Privacy Notice

Advocating Together Summary Privacy Notice

Advocating Together (AT) is committed to protecting the privacy of the people whose personal information we process and to meeting our obligations under Data Protection legislation.
AT uses personal information for a range of purposes and our privacy notices provide information about your data protection rights, and in particular your right to be informed about how and why we obtain and collect your personal information and how we process it during and after your relationship with us.

This privacy notice provides a summary of that information and explains:
• Who we are & how to contact us
• some key definitions and our commitment to the seven data protection principles when using your personal data
• the types of personal information we collect, why and how we use it, and who we share it with
• how we keep your personal information safe
• how long we keep your personal information for
• what your rights around personal information are
• who you can talk to if you are unhappy about the way we use your personal information

We are developing more detailed privacy notices for each of the main groups of individuals (data subjects) whose personal information we process.

These will be published on the Privacy section of our websites with links provided in this summary notice and when we first ask you to provide personal information for a specific purpose. In the meantime, if you require more detailed information about how and why we process your information, please contact our Data Protection Compliance Officer using the contact details provided below.

Who we are
Advocating Together (Dundee) SCIO is an independent advocacy and capacity building organisation which benefits people in Scotland with learning disabilities, autistic spectrum disorders and/or complex communication needs. We achieve this through professional advocacy, self-advocacy, and collective advocacy. Human rights is at the heart of everything Advocating Together (Dundee) SCIO does. We need to gather and hold the personal data of a variety of different groups of individuals – data subjects – for a number of different reasons to support the work that we do.

AT is registered with the Information Commissioner’s Office under number ZA234704 and is a Scottish Charitable Incorporated Organisation (SCIO), charity number SC026064.

How to contact us
If you have any questions or suggestions regarding this privacy notice or our approach to data protection generally, please contact our Data Protection Lead by email at office@advocating-together.org.uk or by writing to:
The Data Protection Lead
Advocating Together (Dundee) SCIO
13 Ryehill Lane
Dundee
DD1 4DD
You can change how we contact you at any time, simply by contacting us by email at office@advocating-together.org.uk or calling us on 01382 666601.

What is personal data?
Your personal data is any information that can be identified as being about you. For example, contact and financial details. Some of the personal data we hold is called special category data, which has extra protections because it’s more sensitive than other personal information.

What is special category data?
Special category data includes information about an individual’s physical and mental health, racial or ethnic origin, political opinion, trade union membership, health, sex life or sexual orientation and biometric data. Sometimes we will need special category data to help us carry out our advocacy work. We also ask people to share some of this information with us to help us meet our equalities duties.

To ensure the protection of the people we work with, while also providing equal opportunities for all, we need to process “Criminal records data”. This is information about an individual’s criminal convictions and offences, and information relating to criminal allegations and proceedings.

What is processing personal data?
Processing is anything we do with your personal data, from collecting and storing it, to using it, for example to contact you, and disposing of it when we no longer need it to support our relationship with you.

Data protection principles
We are committed to using your personal information responsibly and in compliance with the seven principles outlined in data protection law:
• We will handle your personal information lawfully, fairly and in a transparent way.
We will collect your personal information only for the valid purposes that we have explained to you, and not use it in another way that is at odds with those purposes. Valid purposes are the legal reasons someone is allowed to process your personal information. You can find out about these on the Information Commissioner’s website. – https://ico.org.uk/
• We will make sure that the personal information we hold about you is relevant to the purposes we have told you about.
• We will make sure that your personal information is accurate and kept up to date.
• We will keep your personal information only as long as it is needed for the purpose we have told you about.
• We will keep your personal information safe and secure.
• We will be accountable for and be able to demonstrate compliance with the commitments listed above.

Whose personal data do we hold?
AT collects and processes the personal data of:

Our employees This includes core and casual workers, people (including members) Protected Supported Employment- prospective and former employees.

Our Charity Trustees AT members who are responsible for the governance and strategy of AT, including providing assurance that the charity is administered effectively and can account for its activities and outcomes to OSCR, funders and members

Our members. Anyone who has registered to be a member of our organisation, including advocators and volunteers

Our volunteers Individuals who support the work of AT through a number of different voluntary roles. Volunteers may be required to join the PVG scheme.

Students in further and higher education who carry out work placements with AT. Students may be required to join the PVG scheme.

Advocacy Partners Individuals whom Advocating Together (SCIO) provide professional advocacy for.

Supporters Anyone who has contacted us to find out about what we do or otherwise supported us, other than through relevant groups above; this includes attending our events, signing up for our newsletters and accessing our website and social media sites

Contractors and suppliers Sole traders and employees of organisations who provide us with products and services.

Other contacts required for business purposes Individuals and employees of organisations we have to engage with to carry out our work and meet our statutory and regulatory obligations e.g Funders, Regulators,

AT either collect personal information directly from you or receive it from third-parties. We only receive your personal data from outside agencies or third- parties where there is a sound legal basis and purpose for doing so.

When gathering and using personal information, we will comply with the data protection principles, as summarised in this notice and set out in AT data protection policy. Depending on the purpose of processing, we may collect some or all of the following types of information:
• Identity (name, date of birth, gender, passport, national insurance number, family details)
• Contact (address, email address, telephone numbers)
• Technical (IP address)
• Social data (lifestyle, housing needs)
• Education (student and employee records)
• Financial (bank account, transaction data, salary, benefits)
• Staff records (pensions, appraisals, nationality)
• Visual images, (photographs, videos)
• Business activities (employment, licences and permits held)
• Case file information

Under certain circumstances we may need to collect and process the following special categories of personal data:
• medical (physical or mental health details)
• racial or ethnic origin
• offences (including alleged offences)
• religious or other beliefs of a similar nature
• genetic data or biometric data
• sexual orientation

We recognise that personal information concerning criminal convictions and offences is not special category personal data but is a very sensitive type of personal information which can only be shared in narrow circumstances.

Reasons we collect and use your personal information
The list below provides examples of the reasons we collect and use your personal information.
• to make a decision about your recruitment, appointment, membership or participation
• to determine the terms on which you work or participate with us
• to support trustees, volunteers and members
• to support you within an advocacy partner/relationship
• to respond to enquiries or complaints
• for education, training and development requirements
• to monitor your use of our information and communication systems to ensure compliance with our IT policies
• train and manage employees or volunteers
• for business management and planning including accounting and auditing
• to comply with health and safety obligations

For AT to be able to process your personal information we need to demonstrate that we have a lawful basis for doing so. The most common lawful bases AT has for processing personal information are:
• performance of a contract with you
• with your consent
• necessary to comply with a legal obligation
• necessary for our legitimate interests – where this is the case we will explain to you what those legitimate interests are

To be able to process sensitive personal information, we must also have an additional a lawful basis for doing so, specific to the special category group that information comes under (see above)
The most common lawful bases AT has for processing special category data are:
• in limited circumstances, with your explicit written consent.
• where we need to carry out our legal obligations and in line with our data protection policy
• where it is needed in the public interest, such as for equal opportunities monitoring [or in relation to our occupational pension scheme], and in line with our data protection policy.
• where it is needed to assess your working capacity on health grounds, subject to appropriate confidentiality safeguards.
• where it is needed to work with you as an advocacy partner.

Sharing your data
Your personal data will only be shared internally with those AT staff, trustees and volunteers who have a legitimate reason to access it.

We regularly need to share personal information with other organisations to carry out our work, for example our partner agencies and Regulators Where this is necessary, we are required to comply with data protection legislation. We will only disclose or share personal information with your consent or where there is a legitimate and lawful purpose to do, such as fulfilling a contract with you or because we have a statutory requirement do so such as complying with employment or health and safety legislation.

We have joint procedures and data sharing agreements with partner agencies with whom we regularly share personal information to ensure that this information is properly protected and appropriately, fairly and lawfully handled and disposed of.

Some of our suppliers provide us with services that requires them to collect or process personal data on our behalf (data processors), such as payroll and IT service providers. Where this is the case, we carry out comprehensive checks on these companies, and put in place contracts to control how they manage the data they collect or have access to. This means that they cannot do anything with your personal information unless we have instructed them to do so. They will hold it securely and retain it for the period we instruct.

AT will never sell or inappropriately disclose your personal data to any other external organisation or individual.

Transfer of data overseas
It may sometimes be necessary to transfer your personal information overseas, out with the European Economic Area (EEA). Any transfers made will be in full compliance with all aspects of Data Protection legislation. Mailchimp, for example, are a US-based third-party provider that we use to deliver our newsletter and are signed up to the EU-US Privacy Shield.
How long do we keep your personal data?

We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. At the end of this period the information will be destroyed or deleted in line with our confidential destruction procedures. We retain anonymised statistical information to help inform our work, but you cannot be identified from that data.

Keeping your information safe and secure
We are committed to ensuring that your right to privacy is respected and that your personal information is secure and only available to those who have a right to access it.

We have put in place appropriate organisational and technical measures and controls to maintain the confidentiality, integrity and availability of your personal data and the systems and services we use to process that data so it is protected from accidental or deliberate loss or inappropriate deletion, amendment or disclosure.

We have monitoring and incident management procedures in place to detect and resolve any personal data breaches as quickly as possible, to notify you and the UK information commissioner where we are legally required to do so, and to improve our controls by addressing the underlying causes of such breaches.

Cookies
When users enter the AT website, their computers will automatically be issued with ‘cookies’. Cookies are text files which identify users’ computers to website server. If accepted, the website then creates “session” cookies to store some of the preferences of users moving around the website, e.g. retaining a text-only preference. Cookies do not in themselves identify individual users but identify only the computer used: they are deleted on departure from the website.

When using the AT website, users will be invited to accept cookies to measure use of the website including number of visitors, how frequently pages are viewed, and the city and country of origin of users. Information on how people use the site, through cookies and page tagging, helps us improve our website and our services. For this purpose, AT uses Google Analytics to measure and analyse usage of the website. The information collected by AT will include IP address, pages visited, browser type and operating system.

Users can set their web browsers to accept all cookies, to notify them when a cookie is issued, or not to receive cookies at any time. The last of these means that certain personalised services cannot then be provided to that user.

More information about how we use Cookies:

This site uses cookies – small text files that are placed on your machine to help the site provide a better user experience.

In general, cookies are used to retain user preferences, store information for things like shopping baskets, and provide anonymised tracking data to third party applications like Google Analytics.

As a rule, cookies will make your browsing experience better.

However, you may prefer to disable cookies on this site and on others.

The most effective way to do this is to disable cookies in your browser.

We suggest consulting the Help section of your browser or taking a look at the About Cookies website which offers guidance for all modern browsers.

Links to other websites
This privacy notice applies solely to information collected by us. AT website and social media channels may contain links to other websites. We are not responsible for the privacy practices of those sites. We encourage you to be aware when you leave any of our sites and to read the privacy notices of any site you subsequently visit.

Your data privacy rights
Under Data Protection legislation, you have a number of rights in relation to your personal information. You have the right to:
• Data Subject Access Request to your personal information, enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it.
• Request correction of the personal information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.
• Request erasure of your personal information. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing (see below).
• Object to processing of your personal information where we are relying on a legitimate interest (or those of a third party) and we would have to stop unless we have a sound overriding reason to continue.
• Request the restriction of processing of your personal information. This enables you to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it.
• Request the transfer of your personal information to another party in certain circumstances.
• There are also specific legal rights relating to automated decision making but AT does not have any such processes.

To exercise any of these data privacy rights, please contact the Data Protection Lead
You will not have to pay a fee to access your personal information (or to exercise any of the other rights). However, we may charge a reasonable fee if your request for access is excessive.
Requests that relate to rectification, erasure or restricting processing will be passed to any recipients of your personal information.

We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is an added security measure to ensure that personal information is not disclosed to any person who has no right to receive it.

There may be occasions when AT is unable to comply with requests to
exercise the rights above. Should this apply to a request you make, it will be explained to you why AT is unable to comply with the request and any options available.

Where your personal information is being processed using consent, one further right is the right to withdraw your consent at any time. You should be aware that, while AT will stop using your information for that purpose with immediate effect, it may not always be possible to remove information from the public domain, for example where it has been used in hard copy publications. You should also be aware that the ability to withdraw consent only applies to information considered to be personal. It does not usually apply to information about groups or organisations.

You are not required to pay any charge for exercising your rights. If you make a request, we will respond without undue delay and at least within one month, or, in the case of complex requests, up to a maximum of three months, starting from the date of receipt of a valid request.
For more information on your data protection rights see https://ico.org.uk/forthepublic .

To exercise any of these rights or for more information, please contact our Data Protection Lead, using the contact information provided in this notice.

Complaints
If you are dissatisfied with our response to a complaint you send us, or have any concerns about our handling of your personal data, you can complain to the Information Commissioner’s Office by using the details below:
Information Commissioner’s Office
Wycliffe House,
Water Lane,
Wilmslow,
Cheshire, SK9 5AF
Telephone: 0303 123 1113
Online: https://ico.org.uk/concerns/handling/

Changes to our Privacy Notices
We will keep our privacy notices under regular review to make sure they are up to date and accurate. This notice was last updated on 30 July 2020.