GDPR Privacy Notice

West Howe Community Enterprises Organisation

Privacy Notice

Our contact details

Address: West Howe Community Enterprises

32 Cunningham Crescent,

Bournemouth,

BH11 8DU

Email: admin@westhowe.net

Phone Numbers:

Henry Brown Office: 01202 580299

Inspiring Change Shop: 01202 570077

Website address: http://www.westhowe.net/

Main Contact for Data Protection Matters is: Charity Manager Anneliese Fay

Email: Anneliese.fay@westhowe.net

Mobile: 07483 442015

What type of information we have – “What we hold”

This addresses the GDRP 1st requirement of “What we hold“ Personal Data is any information that can be used to identify a living person. For example peoples’ email addresses, membership information, financial information, employee data, website data user statistics

In respect of Personal identifiers, contacts and characteristics we currently collect and process the following information:

Recruitment and Selection Data – names, NI number, addresses, email ,phone no , mobile no, eligibility to work in the UK, education and training , Professional Membership, Employment History, References , Disability, Driving , Criminal convictions, Equality Form Data: gender, ethnicity, marital status, sexual orientation, age, disability, religion, pregnancy and maternity, Refugee- Asylum seeker, Language, Union membership.
Staff Data – at on boarding – names, NI number, addresses, email ,phone no , mobile no, eligibility to work in the UK, education and training , Professional Membership, Employment History, References , Disability, Driving , Criminal convictions, Emergency Contacts Equality Form Data: gender, ethnicity, marital status, sexual orientation, age, disability, religion, pregnancy and maternity, Refugee- Asylum seeker, Language, Union Membership.
Staff Data – References (Inward)
Staff Data – References (Outward’s)
Staff Data – Bank account details, financial information NI Numbers
Staff Data – Staff Income tax/ Inland revenue, NI returns, HMRC
Staff Data – National minimum wage records
Staff Data – Pension & Retirement Data – Benefits Schemes – + notifiable events, e.g. incapacity
Staff Data – Salaries, overtime & expenses
Staff Data – Contract of employment
Staff Data – S&S / performance, Appraisals, RTW, training
Staff Data – Disciplinary , capabilities , warning , grievances,
Staff Data – Timesheets for working time regulations,
Staff Data – sick certificates, SSP.
Staff Data – Statutory Maternity Pay records, certificates (Mat B1s) Maternity Paternity data,
Staff Data – Parental leave
Community -Customers – names addresses phone no, mobile no, email addresses Facebook, Twitter, Instagram.
Community -Customers – Records relating to Children & young adults gathered at events e.g. parental permission membership, names address emergency contact etc. Community -Customers – names addresses phone no, mobile no, email addresses Facebook ac twitter account
Volunteers – names addresses phone no, mobile no, email addresses
Stakeholder organisations & staff – (e.g. BCP council) – names addresses phone no, mobile no, email addresses
Suppliers (goods & services) – e.g. stores supplies and Bookkeepers – names addresses phone no, mobile no, email addresses
COSHH – Control of Substances Hazardous to Health Regulations Medical records as specified by COSHH
Accident book entries – names addresses phone no, mobile no, email addresses.
Team Meetings – minutes
WHCE Accounts information
Team Meetings
Trustee Meetings
Staff & Volunteers criminal offences & DBS – (separate category requiring additional lawful bases to process);
Redundancy details – calculations of payments, dates, names

How we collect the information and why we have it – “Purpose”

This addresses the GDRP 3^RD requirement of the “Purpose” of collecting the data. We collect information electronically via emails, mobile phones lap tops, electronic documents and spreadsheets. We also collect data in hardcopy e.g. membership forms, letting agreements and sometimes verbally during conversations and in written notes.

Most of the personal information we process is provided to us directly by you for one of the following reasons. This section addresses the following 4 points

How we collect the data,
Where we get it from,
Why we collect it
the lawful basis for collection

Recruitment and Selection Data
How we collect the data	Electronically as part of the Recruitment and Selection Processes
Where we get it from,	We get the data from electronic and hard copy R/S application forms and E/Opportunities forms.
Why we collect it	So we can select the best candidates.
The lawful basis / bases	Consent

Staff Data at on boarding
How we collect the data	Electronic and Hard copy as part of the on boarding processes
Where we get it from,	From application forms, verbal communications, identity checking forms. Employee Detail Sheet (bank details) driving licences, insurance documents, Equalities forms
Why we collect it	So we can keep up to date staff records on BreatheHR and meet our contractual and procedural obligations.
The lawful basis / bases	Contractual Obligation for entering into an employment Contract and Consent for Equalities data

Staff Data – References (Inward)
How we collect the data	We request from references electronically and verbally by phone
Where we get it from,	References contact details provided on application form
Why we collect it	To ensure data provided at recruitment, selection and interview is correct / true.
The lawful basis / bases	Contractual Obligation

Staff Data – References (Outward’s)
How we collect the data	Electronically and verbally via phone
Where we get it from,	From the BreatheHR data base, Support and supervision Meeting , Meeting notes, Appraisals
Why we collect it	At a future employers request via details provided by yourself and is retained to provide consistency and cover claims of unfair references, compensation, constructive dismissal etc.
The lawful basis / bases	Consent

Staff Data – Bank account details, NI number etc.
How we collect the data	Electronically and in hardcopy
Where we get it from,	Employee Detail Sheet bank details
Why we collect it	To enable us to pay contractual agreements such as salary pension NI contributions and expenses, requirement of HMRC and Inland Revenue.
The lawful basis / bases	Contractual Obligation re bank account details and Legal Obligation under the Employment Rights Act 1996 itemised pay statement

Staff Income tax/ Inland revenue, NI returns, HMRC.
How we collect the data	Electronic and Hard copy
Where we get it from,	Employee Detail Sheet bank details
Why we collect it	To enable us to pay contractual agreements such as salary pension NI contributions and expenses, requirement of HMRC and Inland Revenue.
The lawful basis / bases	Legal Obligation

National minimum wage records
How we collect the data	Electronically
Where we get it from,	From contract of employment and payroll
Why we collect it	We need to retain under the requirements of National Minimum Wage Act 1998
The lawful basis / bases	Legal Obligation

Pension & Retirement Data – Benefits Schemes – + notifiable events, e.g. incapacity
How we collect the data	electronically and hardcopy
Where we get it from,	Payroll and from hardcopy documents provided by data subject
Why we collect it	Retained as an HMRC / Pension requirement and to ensure we pay correct benefits when changing from in house to statutory. To organisationally plan.
The lawful basis / bases	Legal Obligation

Salaries, overtime & expenses
How we collect the data	Electronically
Where we get it from,	Via payroll records
Why we collect it	Retained as a contract obligations, and to budget
The lawful basis / bases

Contract of employment
How we collect the data	electronically & in hard copy through Operational Activities
Where we get it from,	Job Application and Job advert
Why we collect it	To record & meet terms & conditions of employment
The lawful basis / bases	Contractual Obligation

Support & Supervision / Performance, Appraisals, RTW, Training.
How we collect the data	We collect data electronically & in hard copy through Operational Activities
Where we get it from,	Support & Supervision Meetings, Appraisal forms RTW FORMS Training documentation
Why we collect it	Retained to conduct operational activities & procedural staff support
The lawful basis / bases	Contractual Obligation

Disciplinary, Capabilities, Warning, Grievances
How we collect the data	Electronically and in Hardcopy retained on BreatheHR
Where we get it from,	Meeting notes, documents, letters
Why we collect it	Retained to conduct operational activities & procedural staff support.
The lawful basis / bases	Contractual Obligation

Timesheets for working time regulations.
How we collect the data	Electronically
Where we get it from,	Emailed from Data subject
Why we collect it	Retained as a legal obligation under working time regulations and for Toil monitoring and application
The lawful basis / bases	Contractual Obligation

Sick certificates SSP
How we collect the data	Electronically and in hardcopy
Where we get it from,	Doctors Certificates provided by Data Subject
Why we collect it	To pay correct benefits and retained as a contract obligation
The lawful basis / bases	Contractual Obligation

Statutory Maternity Pay records, certificates (Mat B1s) Maternity, Paternity data, Parental leave.
How we collect the data	Electronically and in hardcopy
Where we get it from,	Doctor and midwife letters / forms MATB1 maternity paternity request forms
Why we collect it	Retained to ensure correct payment and as a requirement of HMRC
The lawful basis / bases	Contractual Obligation

Parental Leave
How we collect the data	Electronically and in hard copy
Where we get it from,	Parental leave request forms
Why we collect it	Retained as a Legal Obligation
The lawful basis / bases	Legal Obligation

Community -Customers – names addresses phone number, mobile number, email addresses Facebook, Twitter, and Instagram
How we collect the data	Electronically and in hardcopy
Where we get it from,	Membership forms accident book, social media
Why we collect it	Retained to enable us to inform them of events, deliver services, contact them in an emergency
The lawful basis / bases	Consent

Records relating to children & young adults gathered at events e.g. parental permission membership, names address emergency contact etc.
How we collect the data	Electronically and hardcopy
Where we get it from,	Membership forms
Why we collect it	Retained to enable us to conduct operational activities
The lawful basis / bases	Consent

Volunteers – names addresses phone number, mobile number, email addresses.
How we collect the data	Electronically and hard copy
Where we get it from,	Data subjects volunteer application form
Why we collect it	Retained as part of their volunteer contract and to enable us to plan operationally and communicate regarding volunteering opportunities
The lawful basis / bases	Contractual Obligation

Stakeholder organisations staff (e.g. BCP council) – names addresses phone number, mobile number, email addresses.
How we collect the data	Electronically and via hardcopy by phone
Where we get it from,	Data subject verbally from room hire documentation, emails invoices, paperwork
Why we collect it	Retained to share information regarding the HB centre, to work collaboratively. Shared regarding our services and letting out space in the Henry Brown
The lawful basis / bases	Consent

Suppliers (goods & services) e.g. stores supplies and Bookkeeping – names addresses phone number, mobile number, email addresses.
How we collect the data	Electronically and via hardcopy by phone Data subject verbally from documentation, emails invoices, paperwork
Where we get it from,	Data subject documentation, emails invoices, paperwork
Why we collect it	Retained to maintain supplier record to communicate and conduct repeat business
The lawful basis / bases	Consent

COSHH Control of Substances Hazardous to Health Regulations Medical records as specified by COSHH.
How we collect the data	Electronically and hardcopy
Where we get it from,	COSHH Record Book
Why we collect it	Retained as a legal requirement to record The Control of Substances Hazardous to Health Regulations 1999 and 2002 (COSHH) (SIS 1999/437 and 2002/2677)
The lawful basis / bases	Legal Obligation

Accident / incident book entries – names addresses phone number, mobile number, email addresses.
How we collect the data	hardcopy
Where we get it from,	Accident Book
Why we collect it	Retained as a legal requirement to record accidents and incidents on the premises i.e. The Reporting of Injuries, Diseases and Dangerous Occurrences Regulations. 2013 (RIDDOR) + (B1510) under Social security Law.
The lawful basis / bases	Legal Obligation

Team Meetings.
How we collect the data	Electronic notes hand written notes
Where we get it from,	Meeting notes
Why we collect it	Retained for organisational planning, development and reference purposes
The lawful basis / bases	Legitimate interest

Trustee Meetings.
How we collect the data	Electronically and hardcopy
Where we get it from,	Trustee Meeting Minutes
Why we collect it	Retained as to evidence compliance and transparency
The lawful basis / bases	Public Task

Staff & Volunteers criminal offences & DBS – (separate category requiring additional lawful bases to process).
How we collect the data	Electronically and Hard copy
Where we get it from,	Job Application forms
Why we collect it	Retained as WHCE works with vulnerable adults & children in the local community. WHCE DBS Check all staff & Volunteers. A conviction does number prevent an individual working with us but our Policies & Procedures require a DBS Risk Assessment Positive Disclosure 19.04.20 to be completed to assess the risk.
The lawful basis / bases	Vital Interest and Contractual Obligation as working with vulnerable adults and young people, (special category and criminal convictions need a lawful basis and an additional condition.

Redundancy details – calculations of payments, dates, names.
How we collect the data	Electronically
Where we get it from,	Redundancy calculations and documentation letters and emails
Why we collect it	Retained as a legal requirement HMRC.
The lawful basis / bases	Legal Requirement,

Under the General Data Protection Regulation (GDPR), the lawful bases we rely on for processing this information are:

(a) Your consent. You are able to remove your consent at any time. You can do this by contacting The Charity Manager
(b) We have a contractual obligation.
(c) We have a legal obligation.
(d) We have a vital interest.
(e) We need it to perform a public task.
(f) Legitimate interests:

How to apply to withdraw Consent

Where we have relied on your consent to process your data you have the right to request to withdraw your consent. To do this complete the Individual Rights Request Form GDPR that can be found on BreatheHR once completed return to the Charity Manager who will respond within 1 month.

What we do with the information and who we share it with.

This addresses the GDRP 2^nd requirement of “What we do with the information and who we share it with” We use the information that you have given us in order to conduct a range of activities. We may also share this information with other organisations and individuals on a recorded, need to know basis only. See the table below.

Type of Data – This addresses the 1st GDPR requirement of (“What we Hold”)	“What we Do with it ” & who we share it with – This addresses the 2nd GDPR Requirement
Recruitment and Selection Data – names, NI number, addresses, email ,phone number , mobile number, eligibility to work in the UK, education and training , Professional Membership, Employment History, References , Disability, Driving , Criminal convictions, Equality Form Data: gender, ethnicity, marital status, sexual orientation, age, disability, religion, pregnancy and maternity, Refugee- Asylum seeker, Language,	What we do with it We retain for 1 year electronically or in in a locked filing cabinet in case needed for discrimination claim then shredded confidentially Who we share it with no one
Staff Data at on boarding :– Application Form Data, Equality Form Data,	What we do with it We use it to populate our HRIS BreatheHR and provide contracts of employment. We retain on BreatheHR our HRIS Who we share it with Shared with Payroll and HMRC
Staff Data – References (Inward)	What we do with it We use it to seek references subject to making job offers. We check the references are acceptable and save on the Data subjects BreatheHR Personnel file. Who we share it with no one
Staff Data – References (Outward’s)	What we do with it We use it to provide references as support of your application for roles with other organisations Outward references retain on BreatheHR our HRIS for 6 year in cases of discriminatory claim then we confidentially shred Who we share it with The requesting organisation
Staff Data – Bank account details , NI number	What we do with it We use it to Pay salaries expenses tax and NI deductions pensions and benefits.it is stored on BreatheHR Data subjects personal file Who we share it with Provided to payroll
Staff Income tax/ Inland revenue, NI returns, HMRC	What we do with it We use it to meet legal compliance to pay staff pensions and to comply with the requirements of HMRC this data is retained by payroll who email payslips to the Data subjects monthly Who we share it with Payroll, HMRC, salaries and expenses are recorded on budget period report and included in reports to our funders and charity commission
National minimum wage records	What we do with it We keep Contracts with remuneration on BreatheHR to meet National minimum wage compliance Who we share it with Salary data retain by payroll Retain by payroll under the requirements of National Minimum Wage Act 1998
Pension & Retirement Data – Benefits Schemes – + notifiable events,	What we do with it Payroll retains for us to Meet our legal obligation set out in the contracts Who we share it with Share with our payroll provider who retains
Salaries, overtime & expense’s	What we do with it We save on our server and track for toil accrued and to ensure we do not exceed working time regulations. To Meet our Contractual obligation set out in the contracts Who we share it with Retain on our server and by our Payroll provider
Contract of employment,	What we do with it We share with the Data Subject and save on BreatheHR To meet operational needs in respect of supporting staff and delivering our services. Who we share it with Salary element shared with Payroll
S&S / performance, Appraisals, RTW, training	What we do with it We retain it on BreatheHR on the Data subject personnel file We need to record S&S / performance, Appraisals, RTW, training as part of our policy and procedural requirements. Who we share it with We may share if asked for a reference
Disciplinary , capabilities , warning , grievances,	What we do with it We retain it on BreatheHR on the Data subject personnel file. We need to record disciplinary capabilities warnings and staff grievances as part of our policy and procedural requirements. Who we share it with We may share if asked for a reference
Timesheets for working time regulations	What we do with it We keep timesheet to meet working time regulations they are retained on the Server. Who we share it with Share with payroll and HMRC
Sick certificates SSP	What we do with it We use the data to work out sick pay, to record sickness absence and entitlements in respect of in house benefits and statutory benefits. The sick certificates are stored on THE Data Subjects personnel file in BreatheHR Who we share it with Shared with payroll and HMRC
Statutory Maternity Pay records, certificates (Mat B1s) Maternity, Paternity data, Parental leave	What we do with it We use the data to work out maternity, paternity pay. The Mat B1 etc. are stored on the Data Subjects personnel file in BreatheHR. To record entitlements to in house benefits and statutory benefits relating to maternity and paternity pay. Who we share it with Retain on BreatheHR our HRIS. Share with payroll and HMRC
Parental Leave	What we do with it We use the data to work out parental leave Retain on BreatheHR. Share with payroll and HMRC. We store it on BreatheHR Who we share it with Payroll and HMRC
Community -Customers – names addresses phone number, mobile number, email addresses Facebook, Twitter, Instagram	What we do with it We retain on our Customer spreadsheet to enable us to inform them of events and so we can contact them in an emergency. This is saved on the server. We may from time to time share details of participants who sign up to participate in training, events and activities. Who we share it with Training and activity providers.
Records relating to children & young adults gathered at events e.g. parental permission membership, names address emergency contact etc.	What we do with it We save the membership forms on the Young people spreadsheet on the server to deliver services and meet safeguarding requirements. and medical emergencies Who we share it with No one
Volunteers – names addresses phone number, mobile number, email addresses	What we do with it We retain on the volunteer spreadsheet on the server. To enable us to offer you volunteering opportunity’s We may from time to time share details of participants who sign up to participate in training, events and activities. Who we share it with Training and activity providers.
Stakeholder organisations staff (e.g. BCP council) – names addresses phone number, mobile number, email addresses,	What we do with it Saved to mobile phone contacts and Outlook 365 email directory Hard copy paperwork stored in lockable filing cabinet. To enable us to communicate with BCP Council regarding use of the Henry Brown and lease holder regarding the Inspiring Change shop. Who we share it with No one
Suppliers (goods & services) e.g. stores supplies and Bookkeeping – names addresses phone number, mobile number, email addresses	What we do with it Saved to mobile phone contacts and Outlook 365 email directory Hard copy paperwork stored in lockable filing cabinet. Used to purchase goods and services to run the charity Who we share it with No one
COSHH Control of Substances Hazardous to Health Regulations Medical records as specified by COSHH	What we do with it Kept in a folder in office filing cabinet Who we share it with COSHH if requested
Accident / incident book entries – names addresses phone number, mobile number, email addresses	What we do with it We record Data subject information in the accident/ incident book kept in a secure filing cabinet Who we share it with H/S if requested
Team Meetings	What we do with it Minutes are stored on the Outlook 365 server Hard copy paperwork stored in lockable filing cabinet Who we share it with Team and Trustees
Trustee Meetings	What we do with it The meeting minutes are saved on the server redacted versions posted on the website. We need to keep minutes of the trustee meetings to meet the requirements of the Charity Commission. Who we share it with Redacted version shared on website no personnel data included
Staff & Volunteers criminal offences & DBS – (separate category requiring additional lawful bases to process);	What we do with it This is Sensitive data and is kept with the trustees as we need to keep evidence of declared convictions and DBS Risk Assessment Positive Disclosure to meet our safeguarding procedures. R/A retained in personnel file BreatheHR DBS doc shown to Charity Manager Number only is recorded and returned to employee. Record of number is retained in locked filing cabinet Who we share it with Trustees only
Redundancy details – calculations of payments, dates, names	What we do with it We retain on the Data subjects Breathe HR personnel file. We need to keep redundancy information for HMRC Who we share it with HMRC

We may share this information with:

Our payroll department to enable them to pay your salary expenses, and deduction
With Nest our pension provider
External organisations who have asked for a references as you have accepted a new role.
BCP Council and Lease holders of Inspiring Change
We may need to report and COSHH or RIDDOR incidents
We need to share information with the DBS for safe guarding purposes.
HMRC
Training Providers, activity providers

How to withdraw Consent

Where we have relied on “Consent” to process your data you have a right to withdraw that consent. To do this

Please contact:

Charity Manager

West Howe Community Enterprises

32 Cunningham Crescent,

Bournemouth,

BH11 8DU

Charity Manager

Email: admin@westhowe.net

Mobile: 07483 442015

In respect of your data the right to object only applies in certain circumstances. Whether it applies depends on the purposes for processing and the lawful basis for processing. Please see the ICO website for further information. https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-object/

How we store your information

Your information is securely stored at:

West Howe Community Enterprises

32 Cunningham Crescent,

Bournemouth,

BH11 8DU

Electronically data is stored securely on our server which is remotely accessed to process.
Electronic data is also retained in BreatheHR our HRIS

Hard copy data is kept in a locked filing cabinet

We keep your personal information for varying time periods depending on the nature of the information. Please refer to the “GDPR Retention Policy” and the WHCE “What we collect Tracker” for a breakdown relating to the specific type of information and retention periods.

At the retention date, we will then securely dispose your information by deleting from any electronic records and deleting the deleted files.

If the data is stored in hard copy it will be shredded and confidentially disposed of.

Your data protection rights

Under data protection law, you have rights these differ according to the lawful basis for processing The lawful basis page of our Guide to the GDPR has a useful table that shows the varying rights that apply depending on the lawful basis. Under data protection law, you have:

Your right of access – You have the right to ask us for copies of your personal information.

Your right to rectification – You have the right to ask us to rectify information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.

Your right to erasure – You have the right to ask us to erase your personal information in certain circumstances.

Your right to restriction of processing – You have the right to ask us to restrict the processing of your information in certain circumstances.

Your right to object to processing – You have the the right to object to the processing of your personal data in certain circumstances.

Your right to data portability – You have the right to ask that we transfer the information you gave us to another organisation, or to you, in certain circumstances.

You are not required to pay any charge for exercising your rights. If you make a request, we have one month to respond to you.

Please contact:

Charity Manager

Address: West Howe Community Enterprises

32 Cunningham Crescent,

Bournemouth,

BH11 8DU

Email: Admin@westhowe.net

Mobile: 07483 442015

How to complain

In the first instance contact WHCE if you have a complaint to enable us to investigate your complaint.

Contact: The Charity Manager

Address: West Howe Community Enterprises

32 Cunningham Crescent,

Bournemouth,

BH11 8DU

Email: Admin@westhowe.net

Mobile: 07483 442015

If we are unable to resolve your complaint you can also complain to the ICO if you are unhappy with how we have used your data.

The ICO’s address:

Information Commissioner’s Office

Wycliffe House

Water Lane

Wilmslow

Cheshire

SK9 5AF

Helpline number: 0303 123 1113

ICO website: https://www.ico.org.uk

Signed by:

Trustee

Policy agreed: Sept 2020

Reviewed: Sept 2021

Basket