Privacy Notice

You Decide Ltd, t/a Space Unlimited

 

 

  1. Introduction

 

You Decide Ltd t/a Space Unlimited is a social enterprise and registered charity, working across Scotland and beyond.  We facilitate experiences to help young people, organisations (eg schools) and communities to design and take action together.

 

You Decide Ltd t/a Space Unlimited collects and processes personal data which relates to clients (including young people), staff, and other individuals to allow the organisation to fulfil its functions.  We keep personal information only for as long as is necessary to perform our functions.

 

We are committed to complying with the European Union’s General Data Protection Regulations (GDPR), May 2018, and the UK’s Data Protection Act 2018. 

 

 

  1. Data Controller/Processor

 

Sometimes Space Unlimited is a data controllerand other times a data processor. In some projects, Space Unlimited may move between the roles of data processorand data controller. In both roles we will use certain data for specific purposes which are outlined below.

 

Space Unlimited generally acts in one of two ways:

 

  • School projects and partnerships– Generally, schools engage Space Unlimited on a specific project and use their own consent forms to collect information from pupils and parents. We then provide the services as engaged by the schools, and we only retain records of the pupils in an anonymised form for reports to funders or for internal records.  In these circumstances, Space Unlimited is a processoron behalf of the schools, who are the controllers.

 

  • Community-based projects and partnerships– Sometimes, Space Unlimited provides services via a partner with the arrangement that we use our own consent forms to obtain details from pupils and parents.  In these circumstances, Space Unlimited may be a controlleralong with the partner organisation. However, this would be considered on an individual project basis.

 

  1. Data controller

 

The data controller is You Decide Ltd, t/a Space Unlimited.  The main contact for GDPR/Data Protection enquiries is Gill Gracie:

 

Email:  gill@spaceunlimited.org

Post:     You Decide Ltd t/a Space Unlimited, 101 Rose Street South Lane, Edinburgh, EH2 3JG.

 

If you require any further information about GDPR, you can contact the Information Commissioner’s Office (ICO) at https://ico.org.uk.

  

  1. Your data protection rights

 

You have the following rights:

  • the right to access the personal data held about you by making a subject access request in accordance with the Data Protection Legislation;
  • the right to have your personal data rectified if it is inaccurate or incomplete;
  • the right to request to have your personal data deleted in certain specific circumstances as set out in the Data Protection Legislation;
  • the right to request to restrict the processing of your personal data in certain specific circumstances as set out in the Data Protection Legislation;
  • the right to ask us not to process your personal data for marketingpurposes or for purposes based on our legitimate interests; 
  • the right to ask us to not undergo automated decision making; and
  • where you have provided consent, to request to withdraw such consent at any time.

 

 

  1. What types of information and data are collected and why? What is the legal basis for collecting the information and data? How long do we retain the data?

 

INFORMATION

WHY WE COLLECT IT

LEGAL BASIS

DATA RETENTION

Consent forms (consent of young person and parent).  Personal details which identify the family and pupil for the purposes of demonstrating consent, e.g. family name, child or young person’s date of birth, address, telephone number(s), email address.

 

Occasionally, eg for long, community-based projects, the consent form will include a request for the young person’s mobile number.

To make sure we have consent to provide our service.

 

 

 

 

 

 

Young person’s mobile number - only ever for reminders about forthcoming events.

Our contract with the school, the young person and the parent/carer.

For the duration of the project. Thereafter all information is anonymised and only utilised for reporting obligations to funders and for organisational records.

Consent forms (consent of young person and parent). 

Any medical condition and medication.

To manage any risk regarding medical conditions while we are working with the young person

Legitimate interest

For the duration of the project.

Equalities data.  We collect data about sex, ethnicity and disability/additional support needs.

To allow us to collate anonymized statistical data on equalities for reporting to funders.

Legitimate interest

For the duration of the project. Thereafter all information is anonymised and only utilised for reporting obligations to funders and for organisational records.

Information from third parties.  We may also collect information about the young person from third parties, e.g. school staff, other professionals.

To discuss with the school or other professional if required. To help us provide our services to you.

Consent of the young person and parent/carer

For the duration of the project. Thereafter all information is anonymised and only utilised for reporting obligations to funders and for organisational records.

   

Board of trustees.  Trustees are asked to provide:  name, address, phone number, date of birth, passport number, national insurance number, and information for the ‘Directors’ Register of Interests’.  These details are forwarded to Companies House. When being recruited, they may also choose to provide a CV. 

We forward name, address, phone number, date of birth, passport number, and national insurance number to Companies House, and the organisation’s banking provider (currently CAF Bank

Legal obligation

For the duration of their tenure as a trustee. 

If the trustee gives permission, when they cease to be a trustee, we keep name, address and email address.

Information about employees, associates and applicants. 

Name, address, phone number, email address, PVG record and CV.

 

Employees’ salary and pension information

Associates’ fee information

For the purpose of staff administration.

Contract

 

 

 

 

 

Legal obligation (salary and pension)

 

For the duration of their time as an employee, associate or applicant. 

If they give permission, when they cease to be an employee, associate or applicant, we keep name, address and email address.

Client and potential client enquiries. Name and contact details of person who has made an enquiry via the ‘Contact’ page on website, or via email, or via Twitter

 

For the purpose of responding to the enquiry.

Consent

With permission of the client or prospective client, we will keep this information in password-protected files electronically.

 

6.   Our website

 

Analytics  Our website uses Google Analytics to track website traffic, which does not collect or store any personal information about you. 

 

Cookies   Cookies are text files placed on your computer when you use a website. Our website does not use cookies for collecting or storing personal information about you. It uses temporary cookies called “session cookies” which allow our website to function effectively.  Session cookies only store a "session ID" - a string of random characters - which allows the website to group together and distinguish page requests from your browser during each browsing session. They are not stored on your computer's hard disk and are held in memory, expiring automatically when you close down your browser. 

 

7. Data security

 

We are committed to ensuring that your information is secure, and we store the information in line with the General Data Protection Regulation guidelines. Access to information is limited to only those who need to know, and we take appropriate measures to ensure that our people are aware that such information is only to be used in accordance with this privacy notice.  We do not sell, share, or disclose personally identifiable information with any other party. We undertake regular reviews of who has access to information that we hold, to ensure that your information is only accessible by appropriately trained employees and associates. We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

 

 

 

  1. Changes to our privacy notice

 

We keep our privacy notice under regular review.  This version was last updated in February 2019.

 

 

Date approved by Board: 7th February 2019