Headway West Sussex has always taken great care over the data that we hold for the clients and contacts that we work with.

Our Privacy Policy – your information, your rights and how we use it
Headway West Sussex is committed to protecting your personal information.
Our Privacy Policy was last updated on 18 June 2018.
Our Privacy Policy contains important information about what personal details we collect; what we do with that information; who we may share it with and why; and your choices and rights when it comes to the personal information you have given us.
We may need to make changes to our Privacy Policy from time to time. Please check back here. If there are important changes such as changes to where your personal data will be processed, we will contact you to let you know.
If you require access to the data we hold on you, we may require additional information from you to confirm your identity before we release any data we hold.

Who we are
Headway West Sussex works across the county to improve the lives of people of 18 years and over, living with an Acquired Brain Injury. We are an independent charity and Charitable Incorporated Organisation. Our registered charity number is: 1160319.

How to contact us
If you have any questions about our Privacy Policy or the information we collect or use about you, please contact:
FAO Data Controller
Headway West Sussex
Dove Lodge
49 Beach Road
Littlehampton
BN17 5JG
Email: info@headwaywestsussex.org.uk

Information we collect and use
Information about you that we collect and use includes:
• Information about who you are e.g. your name, date of birth, address and contact details
• Information about your contact with us e.g. meetings, emails / letters and phone calls
• Information on your contact points in case of an emergency
• Professional contacts, for liaison purposes if required
• Donor information and sources
• With your consent, information classified as ‘sensitive’ personal information e.g. relating to your health. This information will only be collected and used where it is needed to provide the service you have requested or to comply with our legal obligations
• Information that is automatically collected e.g. via cookies when you visit our website

Where we collect your information
We may collect your personal information directly from you, from a variety of sources, including:
• an application form for a service we provide
• phone conversations with us
• emails or letters you send to us
• meetings with one of our team members
• registering for an event with us e.g. carers programme
• participating in research surveys to help us understand you better and improve our services
• our online services such as websites, social media and mobile device application (‘Apps’)
• making a donation to us
• requesting marketing to be sent to you
• giving us feedback on our work
• Third parties or publicly available sources. We may receive personal information about you from various third parties and public sources as set out below:
o Identity information, and contact and financial details from third party organisations with whom we            fundraise in partnership (for example, when you sign up for an event or fundraise for us though a third          party such as the London Marathon or through fundraising websites such as JustGiving and Virgin                   Money Giving); and
o Identity information, contact and financial details, and health information from third party                                organisations to whom you gave permission to share your details with us, including the NHS or                             charities.

What we collect and use your information for
We take your privacy seriously and we will only ever collect and use information which is personal to you where it is necessary, fair and lawful to do so. We will collect and use your information only where:
• it is necessary to provide the service you have requested e.g. Support Group
• it is necessary for us to meet our contractual, legal or regulatory obligations e.g. accounting for promotional prizes and to tell you about changes to Terms and Conditions or for the detection and prevention of fraud
• it is in the legitimate interests of Headway West Sussex e.g. to deliver appropriate information and guidance so you are aware of the options that will help you get the best outcome from our services
• where we need to process your information to better understand you and your needs so we can send you more relevant communications about the services you use with us and to develop new services into the future
• it is in the legitimate interests of a third party e.g. crime reduction
• it is necessary for us to meet our legal or regulatory obligations e.g. to verify your identity
• it is in the legitimate interests of Headway West Sussex e.g. to understand our user demographics and use of our website and online services
• to send invoices or reminder notices or otherwise notify you of changes to our online services, and any other purpose related to or ancillary to any of the above.
• you have given us your permission [consent] to send you information about services offered by other parts of Headway West Sussex.
• Transaction history of your interactions with us. This will include any donations, Gift Aid or events you have participated in, the services you request, your interests, preferences, feedback and survey responses and how you use our website and services.
• Marketing and communications preferences for receiving information from us about our support services, research, campaigning, volunteering and fundraising activities (including ways to donate) and how you would like us to communicate with you
If you do not wish us to collect and use your personal information in these ways, it may mean that we will be unable to provide you with our services.

Who we may share your information with
We may share your information with third parties for the reasons outlined in ‘What we collect and use your information for.’
These third parties include:
• Headway West Sussex employees and volunteers.
• Companies we have chosen to support us in the delivery of the services we offer to you or companies who can help us in our contact with you, for example an internet service provider.
• HM Revenue & Customs, regulators and other authorities acting as processors or joint controllers based in the United Kingdom who require reporting of processing activities in certain circumstances.
• Health providers across the UK like the NHS or other charities, to whom we might refer you for additional support as part of delivering a service to you.
Where we wish to share your personal information with third parties who are not listed above then we shall seek your consent before doing so, unless the data is anonymised (i.e. it does not identify individuals) – in which case we may share the information without first obtaining your consent.
We will never sell your details to someone else. Whenever we share your personal information, we will do so in line with our obligations to keep your information safe and secure.

How we protect your information
We take information and system security very seriously and we strive to comply with our obligations at all times. Any personal information which is collected, recorded or used in any way, whether on paper, online or any other media, will have appropriate safeguards applied in line with our data protection obligations.
Your information is protected by controls designed to minimise loss or damage through accident, negligence or deliberate actions. Our employees also protect sensitive or confidential information when storing or transmitting information electronically and undertake training on this.
Our security controls are aligned to good practice; providing a control environment that effectively manages risks to the confidentiality, integrity and availability of your information.

Protection of Personal Data
Protection of all client information provided or received by us is of paramount importance to our organisation. Headway West Sussex goes to great lengths to ensure that the information provided to us in the course of our business is kept secure at all times. Headway West Sussex is a Data Controller under the GDPR, in line with the Data Protection Act 2018 (the ‘Act’) and any personal and financial information that we hold about you will be held on secure server/computer and/or in paper files and processed subject to the GDPR. This information will be used to deal with queries and to bring to your attention additional services that may be of benefit to you. If we are advised that the confidentiality of your information is breached, we will inform you as soon as possible if the breach is likely to result in a high risk of adversely affecting your rights and freedoms. We also have a duty to report certain types of personal data breach to the relevant supervisory authority within 72 hours of becoming aware of the breach, where feasible. We will document all breaches regardless of whether or not reporting is required.

How long do we keep your information?
We have detailed in this Privacy Policy the ways in which individuals can have their information erased from our records or request amendments to the data we hold.
The information we hold for individuals will be maintained for the course of our ongoing business to maintain correct client/user records.

The individual rights available to you
You have several rights in relation to how Headway West Sussex uses your information. They are:
Your right of access
You have the right of access to your personal information. If you wish to receive a copy of the personal information we hold on you, you may make a data subject access request.
We reserve the right to charge a small administration fee for requests that are manifestly unfounded or excessive.

Your right to be informed
You have a right to receive clear and easy to understand information on what personal information we have, why and who we share it with, if at all.

Your right to request erasure
We shall, upon receipt of a written request from the Client, return all Client Personal Data at the end of the provision of the Services to which the Client Personal Data relates. This will not apply to any Client Personal Data that we must retain in accordance with any legal and regulatory requirements, and will be directed by any guidance that has been issued in relation to deletion or retention by a Supervisory Authority.
You can ask for your information to be deleted or removed if there is not a compelling reason for Headway West Sussex to continue to have it.
We reserve the right to charge a small administration fee for requests that are manifestly unfounded or excessive.

Your right to request that your personal information be rectified
If your personal information is inaccurate or incomplete, you can request that it is corrected.
We reserve the right to charge a small administration fee for requests that are manifestly unfounded or excessive.

Your right to restrict processing
You can ask that we block or suppress the processing of your personal information for certain reasons. This means that we are still permitted to keep your information – but only to ensure we don’t use it in the future for those reasons you have restricted.

How to make a complaint
We will always strive to collect, use and safeguard your personal information in line with data protection laws. If you do not believe we have handled your information as set out in our Privacy Policy, please contact us directly and we will work to resolve any issues.
If you are still unhappy, you can complain to our Supervisory Authority. Their contact details are:
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire, SK9 5AF
Tel: 0303 123 1113 (local rate) or 01625 545 745 if you prefer to use a national rate number
Fax: 01625 524 510