This Privacy Notice covers the following:
· Who we are
· What is the General Data Protection Regulation (GDPR) and why is it important
· What are your Rights
· Legal basis for processing
· What personal and special category data is collected
· Why we need your information
· How we collect your personal data
· What we ask from you
· Disclosure of personal data
· How long we retain personal data
· Data Protection Notification
· How to make a complaint
· The Information Commissioners Office
Bryson Charitable Group (we) is committed to taking your privacy very seriously and protecting and respecting your information. We aim to be clear about how we use your personal information and this Privacy Notice will inform you about how we look after your information, what information we process and the reasons why. It will also explain the conditions under which we may share it with others and how we keep it secure.
Who we are
We deliver a wide range of services through our five Group Companies; Bryson Care, Bryson Energy, Bryson FutureSkills, Bryson Intercultural, Bryson LaganSports and Bryson Recycling to people throughout Northern Ireland, although we have expanded our Recycling services with recycling centres in County Donegal and Conwy in Wales. To be able to provide these services in an effective way, we are required to collect and use personal data.
We are a ‘data controller’ which makes us responsible for the personal data that we gather from our service users, internal staff, external organisations and stakeholders and other individuals who interact with us.
We have a dedicated Data Protection Officer for the Bryson Group who you can contact should you have any queries relating to this privacy notice or any other query relating to your data.
by email: email@example.com
or write to:
28 Bedford Street
BT 2 7FE
Alternatively ask for the Data Protection Champion or Manager of your service who may also be able to help you with your query.
What is the General Data Protection Regulation and why is it important?
The General Data Protection Regulation (GDPR) regulates the processing of personal data and replaces the Data Protection Act 1998. It becomes law on 25 May 2018 and places legal obligations on us to comply with a number of data protection principles.
We will ensure that we meet with the following 6 principles:
1. Process all personal information lawfully, fairly and in a transparent manner.
2. Collect personal information for a specified, explicit and legitimate purpose.
3. Ensure that the personal information processed is adequate, relevant and limited to the purposes for which it was collected.
4. Ensure the personal information is accurate and up to date.
5. Retains personal data for no longer than necessary for the purpose for which it is processed.
6. Keep your personal information safe and secure and protect its integrity and confidentiality.
What are your Rights
The GDPR is a rights base law and it is about restoring the rights of the individual and giving them more control over how their information is process. It is important that you are made aware of these rights.
1. Right to be informed – we are obligated to provide you with a privacy notice whenever we collect information from you. Each of our individual services will have a specific privacy notice which reflects the information processed for that service. There must be transparency at the point of collection on how the information will be used and there is an emphasis on providing you with a clear and concise notice.
2. Right of access – individuals must be able to access their data to ensure that it is being processed lawfully. This is commonly referred to as a subject access request. If you wish access to your personal data you must submit a request in writing and we will respond within 28 days. Please make contact with the Manager / Data Protection Champion of your service to exercise this right or contact the Data Protection Officer above. We may seek clarification as to your identity and there is no fee for this service.
3. Right of rectification – individuals have a right to have personal data corrected. The accuracy of you information is important to us. We would really appreciate if you let us know if your contact details change or if any other pieces of information that we hold on you is inaccurate.
4. Right to erasure or right to be forgotten (is not absolute and only applies in certain circumstances).
5. Right to restrict processing – you have the right to ask to restrict what we use your personal information for, for example we will stop processing your information where we have no legal reason to use the information. However, this is not an absolute right and will only apply in certain circumstances.
6. Right to data portability – this is a new right enabling individuals to reuse and transfer their personal data (held in electronic form) for their personal use to another data controller without affecting its usability.
7. Right to object – where the processing of personal data is subject to consent, individuals can object to certain types of processing such as direct marketing or processing for research purposes.
8. Right not to be subject to a decision based solely on automated processing, including profiling that significantly affect the individual.
Legal basis for processing personal data
We process personal data for specific purposes and these purposes will determine the legal basis for the processing. This is addressed under Article 6 and Article 9 of GDPR. The legal bases (Article 6) are detailed below:
1. Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
2. Processing is necessary for compliance with a legal obligation to which we are subject.
3. Processing is necessary in order to protect the vital interests of the data subject or of another natural person.
4. Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in us.
5. Processing is necessary for the purposes of the legitimate interests pursued by us or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject, which require protection of personal data, in particular where the data subject is a child.
6. Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
We will seek your consent where it is the only basis on which we can collect or use your personal information. Where consent is needed we will seek your explicit consent which you can withdraw at any time.
Bryson has carefully selected the appropriate legal base for processing in relation to the information that we process for our service users and staff. For example the information that we process to deliver our services will sometimes be based on the performance of a contract to which our service users have agreed, we may also use legitimate interest as there will be a reasonable expectation that we process certain pieces of information in order to deliver and monitor the success of our services. Other information processed by our HR Department or Finance Department on behalf of our staff will be based on a legal requirement and will also be necessary as part of a contract.
What personal and special category data is collected?
We collect the following type of personal data and this list is not exhaustive but provides a general guide. Every service or department will collect different information, specific information collected will be provided in the service or employee privacy notice.
· first name
· family name or surname
· telephone numbers
· date of birth
· training records
· financial information
· complaint information
· national insurance number
Special category data
This is personal data, which GDPR considers sensitive and deserving of extra attention:
· racial or ethnic origin
· religious or other philosophical beliefs
· political opinions
· physical or mental health or condition
· offences (including alleged offences)
Therefore, we will apply additional security and access measures to this type of personal data.
Why we need your information
· To provide you with a Bryson service in compliance with our contracts
· By keeping your records up to date helps us make inform decisions about the service that we provide to you
· To support us in ensuring that the service is safe, effective and tailored to your needs.
· To monitor and review the service that it is provided to you regularly
· To work well with other organisations who may be involved in the service provided to you
· To be able to provide necessary training relevant to meet your needs
· To demonstrate compliance to our funders
· To contact you for monitoring purposes in person, by telephone, post or email
· To produce outcome analysis reports to assess the impact of our services
· To be able to provide advice services
· To produce statistical reports which will be anonymised and may be made publicly available
· To ensure we meet our legal obligations including those related to diversity and equality
· Where the processing is necessary to comply with legal obligations, for example, the prevention and/or detection of crime
· To assist us in responding to emergencies or major accidents related to the services we provide.
How we collect your personal data
The following are examples of how we collect your personal data:
· When you apply for a job with us
· When we meet with you to agree participation on one of our services
· When you attend our premises for a specific purpose and provide your details
· When your information is referred to us from an external organisation or funder which you have agreed to
· When you telephone us
· When you email us
· When you use our website
· When we receive and investigate complaints
· Working in partnership with us
· CCTV covering our property and land
The personal data may be held in paper and electronic format, but will always be managed in a safe and secure manner.
Some areas of our website require you to actively submit personal data in order for you for example, email, online forms or online payments. You will be informed at each of these personal data collection points what data is required.
Some of this personal data may uniquely identify you, such as your name, address, email address, phone number, but we will only collect the personal data it needs.
Personal data may be gathered without you actively providing it, through the use of various technologies and methods such as Internet Protocol (IP) addresses and cookies. An IP address is a number assigned to your computer by your Internet Service Provider (ISP), so you can access the internet. We collect IP addresses for the purposes of system administration and to audit the use of our site. Each time you log onto our site and each time you request one of our pages, our server logs your IP address.
Although we log your session, it will not normally link your IP address to anything that can enable us to identify you. However, we can and will use IP addresses to identify a user when we feel it is necessary to enforce compliance with our rules or terms of service or to protect our service, site, users or others.
What we ask from you
· That you provide us with accurate and up to date personal data.
· That you inform us of any changes to your personal data.
· That you inform us if you find any error or inaccuracies.
Disclosure of personal data
We will not disclose your personal data to any external organisation or person unless it is satisfied that it has a legal basis to do so and proper measures are in place to protect the data from unlawful and unauthorised access.
However, we may be required to share your personal data with other departments within Bryson such as the Finance Department who may need to process a payment or to our HR Department to respond to a complaint. But this will be on a need to know basis and limited to the purpose of processing. We may also need to share your personal information with stakeholders who are part of the delivery, monitoring and funding of our services. But this will be explained through the privacy notices related to the service you are using.
We may also use external organisations to carry out services on its behalf and this requires providing them with access to personal data. Such as the IT Support company we use or confidential waste disposal companies. These organisations will act as Data Processors for us and they are legally obliged to keep your personal data secure and only process it under the specific direct instructions of us and in line with the GDPR.
In certain circumstances you information may have to be shared without your consent. This would be the case if there is a legal duty to provide personal information for example:
We must give information to courts if there are legal proceedings or to another party under a court order.
If there are serious concerns relating to a child or anyone else using our services which would present a risk to safety then we will share the relevant information without your agreement, this can include anything with reference to preventing risk and/ or detecting a crime.
How long we retain personal data
We are required to keep personal data for specified time periods to meet statutory obligations, regulatory and business needs and to comply with GDPR. We have developed a retention and disposal schedule which we use to record all of the retention periods relating to the records we store. Your personal data will only be held as long as necessary and permitted by law and will be disposed of in a secure manner when no longer needed.
You can request that we delete and destroy your data, by writing to the relevant department (if known) or directly to our Data Protection Officer asking for this to happen. Your personal data will be reviewed to establish if the law permits its destruction and deletion.
Data Protection Notification
As a Data Controller, we must notify the Information Commissioner's Office. You may view our Data Protection Notification by searching for each of the Group Company; Bryson Care, Bryson Energy, Bryson FutureSkills, Bryson Intercultural, Bryson LaganSports and Bryson Recycling and also separately registered under the Bryson Group on the Information Commissioners website www.ico.org.uk
How to make a complaint
If you wish to make a complaint on how we have handled your personal data, you can contact the Data Protection Officer or Manager of the service you are using who will investigate the matter. If you are not satisfied with our response or believe we are not processing your information in accordance with the law, you can contact the Information Commissioners Office details below.
The Information Commissioners Office
The Information Commissioner's Office (ICO) regulates compliance with GDPR within the UK. If you consider us to have breached any of the requirements of the GDPR, you may contact the ICO who may carry out an assessment, audit or investigation to establish whether we are compliant with the GDPR.
The ICO can be contacted at:
Information Commissioner’s Office
14 Cromac Place
Telephone: 0303 123 1114
If you require further information about the use of your data or wish to make a subject access request for copies of your personal data held by us, please contact the relevant department directly or the Bryson Data Protection Officer.