- Keeping your data up to date and your rights
In order to update, amend and correct your information, you also have the following rights:
- To erase personal data we hold about you.
- To request us to restrict the processing of the personal data we hold about you.
- To object to us processing personal data relating to you.
- Where you have given us consent to process your personal data, you have the right to withdraw that consent at any time.
- You have the right to obtain certain personal data from us in a format that can be transferred electronically to a third party (also called “data portability”).
Please note that some of these rights are not absolute. In some cases, we may refuse a request to exercise particular rights if complying with it would mean that we are no longer able to meet our contractual obligation to provide you with particular services. However, we will keep you informed as to the actions that we can take when you make your request.
- How to get a copy of your personal information
You can get a copy of all the personal information we hold about you by emailing us at the stated address or by writing to us at this address:
The Enterprise Centre
20 Royal Scot Road
Pride Park, Derby
- How personal information is used
Why we use your personal information
Personal information can be anything that identifies and relates to a living person. This can include information that when put together with other information can then identify a person. For example, this could be your name and contact details.
We may need to use some information about you to:
- deliver services and support to you;
- manage those services we provide to you;
- train and manage the employment of our workers who deliver those services;
- help investigate any worries or complaints you have about your services;
- check the quality of services; and
- help with research and planning of new services.
How the law allows us to use your personal information
There are a number of legal reasons why we need to collect and use your personal information. Generally, we collect and use personal information for the purposes below:
- you have entered into a contract with us
- it is necessary to perform our statutory duties
- it is necessary to protect someone in an emergency
- it is required by law
- it is necessary for employment purposes
- it is necessary to deliver health or social care services
- you have made your information publicly available
- it is necessary for legal cases
We only use what we need
Where we can, we’ll only collect and use personal information if we need it to deliver a service or meet a requirement.
If we don’t need personal information we’ll either keep you anonymous if we already have it for something else or we won’t ask you for it. We don’t sell your personal information to anyone else.
You can ask to delete information (right to be forgotten)
In some circumstances you can ask for your personal information to be deleted, for example:
- Where your personal information is no longer needed for the reason why it was collected in the first place
- Where you have removed your consent for us to use your information (where there is no other legal reason for us to use it)
- Where there is no legal reason for the use of your information
- Where deleting the information is a legal requirement
Where your personal information has been shared with others, we’ll do what we can to make sure those using your personal information comply with your request for erasure.
We can’t delete your information where:
- we’re required to have it by law
- it is used for freedom of expression
- it is used for public health purposes
- it is for scientific or historical research, or statistical purposes where it would make information unusable
- it is necessary for legal claims
Limiting what we use your personal data for
You have the right to ask us to restrict what we use your personal information for where:
- you have identified inaccurate information, and have told us of it
- we have no legal reason to use that information, but you want us to restrict what we use it for rather than erase the information altogether.
When information is restricted it can’t be used other than to securely store the data and with your consent to handle legal claims and protect others, or where it’s for important public interests of the UK.
You have the right to ask us to stop using your personal information. However, if this request is approved this may cause delays or prevent us delivering that service.
You can ask to have your information moved to another provider (data portability)
You have the right to ask for your personal information to be given back to you or another service provider of your choice in a commonly used format. This is called data portability.
Who do we share your information with?
We may share your information with subsidiaries of DD who will help to deliver the services you require. There will always be an agreement in place to make sure that the organisation complies with data protection law.
- in order to find and stop crime and fraud; or if there are serious risks to the public, our staff or to other professionals;
- to protect a child; or
- to protect adults who are thought to be at risk, for example if they are frail, confused or cannot understand what is happening to them
For all of these reasons the risk must be serious before we can override your right to privacy.
- How long we retain your personal information
We retain your information in accordance with our data retention, deletion and security policies. These set out the criteria we use to determine how long we keep your information and what measures we put in place to keep your information safe and secure. When deciding what to retain, we take into account what information we need to best provide you with services, manage your relationship with us, meet our statutory obligations and meet our customers’ and previous customers’ reasonable expectations.
We may keep your data for up to 10 years after you stop being a customer. The reasons we may do this are:
- To respond to a question or complaint, or to show whether we gave you fair treatment
- To study customer data as part of our own internal research
- To obey rules that apply to us about keeping records
We may also keep your data for longer than 10 years if we cannot delete it for legal, regulatory or technical reasons.
We will only use your personal information for those purposes and will make sure that your privacy is protected.
- How the law protects you
Data Protection law states that we are allowed to use personal information only if we have a proper reason to do so. This includes sharing it outside of Disability Direct. The law specifies we must have one or more of these reasons:
- To fulfil a contract we have with you, or
- When it is our legal duty, or
- When it is in our legitimate interest, or
- When you consent to it.
When we have a business or commercial reason of our own to use your information, this is called a ‘legitimate interest’. We will tell you what that is, if we are going to rely on it as the reason for using your data. Even then, it must not unfairly go against your interests.
The law and other regulations treat some types of sensitive personal information as special. This includes information about racial or ethnic origin, sexual orientation, religious beliefs, trade union membership, health data, and criminal records. We will not collect or use these types of data without your consent unless the law allows us to do so. If we do, it will only be when it is necessary:
- For reasons of substantial public interest, or
- To establish, exercise or defend legal claims.
Here is a list of all the ways that we may use your personal information, and which of the reasons we rely on to do so. This is also where we tell you what our legitimate interests are:
- Serving you as a customer
- Business improvement
- Managing our operations
- Managing security, risk and crime prevention
- Processing special categories of personal data (Substantial public interest, responding to regulatory requirements, Legal claims, Consent).
- How do we protect your information
We will do what we can to make sure we hold records about you (on paper and electronically) in a secure way, and we will only make them available to those who have a right to see them. Examples of our security include:
- Encryption, meaning that information is hidden so that it cannot be read without special knowledge (such as a password). This is done with a secret code or what’s called a ‘cypher’. The hidden information is said to then be ‘encrypted’
- Pseudonymisation, meaning that we’ll use a different name so we can hide parts of your personal information from view. This means that someone outside of the business could work on your information for us without ever knowing it was yours
- We will store all the personal information that you have provided on our secure (password and firewall protected) servers. All electronic payments made to us will be encrypted using SSL technology.
- Controlling access to systems and networks allows us to stop people who are not allowed to view your personal information from getting access to it
- Training for our staff allows us to make them aware of how to handle information and how and when to report when something goes wrong
- Regular testing of our technology and ways of working including keeping up to date on the latest security updates.
- The control you have
How to withdraw your consent
You can withdraw your consent at any time. This will only affect the way we use information when our reason for doing so is that we have your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. If this is so, we will tell you.
If you want to share your data with outside companies
You have the right to get certain personal information from us as a digital file, so you can keep and use it yourself, and give it to other organisations if you choose to. If you wish, we will provide it to you in an electronic format that can be easily re-used, or you can ask us to pass it on to other organisations for you.
You can object to us keeping or using your personal information. This is known as the ‘right to object’.
You can also ask us to delete, remove, or stop using your personal information if there is no need for us to keep it. This is known as the ‘right to erasure’ or the ‘right to be forgotten’.
There may be legal or other official reasons why we need to keep or use your data. But please tell us if you think that we should not be using it.
We may sometimes be able to restrict the use of your data. This means that it can only be used for certain things, such as legal claims or to exercise legal rights.
You can ask us to restrict the use of your personal information if:
- It is not accurate
- It has been used unlawfully but you don’t want us to delete it
- It is not relevant any more, but you want us to keep it for use in legal claims
- You have already asked us to stop using your data but you are waiting for us to tell you if we are allowed to keep on using it
If we do restrict your information in this way, we will not use or share it in other ways while it is restricted.
If you want to object to how we use your data, or ask us to delete it or restrict how we use it, please contact us.
A cookie, also known as an HTTP cookie, web cookie, or browser cookie, is a small piece of data sent from a website and stored in a user’s web browser while the user is browsing that website. Every time the user loads the website, the browser sends the cookie back to the server to notify the website of the user’s previous activity.
We may use traffic log cookies to identify which pages are being used. This helps us analyse data about web page traffic and improve our website in order to tailor it to customer needs. We only use this information for statistical analysis purposes and then the data is removed from the system.
Overall, cookies help us provide you with a better website, by enabling us to monitor which pages you find useful and which you do not. A cookie in no way gives us access to your computer or any information about you, other than the data you choose to share with us.
You can choose to accept or decline cookies. Most web browsers automatically accept cookies, but you can usually modify your browser setting to decline cookies if you prefer. This may prevent you from taking full advantage of the website.
- Data Breach notifications
As per the GDPR, we have a duty to report certain types of personal data breach (if we accidentally or unlawfully destroy, lose, alter, disclose or give access to personal data) to the relevant supervisory authority and to clients. We aim to do this within 72 hours of becoming aware of the breach.
- Notification of any change
We may update this policy from time to time. We will do so by uploading a new version to our website. Please check this page to ensure that you are satisfied with any amendments.
- Where can I get advice
If you have any worries or questions about how your personal information is handled, please contact our Data Protection Officer at firstname.lastname@example.org or by calling 01332 404025.
For independent advice about data protection, privacy and data sharing issues, you can contact the Information Commissioner’s Office (ICO) at:
Information Commissioner’s Office
Cheshire SK9 5AF
Tel: 0303 123 1113 (local rate) or 01625 545 745 if you prefer to use a national rate number.