Data controller: Youth First
Data protection officer: Michalis Migos, email@example.com
The organisation collects and processes personal data relating to its service users to manage service provision. The organisation is committed to being transparent about how it collects and uses that data and to meeting its data protection obligations.
What information does the organisation collect?
The organisation collects and processes a range of information about you. Some of this information is mandatory in order to use our services, for safeguarding and medical reasons. This includes:
- the name, address and contact details, including email address and telephone number, of both the young person and a parent/guardian
- date of birth and gender of young person
- registration of attendance at youth club sessions
- information about medical or health conditions, including whether or not the young person has a disability for which the organisation needs to make reasonable adjustments
We also ask for certain other information about the young person in order to provide the best possible service to our users. None of this information is mandatory:
- details about any care that the already being received (e.g from local authority/other agencies)
- details of doctor’s surgery and housing provision
- education/employment status
- interests and hobbies
- goals for achievement through the service provision
- additional needs
The organisation, as well as those third parties with which it works to provide youth services, uses a Membership Form to collect this data, which is then uploaded into Views, a fully GDPR compliant data management system, run by data processing company Substance. Their own data protection policies can be found here: http://www.substance.net/wp-content/uploads/Substance-GDPR-Statement-V2.pdf
Why does the organisation process personal data?
In some cases, the organisation needs to process data to ensure that it is complying with its legal obligations. For example to comply with health and safety laws, safeguarding regulations and police/social service referrals.
In other cases, the organisation has a legitimate interest in processing personal data. Processing data allows the organisation to:
- evaluate and improve its services to ensure that the provision is always of the highest standard.
- demonstrate and evidence to funders that their money is being used in an effective and prudent manner.
- obtain occupational health advice, to ensure that it complies with duties in relation to individuals with disabilities and meet its obligations under health and safety law.
- comply with insurance requests.
Parents/guardians will be sent one email asking if they would like to join our Friends of Youth First group. Other than this their information will not be used for any marketing or fundraising purposes.
Who has access to data?
Your information may be shared internally where it is required to provide the service, including with relevant youth workers and members of the management team.
In certain very limited cases the organisation shares your data with third parties in order to fulfil its safeguarding obligations
The organisation also shares your data with third parties that process data on its behalf:
Lewisham Borough Council
1 Community Project (1CP)
Bromley and Downham Youth Club
Elevating Success UK
Greenwich & Lewisham Young People's Theatre
Metro Centre Ltd
Millwall Community Trust and Sports Active
Triple Helix Training
Phoenix Community Housing
The organisation will not transfer your data to countries outside the European Economic Area.
How does the organisation protect data?
The organisation takes the security of your data seriously. The organisation has internal policies and controls in place to try to ensure that your data is not lost, accidentally destroyed, misused or disclosed, and is not accessed except by its employees in the performance of their duties. Please find our full Data Protection Policy at: https://www.youthfirst.org.uk/privacy
Where the organisation engages third parties to process personal data on its behalf, they do so on the basis of written instructions, are under a duty of confidentiality and are obliged to implement appropriate technical and organisational measures to ensure the security of data.
For how long does the organisation keep data?
The organisation will hold your personal data for the duration of the time that the young person uses the service, plus a period of two years.
As a data subject, you have a number of rights. You can:
- access and obtain a copy of your data on request;
- require the organisation to change incorrect or incomplete data;
- require the organisation to delete or stop processing your data, for example where the data is no longer necessary for the purposes of processing; and
- object to the processing of your data where the organisation is relying on its legitimate interests as the legal ground for processing.
If you would like to exercise any of these rights, please contact firstname.lastname@example.org
We do not make decisions on how to process data based solely on automated decision-making.
If you believe that the organisation has not complied with your data protection rights, you can complain to the Information Commissioner.