information for the reasons you gave it to us, we remove your personal information from our records six years after the date it was collected.
However, we’ll remove it sooner if:
- your personal information is no longer required for the purpose you shared it with us
- we’re no longer lawfully entitled to process it
- you ask us to remove it.
Please note that special rules apply to records that we keep when we support you. We are bound by certain laws and guidelines concerning how long we must keep these records.
Our lawful grounds for processing your information
The GDPR requires us to rely on one or more lawful grounds to process your personal information. These are the grounds that are relevant to the services that we offer.
- Where you’ve given your consent for us to use your personal information in a certain way.
For example, if you are happy to share your story to help us to highlight the work we do, we will always ask for your consent to use your personal information in this way.
- Where necessary so that we can comply with a legal obligation (for example, where we need to share your personal information with regulatory bodies which govern our work and services, or where we are bound by certain laws, such as the Mental Health Act).
- Where necessary for the performance of a contract.
- Where it is in your/someone else’s vital interests (for example, in case of a medical emergency).
- Where there is a legitimate interest in us doing so.
What do we mean by ‘legitimate interests’?
The GDPR allows us to collect and process your personal information if it is reasonably necessary to achieve our or others’ legitimate interests, as long as that processing is fair, balanced and does not unduly impact your rights.
Step One’s legitimate interests
In broad terms, our “legitimate interests” means running Step One as a charitable entity in pursuit of our aims and ideals. For example, by:
- providing information about our services
- running events
- taking applications for staff and volunteers.
Your legitimate interests
“Legitimate interests” can also include your interests, such as when you have requested information or services from us.
How do we balance these interests?
When we legitimately process your personal information in this way, we consider and balance any potential impact on you (both positive and negative), and your rights under data protection laws. We won’t use your personal information for activities where the impact on you overrides our interests.
Will we share your personal information?
We never share, sell or rent your information to third parties for marketing purposes.
However, we may disclose your personal information to selected third parties to achieve the other purposes set out in this policy.
These may include (among others):
- other professionals and organisations involved in supporting you (for example, we currently share information with referring organisations including the NHS, County Councils, and where we have contracts with Shaw Trust and Reed in Partnership)
- business partners, suppliers and sub-contractors
- analytics and search engine providers
- IT service providers
- other beneficiaries, executors and legal advisers.
In particular, we reserve the right to disclose your personal information to third parties:
- if we are under any legal or regulatory duty to do so.
- to protect the rights, property or safety of Step One, its employees, people who use its services, visitors or others.
Please see below in ‘Your Rights’ how the National Data Opt Out may apply to our sharing of your data.
Security, storage and access to your personal information
We will always keep your personal information safe and secure.
We might store your information in paper or electronic records, or a combination of both. We restrict all our records so that only those individuals who need to know the information can get access. We have appropriate and proportionate security policies and organisational and technical measures in place to help us do this.
Who can see my personal information?
Only appropriately trained staff, volunteers and contractors can access your information. It is stored on secure servers with features to prevent unauthorised access.
Where is my personal information stored?
The personal information that we collect from you will be stored at the service that you are using (in the case of paper records), or on a secure server within the UK or European Economic Area (“EEA”).
It is important to remember that no transmission of your personal information over the internet can be guaranteed to be 100% secure and so we advise you to take suitable precautions when transmitting data to us via the internet.
These are your rights concerning how we process your personal information:
Right to be informed
You have the right to be told how we will use your personal information. This policy and other policies and statements used on this website and in our communications provide you with a clear and transparent description of how we may use your personal information.
Right of access
You can write to us to ask for confirmation of what information we hold on you and to request a copy of that information.
Provided we are satisfied that you are entitled to see the information requested, and we’ve successfully confirmed your identity, we’ll give you your personal information (subject to any exceptions that apply).
Right of erasure
You have the right to ask us to delete your personal information, and we’ll do this when you ask us to unless we are legally required to retain your information (for example, in the case of health records).
Right of rectification
If you believe our records of your personal information are inaccurate, you have the right to ask us to update those records.
You can also ask us to check the personal information that we hold about you if you are unsure whether it is up to date.
Right to restrict processing
You have the right to ask us to restrict the processing of your personal information if there is disagreement about its accuracy or legitimate usage.
Right to object
You have the right to object to processing where we are:
- processing your personal information on the grounds of legitimate interest.
- using your personal information for direct marketing.
- using your personal information for statistical purposes.
Where we rely on your consent to use your personal information, you have the right to withdraw that consent at any time.
Right to data portability
Where we are processing your personal information:
- because you gave us your consent
- because such processing is necessary for the performance of a contract to which you are party
you may ask us to provide it to you – or another service provider – in an electronic format, such as PDF.
National Data Opt-Out
The national data opt-out gives everyone the ability to stop health and social care organisations from sharing their confidential information for research and planning purposes, with some exceptions such as where there is a legal mandate/direction or an overriding public interest (for example to help manage the covid-19 pandemic.)
How to exercise your rights
To exercise any of these rights, please send a description of the personal information in question using the contact details below.
Please note that you may only use/benefit from some of these rights in limited circumstances. For more information, we suggest that you consult guidance from the Information Commissioner’s Office (ICO).
Making a complaint
If you have any concerns about anything we have told you in this policy, please contact us (using any of the contact details below).
You have the right to make a complaint if you feel unhappy about how we hold, use or share your information. We recommend contacting us initially to talk through any concerns that you have. If you wish to complain, we will tell you about the process for doing this. You may also raise a concern or complaint here.
If you remain dissatisfied following the outcome of your complaint, you may wish to contact the Information Commissioners Office:
Post: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Telephone: 0303 123 1113
Please note that the Information Commissioner will not normally consider an appeal until you have exhausted your rights of complaint to us directly. Please see the website above for further advice.
Changes to this notice
We may update this Policy to make sure it meets the needs of people that we support, people who use this website, and any changes in the law, so please check back periodically. We will notify you of significant changes by placing a notice on our website. This Policy was last updated in September 2020.
Links and third parties
We link our website directly to other sites. This Policy does not cover external websites, and we are not responsible for the privacy practices or content of those sites. We encourage you to read the privacy policies of any external websites you visit via links on our website.
How to contact us
Please let us know if you have any questions or concerns about this policy or about the way in which we are processing your personal information. You can contact us:
51 New North Road