Service User Privacy Policy

This policy falls under our group of policies in agreement with current relevant legal guidelines of GDPR:

1. Data Protection Policy – general 
2. Data Privacy Policy-  users service 
3. Data Privacy Policy – users of website, social media and digital marketing
4. Data Privacy Policy-  staff
5. Data Privacy Policy information security
6. Information Security - Incident Management Policy
7. Information Security - Lifecycle Policy

Data controller: Youth First
Data protection officer: Suresh Kumar, suresh.kumar@youthfirst.org.uk

The organisation collects and processes personal data relating to its service users to manage service provision. The organisation is committed to being transparent about how it collects and uses that data and to meeting its data protection obligations.

What information does the organisation collect?

The organisation collects and processes a range of information about you. Some of this information is mandatory in order to use our services, for safeguarding and medical reasons. This includes:

• the name, address and contact details, including email address and telephone number, of both the young person and a parent/guardian
• school/education provision (if under 16 years old), and if eligible for free school meals
• date of birth, ethnicity and gender of young person
• registration of attendance at youth club sessions
• information about medical or health conditions, including whether or not the young person has a disability and/or allergy for which the organisation needs to make reasonable adjustments

We also ask for certain other information about the young person in order to provide the best possible service to our users. None of this information is mandatory:

• details about any care that the already being received (e.g from local authority/other agencies)
• details of doctor’s surgery
• education/employment status (for 16 years old and over)
• interests and hobbies
• goals for achievement through the service provision
• additional needs

The organisation, as well as those third parties with which it works to provide youth services, uses a Membership Form to collect this data, which is then uploaded into Views, a fully GDPR compliant data management system, run by data processing company Substance.  Their own data protection policies can be found here: Substance Substance –.

Why does the organisation process personal data?

In some cases, the organisation needs to process data to ensure that it is complying with its legal obligations. For example to comply with health and safety laws, safeguarding regulations and police/social service referrals.
In other cases, the organisation has a legitimate interest in processing personal data. Processing data allows the organisation to:

• evaluate and improve its services to ensure that the provision is always of the highest standard.
• demonstrate and evidence to funders that their money is being used in an effective and prudent manner.
• obtain occupational health advice, to ensure that it complies with duties in relation to individuals with disabilities and meet its obligations under health and safety law.
• comply with insurance requests.

Parents/guardians will be sent one email asking if they would like to join our Friends of Youth First group. Other than this their information will not be used for any marketing or fundraising purposes.

Who has access to data?

Your information may be shared internally where it is required to provide the service, including with relevant youth workers and members of the management team.

In certain very limited cases the organisation shares your data with external organisations and governmental agencies in order to fulfil its safeguarding legal obligations to the young person or adult members, their families/carers and the safety of the broader community.

The organisation may also share your data with third parties that process data on its behalf, in these instances, a Data Sharing Agreement is set in place according to the law, some examples of DSA in place:

• Lewisham Borough Council
• Phoenix Community Housing

The organisation will not transfer your data to countries outside the European Economic Area.

How does the organisation protect data?

The organisation takes the security of your data seriously. The organisation has internal policies and controls in place to try to ensure that your data is not lost, accidentally destroyed, misused or disclosed, and is not accessed except by its employees in the performance of their duties. Please find our full Data Protection Policy at: https://www.youthfirst.org.uk/privacy.

Where the organisation engages third parties to process personal data on its behalf, they do so on the basis of written instructions, are under a duty of confidentiality and are obliged to implement appropriate technical and organisational measures to ensure the security of data.

For how long does the organisation keep data?

The organisation will hold your personal data for the duration of the time that the young person uses the service, plus a period of three years.

Your rights

As a data subject, you have a number of rights. You can:

• access and obtain a copy of your data on request;
• require the organisation to change incorrect or incomplete data;
• require the organisation to delete or stop processing your data, for example where the data is no longer necessary for the purposes of processing; and
• object to the processing of your data where the organisation is relying on its legitimate interests as the legal ground for processing.

If you would like to exercise any of these rights, please contact suresh.kumar@youthfirst.org.uk.

We do not make decisions on how to process data based solely on automated decision-making.

If you believe that the organisation has not complied with your data protection rights, you can complain to the Information Commissioner.