We do this not just because we are legally required to do so in line with data protection regulations but because we believe it is the right thing to do.
At Zebra Access CIO we want to be trusted with your information and your support and be respected for our professionalism.
As an organisation, Zebra Access CIO is registered with the Information Commissioner’s Office (ICO) in accordance with the General Data Protection Regulations (GDPR).
Our registered CIO charity number is 1149181.
Under data protection regulations, we are required to appoint a Data Protection Officer who ensures your information is always handled securely and in accordance with the law.
Our Data Protection Officer is Chris Beech, Project Development Manager. Email: firstname.lastname@example.org
Should you wish to contact us about the way we use your information, you can contact our Data Protection Officer by telephone on 01902 421919, by email email@example.com or by post at Zebra Access CIO, Creative Industries Centre, Wolverhampton Science Park, Glaisher Drive, Wolverhampton, WV10 9TG.
You can always update the way in which we communicate with you, or ask us to stop contacting you by emailing us at: firstname.lastname@example.org
If you, or someone you know, wish to receive this privacy notice in a different format, such as large print, braille, audio recording, or translated into a different language, please contact us by telephone on 01902 421919, by email at email@example.com or by post at Zebra Access CIO, Creative Industries Centre, Wolverhampton Science Park, Glaisher Drive, Wolverhampton, WV10 9TG. 6JR.
Your individual rights
Under data protection regulations, you have rights over how your personal information is used by others.
Right to access: You have the right to access the personal information we hold about you. If you wish to see it, you can submit a request to our Data Protection Officer who will respond within one month. Depending on the nature of your request, we may need to seek further clarification from you or gain confirmation of your identity before the information can be provided.
Right to rectification: If the information we hold about you contains errors; you have the right for it to be corrected. We have measures in place to keep our information updated, but if you notice anything wrong with the information we are using, please let us know and we will update it as soon as we can.
Right to erasure: You have the right to request we erase the information we hold about you from our records if you think it is no longer required. Where possible, we will always comply with a request for erasure, however in many cases it will not be possible to erase all information about you, because there may be legal or contractual reasons why we need to keep certain details. If any of your details cannot be erased, we will tell you and explain the reasons.
Right to restriction: If you think your personal information is being used for things it shouldn’t be, you have the right to request we stop using it that way. As with erasure, there may be legal or contractual obligations why we need to continue using information in particular ways.
Right to portability: There may be times when you want a particular portion of the information, we hold about you to be moved or made portable. For example, if you’re an employee, you might want us to give you a list of all the training courses you have attended, to put on your CV perhaps. You have a right to receive information you have provided to us in a structured, commonly used and machine-readable format. This right only applies when the information has been collected and used on the basis of consent or a contract.
Right to objection: You have the right to object to us collecting and using your information when it is being done on the basis of legitimate interests, or for direct marketing, or research. We will inform you at the point we start collecting your information if this right applies. Any objections will be considered and complied with, unless there is a lawful exemption.
We will endeavour to inform you about your rights and uphold them at all times. If you believe we have infringed your rights, we encourage you to contact our Data Protection Officer who will work with you to resolve the matter in a way that satisfies both you and the law. If for any reason you are unable to resolve the matter with us, you can escalate your concerns to the Information Commissioner’s Office, who is the UK’s independent authority responsible for upholding information rights in the public interest.
What information do we collect and how do we use it?
Personal information is any information that can be used to identify you, such as a name, address, telephone number, email address, or more rarely - bank account details, NHS number, and even electronic identifiers such as your internet protocol (IP) address.
The amount of information we collect and use about you will vary depending on your relationship with Zebra Access CIO. We always make sure there is a legal basis in data protection law before we start collecting and using your information.
The main legal bases we rely on are:
Consent - Where you have given us clear and informed permission.
Contractual - Where there is a contract between you and us.
Legal obligation - Where a law says we must.
Legitimate interests - Where it is necessary for our charitable aims and the benefits have been carefully balanced against respect for your privacy, your information rights and your expectations.
We review individual consents on a rolling three-year basis.
In line with best practice if you have not updated your consent (sometimes known as Opting In), during the last three years, we will contact you to ask if you wish to renew this.
Where we use legitimate interest to maintain contact with you, we will review this on a seven-year rolling basis.
If you have not engaged with us in the last seven years, we will contact you to discuss if you wish your contact details to remain on our system.
Sharing your Information
We will only share your information if:
We are legally required to do so, for e.g. to ensure we are safeguarding our participants, clients, service users or, we are required by a law enforcement agency, or if compelled by a Court Order, or because it is a condition of a contract we hold with a statutory partner, e.g. a CCG who is paying specifically for your care.
We believe it is necessary to protect or defend our rights, property or the personal safety of our staff and volunteers, or visitors to our premises or websites.
We are working with a carefully selected partner that is carrying out work on our behalf.
Partners may include our payroll services, lottery agency, marketing agencies, IT specialists, data systems maintenance, and research firms. The kind of work we may ask them to do includes processing, packaging, mailing and delivering purchases, answering questions about products or services, sending postal mail, emails and text messages, carrying out research or analysis, and processing card payments.
We only choose partners we can trust, and we will only pass personal data to them if they have signed a contract that requires them to:
Abide by the requirements of the Data Protection Act 2018 (The UK Implementation of the General Data Protection Regulations)
Treat your information as carefully as we would
Only use the information for the purposes it was supplied (and not for their own purposes or the purposes of any other organisation)
Allow us to carry out checks to ensure they are doing all these things.
Where we have indicated information may be shared, we always ensure the people receiving your information uphold the same information security standards as we do. This will often be specified in writing as part of a contract or information sharing agreement. All staff, volunteers and agents of Zebra Access CIO are bound by strict duties of confidentiality.
In rare circumstances, we may be obliged to share your information without forewarning. For example, if we believe you may be at risk of harm or there is a public health risk, we may have a legal or professional duty to share information about you with the authorities.
There may also be times when we are legally required to share information about you with the authorities. For example, if you come to harm due to a work-related accident at our events/workshops/drop in sessions, we are required to give your name, address and age to the Health & Safety Executive under the Reporting of Injuries, Diseases and Dangerous Occurrences Regulations (RIDDOR).
We affirm here that your information will never be swapped, shared with or sold to any third parties for the purpose of marketing or monetisation.
Keeping your information secure
We take the security of your personal information very seriously. All staff and volunteers who handle personal information are required to complete training on information security once per year at a minimum. We also carry out regular audits and inspections to make sure our security controls are effective and reliable. Within the organisation, access to information is controlled, so that no one can use personal information unless they have a business reason to do so. If information needs to be taken outside our premises, we take extra precautions to keep it as safe as we can. When information is no longer required, it is archived or securely destroyed in accordance with the law.
Only staff who have been appropriately trained are allowed to handle credit or debit card information. Credit and debit card details are used immediately and securely destroyed as soon as the payment has been processed.
Responsibilities and accountabilities for information security are clearly defined. We have a Data Protection Officer responsible for compliance with data protection regulations.
We value transparency and improvement. If we think your personal information may have been misused, we will investigate the incident and let you know about it. In the most severe cases, we may also notify regulatory bodies such as the Information Commissioner’s Office or the Care Quality Commission, as required by law. As a regulated healthcare provider, we have a Duty of Candour to inform you about mistakes, apologise for them, and support you while we work to resolve them.
Keeping your information
We only keep information as long as is necessary for the purpose it was collected for. Depending on the details, your information could be used and securely disposed of very quickly, or it could be necessary for us to keep your information for many years to comply with archiving or insurance requirements.
As a general guideline:
Personal information about participants, clients and service users will be kept for seven years from the date of registration
Financial information about donors, supporters, customers and suppliers will be kept for seven years from the date of last entry into the record
Publicity photographs and case studies will be kept for three years from the date permission was granted to use them by the subjects
Employment and volunteering information about staff and volunteers will be kept for six years from the date employment or volunteering ceases.
There may be exceptions to these timeframes, such as certain employment and incident records which we have to keep for 25 years.
A third party may be involved in the storage or destruction of your records. For example, we may use a company to digitise paper records so they can be retained more securely and easily, or we may use a company to collect and securely dispose of paper records in bulk. Whenever we use a third party, the companies are vetted and are bound by contracts containing strict confidentiality and data protection requirements.
However long we need to keep information, we ensure that only the minimum amount of data required will be kept.
Participants, Clients and Service Users
We collect health information on the basis of your consent when you choose to access our services. Using this information enables us to deliver the best possible care to you and your loved ones, and improve our services going forward.
You have the right to object to us collecting and using this information, however it may not be possible to continue providing care and support services to you and your family without it.
If you are accessing our care services, we collect information in order to help us tailor our services to effectively meet your specific need and safety. This may include details about your needs, issues and notes from other service providers about support they have given you in the past.
Other service providers who have referred you to our services usually provide this information to us. You can only be referred to us if you or legal guardian has provided consent for the referral.
When you are referred to us and start accessing our services, we check the information with you to make sure it is accurate, and we ask your permission to continue sharing health information with other service providers into the future, so that everyone involved in your holistic support has accurate details about them. The types of care providers we normally share with include GPs, hospitals, consultants, community nursing services, counsellors, therapists, social workers and care co-ordinators.
We may also need to share some of your details with local NHS partners, such as Clinical Commissioning Groups, to support planning of local health services and funding. Where possible, information shared with NHS partners will be anonymised or pseudonymised to protect your privacy.
This may include details about your emotional wellbeing, mental health, family circumstances and welfare entitlements.
We will only collect this information from you directly, and we won’t share it with anyone unless you give us your permission.
We recognise your information is sensitive and take great care to keep it secure. Only those who need to use your information to deliver effective and high-quality care are allowed access to it. When sharing your information with other service providers, we make sure the recipient needs that information for support purposes before doing so, and only send it using secure channels.
We may also share information with local organisations, or commissioners, to gain funding.
In rare circumstances, we may be obliged to share your information without forewarning or without your consent. For example, if we believe you may be at risk of harm or there is a public health risk, we may have a legal or professional duty to share information about you with the authorities.
We have a Data Protection Officer responsible for compliance with data protection regulations.
As a regulated healthcare provider, we have a Duty of Candour to inform you about mistakes, apologise for them, and support you while we work to resolve them.
Donors, Supporters and Customers
If you donate money or goods to us or participate in fundraising or publicity activities in aid of Zebra Access CIO, we collect administrative information about the support you have provided to us.
This may include contact details, payment history (including bank details in some cases), communication history, event participation details, pledges you have made and publicity photos or case studies you have provided. This information is always given to us by you, either directly or indirectly (with your permission) and via online giving services (such as GoldenGiving).
We collect your information on the basis of consent and legitimate interests. Using this information enables us to build a lasting relationship with you and the community at large. You have the right to object to us collecting this information or restricting the way we use it, although this may limit the amount of fundraising you are able to do for us.
Many of our supporters who participate in events to raise funds for Zebra Access CIO set up a personal page on a specialist website (e.g. GoldenGiving) designed to help individuals and charities raise money and maximise the use of Gift Aid. Personal data provided by Zebra Access CIO supporters for this purpose to their chosen online fundraising platform is passed to Zebra Access CIO. We store this information in our database and use it to communicate with our supporters about their fundraising activities.
We will never send marketing materials to a child.
Only trained staff can process your payment card details for payments you make to Zebra Access CIO.
We may ask you if you wish to register for Gift Aid as a way of increasing the value of your donation. This can apply to either the monetary sales value of a stock donation, or a straightforward monetary donation. These are managed through two separate Gift Aid systems. For your Gift Aid registrations to be valid, we will require your name and address details. Information from Gift Aid forms is only ever shared with HM Revenue and Customs.
We may share your fundraising information (but not publicity information) with companies who support us in our fundraising activities, such as mailing houses who are acting on our behalf to circulate our publicity materials. We will never sell your information.
To keep your information up to date, we may from time to time use publicly available sources. For example, the Royal Mail’s National Change of Address Update if we get a piece of direct mail returned to us marked as gone away/not at this address.
To help build a snapshot of the type of people who support us currently or may support us in the future and to help us with our planning and fundraising, we may profile you or your company based on publicly available data, such as your demographics, your geographical location and, in rare cases, your estimated wealth. If you don’t wish to be included in this, you can opt out at any time by contacting us by telephone on 01902 421919, by email firstname.lastname@example.org or by post at Zebra Access CIO, Creative Industries Centre, Wolverhampton Science Park, Glaisher Drive, Wolverhampton, WV10 9TG.
If you choose to support us by getting involved in publicity work, we collect your photographs and case studies on the basis of consent. Using this information helps us communicate our charitable aims to the public and build support. You can withdraw your consent for your photographs or case studies to be used at any time by contacting us. We will not use a photograph or case study for longer than three years without renewing your consent.
We like to keep our donors and supporters updated with news about the charity and upcoming events.
You can always update the way in which we communicate with you, or ask us to stop contacting you by emailing us at: email@example.com
Alternatively please contact us by telephone on 01902 421919, by email firstname.lastname@example.org or by post at Zebra Access CIO, Creative Industries Centre, Wolverhampton Science Park, Glaisher Drive, Wolverhampton, WV10 9TG.
We will give you the opportunity to update your communication preferences whenever we send you marketing by email or post.
Information about website visitors
We love cookies. And we think that you should too. Cookies are not just tasty snacks, but also very clever pieces of code that help us provide a better experience to you on our website. Cookies allow us to improve our website, in turn; improving our fundraising to help us raise the £15 million needed each year to run our services.
There are four broad types of cookies, these include:
Necessary – Necessary cookies help make our website usable by enabling basic functions like page navigation and access to secure areas of the website. The website cannot function properly without these cookies. These are set automatically. They contain no information about you as an individual.
Statistics – Statistics cookies are used to track visitors on our website. They allow for reports to be generated on user behaviour, on what pages are accessed, interaction with the site and session duration, as well as general demographic data that is not personally identifiable. These are only set if you choose to ‘accept’ cookies to be set on your device.
Marketing cookies are used to track visitors across different websites. To measure the effectiveness of our advertising. And, to display ads that are more relevant and engaging for you as a user on third party websites. These are only set if you choose to ‘accept’ cookies to be set on your device.
Preference cookies help store a user’s preferences after leaving a website. This is to help provide a better experience when they return, such as their language preferences. These are only set if you choose to ‘accept’ cookies to be set on your device.
You can learn more about cookies by visiting www.allaboutcookies.org.
As well as our own website cookies, we also use Analytics to allow us to track how popular our website is and record visitor trends over time. We analyse this data to help us improve the way that our website works and provide you with a better experience. Analytics uses a cookie to help track which pages are accessed. This information will only be shared with Google if you choose to accept cookies on our website.
Find out more about Google Analytics.
Some of the pages on our website may have embedded features from third-party services, such as Facebook or YouTube. These services may collect their own cookies. For information about how these other third parties use their cookies, and how you can disable them if you wish, please refer to their own Privacy Notices, available on their websites.
We collect information from your cookies on the basis of consent. You can withdraw your consent at any time by updating your cookie preferences on our website. Your cookies will only last 30 days from the date you last visited our website, so we may need to ask for your consent again if you visit after this timeframe.
Staff and volunteers
If you work or volunteer for us, as a staff member or a volunteer, we collect information during your recruitment and ongoing work.
This may include your contact details and those of your next-of-kin, bank details (for paying salaries or out-of-pocket expenses), personnel references and background checks, sickness and occupational health records, pension information and disciplinary records.
This information is mainly provided directly by you but may be obtained from your manager or a past employer. We only share your work information when it is necessary for the fulfilment of your employment contract and to provide the benefits and support promised to you as a worker. For example, if you are a staff member, your bank details will be shared with our payroll provider, so your salary is always accurate and arrives on time. In order to comply with pension automatic enrolment legislation, we will supply our pension provider with information on all employees in order for them to assess pension eligibility.
We collect work information about paid staff on the basis of contractual obligation. Using this information enables us to comply with employment law and act as a responsible and supportive employer. In most cases you do not have the right to object to us collecting your work information, or restricting how we use it, because to do so would cause a breach of the employment contract between you and us. However, in the rare cases where you do have this right, we will inform you and give you the choice.
We collect work information about volunteers on the basis of legitimate interests. Using this information enables us to build a lasting relationship with you and maximise the benefits of your volunteering. You have the right to object to us collecting your work information or restricting the way we use it, although this may limit the ways in which you are able to volunteer for us.
If you are under 18 years of age and volunteer with us, we will record your details on our data base as a volunteer, but will not use your details for any other form of communication.
During recruitment, you may be asked to provide sensitive personal details, such as your ethnicity, religious belief or sexual orientation. This information is collected solely for the purpose of equality monitoring, helping us ensure we have an inclusive and diverse workforce. Only authorised staff may access this type of information, and whenever it is used, we make sure it is kept anonymous.
You are under no obligation to provide this information, and if you choose not to do so your application will not be affected.
Information about Business Associates
If you are a company who has a business relationship with us, we collect administrative information about your representatives, plus your payment details and history. This may include contact information, communication history and bank details. This information is always provided by you directly. We do not share your information with anyone externally, except our external financial auditors who may need to look at payment histories to carry out their regulatory audit.
We collect your information on the basis of purchase agreements, which are a type of contract. Using this information ensures the goods and services we are buying from you, or selling to you, are delivered in the agreed way and paid as required. You do not have the right to object to us collecting this information, or restricting how it is used, because you have already agreed to us having and using it as part of the purchase agreement.
Protecting children and vulnerable adults
As an organisation who supports Deaf, Deaf Blind, Hard of Hearing and Deafened people, we are acutely aware of the risks faced by these people. All our staff are trained to notice the signs of vulnerability in Deaf, Deaf Blind, Hard of Hearing and Deafened people and respond appropriately.
We take extra care to make the information we give to Deaf, Deaf Blind, Hard of Hearing and Deafened people easy to understand. When a Deaf, Deaf Blind, Hard of Hearing and Deafened people gives their consent for us to use their information, we double-check they have understood what they are consenting to, or we seek consent from those who has responsibility for the person.
Marketing material will never be sent to a child.
The recruitment of all volunteers under 18 years of age is subject to risk assessment and adequate support. The recruitment of all volunteers under 16 years of age would also require parental permission. This information will only be used by Volunteering staff and the child’s supervisor. In the event of a child participating in a scheme such as work experience, or Duke of Edinburgh, information may be required by the organiser of the scheme in relation to hours and tasks carried out and risk assessment processes. We do not employ anyone under the age of 16.
Changes to this notice
From time to time, we may need to change this notice in response to different ways of working, or new regulations. The version number and revision date at the bottom of this notice will tell you when it was last reviewed. As a matter of course, we will review the notice once per year.
We will notify you if there are any substantial changes to this notice that could affect your information rights.
Version 1. Last updated 14/07/2021
Zebra Access CIO provides services and support to Deaf, Deaf Blind and Hard of Hearing people with thanks to The National Lottery Community Fund. Services includes Employment Services, English/Maths tutorials, Advocacy, Community Development, BSL/Deaf Awareness, drop-in sessions dealing with a range of queries, complaints, form filling, and many more. Zebra Access staff and volunteers have the right to work in a safe and abuse free environment. The organisation will not tolerate any kind of abuse against its staff, volunteers or property.find out More