Member Privacy Notice

Member Privacy Notice – Solent Youth Action (SYA)

1. Who we are

  • Name: Solent Youth Action (SYA)
  • Registered Address: 16 Romsey Road, Eastleigh, Hampshire. SO50 9AL.
  • Company Registered in England and Wales Number: 05307086 and Registered Charity in England and Wales number 1108361
  • E-mail us
  • Date Created/Updated: 1st August 2021

We take the privacy, including the security, of personal information we hold about you seriously. This privacy notice is designed to inform you about how we collect personal information about you and how we use that personal information. You should read this privacy notice carefully so that you know and can understand why and how we use the personal information we collect and hold about you.

We have appointed our Chief Executive Officer, Kailea Hurcombe, as our data protection manager (DPM). You can contact them using the details set out above.

We may issue you with other privacy notices from time to time, including when we collect personal information from you. This privacy notice is intended to supplement these and does not override them.

We may update this privacy notice from time to time.

2. Key definitions

The key terms that we use throughout this privacy notice are defined below, for ease:

In this privacy notice we will refer to ourselves as ‘we’, ‘us’ or ‘our’. We are the Data Controller of the personal information we collect, hold, and use about you.

Activities and Services: refers to any youth club, trip, workshop, volunteering, training or other provision offered to members by Solent Youth Action and includes face to face, remote, and hybrid delivery.

Data Controller: under UK data protection law, this is the organisation or person responsible for deciding how personal information is collected and stored and how it is used.

Data Processor: a Data Controller may appoint another organisation or person to carry out certain tasks in relation to the personal information on behalf of, and on the written instructions of, the Data Controller. (This might be the hosting of a site containing personal data, for example, or providing an email marketing service that facilitates mass distribution of marketing material to a Data Controller’s customer base.)

Personal Information: in this privacy notice, we refer to your personal data as ‘personal information’. ‘Personal information’ means any information from which a living individual can be identified. It does not apply to information that has been anonymised.

Special Category Information – certain very sensitive personal information requires extra protection under data protection law. Sensitive data includes information relating to health, racial and ethnic origin, political opinions, religious and similar beliefs, trade union membership, sex life and sexual orientation and also includes genetic information and biometric information.

SYA Member – a young person signed-up to participate in activities and services provided by Solent Youth Action.

3. Details of personal information that we collect and hold about you

Set out below are the general categories and details of retention periods in relation to those categories (see below for more details about retention) and in each case the types of personal information that we collect, use and hold about you:

General Category Types of Personal Data in that category Retention Periods – How Long We Keep Your Information
Identity information / personal identifiers This is information relating to your identity such as your name (including any previous names and any titles that you use), gender, marital status and date of birth.

This may also include information about parents/guardians where they are required to provide consent to participate.

6 yrs after last attendance or after reaching age 25 (whichever is later)
Contact information This is information relating to your contact details such as email address, addresses, telephone numbers.

This may also include information about parents/guardians where they are required to provide consent to participate.

6 yrs after last attendance or after reaching age 25 (whichever is later)
Electronic identifiers  

This includes information such as your email address, user name, IP address.

This may also include information about parents/guardians where they are required to provide consent to participate.

6 yrs after last attendance or after reaching age 25 (whichever is later)
Emergency Information This is information relating to your next of kin, including their names and contact details. Until 1 year after your last attendance at an SYA activity or event in case you decide to return.
Family information Information about other family members such as parents and siblings where this is necessary to enable us to provide an appropriate service and an adequate level of support for the young person. Until 1 year after your last attendance at an SYA activity or event in case you decide to return.
Your image / moving image / voice This is information stored in image, video, or audio file formats such as photographs, recordings etc. that may be used for reporting purposes (sending reports to our funders) or for communications purposes (talking about and promoting our work). During your membership and for so long as images are being actively used by us for any of the stated reasons.
Interests and hobbies This is information about your interests and hobbies that helps us ensure that our service is able to meet your needs and the needs of other members and potential members. Until 1 year after your last attendance at an SYA activity or event in case you decide to return.
Support needs This is information about your behaviour, abilities, and needs that helps us understand how to support you to engage in our activities and services whilst keeping you safe and fulfilling our safeguarding responsibilities. Until 1 year after your last attendance at an SYA activity or event in case you decide to return.
Permitted payment information This is information relating to the methods by which you provide payment to us such as [bank account details, credit or debit card details] and details of any payments (including amounts and dates) that are made between us and as permitted under PCI DSS.

This may also include parent/guardian payment information where they are the person making the payment.

Payment method until final payment is made and cleared.

Payment amounts inc. invoices and receipts: 6 years.

Transaction information This is information relating to transactions between us such as details of the activities and services provided to you.

This may also include parent/guardian payment information where they are the person carrying out the transaction.

6 years
Survey information This is information that we have collected from you or that you have provided to us in respect of surveys and feedback.

This may also include parent/guardian survey information where they are the person completing the survey.

2 years from last use unless we have anonymised the data in which case we may continue to use it.
Marketing information This is information relating to your marketing and communications preferences.

This may include parent/guardian marketing information where they are the primary point of contact with SYA.

1 year after the date of last marketing interaction.

The types of personal data we collect about you may differ from person to person, depending on who you are and the relationship between us.

4. Details of special information that we collect and hold about you

Special information is explained above.

Type of Special Category Information and Reason for Processing Retention Periods – How Long We Keep Your Information
Physical and Mental Health and Wellbeing – Details of any support needs you may have that need to be met in order for you to be able to participate in SYA activities. 6 yrs after last attendance or after reaching age 25 (whichever is later)
Criminal record and related information – we ask you to tell us this information so we can ensure our activities and services are appropriate for your needs and so we can fulfil our obligation to safeguard all the children, young people, and vulnerable adults we work with. 6 yrs after last attendance or after reaching age 25 (whichever is later)
Equality monitoring information (e.g. gender, race, ethnicity, religion) – We ask you to voluntarily provide this information anonymously and we store it alongside other individual’s anonymous information. For this reason, it is not considered to be special category information held about you. As this information is not classified as special category information we may continue to hold it for as long as it has a useful value to us in monitoring the effectiveness of our equality, diversity, and inclusion policy and procedures.
Other special category information – in the course of working with you, you may tell us other information about yourself that is considered special category information such as about your sex life, sexual orientation, political views, and your trade union membership. We will only record this information if it is relevant to us providing a service that meets your needs and to use fulfilling our safeguarding obligations to you and others. 6 yrs after last attendance or after reaching age 25 (whichever is later)

5. Details of how and why we use personal information

We are only able to use your personal information for certain legal reasons set out in data protection law. There are legal reasons under data protection law other than those listed below; but, in most cases, we will use your personal information for the following legal reasons:

  1. Contract Reason: this is in order to perform our obligations to you under a contract we have entered into with you;
  2. Legitimate Interests Reason: this is where the use of your personal information is necessary for our (or a third party’s) legitimate interests, so long as that legitimate interest does not override your fundamental rights, freedoms or interests;
  3. Legal Obligation Reason: this is where we have to use your personal information in order to perform a legal obligation by which we are bound; and
  4. Consent Reason: this is where you have given us your consent to use your personal information for a specific reason or specific reasons.

So that we are able to provide you with activities and services, we will need your personal information. If you do not provide us with the required personal information, we may be prevented from supplying the activities and services to you.

It is important that you keep your personal information up to date. If any of your personal information changes, please contact us as soon as possible to let us know. If you do not do this, then we may be prevented from supplying the activities and services to you.

Where we rely on consent for a specific purpose as the legal reason for processing your personal information, you have the right under data protection law to withdraw your consent at any time. If you do wish to withdraw your consent, please contact us using the details set out at the beginning of this notice. If we receive a request from you withdrawing your consent to a specific purpose, we will stop processing your personal information for that purpose, unless we have another legal reason for processing your personal information – in which case, we will confirm that reason to you.

We have explained below the different purposes for which we use your personal information and, in each case, the legal reason(s) allowing us to use your personal information. Please also note the following:

  1. If we use the Legitimate Interests Reason as the legal reason for which we can use your personal information, we have also explained what that legitimate interest is; and
  2. For some of the purposes, we may have listed more than one legal reason on which we can use your personal information, because the legal reason may be different in different circumstances. If you need confirmation of the specific legal reason that we are relying on to use your personal data for that purpose, please contact us using the contact details set out at the start of this privacy notice.
Purpose Legal Reason(s) for using the personal information
To sign you up as a SYA member and provide our activities and services to you. Contract Reason

Legitimate Interests Reason (in order to offer you other activities and services in keeping with our charitable aims and objectives

To share information about the work we are doing with others such as our funders, supporters, and other interested parties. Consent

Legitimate Interest Reason (to enable us to report on and promote the work of SYA to help with funding and sustainability in keeping with our charitable aims and objectives)

To fulfil our safeguarding and other legal obligations Legal Obligation Reason

Vital Interest

To comply with audit and accounting matters Legal Obligation Reason
To improve the activities and services we provide Legitimate Interests Reason (in order to improve the activities and services we are able to provide in keeping with our charitable aims and objectives)
To recommend and send communications to you about activities and services that you may be interested in. More details about marketing are set out below Legitimate Interests Reason (in order to better enable us to fulfil our charitable objectives by reaching more people)

Consent Reason

Sometimes we may anonymise personal information so that you can no longer be identified from it and use this for our own purposes. In addition, sometimes we may use some of your personal information together with other people’s personal information to give us statistical information for our own purposes. Because this is grouped together with other personal information and you are not identifiable from that combined data we are able to use this.

Under data protection laws, we can only use your personal information for the purposes we have told you about, unless we consider that the new purpose is compatible with the purpose(s) we told you about. If we want to use your personal information for a different purpose that we do not think is compatible with the purpose(s) we told you about, then we will contact you to explain this and what legal reason is in place to allow us to do this.

6. Safeguarding Information

As part of our obligation to safeguard the children, young people, and vulnerable adults we work with, we may collect and share safeguarding information where we have reason to believe that abuse or harm has already occurred or that there is a risk of abuse or harm taking place. This is a legal obligation and we do not need to obtain consent before sharing safeguarding information with other agencies.

 

Safeguarding Information Retention Periods – How Long We Keep Your Information
Details of safeguarding concerns that do not result in a referral. 1 yr after the concern raised has been resolved providing it did not result in any further action being taken, such as a referral.
Details of safeguarding referrals, including incident reports. 6 yrs after the last activity related to the referral or after they reach the age of 25, whichever is later.

7. Details of how we collect personal information

We usually collect your personal information directly from you when you fill out a form or questionnaire, register for SYA activities and services, contact us by email, telephone, in writing or otherwise. This includes the personal information that you provide to us when you subscribe to our mailing list or enter a competition or survey we run.

We may receive some of your personal information from third parties or publicly available sources. This includes:

  1. Contact Information and Payment Information from our third-party suppliers, as Lloyds Bank..
  2. Information you make available through profiles on sites such as Google, Facebook, Instagram, Twitter, and others.
  3. Information shared with us by other agencies who have referred you to Solent Youth Action.

8. Details about who personal Information may be shared with

We may need to share your personal information with other organisations or people. These may include:

  1. Our own contractors, subcontractors, trainers, and others that are directly involved in the delivery of our activities and services
  2. Third parties who are not part of our group. These may include:
    1. Suppliers: such as IT services and IT support services, payment providers, administration providers.
    2. Government bodies and regulatory bodies: such as HMRC and Companies House
    3. Our advisors: such as lawyers, accountants, auditors, insurance companies
    4. Our bankers
    5. Any organisations that propose to merge with or take over our organisation and its assets.

Depending on the circumstances, the organisations or people who we share your personal information with will be acting as either Data Processors or Data Controllers. Where we share your personal information with a Data Processor, we will ensure that we have in place contracts that set out the responsibilities and obligations of us and them, including in respect of security of personal information.

We do not sell or trade any of the personal information that you have provided to us.

9. Details about transfers to countries outside of the EEA

If any transfer of personal information by us will mean that your personal information is transferred outside of the EEA, then we will ensure that safeguards are in place to ensure that a similar degree of protection is given to your personal information as is given to it within the EEA and that the transfer is made in compliance with data protection laws (including, where relevant, any exceptions to the general rules on transferring personal information outside of the EEA that are available to us – these are known as ‘derogations’ under the data protection legislation). We may need to transfer personal information outside of the EEA to other organisations within our group or to the third parties listed above who may be located outside of the EEA.

The safeguards set out in data protection laws for transferring personal information outside of the EEA include:

  1. Where the transfer is to a country or territory that the EU Commission has approved as ensuring an adequate level of protection;
  2. Where personal information is transferred to another organisation within our group, under an agreement covering this situation which is known as ‘binding corporate rules’;
  3. Having in place a standard set of clauses that have been approved by the EU Commission;
  4. Compliance with an approved code of conduct by a relevant data protection supervisory authority (in the UK, this is the Information Commissioner’s Office (ICO);
  5. Certification with an approved certification mechanism;
  6. Where the EU Commission has approved specific arrangements in respect of certain countries.

10. Details about how long we will hold your personal information

We will only hold your personal data for as long as is necessary. How long is necessary will depend upon the purposes for which we collected the personal information and whether we are under any legal obligation to keep the personal information (such as in relation to accounting or auditing records or for tax reasons). You’ll find our retention periods detailed earlier in this document. We may also need to keep personal information in case of any legal claims and for safeguarding purposes.

11. Automated decision making

We do not carry out any automated decision making.

12. Your rights under data protection law

Under data protection laws, you have certain rights in relation to your personal information, as follows:

  1. Right to request access: (this is often called ‘subject access’). This is the right to obtain from us a copy of the personal information that we hold about you. We must also provide you with certain other information in response to these requests to help you understand how your personal information is being used.
  2. Right to correction: this is the right to request that any incorrect personal data is corrected and that any incomplete personal data is completed.
  3. Right to erasure: (this is often called the ‘right to be forgotten’).This right only applies in certain circumstances. Where it does apply, you have the right to request us to erase all of your personal information.
  4. Right to restrict processing: this right only applies in certain circumstances. Where it does apply, you have the right to request us to restrict the processing of your personal information.
  5. Right to data portability: this right allows you to request us to transfer your personal information to someone else.
  6. Right to object: you have the right to object to us processing your personal information for direct marketing purposes. You also have the right to object to us processing personal information where our legal reason for doing so is the Legitimate Interests Reason and there is something about your particular situation that means that you want to object to us processing your personal information. In certain circumstances, you have the right to object to processing where such processing consists of profiling (including profiling for direct marketing).

In addition to the rights set out here, where we rely on consent as the legal reason for using your personal information, you have the right to withdraw your consent.

If you want to exercise any of the above rights in relation to your personal information, please contact us using the details set out at the beginning of this notice. If you do make a request, then please note:

  1. We may need certain information from you so that we can verify your identity;
  2. We do not charge a fee for exercising your rights unless your request is unfounded or excessive; and
  3. If your request is unfounded or excessive, then we may refuse to deal with your request.

Please contact us by email if you wish to make a request.

13. Marketing

You may receive marketing from us about other Solent Youth Action activities and services that are dissimilar to the activities and services you already take part in.

Where either you have consented to this, or we have another legal reason by which we can contact you for marketing purposes, we are able to do this. However, we will give you the opportunity to manage how or if we market to you.

To change your marketing preferences, and/or to request that we stop processing your personal information for marketing purposes, you can always contact us using the details set out at the beginning of this notice.

If you do request that we stop marketing to you, this will not prevent us from sending communications to you that are not to do with marketing (for example in relation toactivities that you have registered to participate in already).

We do not pass your personal information on to any third parties for marketing purposes.

14. Complaints

You can contact us using the details set out at the beginning of this privacy notice.

If you are unhappy about the way that we have handled or used your personal information, you have the right to complain to the UK supervisory authority for data protection, which is the Information Commissioner’s Office (ICO).

Please do contact us in the first instance if you wish to raise any queries or make a complaint in respect of our handling or use of your personal information, so that we have the opportunity to discuss this with you and to take steps to resolve the position.