GDPR Policy



2. The FosterSupport (FS) is the data controller. The FS’s contact information is:
Address: 1st Floor East Suite, Waterfront, Shipley, BD17 7EZ
Phone: 01274 028706
Email: advice@fostersupport.co.uk
Website: fostersupport.co.uk

3. The FS’s Data Protection Team can be contacted at:
Address: 1st Floor East Suite, Waterfront, Shipley, BD17 7EZ
Phone: 01274 028706
Email: advice@fostersupport.co.uk
Website: fostersupport.co.uk

4. As a membership organisation which provides support advice and representation, the FS gathers a fair amount of data. In addition to personal data pertaining to our members, we also gather data on our employees and volunteers, as well as on donors, supporters, and business contacts. Below we set out more information on the information gathered, and reasons for gathering.

5. Our mailing list is processed and controlled using MailChimp. For more information on how MailChimp processes your personal data and your data protection rights, please visit https://mailchimp.com/legal/data-processing-addendum/ and https://mailchimp.com/legal/privacy/

6. We use Stripe to process your payments. More information on how Stripe processes your personal data and your data protection rights, including your right to object, is available at https://stripe.com/gb/privacy

Your Data and How We Use It
As a membership organisation, which provides support advice and representation, the FS gathers a fair amount of data. In addition to personal data pertaining to our members, we also gather data on our employees and volunteers, as well as on donors, supporters, and business contacts. Further information may be found in our Data Protection Policy.

Data Processing
The data processing will mainly take place in the United Kingdom and the EU. However some data processing may occur in the United States as this is where the cloud servers of some of our data processors are located. There is also a slight risk that processing occurs in other non-EU countries if an email account is accessed there. However, the FS discourages this.

Your Rights
You have a number of rights under the GDPR, as summarised below. More detail on all of these rights can be seen in the FS Data Protection Policy. It is important to note that as long as it is clear which right you are attempting to exercise, there is no precise wording in which your request needs to be put.

1. Right of Access. You have the right to access your personal data and supplementary information. If requested, your data will be provided to you within one month, save for exceptional circumstances. For more information on this right, see the FS Data Protection Policy.

2. Right to Rectification. You have the right to have your personal data rectified if it is inaccurate or incomplete. For more information on this right, see the FS Data Protection Policy.

3. Right to Erasure. You have the right, in certain circumstances, to request the deletion or removal of your personal data. For more information on this right, see the FS Data Protection Policy.

4. Right to Restrict Processing. You will have the right to ‘block’ or suppress processing of your personal data in certain circumstances. For more information on this right, see the FS Data Protection Policy.

5. Right to Object. You have the right to object to the processing of your data in certain circumstances. These include if the processing is based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling), if your data is being used for direct marketing (including profiling) and if we are processing your data for the purposes of scientific/historical research and statistics. Your objection must be on grounds relating to your particular situation.

If you wish to exercise your right to object, your objection should be communicated to:

1. If you are an employee, to your line manager;
2. If you are a volunteer, to your main contact at FS;
3. If you are a member and the request relates to membership data, to the DPO (contact information above);
4. If you are a member and the data relates to a case you have or had with the case work team, to your caseworker;
5. For any other reason, or for more than one of the above, to the FS (contact information above).

If an objection is received, the FS will cease processing your data unless:

1. We can demonstrate compelling legitimate grounds for the processing, which override your interests, rights and freedoms; or
2. The processing is for the establishment, exercise or defence of legal claims.

If you feel the FS has not processed your data in compliance with the law, or has in some other way breached your data protection rights, you can make a complaint to the Information Commissioner’s Office (ICO). The ICO’s contact details are:
1. Helpline: 0303 123 1113
2. Live chat: ico.org.uk/global/contact-us/live-chat
3. Email: casework@ico.org.uk
4. Website: ico.org.uk

Reference Version
This policy is reproduced here. The guiding current version may be found here (PDF).GDPR Data Protection Policy Data Protection Policy

What Data We Gather And Why

1. Data Protection And You
As a membership organisation which provides support advice and representation, the FS gathers a fair amount of data. In addition to personal data on our members, we also gather data on our employees and volunteers, as well as on donors and business contacts.

Below we set out more information on the information gathered and reasons for gathering.

2. Membership Data
1. The FS maintains membership records for all members. The records include such things as the member's name, contact details, bank information, and location. This information is provided by the members.

2. An individual's membership records are maintained by us throughout their membership and for six years post-membership.

3. The lawful basis for collecting this data is known as "Legitimate Interests" (GDPR Article 6(1)(f)). The legitimate interest we pursue is running a social enterprise not for profit whose primary purposes are providing support and representation for members, campaigning to improve working conditions and social enterprise activities via the Alliance Foundation.

4. The FS has conducted a Data Protection Impact Assessment (DPIA) and concluded that the above legal bases for processing membership data are appropriate. A copy of the DPIA can be provided to members upon request

.5. The FS engages data processors to assist with the processing of membership data. Types of processors include email servers such as gmail, Direct Debit payments and management using Stripe, and other processors which facilitate communication with members, such as MailChimp. The FS reserves the right to engage other processors as and when is necessary to assist with the processing of membership data in furtherance of the legitimate aims identified above, and suitable information is provided in the privacy policy section above.

3. Casework Data
1. The FS maintains additional records for members who are seeking support advice and/or representation with our case work team. The records include such things as extensive details related to their occupation or licensing and in many cases will include medical records. This information is provided mainly by the members though some may be provided by third parties involved in the member’s case.

2. An individual’s casework records are maintained by us during their case and for six years post-case.

3. The lawful basis for collecting this data is known as “Legitimate Interests” (GDPR Article 6(1)(f)). The legitimate interest we pursue is providing quality advice and representation to FS members.

4. The FS has conducted a Data Protection Impact Assessment (DPIA) and concluded that the above legal bases for processing casework data are appropriate. A copy of the DPIA can be provided to members upon request.

5. The FS engages data processors to assist with the processing of casework data. Types of processors include email servers such as gmail and electronic document storage such as Google Drive. The FS reserves the right to engage other processors as and when is necessary to assist with the processing of casework data in furtherance of the legitimate aims identified above.6. The FS will redact all identifying data in relation to looked after children.

4. Employee Data

1. The FS collects personal data on its employees so as to carry out its function as an employer. The records include such things as contact details, CVs, bank details, and employment records. This information is provided by the employees.

2. This data is maintained by us for two years or as long as is necessary for the defence of potential legal claims.

3. The lawful basis for collecting this data is known as “Legitimate Interests” (GDPR Article 6(1)(f)). The Legitimate interest we pursue is: being a fair employer which provides staff with all relevant statutory rights as well as terms and conditions above and beyond those required by statute.

4. The FS has conducted a Legitimate Interest Assessment (LIA) for this category of data processing and has concluded that legitimate interests is an appropriate lawful basis for the processing. The LIA can be provided to employees upon request.

5. The FS engages data processors to assist with the processing of employee data. Types of processors include email servers such as Gmail, electronic document storage such as Google Drive, and other processors which facilitate the FS’s role as an employer. The FS reserves the right to engage other processors as and when is necessary to assist with the processing of employee data in furtherance of the legitimate aims identified above.

5. Volunteer Data1. The FS collects personal data on its volunteers so as to carry out its function as a voluntary/non-profit organisation which uses volunteers. The records include such things as contact details and CVs. This information is provided by the volunteers.

2. This data is maintained by us for six years after volunteering or as long as is necessary for the defence of potential legal claims.

3. The lawful basis for collecting this data is known as “Legitimate Interests” (GDPR Article 6(1)(f)). The legitimate interest we pursue is being a voluntary/non-profit organisation which depends on the help of volunteers to function.

4. The FS has conducted a Legitimate Interest Assessment (LIA) for this category of data processing and has concluded that legitimate interests is an appropriate lawful basis for the processing. The LIA can be provided to volunteers upon request.

5. The FS engages data processors to assist with the processing of volunteer data. Types of processors include email servers such as Gmail and electronic document storage such as Google Drive. The FS reserves the right to engage other processors as and when is necessary to assist with the processing of volunteer data in furtherance of the legitimate aims identified above.

6. Donor and Supporter Data

1. The FS collects personal data on donors and supporters so as to carry out fundraising activities and obtain support for campaigns and other initiatives. The data concerned are names and contact information. This information is provided by the donors, supporters, or a third party which assists in the fundraising or campaigning efforts.

2. This data is maintained by us indefinitely or until it is requested we delete it.

3. The lawful basis for collecting this data is known as “Legitimate Interests” (GDPR Article 6(1)(f)). The legitimate interest we pursue is to obtain donations and support from individuals in order to help finance the FS as a voluntary/non-profit organisation and support the FS as a campaigning organisation.

4. The FS has conducted a Legitimate Interest Assessment (LIA) for this category of data processing and has concluded that legitimate interests is an appropriate lawful basis for the processing. The LIA can be provided to donors and supporters upon request.

5. The FS engages data processors to assist with the processing of donor and supporter data. Types of processors include email servers such as gmail, electronic document storage such as Google Drive, and other processors which facilitate communication with donors and supporters, such as MailChimp. The FS reserves the right to engage other processors as and when is necessary to assist with the processing of donor and supporter data in furtherance of the legitimate aims identified above.

7. Business Contacts' Data

1. The FS collects personal data on business contacts so as to be able to liaise with other organisations to achieve its aims. The data concerned are names and contact information. This information is provided by the business contacts themselves, by third party mutual contacts, or is publicly available.

2. This data is maintained by us indefinitely or until it is requested we delete it.

3. The lawful basis for collecting this data is known as “Legitimate Interests” (GDPR Article 6(1)(f)). The legitimate interest we pursue is to have a network of like-minded organisations with whom the FS can work to achieve its aims.

4. The FS has conducted a Legitimate Interest Assessment (LIA) for this category of data processing and has concluded that legitimate interests is an appropriate lawful basis for the processing. The LIA can be provided to business contacts upon request.

5. The FS engages data processors to assist with the processing of business contacts’ data. Types of processors include email servers such as gmail, electronic document storage such as Google Drive, and other processors which facilitate communication with business contacts, such as MailChimp. The FS reserves the right to engage other processors as and when is necessary to assist with the processing of business contacts’ data in furtherance of the legitimate aims identified above.

Your Rights

1. Right of Access

1. You have the right to access your personal data and supplementary information. This will allow you to be aware of and verify the lawfulness of the FS’s processing of this data.

2. To request access to your personal data, please send your request to the FS (contact information below) and entitle the request: “Access to Personal Data”.

3. So as to ensure that your data is not accidentally disclosed to a third party, the FS will use reasonable means to verify your identity.

4. Once a request is received, your information will be provided to you free of charge, save for exceptional circumstances. However, the FS does reserve the right to charge a reasonable fee when a request is manifestly unfounded or excessive, particularly if it is repetitive. The FS may also charge a reasonable fee to comply with requests for further copies of the same information. The fee will be based on the administrative costs of providing the requested information.

5. Your information will be provided without delay and at the latest within one month of receipt, save for exceptional circumstances. If your requests are complex or numerous, the FS may extend the period for compliance by a further two months. However, if this is the case, we will contact you within one month of receipt of your request, in order to explain why the extension is necessary.

6. In the unusual event that for some legitimate reason the FS refuses to respond to a request, the FS will, without delay, and no later than one month from receiving the request, write to you to explain the rationale of the refusal and informing you of your right to complain to the Information Commissioner’s Office (ICO) and to a judicial remedy.

2. Right to Rectification

1. You have the right to have your personal data rectified if it is inaccurate or incomplete.

2. If the FS has disclosed the personal data in question to others, we will contact each recipient and inform them of the rectification unless this proves impossible or involves disproportionate effort. If requested, the FS will provide you with information about these recipients.

3. Once a request for rectification is received, the FS will comply within one month unless the request for rectification is complex, in which case the time period may be extended by a further two months.

4. In the unusual circumstance that the FS for some legitimate reason does not take action in response to a request for rectification, we will explain why, and will inform you of your right to complain to the ICO and to a judicial remedy.

5. Your request should be sent to:

1. If you are an employee, to your line manager;

2. If you are a volunteer, to your main contact at FS;

3. If you are a member and the request relates to membership data, to the DPO (contact information below);

4. If you are a member and the data relates to a case you have or had with the case work team, to your caseworker;

5. For any other reason, or for more than one of the above, to the FS (contact information below).

3. Right of Erasure

1. You have the right, in certain circumstances, to request the deletion or removal of your personal data where there is no compelling reason for its continued processing.

2. The right to erasure does not provide an absolute ‘right to be forgotten’. You have a right to have your personal data erased and to prevent processing in the following specific circumstances:

1. When your personal data is no longer needed in connection with the purpose for which it was originally collected/processed;

2. If you object to the processing of your data and it can be demonstrated that there is no overriding legitimate interest for continuing the processing;

3. If your data was unlawfully processed (ie. otherwise in breach of the GDPR); or

4. Your personal data has to be erased in order to comply with a legal obligation.

3. Your right of erasure is not limited to circumstances in which the processing of your data is causing you unwarranted and substantial damage or distress. However, if the processing does cause you damage or distress, this is likely to make the case for erasure stronger.

4. The FS may refuse your request for erasure if we are processing your data for any of the following reasons:

1. To exercise the right of freedom of expression and information;

2. For public health purposes in the public interest;

3. Archiving purposes in the public interest, scientific research, historical research, or statistical purposes; or
4. The exercise or defence of legal claims.

5. If your request for erasure is granted, and the FS has disclosed the data in question to others, we will contact each recipient and inform them of the erasure of the aforementioned personal data – unless this proves impossible or involves disproportionate effort. If requested, we will inform you about these recipients.

4. Right to Restrict Processing

1. You will have the right to ‘block’ or suppress the processing of your personal data in certain circumstances. When this right is engaged, the FS may elect to store your personal data, but we will not further process it. We will retain just enough information about you to ensure that the restriction is respected in future.

2. The FS will restrict the processing of your personal data in the following circumstances:

1. If you contest the accuracy of the personal data we will restrict processing until we have been able to verify that accuracy.

2. If you object to the processing of your personal data (more on which below) and the processing is necessary for the purpose of legitimate interests, the FS will restrict the processing of this data while we consider whether our legitimate grounds override yours.

3. If the processing of our data has been found to be unlawful and you prefer restriction to erasure, we will restrict processing of your data.

4. If the FS no longer needs your personal data but you require the data to establish, exercise or defend a legal claim, then we will restrict processing of your data.

3. If the FS has disclosed your personal data to others, we will contact each recipient and inform them of the restriction on the processing of the personal data- unless this proves impossible or involves a disproportionate effort. If requested, we will also inform you about these recipients.

4. If for some legitimate reason the FS decides to lift a restriction on processing, we will inform you of this.

5. Right to Object

1. You have the right to object to the processing of your data in certain circumstances. These include if the processing is based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling), if your data is being used for direct marketing (including profiling) and if we are processing your data for the purposes of scientific/historical research and statistics. Your objection must be on grounds relating to your particular situation.

If you wish to exercise your right to object, your objection should be communicated to:

1. If you are an employee, to your line manager;

2. If you are a volunteer, to your main contact at FS;

3. If you are a member and the request relates to membership data, to The DPO (contact information below);

4. If you are a member and the data relates to a case you have or had with the case work team, to your caseworker;

5. For any other reason, or for more than one of the above, to the FS (contact information below).

Data Protection Officer

1. The DPO’s role include:

1. To inform and advise the organisation and its employees about their obligations to comply with the GDPR and other data protection laws;

2. To monitor compliance with the GDPR and other data protection laws, including managing internal data protection activities, advise on data protection impact assessments, train staff and conduct internal audits;

3. To be the first point of contact for supervisory authorities and for individuals whose data is processed (employees, customers, etc.).International Access The FS strongly discourages its reps, officials, employees, or volunteers from transferring personal data held by the FS outside of the EU. In other words, accessing FS email, Google Drive, and other FS accounts is discouraged outside of the EU.

Personal Data Breaches
1. The FS will make all reasonable efforts to keep your data secure. However, there may be times when an accidental breach is unavoidable. This section of the policy outlines what actions the FS will take if a breach does occur.

2. A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes. It also means that a breach is more than just about losing personal data. For example, personal data breaches can include:

1. Access by an unauthorised third party;
2. Deliberate or accidental action (or inaction) by a controller or processor;
3. Sending personal data to an incorrect recipient;
4. Computing devices containing personal data being lost or stolen;
5. Alteration of personal data without permission; and
6. Loss of availability of personal data.3. If a breach does occur, or if it’s possible a breach might have occurred, it must be reported immediately to the FS’s data protection team.

The team can be contacted at:

1. Email: advice@fostersupport.co.uk

2. Phone: 01274 028706. If one of our processors becomes aware of a breach they must inform us without delay, and we will then follow the same steps as below.

3. Once aware of the breach a member of the team will immediately take steps to investigate the incident and ascertain whether or not the breach was a result of human error or a systemic issue as well as how a recurrence can be prevented- whether this is through better processes, further training or other corrective steps. All information related to the breach and corresponding investigation will be recorded.

4. However, within 72 hours of becoming aware of the breach, if feasible, the FS will establish- based on the information available to it at the time- the likelihood and severity of the resulting risk to people’s rights and freedoms. If it’s likely that there will be a risk then we will notify the Information Commissioner’s Office (ICO) of the breach. If a risk is unlikely then the incident will not be reported, however we will document this and the reasons for coming to the conclusion that reporting to the ICO was not necessary. It is important to highlight that this assessment will be carried out even if the investigation is not yet complete, due to the strict time limits on reporting breaches under the GDPR.

5. If the breach is likely to result in a high risk to the rights and freedoms of individuals, then the individuals concerned will be informed of the breach without delay.

Handling Membership Data

1. If you are an FS official who handles membership data you need to take all necessary precautions to ensure the data is kept safely and securely. If you have any doubts or questions on how to do this please contact the FS’s Data Protection Officer.

2. If you are transporting any physical copies of personal data - which is strongly advised as not to do - or hardware containing data, you need to be careful to always double check and make sure you have everything with you and do not accidentally leave behind in a public place personal data.

3. If you are an FS official, volunteer, or employee who handles membership or casework data, it is prohibited to use non-FS emails to transmit this data.

Press
The FS actively engages with the press in furtherance of its campaigns. If you are a member there may be times when you are asked to engage with the press. This will always be your choice and you will be asked to sign a consent form before any of your data is shared with the press. There will be no negative consequences for you should you choose not to engage.

Communication with Members
1. If you are an FS official, employee, or volunteer communicating with members via email, you must not reveal email addresses to recipients unless it is for the purpose of an organising initiative where the FS is facilitating collaborative action among recipients. This should be the exception with email communications and members must be given the right to opt out.

2. Similarly, if you are emailing more than 30 members for standard communication you must use a provider such as MailChimp or similar, rather than BCC as the risk of CCing by accident is too great.

Contact Information
1. The FS’s contact information is:
Address: 1st Floor East Suite, Waterfront, Shipley, BD17 7EZ
Phone: 01274 028706
Email: advice@fostersupport.co.uk
Website: fostersupport.co.uk

2. The FS’s Data Protection Team can be contacted at:
Address: 1st Floor East Suite, Waterfront, Shipley, BD17 7EZ
Phone: 01274 028706
Email: advice@fostersupport.co.uk
Website: fostersupport.co.uk

Keeping this Policy Updated
1. If you have feedback on this policy or FS data protection practices, please email us at advice@fostersupport.co.uk.
2. This policy will be kept under review and an updated version issued annually.

Reference Version
1. This privacy notice is supplied in compliance with the FosterSupport (FS)’s data protection obligations under the General Data Protection Regulations (GDPR).

Thank you! You have been subscribed to the FosterSupport mailing list
Oops! Something went wrong while submitting the form.

You may have seen John Lewis Partnership announce their intention to become a  fostering friendly employer.
FosterSupport is one of the organisations who have been working with them over the past year. After many months of collaboration this August we facilitated a series of bespoke training courses to JLP managers to give them an insight into the trauma informed training foster carers use when supporting young people to enable them to better understand how to support their care experienced employees. This collaboration will continue next year as they continue to expand their employment scheme. We have also had meetings to provide advice and information to support their bespoke fostering friendly employer scheme. With our support they plan to make this the gold standard policy for fostering friendly organisations. HERE is the video we made for them to promote the internal training sessions. The feedback we received from them about the training was brilliant.

ALBION MILLS BUSINESS CENTRE,
Albion Rd,
Greengates,
Bradford,

BD10 9TQ

01274 946660
advice@fostersupport.co.uk

VAT No. 426476676

Website by Averment - © 2020 FosterSupport Ltd