Privacy Notice
This document is about your personal data. It describes what we may do with your data, why we need your data and your rights under the General Data Protection Regulations (GDPR) of 2018.
In this Privacy Notice, “MCP” is an abbreviation for Maryvale Community Project
About MCP
MCP is a Charity registered with the Charity Commission under number 1147691 and is a Company Limited by Guarantee, registered in England and Wales under number 7745594. The contact details are below.
| MCP – Principal Place of Business Maryvale Community Centre Old Oscott Hill Kingstanding Birmingham B44 9SR MCP – Registered Office |
0121 382 3590 |
Data Controller
MCP’s board of Charity Directors (also known as MCP trustees) are the ‘data controller’, collectively they decide why and how MCP process personal data.
Data Protection Officer
MCP has nominated a Director to be its Data Protection Officer. This person knows about data protection and ensures the regulations are followed. The name of the Data Protection Officer is Gary O’Brien who is the Company Secretary. He can be contacted by the Information Commissioner or members of the public in writing at MCP’s registered office or by email at gary@maryvalecommunityproject.org.uk
Data Processing
This means collecting, recording, organising, altering, storing or using personal data.
Why does MCP process data?
MCP processes personal data only when it has a lawful basis. These bases are:
- Consent. Sometimes an individual will give clear consent for us to process their personal data for a specific purpose. This will include people who have allowed us to use their photograph on one of our leaflets.
- Contract. We may need to process data to carry out a contract. This will include facilitating the employment contract between MCP’s staff and Father Hudson’s Care – charity number 512992 or a contract to provide a service.
- Legal obligation. We may have to keep data on people to comply with the law. This includes keeping records of former employees for a set period of time.
- Vital interests. We care for vulnerable people. In some instances keeping details such as medical records is necessary to protect someone’s life.
- Public task. Processing may be necessary for us to perform a task that has a clear basis in law and is in the public interest.
- Legitimate interests. MCP supports people in their time of need and relies on data for its daily operation. An example of this is data on individual donors, who support the charity financially. Writing to supporters raises funds for vital work.
MCP aims to ensure the data we have about individuals is accurate and not excessive.
Special categories of personal data
Some personal information can be especially sensitive. Examples include biometrics, ethnicity, genetics, health, political views, race, religion, sex life, sexual orientation and trade union membership. We will only process such data if we have one of the six legal bases listed above or:
- Where this data is manifestly made public by the individual.
- Where it is necessary for a legal claim or judicial procedure.
- Where it is needed on medical grounds, including occupational health.
- Where a reasonable level of archiving is necessary to enable scientific or historical research in the public interest.
For how long will we keep your data?
Your data will be deleted or disposed of securely when we no longer have a legal basis to hold it. We have set retention periods for certain types of data.
- Application forms where the candidate is unsuccessful: delete after six months.
- Employee files and payroll information: delete six years after the employee leaves MCP.
- Pensions: delete then years after the death of the pensioner, or ten years after the death of a spouse who may receive the pension.
- Accident books: destroy 25 years after the last entry.
- Creditors, debtors and staff or volunteer expenses: destroy six years after the end of the financial year to which these matters relate.
- Names, addresses and telephone numbers of Legal Members: destroy after one year after you cease to be a Legal Member which is when your Legal Guarantee expires.
- Names, address, telephone numbers and other information not covered above of service users: will be destroyed after 3 months after you personally stop using any service or personally notify the Project Manager that you no longer wish to use and of MCP’s services.
- Bank details, names, addresses and telephone numbers of members of MCP 50/50: destroy 18 months after you cease to be a member.
- Bank details, names addresses and telephone numbers of those making a gift aided donation: destroy six years after the last donation.
Your rights
You have eight rights under the GDPR. MCP respects your rights.
The right to be informed
You have the right to be informed about the collection and use of your personal data. This document forms part of that information. We will provide specific information when we collect personal data from an individual.
The right of access
You have the right to obtain access to the personal data we hold on you. Unless your request is manifestly unfounded or excessive, we will provide this data free of charge within a month of your request. The data will be in an accessible format (see ‘the right to data portability’ below). Please contact the Project Manager in the first instance. If you are not satisfied with their response, please contact the Data Protection Officer.
The right to have your data corrected
If the data we hold about you is incorrect or incomplete, please let us know – verbally or in writing – and we will correct it or complete it within one month. Please contact the Project Manager of your service in the first instance. If you are not satisfied with their response, please contact the Data Protection Officer.
The right to be forgotten
If you wish to be ‘forgotten’ we will delete your data within one month of asking. Please contact the Data Protection Officer. If your request is manifestly unfounded or excessive, we may charge a reasonable fee for this request. We may refuse your request if:
- We need your data to exercise the right of freedom of expression and information.
- We need your data to comply with a legal obligation or for the establishment, exercise or defence of legal claims.
- We need your data to perform a task carried out in the public interest or in the exercise of official authority.
- Archiving your data is in the public interest, to benefit scientific or historical research or for statistical purposes.
- We need your data for public health purposes in the public interest.
- Health professionals working for MCP need your data for the purposes of preventative or occupational medicine.
The right to restrict processing
In some cases, you may wish us to keep hold of your data but not to use it in certain ways. For example, you may allow us to keep your photograph, but not to post it on our website. Or you may allow us to keep your address details, but not send you our newsletter. These are just two examples. If you want us to restrict processing, please contact the Data Protection Officer.
The right to data portability
With electronically stored personal data that you have provided with consent, or personal data needed to carry out a contract, we will ensure the data can easily be transferred to you or a third party when required. We will send the data in a format (such as Word or PDF) that can be read by almost all computers, without the need for a particular software package.
The right to object
You have the right to object to your data being used for any of the following:
- Processing that is in the legitimate interests of MCP.
- Performance of a task in the public interest.
- Direct marketing.
- Processing for purposes of statistical, scientific or historical research.
Please contact the Data Protection Officer.
Rights in relation to automated decision making and profiling
Some organisations use computer algorithms to make decisions or assumptions about people. If we ever do this we will let you know and you will be able to challenge the decision or refute the assumption with a human being. Please contact the Data Protection Officer.
Sources of aata
In most cases, when we have your data it is because you have given it to us. In these cases we will inform you of your rights when the data is obtained.
In some cases, we may have received your data from other sources. In these cases we will inform you of your rights when we are first in contact.
The data we have
We keep the data of a variety of people for the reasons listed earlier. These people include:
- Contacts at companies, trusts and other supporting organisations.
- Contacts at companies that do business with MCP.
- Contacts at partner organisations.
- Members of the public who make enquiries.
- Members of staff, past and present.
- Parish priests and other clergy in the Archdiocese.
- People who apply for our jobs.
- People who access our services.
- Supporters of our work.
- Volunteers, past and present.
The data we keep on individuals will vary from person to person. We take strides to ensure this information is accurate and not excessive. The data may include:
- Name, address, telephone number and e-mail address.
- Qualifications and work experience, for staff, volunteers and job applicants.
- Medical notes, for staff, volunteers and people who access our services.
- Financial details, for people who give or receive money from us.
- Interests and life stories, for people who attend our services.
Website and Social Media Use
We do not collect personal data about you when you browse our website or social media pages. Please note that we may have access to any personal or sensitive information you may have on your social media profile unless your privacy settings are restricted.
Data storage
We will store your data securely in locked cabinets and password-protected computers. Members of staff will have access to your data on a need-to-know basis. If we transfer your data, we will encrypt it. When there remains no justification to keep your data, we will delete it from our computers and shred any paper copies.