Your Privacy Notice – Key Facts about Data Protection
This Notice provides you with important information about how we keep your personal information secure and informs you of your rights under the General Data Protection Regulation (GDPR).
Identity and contact details of our Data Controller / Data Protection Officer
West Sussex Mediation Service is the Data Controller and the Data Processor is any staff member or person handling your data, within the organisation. Tel: 01403 258900 or Email: firstname.lastname@example.org
What information do we collect about you?
- We collect basic information such as names, addresses, email addresses and contact telephone number(s).
- In addition to that, there can be much more data required for the type of mediation you are involved in.
- If it involves children and child access arrangements, it will be necessary to record their information.
- NB. Any child, aged 13 years and above, has to give consent to their data being processed.
- If it involves finances we will record some significant data on funds, pensions, mortgages, assets, etc., in order to draw up necessary documents.
- WSMS has never recorded more sensitive personal data such as racial or ethnic origin and religion – this will continue to be the case.
- WSMS has never used personal data for the purposes of fundraising campaigns and marketing, and never will.
Under what authority do we hold data?
We believe that we have ‘legitimate interest’ as a lawful reason for holding your data. (Depending upon the type of mediation, we may also have contractual authority). We could not provide the services we offer without having means of communication with clients and only hold such data as is necessary to carry out that process. We have carried out a Legitimate Interest Assessment (LIA) to reach this decision.
How will your information be used?
We use this information to enable us to carry out our function as a mediation service. The use of your data does not go beyond that activity. The limit is contacting you to seek feedback on our service, at the conclusion of a case.
Who receives your information
Your information may be handled by various staff members in our office. Your information is also passed to our specific mediators, who are allocated to your case. Correspondence between the office staff may be either by telephone or via an encrypted email service. Mediators are obliged to keep relevant personal data secure when they visit you. This is achieved by written information being anonymised, i.e. information that could identify you is removed. We do not share your data with any third party.
Transfers to other countries and safeguards in place
Not applicable to us.
How long your information will be held
In the case of our community and intergenerational mediation service, we hold your information for two years (however, we may retain it for six years where it is deemed necessary to comply with our responsibilities under the Statute of Limitations). In the case of family mediation, because of possible legal considerations, we retain the data for 6 years. In respect of civil or commercial cases we retain information for 6 years also.
Where your information is stored and how it is kept secure
- We store client information securely ‘on the cloud’ using Progress Mediation 4 All.
- Data is stored on a Virtual Private Server (VPS) in the UK.
- The servers are located within the Rackspace® data centre.
- Restricted physical and remote access to the servers is under strict control within the data centre.
- Protocol IT staff, with access to the database, have signed data protection and confidentiality agreements.
- Remote access to the database is secured using HTTPS access, for privacy and integrity of the exchanged data while in transit over the internet.
- Key passwords and passcodes are stored encrypted within the system.
- Client data is not currently encrypted, as this is not essential to comply with GDPR and ensures that the system is as fast as possible for searching for client details.
- Invalid attempts to log onto the system are monitored, resulting in account lock out after 5 attempts.
- Locked accounts result in warning emails being generated to the support desk.
- The operating system is kept up to date with latest patches.
- The right to be informed (about the collection/use of your data).
- The right of access (to your data).
- The right of rectification (of errors).
- The right to erasure (the right to be forgotten).
- The right to restrict processing (conditions on how your data is used).
- The right to data portability (not really relevant to our organisation).
You have the right to have your personal data erased if:
- your personal data is no longer necessary for the purpose which we originally collected or processed it for;
- we are relying on consent as our lawful basis for holding the data, and you can withdraw your consent;
- we are relying on legitimate interests as our basis for processing, you object to the processing of your data, and there is no overriding legitimate interest to continue this processing;
- we are processing your personal data for direct marketing purposes and you object to that processing (not applicable in our case);
- we have processed your personal data unlawfully (i.e. in breach of the lawfulness requirement of the 1st principle); and
- we have to do it to comply with a legal obligation.
Please note: We will retain your data, for a period of time determined by the type of service we are providing and any legal obligations for us to retain data. We are happy to disclose this according to your circumstances.
How to make a complaint to us and our supervisory authority
You may submit your complaint to us in writing. We will respond to any complaint within a reasonable time and explain the reasons for our decision. If you remain dissatisfied, you have the right to complain to our supervisory authority. We are supervised by the Information Commissioner's Office (ICO), whose contact details will be supplied to you in this instance.