1. Introduction
Health in Mind is committed to protecting and respecting individuals’ privacy. This policy explains how Health in Mind processes[1] the personal data we receive from individuals and organisations. By engaging with Health in Mind, you agree to the terms of this policy.
Health in Mind provides services to adults and individuals over the age of 16. If you are under the age of 18 years, you should speak to a caregiver before sending us any personal data.
[1] The term ‘processing’ refers to collecting, recording, storing, using, analysing, combining, disclosing or destroying data.
2. Legal status
Health in Mind is a registered Scottish charity (no. SC004128) and company limited by guarantee (no. SC124090). We are registered with the Information Commissioner’s Office in accordance with the Data Protection Act 2018.
3. Scope
This policy applies to all personal data processed by Health in Mind.
We provide services on behalf of or in conjunction with partner organisations including, but not limited to, the In Care Survivors Alliance and Edinburgh’s Health and Social Care Partnership.
We make content available through social media channels. Counselling sessions and online meetings may be conducted using third-party systems, such as Microsoft Teams. For a complete list of the systems we use, please contact us.
4. Principles
Health in Mind only processes the minimum amount of personal data necessary for service delivery, professional practice and organisational management, in accordance with data protection legislation. Our Information Governance framework of policies explains how personal data is protected and how long it is kept before being destroyed.
5. Legal bases for processing personal data
All personal data processed by Health in Mind is collected under at least one of the Data Protection Act 2018’s lawful bases. We use the following lawful bases:
a. Consent
You have given informed consent for Health in Mind to process your personal data for a specific purpose. You may choose to subscribe to receive regular email newsletters by providing your email address voluntarily. Consent may be withdrawn at any time by clicking the ‘unsubscribe’ link or by contacting us.
b. Contract
Processing your personal data is necessary for Health in Mind to perform a contract to which you are a party or because you have asked Health in Mind to take specific steps before entering into a contract.
c. Legal Obligation
Processing your personal data is necessary for Health in Mind to comply with the law. For instance, our HR staff must verify your identity documents to ensure you have the right to work in the UK before we make a job offer.
d. Vital Interests
Processing your personal data is necessary for Health in Mind to protect someone’s life. For example, contacting emergency services in exceptional circumstances when staff consider there will be a risk of serious harm to self or another person.
e. Legitimate Interests
Processing your personal data is necessary for Health in Mind’s legitimate interests. For instance, to help achieve our mission, supporters raise funds for Health in Mind. We may process supporters’ personal data so we can invite them to participate in similar kinds of fundraising activities in the future. Our legitimate interests will always be balanced against your reasonable expectations of privacy.
6. Collecting personal data
You may choose to provide your personal data to Health in Mind via our websites; social media; email; third-party systems such as TicketTailor; referral and application forms; written correspondence; voice calls; online meetings; and in person conversations.
You provide personal data when you:
- sign-up to receive newsletters and printed materials
- contact us about services
- refer an individual to access our services
- apply to work or volunteer with us
- enquire about training
- order products and services
- donate
- participate in research
- contact us for other reasons
Email is not considered a secure communication channel and we recommend you do not send us sensitive personal data by email, unless it has been encrypted.
Health in Mind’s online services may collect personal data temporarily for technical reasons, to keep them operational. Please refer to Health in Mind’s Cookie Policy at https://www.health-in-mind.org.uk/cookie-policy/.
If you donate money to Health in Mind online your transaction will be processed by a specialist third-party financial provider and your payment card details will not be shared with us. But your name, postal and email addresses will be passed to us unless you choose to donate anonymously.
Third parties share personal data with us in certain situations. For example, a healthcare professional may refer someone to use our services or an employer may register their employee to attend a training course.
7. Collecting sensitive personal data
Health in Mind may collect your name, address, email address, date of birth, phone number and other personal data you provide voluntarily. In certain circumstances, Health in Mind will be legally obligated to collect and process special category data, to protect vulnerable adults and children. Please approach Disclosure Scotland if you require information about disclosures or the Protecting Vulnerable Groups (PVG) scheme.
8. Using personal data
Health in Mind may process your personal data to:
- provide and/or link you with services
- notify you of service changes
- send you information about our products, services and events
- send you information about fundraising activities
- seek your views about our services and wider mental health topics
- inform you about the impact we are making with your help
- process donations and gift aid
- process applications for paid and voluntary work
- perform contracts
- comply with legal requirements
- record unacceptable actions
- keep a record of our relationship with you
9. Storing personal data
Personal data is kept in secure personal files or IT systems. Disclosure information is held securely in lockable, non-portable containers, according to the Secure Handling, Use, Storage and Retention of PVG/Disclosure Information Policy.
10. Protecting personal data
Health in Mind adopts measures to protect personal data:
- staff, students and volunteers receive data protection training
- data protection and records management policies are enforced
- business continuity plans are updated regularly
- ICT and physical security measures are in place
- there are regular internal audits and Care Inspectorate checks
- the organisation is registered with the Information Commissioner’s Office
- special category data can only be accessed by nominated staff
In the unlikely event of a data breach, staff are expected to follow the Data Breach procedure.
11. Retaining personal data
Health in Mind keeps your personal data in accordance with our Information Governance framework policies. In most cases, this is for no longer than is necessary for the purpose(s) it was collected. You can choose to withdraw your consent at any time, but Health in Mind may need to retain some personal data for legal, contractual, or regulatory reasons.
12. Sharing personal data
Health in Mind works with partners and statutory organisations, therefore we may need to share personal data with them, in certain circumstances, so that they can provide you with services. Health in Mind establishes Data Sharing Agreements with organisations in situations when we share personal data on a regular basis. All partner organisations are expected to have their own privacy policy. You can ask us not to share your personal data with partners, but this may prevent them from providing you with services. Health in Mind will never sell personal data.
We use third-party data processors to support our organisation’s work and help us to provide services, for example to enable Health in Mind staff to send email messages or pay staff salaries. Non-disclosure agreements and contracts have been put in place to ensure they do not share personal data with anyone, apart from us. Data processors must process the data securely and retain it according to Health in Mind’s retention schedules. Please note that Health in Mind may use MailChimp for external email distribution.
Appropriate safeguards will be implemented when personal data is shared outside the United Kingdom.
13. Access to personal data
Individuals have the right to request a copy of their personal data. If you would like a copy of some or all your personal data, please email or write to us. In exceptional circumstances, Health in Mind may make a small charge for providing this personal data, according to data protection legislation.
Health in Mind wants all personal data to be accurate and up-to-date. You can ask us to correct personal data you think is inaccurate. You can also ask us to stop using your personal data, except in situations where Health in Mind needs to retain information for legal, contractual or regulatory reasons.
14. Changes to this policy
The laws concerning data protection and privacy continue to evolve. This policy will be updated to incorporate changes to the Data Protection Act and related legislation as they occur.
15. How to complain
If you are unsatisfied with how we have used your personal data, we want to hear from you. Guidance on the complaints process can be found on our website at https://www.health-in-mind.org.uk/about-us/complaints-and-feedback/.
If you remain unsatisfied with our response, you can also complain to the Information Commissioner’s Office (ICO) at:
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Website: https://ico.org.uk
Telephone: 0303 123 1113
16. How to contact us
Please get in touch with the IT, Cyber Security and Information Governance Manager if you have any questions about our Privacy policy or how Health in Mind processes your personal data.
Last updated: April 2023