Service User Privacy Policy

This policy falls under our group of policies in agreement with current relevant legal guidelines of GDPR:

  1. Data Protection Policy – general 
  2. Data Privacy Policy-  users service 
  3. Data Privacy Policy – users of website, social media and digital marketing
  4. Data Privacy Policy-  staff
  5. Data Privacy Policy information security
  6. Information Security - Incident Management Policy
  7. Information Security - Lifecycle Policy

Data controller: Youth First
Data protection officer: Sara Martins, sara.martins@youthfirst.org.uk

 

The organisation collects and processes personal data relating to its service users to manage service provision. The organisation is committed to being transparent about how it collects and uses that data and to meeting its data protection obligations.

What information does the organisation collect?

The organisation collects and processes a range of information about you. Some of this information is mandatory in order to use our services, for safeguarding and medical reasons. This includes:

We also ask for certain other information about the young person in order to provide the best possible service to our users. None of this information is mandatory:

The organisation, as well as those third parties with which it works to provide youth services, uses a Membership Form to collect this data, which is then uploaded into Views, a fully GDPR compliant data management system, run by data processing company Substance.  Their own data protection policies can be found here: Substance Substance –.

Why does the organisation process personal data?

In some cases, the organisation needs to process data to ensure that it is complying with its legal obligations. For example to comply with health and safety laws, safeguarding regulations and police/social service referrals.
In other cases, the organisation has a legitimate interest in processing personal data. Processing data allows the organisation to:

Parents/guardians will be sent one email asking if they would like to join our Friends of Youth First group. Other than this their information will not be used for any marketing or fundraising purposes.

Who has access to data?

Your information may be shared internally where it is required to provide the service, including with relevant youth workers and members of the management team.

In certain very limited cases the organisation shares your data with external organisations and governmental agencies in order to fulfil its safeguarding legal obligations to the young person or adult members, their families/carers and the safety of the broader community.

The organisation may also share your data with third parties that process data on its behalf, in these instances, a Data Sharing Agreement is set in place according to the law, some examples of DSA in place:

The organisation will not transfer your data to countries outside the European Economic Area.

How does the organisation protect data?

The organisation takes the security of your data seriously. The organisation has internal policies and controls in place to try to ensure that your data is not lost, accidentally destroyed, misused or disclosed, and is not accessed except by its employees in the performance of their duties. Please find our full Data Protection Policy at: https://www.youthfirst.org.uk/privacy.

Where the organisation engages third parties to process personal data on its behalf, they do so on the basis of written instructions, are under a duty of confidentiality and are obliged to implement appropriate technical and organisational measures to ensure the security of data.

For how long does the organisation keep data?

The organisation will hold your personal data for the duration of the time that the young person uses the service, plus a period of three years.

Your rights

As a data subject, you have a number of rights. You can:

If you would like to exercise any of these rights, please contact sara.martins@youthfirst.org.uk.

We do not make decisions on how to process data based solely on automated decision-making.

If you believe that the organisation has not complied with your data protection rights, you can complain to the Information Commissioner.