1. Introduction
Our Commitment to Privacy
At the Middlesex Association for the Blind (MAB), we are committed to protecting the privacy and security of personal data.
Consolidation of Policies
To provide greater clarity and transparency around our data protection practices, we have consolidated our Data Protection Policy and GDPR Policy into this comprehensive Privacy Policy. This unified policy outlines how we collect, process, store, and protect personal data in compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
2. Scope of this Policy
Who is Covered
This policy applies to all personal data controlled and processed by MAB, including data related to service users, volunteers, employees, and donors. It covers all staff, volunteers, trustees, and anyone processing personal data on behalf of MAB.
3. The Data We Collect
Types of Personal Data
MAB collects various types of personal data, including:
- Personal Information: Names, addresses, contact details, and medical information (where relevant)
- Volunteer Information: Names, addresses, contact details
- Donor Information: Donation history, Gift Aid declarations, communication preferences
- Interaction Records: Communications, support provided, feedback, and survey responses
- Staff Records: This includes information related to employment such as contact details, payroll information, performance reviews, disciplinary records, and absence records
4. How We Collect and Store Your Data
Collection Methods
We collect personal data primarily through service user applications, direct interactions, volunteer registration, and donor contributions.
Data Storage
Cloud-Based Storage
MAB uses secure, GDPR-compliant cloud-based systems to store and process personal data.
Paper Records
Some personal data may be stored in paper format, such as printed forms, notes, or correspondence. Typical examples include:
- Client intake forms
- Volunteer applications
- Employee contracts
- Donor pledge forms
Clean Desk & Shredding Procedure
MAB operates a clean desk policy, requiring staff to securely store all paper records containing personal data when not in use. Any paper records containing personal data that are no longer needed are securely shredded in compliance with data protection regulations. For electronic records, all PCs and mobile devices are password protected, and staff are instructed to lock them when away from their desks. All personal data is stored on secure cloud systems that employ their own robust security measures.
5. How We Use Your Data
Purposes of Data Processing
- Managing client support services
- Coordinating volunteer activities
- Managing donor relationships
- Generating reports
- Internal communications
- Maintaining employee and trustee records
6. Data Protection Principles
Core Principles We Follow
MAB adheres to the following key principles:
- Lawfulness, fairness, and transparency
- Purpose limitation
- Data minimisation
- Accuracy
- Storage limitation
- Integrity and confidentiality (security)
- Accountability
7. Lawful Basis for Processing
Legal Grounds for Data Use
MAB processes personal data only with a lawful basis, including:
- Consent
- Contract
- Legal obligation
- Vital interests
- Public task
- Legitimate interests
8. Your Rights
Your Rights under UK GDPR
Under the UK GDPR, you have various rights in relation to your personal data, including:
- The right to be informed about how your data is being used
- The right to access your personal data
- The right to rectify inaccurate or incomplete data
- The right to erase your data (also known as the “right to be forgotten”)
- The right to restrict processing of your data
- The right to data portability (obtaining and reusing your data for different services)
- The right to object to the processing of your data
- Rights related to automated decision making and profiling
For a full understanding of your rights, please visit the Information Commissioner’s Office (ICO) website or contact our Data Protection Officer (DPO).
Subject Access Requests (SARs) and other rights requests are overseen by the DPO.
9. Data Sharing
When and How We Share Data
MAB may share personal data with:
- Local authorities or police (safeguarding concerns)
- Volunteers (to help support service users)
- Relevant bodies (e.g., DBS, Charity Commission) for employee-related safeguarding issues
All sharing is done in compliance with UK GDPR and on a strict need-to-know basis.
10. Data Retention
How Long We Keep Your Data
We retain personal data only as long as necessary to fulfil the purposes for which it was collected, including satisfying any legal, accounting, or reporting requirements.
11. Security
Protecting Your Data
We prioritise the security of sensitive data through a multi-layered approach:
- Access Control: Secure logins with strong password policies, coupled with Two-Factor Authentication (2FA) for added protection against unauthorised access
- Threat Prevention: Robust antivirus and anti-malware software to proactively detect and neutralise potential threats
- Data Protection: Regular backups of business-critical data to ensure its availability and integrity in the event of system failures, cyber-attacks, or other disruptions
- Ongoing Security: Continuous monitoring and updates to our security protocols to address evolving threats and vulnerabilities
12. Data Breaches
What Happens if There’s a Breach
- Suspected breaches must be reported immediately to the Data Protection Officer (DPO)
- The DPO will assess the breach and, if necessary, report it to the Information Commissioner’s Office (ICO) within 72 hours
- MAB will communicate with affected individuals and document all breaches
13. Data Protection Impact Assessments (DPIAs)
Assessing High-Risk Processing
MAB will carry out DPIAs when using new technologies or processing likely to result in high risk. DPIAs will include a description of processing and purposes, necessity and proportionality assessment, risk assessment, and measures to address risks.
14. Training and Awareness
Educating Our Team
MAB provides appropriate data protection training to all staff and volunteers, with regular refreshers.
15. Data Protection Officer (DPO)
Our DPO and Contact Information
Valerie Hill (CEO) is MAB’s designated DPO. She is responsible for:
- Informing and advising on GDPR obligations
- Monitoring compliance
- Advising on DPIAs
- Cooperating with the ICO
Contact:
Email: info@aftb.org.uk
Phone: 020 8423 5141
16. Policy Review and Availability
Keeping the Policy Updated
This policy is reviewed annually or as needed to stay current. It is available to all MAB Trustees, Employees, Volunteers, and the public upon request.
Signed: Valerie Hill
Chief Executive Officer
Middlesex Association for the Blind
Date: 27/09/24
Appendix: Cookie Policy
What Are Cookies
Cookies are small text files that are stored on your device when you visit our website. They help us provide you with a better experience by remembering your preferences and improving our services.
Types of Cookies We Use
Essential Cookies
These cookies are necessary for our website to function properly and cannot be switched off. They include:
- Session Management Cookies: These help maintain your session while browsing our website
- Security Cookies: These help protect against fraudulent activity and enhance website security
Analytics Cookies
We use Google Analytics to help us understand how visitors use our website. These cookies collect anonymised information about:
- Pages you visit and how long you spend on them
- How you found our website
- What device and browser you’re using
- General location information (country/city level)
Important: We do not collect or store any personal information such as names, email addresses, or phone numbers through cookies. The only personal data processed is IP addresses, which are automatically anonymised by Google Analytics (the last part of your IP address is removed). This data processing is carried out under our legitimate interests for website improvement and service enhancement. Google Analytics processes this data on our behalf, and we do not directly access or store personal information beyond what Google’s service provides in anonymised form.
Cookie Consent
When you first visit our website, you will see a cookie consent banner. You can choose to:
- Accept all cookies (essential and analytics)
- Accept only essential cookies
- Manage your cookie preferences
Cookie Retention
Our cookies are typically stored for 365 days, after which they automatically expire. Essential cookies may have shorter retention periods based on their specific function.
Managing Your Cookie Preferences
You can manage your cookie preferences in several ways:
- Through our website: Use our cookie consent banner to change your preferences
- Through your browser: Most browsers allow you to control cookies through their settings
- Opt-out of Google Analytics: You can install the Google Analytics opt-out browser add-on
Impact of Disabling Cookies
If you choose to disable cookies:
- Essential cookies: Some website functionality may not work properly
- Analytics cookies: Your browsing experience will not be affected, although these cookies help us improve our services
Updates to This Cookie Policy
We may update this cookie policy from time to time. Any changes will be reflected in the main privacy policy review schedule.