The privacy and security of your personal information is extremely important to us. This privacy promise explains how and why we use your personal data, to make sure you stay informed and can be confident about giving us your information.
We’ll keep this promise updated to show you all the things we do with your personal data. This promise applies if you’re a supporter of Seashell; member, donor, volunteer, supplier, contractor, customer, supporting parent/carer or legal guardian, employee, ex- employee, employee family member, governor, trustee, supplier, facilities user, health, education or social care partner, placement trainee, student, pupil, child, young person.
Additionally when you use any of our services, visit our website, message us on social media, email, call or write to us. In certain circumstances we may also provide an additional privacy notice, which will always refer to this promise.
We will only provide this privacy promise to you once, generally at the start of our relationship with you. However if this privacy promise is updated substantially, then we may provide you with details of the updated version. You are encouraged to check back regularly for updates.
Collecting specific, relevant personal information is a necessary part of us being able to provide you with any services you may request from us or just managing our relationship with you.
You have certain rights in relation to your personal information, for example the right to be provided with the personal information held about you and details of its use and the right to have certain of your personal information either erased or anonymised, commonly referred to as the right to be forgotten.
We will never sell your personal data that we hold to another party and will only share it with organisations we work with when it’s necessary and the privacy and security of your data is assured.
When we hold or use your personal information we do so as data controller, in the majority of circumstances.
A data controller is a person or organisation which controls how personal information is processed and used. A data processor is a person or organisation which processes and uses personal information in accordance with the instructions of another party, i.e. the data controller.
In this promise, whenever you see the words ‘we’, ‘us’, ‘our’, ‘Seashell ’, it refers to the legal entity, Seashell Trust, Company Registration number 042216714
Seashell is an education & care charity founded in 1823 in Manchester; originally for the education of deaf children.
Seashell is a charity dedicated to providing a creative, happy and secure environment for children and young people with complex needs and additional communication challenges from across the UK.
Across our school, college and residential care homes, and through the work we do beyond our own facilities, we deliver programmes of education, care and support that are individually tailored, promote independence and help build confidence and self-esteem in the children and young people we work with.
We also provide Sport services – Seashell Active, Seashell Sensory, Seashell Health, Seashell Start, Family services, and Fundraising.
Seashell Trust is a registered charity (Reg. Charity number 1092655) and our ICO registration number is Z1633500.
If you have any questions in relation to this privacy promise or how we use your personal data they should be sent to the Data Lead : Seashell, Stanley Road, Cheadle Hulme, Cheshire, SK8 6RQ Tel 0161 6100100, email: firstname.lastname@example.org
Processing can mean:
Collecting, assessing, recording, holding, viewing, analysing, storing, adapting, altering, deleting, disclosing, retaining, and sharing.
At Seashell this is both in paper and electronic forms.
How we process your data safely and securely
- We have policies and procedures in place for data protection and information security.
- We have staff who are responsible for data protection and information security.
- Confidentiality clauses are included in staff, third party and volunteer
- All authorised users of Seashell data complete training for data protection and information security.
- Restricted access to physical data and access to systems, and therefore data is defined by the role of the authorised user.
- Internal reporting systems ensure any incidents are recorded and managed, by those responsible with serious incidents reported to the information Commissioner’s office.
- IT protection systems are in place to identify and respond to Cyber security threats.
- We assess the suppliers that we engage with to ensure that they provide acceptable levels of data security and protection when processing Seashell information.
- Additionally in order to protect Seashell information we perform and meet an annual assessment/accreditation to ensure that our systems meet the standards defined in the NHS Data Security and Protection toolkit, and Cyber Essentials.
What personal data do we process?
Information which identifies you, or which can be identified as relating to you personally will be collected and used by us. We will only collect the personal data that we need.
The personal data you give us may include the following classifications: personal details, family details, lifestyle and social circumstances, membership details, goods and services details, financial details, education and employment details, including background checks and work place welfare, health details.
Due to the nature of the services that we provide we do collect special categories of personal data in addition to other personal data. These may include: physical or mental health details, racial or ethnic origin, religious or other beliefs of a similar nature, sexual orientation, criminal history, occupational health information, dietary requirements, medical diagnosis/history, family medical details and description, behaviour details, GP details etc. We have further safeguards in place for these special categories of data.
We collect personal data in connection with members, staff, volunteers, customers, trustees and governors, complainants, supporters’ enquirers, advisers and representatives of other organisations, event attendees, facilities users, vendors and suppliers, clinical and teaching work placement professionals.
Personal data provided by you
Your personal data can be provided to us in many ways, communicating with us: by phone, email or post, through our website or social media, and meetings. Additionally you may give us your personal data by completing forms, and using forms on our website and other applications when booking for events.
- Personal details (name, date of birth, email, address, telephone, and so on) when applying for our products and services;
- Financial information (payment information and whether donations are gift-aided);
- Becoming a student or applying to live at Seashell Trust (or being part of a child or young person’s support network) – medical history, medical diagnosis, current prescriptions etc.
- Your image for demonstrating achievements in any of our services
If you are the parent /carer/ legal guardian or a member of a team around a child or young person who uses our services, or who volunteers for us, your details and your relationship with that child/ young person will also be recorded.
Personal data created by your involvement with us
Your activities and involvement with us will result in personal data being created. This could include details of how you’ve helped us by volunteering or participating in our activities or if you have provided further health education, care related information for one of our children and young people etc.
When you Interact with an email sent ‘centrally’ by Seashell to advise you of our News, products and services we will receive information about that interaction. We use that to ensure we understand how our news, and information about our products and services is being received.
Information we generate
Whilst you maintain a relationship with us we could supplement the data initially collected at the start of our relationship. For example, this may be through completion of forms, collection of additional registration details, by provision of documentation by you from other parties that you are involved with that are relevant to the provision of additional services you choose toaccess.
Use of information for Research and Evaluation
Our Heads of Service and professional services partners might use personal and personal sensitive data to evaluate the effectiveness of our services. This evaluation allows us to ensure our services support our users as effectively as possible and to potentially scale up the provision of and identify other areas for Evaluation and Research.
Use of your personal data in automated decision making and profiling
We do not currently put your personal information through any automated decision making or profiling process. This means we do not make decisions about you using only computers without any human involvement.
We do analyse the information we hold, which can in turn generate personal data. For example, by analyzing your interests and involvement with our work we may be able to build a communication profile which helps us decide what items are likely to be of most interest to you. If this changes in the future, we will update this notice in order to explain how we do this to you, including your right to object to it.
Information from third parties
As part of the application process to join our Education, and Residential Care Services, Health and Sensory support, Active services we request information via you from any combination of previous Education, Medical, Therapy and Residential Care providers and additional information we feel would contribute to the provision of our services to you. We may seek further clarification with those parties regarding this information.
Sensitive personal data
At times we will collect sensitive personal data to enable us to provide our services to you and to allow us to comply with relevant employment, equal opportunities and similar legislation.
For students, residents and visitors to Seashell systems we also record the MAC address and IP address of their own devices when connecting to our services.
Staff, Volunteers, Governors and Trustees, Health and Education placements, Suppliers – people ‘working ‘with our Children and Young People
We collect extra information about you (e.g. references, criminal records checks, details of emergency contacts, medical conditions etc.). This information will be retained for legal or contractual reasons, to protect us and for safeguarding purposes.
Collection and use of images
Seashell is using the lawful basis of ‘legitimate interests’ for photos including people, with the exception of:
Photographs / filming for identification and security purposes, health and safety purposes and learning, teaching, service assessment purposes. In these circumstances the lawful basis is ‘for the performance of contract’
Where people will be named or quoted in the photographs / film and it is not part of their contract with us. In this circumstance the lawful basis is ‘consent’. We only ask for consent where other lawful basis are not applicable, and do so considering the additional requirements of current Mental Capacity Legislation.
Handling your payment card information
Where we collect this sensitive information over the internet, or when using hand held card processing terminals we use partner services that encrypt the data sent. Seashell uses external Payment Card Industry (PCI) compliant providers to collect this data on our behalf. We do not hold any PCI data on our systems.
How we use your personal data
We’ll only use your personal data on relevant lawful grounds as permitted by the UK General Data Protection Regulation, the UK Data Protection Act (2018) and Privacy of Electronic Communication Regulation 2003, Caldicott Principles
Why are we allowed to use your data?
Most commonly, this is where:
- We need to comply with a law for example but not exhaustive ( Education Act 1996, 2002 and 2011, The Care Act 2014, Mental Capacity Act 2005, Deprivation of Liberty Safeguards, The Children’s Act 1989 and 2004, Education and Skills Act 2008 and the Equalities Act 2010, Crime and disorder Act 1998, Working together to Safeguard Children)
- We have a duty to provide it as part of a contract (such as your local authority – education/social care or NHS)
- We have a legitimate interest to use your data. There will be a minimal impact on your privacy and we have a strong reason to use it (e.g. to support your learning/care services placement, use of CCTV for security monitoring purposes, and, except where we rely on consent, for fundraising, development and engagement purposes).
- When completing research and evaluation of our services we do not seek consent to use your personal data for this purpose but rely on legitimate interest as our lawful basis.
- Public Interest – to perform a task in the public interest that is set out in law. For example collaboration to deliver immunisations for school learners, prevention of the spread of infectious diseases
Less commonly, we may also collect and use your personal data in situations where:
- We have obtained you or your parents’/guardian’s consent to use it in a certain way, in line with the requirements of the Mental Capacity Act, depending upon your age.
- We need to protect yours (or another persons’) vital interests (i.e. in a medical emergency).
Where we have obtained consent to use your personal data, this consent can be withdrawn at any time. We will make this clear when we ask for consent, and explain how consent can be withdrawn.
Our basis for using special category data
For ‘special category’ data (more sensitive personal information), we only collect and use it when we have both a lawful basis, as set out above, and one of the following conditions for processing as set out in data protection law:
- We have obtained your explicit consent to use your information in a certain way, or that of your parent/guardian in line with the requirements of the Mental Capacity Act, depending upon your age.
- We need to protect an individual’s vital interests (i.e. protect your life or someone else’s life), in situations where you’re physically or legally incapable of giving consent
- The information has already been made obviously public by you
- We need to use it to make or defend against legal claims
- We need to use it for health or social care purposes, and it’s used by, or under the direction of, a professional obliged to confidentiality under law
- We need to use it for public health reasons, and it’s used by, or under the direction of, a professional obliged to confidentiality under law
We will notify you at the time of collection of the personal data of how we intend to use that data and will only use that data in accordance with that notification and any preferences you express.
Our Fundraising activities may sometimes include competitions or ideas involving children about how to raise money. Where this is the case we will ensure that any communication/application will also include an adult parent/carer.
Our external communications content is about our work, events and activities and is published in line with relevant lawful reason and in line with current Mental Capacity legislation.
As our data is collected from various different sources, for data quality purposes we will analyse your data to ensure we do not have multiple versions of information about you in our databases.
Additionally if you are one of our supporters we will decide on the relevant information for you based on looking at similar people to you, and how likely you are to respond to invitations so that you receive suitable communications.
We also hold information about you so that we can respect your preferences for being contacted by us. You can update this at any point, please email email@example.com or via post to Data Lead: Seashell, Stanley Road, Cheadle Hulme, SK8 6RQ.
Keeping your information up to date
To make sure that we always have the most up to date information about you, we may from time to time request that you confirm your personal details in the records that we hold.
How long will we keep your personal information?
We will not retain any information for longer than is necessary in relation to the purposes for which it was originally collected, or for which it was further processed, subject to all relevant legal obligations of the Trust for example the collection of Gift Aid or to support certain financial transactions. We retain personal data in accordance with our data retention schedules.
Where do we store your information?
We store the majority of your data on our own servers. This is held in line with our Information Security and Data Protection policies.
Where we work with service providers to process and hold your data for us we will ensure this is defined in a contract/sharing agreement and we will take reasonable steps to make sure that your data is treated securely in accordance with this privacy promise. We will endeavor to protect your personal data and ensure that it will be held in compliance with European data protection regulations.
The personal information collected from you may be transferred to, and stored at a destination outside of the European Economic Area (EEA). By submitting your personal data, you agree to this transfer, storing and processing outside of the EEA. Where in-country accreditation certificates are available for Data Protection and Information Security we will seek to use the companies holding these certifications.
In cases where we use external websites provided by other organisations e.g. Twitter, Facebook, Blue Octopus, Kinetic then we would ask that you consult their privacy policies.
Posting or sending content online
We have the right to disclose your identity to any third party claiming to own any content that you post or send.
If we believe that any content sent or posted by you is inappropriate or the content is in breach of any laws, (e.g. potentially defamatory content), we may use your personal information to inform relevant third parties, such as Internet Service Providers, or law enforcement agencies).
When we use an external service provider to process data on our behalf, we disclose only the personal information that is necessary to deliver the service and will have a contract in place that requires the provider to comply with Seashell and GDPR data protection and information security requirements.
We may disclose your personal information to third parties if we are legally obliged to; or other agreements; or to protect the rights, property, or safety of the Seashell and persons associated with Seashell.
- Sometimes we cannot keep information confidential as we have an obligation to ensure that all children, young people and vulnerable adults are safe.
- Sometimes a court order may direct us to share your information.
- Sometimes you might ask us to share information on your behalf.
Additionally we share details with various other parties:
Whilst you are living at Seashell: Local and Central Government, Ofsted, Public Health, CQC, Activity providers, Department of Health, Department for Work and Pensions, Health and Safety Executive, NHS services, multi- disciplinary teams around a child/young person, activity providers, safeguarding boards, Seashell Trust staff and representatives. Families, Advocates, Shared care providers, professional services, Trust fund providers where applications are made specifically for you.
Whilst you are learning at Seashell: Local and Central Government, Department for Education, Public Health, Health and Safety Executive, Department of Health, Ofsted, NHS Services, exam and course accreditation organisations, multi-disciplinary teams around a child/young person for competency, activity providers, our governors, technology solution providers, safeguarding boards, Seashell Trust staff and representatives, professional services consultants, regulatory body inspectors. professional services.
Whilst you are working at Seashell: Ofsted, HMRC, Public Health, Disclosure and Baring Service, Health and Safety Executive ( HSE) Local and Central Government, Department for Work and Pensions, Payroll services, Financial Audit services, Staff benefit package providers, Occupational Health/Physio service providers, Learning and development providers, apprenticship scheme providers, qualification accreditation providers, activity providers, reference service providers, Legal Services, Law Enforcement bodies, Trade union –where you are a member, Safeguarding boards, current, past and prospective employers, work experience – for references, parents and prospective parents, Professional Services consultants, regulatory body inspectors, Professional bodies that you are registered with, Partner organisations
As a service provider/partner/agency working with Seashell:
Ofsted, CQC, Local Authorities, Government Departments, Public Health, Health and Safety Executive, Legal Services, Law enforcement bodies, Safeguarding Boards, professional services, Disclosure and Baring Services, financial checking services, service accreditation providers, customers, Seashell employees, software providers, credit and fraud prevention check providers
As a Visitor/or accessing our Facilties services to Seashell
Public Health, Seashell employees, partner organisations, law enforcement authorities, External catering providers
Whilst you are volunteering at Seashell: Volunteer portal provider, Public Health, background check and reference providers, Disclosure and Baring Service, Seashell Trust staff and representatives, Safeguarding Boards, law enforcement bodies, regulatory body inspectors, Health and Safety Executive, Professional services.
Whilst you are supporting us at Seashell: HMRC – Gift Aid, shared with our authorised users, helping at events where applicable, event partners, external catering services, Trust fund providers where applications are made, Government departments – when bidding for funding offsite location providers for Health and Safety purposes, email marketing systems ,Fundraising Regulators, Health and Safety Executive, Seashell Trust staff and representatives. We may also share your personal data with third parties who help us with fundraising and engagement, for example, we may use a third-party to help us manage your participation in one of our events.
Whilst you are using Seashell sports and community services: Seashell Trust staff and representatives, Public Health, NHS Services, activity providers, background check and reference providers, , law enforcement bodies, regulatory body inspectors, partnership activity providers, safeguarding boards, Health and Safety Executive, Software providers, multi teams around a child or young person
Whilst you are using Seashell Sensory, Start and Health services as a customer: Seashell Trust staff and representatives, Public Health, Service Commissioners, Local Authority MDT teams where commissioned by a Local Authority, Health and Safety Executive, Safeguarding Boards, NHS Services, NHS Research projects, activity providers, learning and development providers, accreditation providers, offsite location providers for Health and Safety purposes.
If you wish to exercise any of your rights as listed below please write to us via the firstname.lastname@example.org email address, or to the Data Lead at our postal address on the website:
- Access your personal data – ask for a copy of your personal data at any time
- Ask us to correct, delete or update your personal information
- Ask to send your personal information to you or another organisation
- To object to automated decision making
- To restrict processing if this is contested or unlawful
Any request that you make will be considered in accordance with all applicable data protection laws and regulations. No administration charge will be made for considering or complying with a request, unless it is deemed to be excessive in nature.
Once verification of identity and entitlement to obtain or exercise the rights has been completed by us, we will complete the request to timescale.
During this time we will be
- processing testing information for staff, visitors and our students and residents.
- Additional health information has been provided voluntarily to risk assess students, residents and employees and others, and support individuals whilst onsite.
- Help to support infection prevention and control
- Provide statistical information to commissioners and partners
Vaccination status data
- This is being provided on a voluntary basis by employees, alongside health data to Seashell during the Pandemic in our services to risk assess employees and others, and support individuals whilst onsite.
From 11th November 2021
All employees, professionals, consultants, contractors, volunteers, casual workers and agency workers who are required to access Seashell’s CQC registered care homes need to provide evidence of vaccination status or exemption and cannot access the home until this has been provided and validated.
Seashell are processing this under Legal Obligation as detailed in the Health and Social Care Act 2008 (Regulated Activities) (Amendment) (Coronavirus) Regulations 2021 (Health and Social Care and Amendment Regs.) that come into force on 11 November 2021.
Some of the personal data is special category (sensitive) data concerning health. We are processing that data because it is necessary for reasons of substantial public interest and the exercise of a function conferred on the Trust by an enactment or rule of law, in accordance with Article 9(2)(g) of UK GDPR and Schedule 1 Part 2(6) of the Data Protection Act 2018
Details to be processed are:Name, Job role ( employees), whether you are vaccinated and the date we checked that, whether you are medically exempt ( we will not record the clinical reason/s for your exemption)
The regulations permit some persons to enter care homes in emergency situations without showing evidence of vaccination. In those circumstances we will record name, job role, company or organisation, the date of visit, and the nature of the emergency.
We will only collect the data from you.
Your data may be shared internally within the team of Seashell staff responsible for the care home, or with more senior managers for monitoring purposes.
We will not share your data with any other person or organisation, unless we are legally required to do so, for example in response to a court order or request from a lawful authority.
If you have any questions and concerns about this policy and our practices, or if you wish to file a complaint, please contact our Data Lead via email@example.com or calling 0161 610 0100. Or in writing to: Data Lead, Seashell, Stanley Road, Cheadle Hulme SK8 6RQ.
You also have the right to lodge a complaint with the Information Commissioners Office (ICO) if you believe your data has been processed in a way that does not comply with existing data protection legislation. You can do so by calling the ICO helpline on 0303 123 1113 or via their website https://ico.org.uk. However we are here to help and would encourage you to contact us to resolve your complaint first.