We at Hebron Trust may hold personal data about you so that we can provide you with the services or information you need.

We will ask for your consent before storing data about you.

We will never sell any data about you.

We will only share it with others where we must, to provide services. If you explicitly allow us to we may share it with other organisations to help them provide you with continuation services.

If you ask, we will give you what we hold about you, as far as we are allowed. We will correct any errors you identify.

You may opt not to receive marketing information from us and we will honour your request.

We take great care of that data and have a Privacy Policy which describes how we handle and protect it.

When we no longer need it, we will delete it.

Privacy Policy

In this policy, whenever you see the words ‘we’, ‘us’ or ‘our’, it refers to Hebron Trust, a charity registered in England and Wales with number 1020095. We are also a company limited by guarantee, registered in England and Wales with number 2802742.

We provide Recovery and Rehabilitation services for women aged over 18 struggling with addiction, particularly drug and alcohol addiction, and the life-dominating problems that serious substance misuse can cause.

Our Rehab activities are regulated by the Care Quality Commission.

To deliver this service, we collect and use data about a range of people:

  • The people we help – our clients come from all kinds of situations.
  • Many are referred by social work caseworkers and are funded by local authorities.
  • We receive donations from individuals, organisations and grant-making trusts.
  • Our company is owned by members of the company limited by guarantee, and directed by Trustees.
  • We employ people and are helped by volunteers.

We keep personal data that could be used to identify individuals across this range of people, such as name and address, phone numbers and email address.

We collect non-personal data (such as IP addresses, pages accessed etc) that does not identify individuals to improve how our website operates.

As part of our treatment records, we may keep the names of people involved in the lives of our clients, and their relationship to the client. These people may include children. We do not keep any other information about these people.

This policy describes how we collect, use and delete personal data. We may change this policy from time to time, and we publish the current policy on our website.

Summary of the policy

  1. We only collect data that we need or that would be useful to us to help us provide services
  2. We keep all personal information secure. To do this we may use third party service providers
  3. We only share client-related information with the explicit consent of the client and only to provide continuing care. We never share it for marketing purposes
  4. We never sell data or information
  5. You may ask us to show you what we hold about you, and we will provide that in transportable form for you. We may be obliged to redact it first. We will correct any errors that you point out
  6. We will delete data about you in line with our data retention schedule, which is part of the detail of the policy
  7. Where other organisations provide data processing services for us, we will ensure they are aware of this policy and adopt appropriate safeguards
  8. You may opt not to receive marketing information from us and we will honour your request

If you use our website or social media pages and provide information about yourself, then there will be an explicit requirement that you consent to us collecting and using that information in the way(s) set out in this policy.

If you telephone, call or otherwise ask us for information, and provide your name and address to help us respond, then you consent to us collecting and using that information in the way(s) set out in this policy.

If you do not agree to this policy please do not use our services, web site or social media pages.

The policy

This policy applies to all our operations, including our websites and social medias.

Hebron Trust will hold and process all data in line with the relevant data and tax legislation and the best practice advice from the Information Commissioner’s Office.

  1. We only collect data that we need or that would be useful to us to help us provide services. This includes information about clients and about others, for example staff members and donors to the organisation
  2. We keep all personal data secure. All the computers we use have up-to-date firewall and virus protection, and our network is properly safeguarded. We may use third party providers to help us do this
  3. We only share client-related data with the explicit consent of the client and only to provide continuing care. We never share it for marketing purposes
  4. We never sell data or information
  5. You may ask us to show you what we hold about you, and we will provide that in transportable form for you. We will correct any errors that you point out
  6. You may opt not to receive marketing information from us and we will honour your request
  7. We will delete information about you in line with our data retention schedule, which is below
  8. Where other organisations provide data processing services for us, we will ensure they are aware of this policy and adopt appropriate safeguards

We collect non-personal data (such as IP addresses, pages accessed etc) that does not identify individuals to improve how our website operates.

All our services are for adults. As part of our treatment records, it may be appropriate to record the names of those people involved in the lives of our clients, and their relationship to the service user. This may include the names of children. Other than age (if appropriate) and name we not keep any other information.

We will only share data about you without your permission if

  • we are legally required to do so, e.g. by a law enforcement agency legitimately exercising a power or if compelled by an order of the Court
  • we believe it is necessary to protect or defend our rights, property or the personal safety of our team, residents, visitors to our premises or websites

Breaches of this policy should be reported to the Chair of the Trustees initially.

The information we collect, why we hold it, how we would share it with you or others

We only collect information we need to provide our services. We think of this information as five collections. Each collection is held for a different purpose.

  1. Service users. We hold information about potential, current and past service users. We hold this to ensure that we provide appropriate and effective services, and we use the data in aggregated, anonymised form for statistical reporting to the regulator and others. As part of our treatment records, we may keep the names of people involved in the lives of our clients, but we do not keep any other information about them. All of this data form “Social Work and related activities records”. It is in our legitimate interest to hold and process this data; during your time with us it is in your vital interest that we hold and process this data.

If you are a service user:

  • you explicitly consent to this policy when we start delivering services to you
  • sharing all this data with you could be likely to “prejudice the carrying out of social work by causing serious harm to the physical or mental health or condition of the requester or any other person”, and if you ask us for the data we hold, we may redact it before giving it to you.
  • we will share redacted information with other care organisations you may become involved with after Hebron, but only to assist them provide care for you.
  • we will provide simple facts about the service we provide to you, for example, how many groups you attended, to those who are paying for those services. We will not share any details of what happens during your involvement with us.
  1. Team. We hold information about potential, current and past members of the team who deliver services to our clients. This includes employed staff, bank staff and volunteers. This collection includes appraisal, disciplinary and 1:1 records. We hold this data to ensure your personal development is properly managed, that you are correctly rostered, paid if appropriate, and contacted if necessary. We hold and process this data as part of our contract with you.

If you are a team member:

  • we will keep enough data to meet our legal obligations as an employer, to ensure that our operations run smoothly and to ensure your personal development is properly managed, and no more
  • other agencies (for example, our payroll service provider) may use and process this data. We will ensure they are aware of this policy and adopt appropriate safeguards
  • we will share all this data with you. We may redact information relating to our management intentions, and we will carefully redact information from disciplinary and grievance records to ensure that statements etc are not attributable
  • we will not share this information with any other organisation. Should you ask us to give an employment or other reference we will release the minimum of factual information, for example, start date, end date, salary and job title upon leaving.
  • Supporters. We hold information about potential, current and past supporters of the organisation so that we can make them aware of future activities and needs. This collection includes all present and past members of the Company Limited by Guarantee, present and past donors, and people who have attended the company’s AGMs. It is in our legitimate interest to hold and process this data. If you are a supporter, or you have expressed interest in learning more about Hebron Trust, then:
    • we will communicate with you in the ways you have agreed, for example by email or post
    • we will never pass on any information about you to any other organisation
    • you may opt not to receive information from us at any time, and we will then delete any data we do not need to keep to meet statutory and HMRC requirements.
  1. Service commissioners. We may hold personal information about those who commission our services on behalf of service users. We hold and process this data as part of our contract with you.

If you are a commissioner,

  • we will assume that any requests for tenders that your organisation has sent to Hebron Trust means that you have explicitly opted in to marketing communications. We state this in all tender documents we submit
  • wherever possible, we will communicate with you in the ways you have agreed, for example by email or post
  • you may opt not to receive marketing information from us at any time, and we will then delete any data we do not need to keep to meet our business, statutory and HMRC requirements
  • we will never pass on any information about you to any other organisation
  1. Trustees. We hold information about potential, current and past trustees of Hebron Trust. We hold extensive information about Trustees, including records of their participation in Trustee meetings, other internal meetings, and about their skills and qualifications. If you are a Trustee, you have access to all this information about yourself and about the other Trustees. When you cease as a Trustee, this information will remain in our data collection as part of the Trust’s audit trail of good governance. It is in our legitimate interest to hold and process this data.

Marketing

Marketing consists of two aspects: marketing our services to current and potential service commissioners, to make them aware of what we can provide; and marketing our services to past, potential and current supporters.

Service commissioners

We will use public domain information, and information from any tenders or similar documents your organisation may issue to Hebron Trust, to market our services to you

Supporters and donors

We only send marketing information to people who have specifically said that they agree to us doing this, and we will only do so in the way(s) they have agreed.

People visiting our website or social media pages, either as a potential service user or as a supporter, may wish us to provide more information. To do this, they will provide personal information, and there will be an explicit requirement that consent to us collecting and using that information in the way(s) set out in this policy.

Donors visiting us or our website or social media pages may wish to make Gift Aided donations. By completing a Gift Aid declaration, they are explicitly consenting to us holding information about them to meet our HMRC obligations; this will survive any opt-out.

If anyone telephones, calls or otherwise asks us for information, and provides personal information to help us respond, then they consent to us collecting and using that information in the way(s) set out in this policy.

People can opt out of receiving this information at any time, and we will delete any data we do not need to keep to meet statutory and HMRC requirements.

Breach of this policy

Anyone suspecting a breach of personal data (via unauthorised access, disclosure or data destruction) should inform the chairman of Hebron Trust.

The chair will ensure that we:

  1. identify the data collection affected
  2. carry out investigations to establish whether a breach has occurred
  3. plan and execute mitigation actions
  4. if it is likely to result in a risk to people’s rights and freedoms, make the first skeleton notification to the ICO within 72 hours
  5. conduct further investigation if necessary, ensuring appropriate learning takes place to reduce the likelihood of a recurrence
  6. complete the notification to the ICO if appropriate
  7. inform the data owner as appropriate.

It is only mandatory to report a breach to the ICO under the GDPR if it is likely to result in a risk to people’s rights and freedoms. It is likely that breach of the service user collection falls into that category, depending on which data items were breached.

The chair of the Trustees will ensure that appropriate records are maintained.

Data retention schedule

We will retain and delete personal information according to the table below

CollectionBasis for lawful processingKeep untilDeleteNotes
Service usersVital interest of service user

Legitimate interest for ex-service users and prospective service users

Keep in full until three years after last service use

Keep in skeleton until death or data owner requests deletion

One year after last service use, anonymise all data relating to others involved in service user’s life

Delete all detailed therapy notes three years after last service use

Social Work and related activities records
Team memberLegitimate interestRetain forever a skeleton record of employment (name, last known address, NI number, start date, end date, salary and job title at termination)

Keep payroll, pensions and expenses data in line with HMRC requirements.

Delete all 1:1 and appraisal notes 12 months after termination

Delete all disciplinary records 2 years after termination

SupportersLegitimate interest and consentData owner requests deletion (if appropriate, supporter must resign as a member of the Company Limited by Guarantee)2 years after last donation or expression of interestAGM minutes, including list of those present, are kept forever
Service CommissionersLegitimate interestKeep all payments information in line with statutory and HMRC requirements2 years after last invoice settled
TrusteesLegitimate interestRetain forever