Privacy policy

Introduction

At Step One Charity (SOC), we are committed to protecting your privacy. We will at all times respect any personal information you share with us, or that we receive from other organisations, and we will keep it safe.

This Privacy Policy explains what personal data SOC collects from you, through our contact with you, working together with other people and organisations and through the website.

In this policy, you’ll find important information about your personal rights to privacy, and how and why we use your personal information. If you have any questions, queries or concerns about any information on this page, please contact us; you can find our contact details at the bottom of the page.

This policy sets out how we are compliant with the UK General Data Protection Regulation (the “UK GDPR”) and includes:

a. The rights you have regarding your data, such as to access or amend it.

b. Details of how we collect, store, share and use personal data and why.

c. The lawful grounds we rely on to process your data.

d. How long we retain information.

e. Clarification that we may collect sensitive personal information, if we have a valid reason to do so and if permitted under the UK GDPR.

Scope

This policy specifically covers:

a. How we process your data.

b. The information we collect.

c. How we use your personal information.

d. How long we keep it.

e. Our lawful grounds for processing your information.

f. Processing sensitive data.

g. Where we may share your personal data.

h. Security, storage and access to your personal information.

i. Your rights.

j. How to contact us.

About SOC

In this Privacy Policy, SOC means registered charity (235434) with ICO registration number Z6133110. When we refer to our website, we are referring to this site: https://www.steponecharity.co.uk.

What we do:
  • Rehabilitation at Cypress Hospital. Cypress Hospital is a 24/7 inpatient rehabilitation service that provides specialist support to people with complex mental health recovery needs in southern and western Devon on their journey to recovery. Our team of experienced and compassionate professionals work closely with people and their families to develop a personalised treatment plan that meets individual needs and goals. The goal of our service is to help people recover, achieve their full potential and live fulfilling lives in the community. This means that we take referrals from external statutory partners within the NHS.
  • Supported living housing. Our supported living houses provide a safe and supportive environment for people with mental health concerns and/or autism spectrum conditions to live more independently. We tailor our support to each person’s individual needs, helping them to develop the skills and confidence they need to thrive in the community. This means that we take referrals from external statutory partners in the local authority and NHS.
  • Community support. Our one-to-one support service provides individually tailored support to people with mental health issues, autism spectrum conditions, or learning disabilities, helping them to live more independently in their communities. We offer a wide range of services, including community support, in-home support, employment support, housing support, and mental health support. We work closely with each person to understand their unique needs and develop a personalised support plan to help them reach their goals. This means that we take referrals from external statutory partners in the local authority and NHS.
  • BeWell@StepOne. BeWell@StepOne is a mental health support service that offers a variety of support options for people and businesses across Devon, including online workshops, in-person courses, support groups, activities, and learning opportunities. For individuals, we offer group-based support for a variety of mental health conditions. For businesses, we offer training and support to help create a mentally healthy workplace. Individuals and organisations self-refer into this service.
  • Devon Mental Health Alliance. The Devon Mental Health Alliance (DMHA) is a partnership between five local organisations in the voluntary, community and social enterprise (VCSE) sector providing support for people living with mental health problems across Devon. Launched in 2022, the DMHA leads on the implementation of the community portion of the Community Mental Health Framework (CMHF). The DMHA works closely with statutory partners in Devon — the Devon Partnership NHS Trust and Livewell Southwest — to design and deliver improved services across all areas of Devon to support people with moderate to severe mental illness. As part of this, SOC has Recovery Practitioners who provide psychologically-informed interventions through one-to-one and group work, as well as acting as a link to the wider community to ensure people have access to effective, local, and sustainable support. Recovery Practitioners also link with GPs, primary care networks, and mental health teams to help reduce waiting times and ensure that service users have access to the right support as their needs change. This means that we take referrals from external statutory partners in the local authority, primary care and NHS.

How we process your data

This policy sets out how we handle your data. It also explains your rights and options around how we use your personal information. We collect information about you when you:

a. Interact with us online.

b. Communicate with us.

c. Apply to work or volunteer for us.

d. Give us your personal information in any other way, for example, if you’re receiving support from SOC.

e. Register for training and workshops.

f. Fundraise for us.

g. Make a donation to SOC.

We also collect information about you when:

a. Others give it to us. This is when your personal information is given to us by third parties, such as other organisations that are supporting you – for example, NHS and Social Care providers, employers and other organisations. It could also be if you provide a donation through a third party such as Just Giving or one of the other third parties that we work with.

b. You are referred to us. As set out above, SOC provides a variety of services for people who are referred to us through a number of different external organisations such as statutory partners within the NHS and authorities. This may result in us processing your health data in order to engage you with our services.

c. When you visit this website. When you visit the SOC website, we may collect the following personal information:

(1) Technical information, including:

  • The internet protocol (IP) address used to connect your computer to the internet.
  • Your browser type and version.
  • Your time zone setting.
  • Browser plug-in types and versions.
  • Your operating systems and platforms.

(2) Information about your visit to our website, including:

  • The uniform resource locator (URL) clickstream to, through and from this site (including date and time)
  • Page response times.
  • Download errors.
  • Length of visits to certain pages.
  • Referral sources (how you arrived at the website).
  • Page interaction information (such as scrolling and clicks).
  • Methods used to browse away from the page.

d. We use cookies and similar technologies to enhance your browsing experience, analyse site traffic and serve targeted content. Some cookies are essential for the website to function properly and do not require your consent. For all other types of cookies, we obtain your consent before placing them on your device. You can manage or withdraw your consent at any time by adjusting your cookie preferences through our cookie banner or settings. We collect and use your personal information by using cookies on our website.

e. CCTV and Surveillance. We operate CCTV systems on some of our premises for the purpose of ensuring the safety and security of our staff, visitors, and property. These systems are used in accordance with data protection laws and are intended to prevent and detect crime, promote a safe environment and support investigations when necessary. CCTV footage is retained securely for a limited period unless required for an ongoing investigation or legal obligation. Access is strictly limited to authorised personnel.

f. Other information that is made available to the public. In order to tailor our communications with you to your background and interests we may collect information about you from publicly available sources or through third party subscription services or service providers.

The personal information we collect

We collect, store and use the following kinds of personal information:

a. Essential details such as your name and contact details.

b. Information about your computer/mobile device and your visits to and use of the website, including for example your IP address and geographical location.

c. Information about our services which you use/which we consider of interest to you.

d. Personal information we collect includes details such as your name, date of birth, email address, postal address, telephone number and credit/debit card details (if you are making a purchase or donation), as well as information you provide in any communications between us. You will have given us this information whilst making a donation or registering for an event, or any of the other ways to interact with us.

If you are receiving support from SOC or using our services:

a. Essential information such as date of birth, your NHS number and details of your next of kin.

b. Any contact we have had with you, for example when you have stayed in one of our services, visited us at one of our offices, or when we have visited you at home.

c. Details of the support that we provide for you, and any information that we may need to give this support, for example, any health conditions or disabilities, medicines that you may take, your employment history, your bank details (if we are supporting you with your finances), or any criminal convictions.

d. Relevant information from your relatives or those who care for you and know you well

e. Any other personal information shared with us as needed for us to provide high quality and safe services.

f. Sensitive personal information (special category data) as set out in paragraph 14 below.

If you are applying for roles with us, further details on the information we collect are covered as part of the Applicant Privacy Policy.

If you work with us, further details on the information we collect are covered as part of the Employee Privacy Policy.

If you volunteer with us, we collect and process your personal information to manage and support your volunteering activities. This may include your contact details, availability, experience, and any necessary background checks (where applicable). We use this information to coordinate volunteer schedules, ensure safety and safeguarding, and stay in touch with you about your volunteering role.

Our lawful basis for processing volunteer data is our legitimate interests in managing our volunteer programmes, and, where applicable, your consent.

Sensitive personal information (special category data)

UK GDPR recognises specific categories of personal information as sensitive and therefore requiring more protection. For example, this includes information about your health, religious beliefs, and ethnicity. In the course of providing support to people who use our services, SOC routinely processes sensitive personal data. In other limited cases, we may collect and use your sensitive personal information. In each case, we will only do so if we have a valid reason and the UK GDPR permits it, as described in how and why we will use your personal information.

How we use your personal information

We may use your personal information to:

a. Provide you with services or information you’ve asked us for or where it is provided as a necessity.

b. Follow up a referral made by the Devon Partnership Trust, Devon County Council, Torbay and South Devon NHS Foundation Trust, Primary Care or other professionals.

c. Give more information about our work, services, or activities.

d. Process your donations and other payments for events and services.

e. Further our charitable aims.

f. Research the impact and effectiveness of our work and services.

g. Register and administer your participation in events you’ve registered for.

h. Manage and keep our website safe and secure and for internal operations, including troubleshooting, data analysis, testing, research, statistical and survey purposes.

i. Improve your interactions with our website, for example by making sure that we present content most relevantly and effectively for you and your computer/mobile device.

j. Report on the results and impact of our work, services and events.

k. Analyse and improve our work, services, activities or information (including our website) or for our internal records.

l. Use IP addresses and monitor website use to identify locations, block disruptive use, record website traffic or personalise the way information is presented to you.

m. Process your application for a job or volunteer role with us.

n. Training and quality control.

o. Audit and administer our accounts.

p. Satisfy legal obligations which are binding on us, for example, arising from contracts entered into between you and us or concerning regulatory, government or law enforcement bodies with whom we may work.

q. Provide information for funders, where this is contractually required, and so that we can be paid for providing a service to you.

r. Prevent fraud, misuse of services or money laundering and to perform due diligence.

s. Reduce credit risk.

t. Communicate with you in any other way.

u. The establishment, defence and enforcement of legal claims.

If you are receiving support from SOC as a person who is using our services, we use your personal information to:

a. Plan your support and provide you with a high standard of service.

b. Provide health, social care and employment professionals who are involved in your support with relevant, accurate and up-to-date details about your support needs, including any mandatory regulatory reporting.

c. Investigate any concerns or complaints you may have, either about your support or the standards of service you are receiving.

d. Check and make improvements to our services.

e. In some cases, use your anonymised information (by removing anything that identifies you) to help us improve the quality of our services, and make sure that our services can be planned to meet the future needs of people.

If you are looking to support, or have supported, SOC by way of fundraising or making a donation:

a. We use your details to give you information about our work, services, events, and fundraising opportunities which we think might interest you. We will only do this if you have given us consent to contact you about this.

b. To process your donations or other payments, to claim Gift Aid on your donations and verify any financial transactions.

c. To provide the services or goods that you have requested.

d. To update you with important administrative messages about your donation, an event or services or goods you have requested.

e. To comply with the Charities (Protection and Social Investment) Act 2016 and follow the recommendations of the official regulator of charities, the Charity Commission, which require us to identify and verify the identity of supporters who make major gifts so we can assess any risks associated with accepting their donations.

f. To keep a record of your relationship with us.

g. Where you volunteer with us, to administer the volunteering arrangement.

We may also use your information:

a. To contact you about our work and how you can support SOC.

b. To invite you to participate in surveys or research.

Events and Training

If you register for or attend one of our events, workshops, or training sessions (in person or online), we may collect and process your personal information such as your name, contact details, dietary or accessibility requirements, payment information (if applicable) and feedback. We use this information to manage your participation in the event, communicate with you, improve future events, and fulfil any legal or reporting requirements. For any paid or externally funded events, we may also need to share information with our partners or funders, but only where necessary and appropriate.

Our lawful basis for this processing may include the performance of a contract, legitimate interests (in delivering and improving events), and, where applicable, your consent.

How long we keep your personal information

In general, if we no longer need your information for the reasons you gave it to us, we remove your personal information from our records seven years after the date it was collected. However, we’ll remove it sooner if:

a. Your personal information is no longer required for the purpose you shared it with us.

b. We’re no longer lawfully entitled to process it.

c. You ask us to remove it.

Please note that special rules apply to records that we keep when we support you. We are bound by certain laws and guidelines concerning how long we must keep these records. These are set out in our Data Retention Policy.

Our lawful grounds for processing your information

The UK GDPR requires us to rely on one or more lawful grounds to process your personal information. These are the grounds that are relevant to the services that we offer:

a. Where you’ve given your consent for us to use your personal information in a certain way. For example, if you are happy to share your story to help us to highlight the work we do, we will always ask for your consent to use your personal information in this way.

b. When it is necessary to process your health-related data, we will ensure that this is with your consent or, alternatively and in limited circumstances, when this is in your vital interest.

c. Where necessary so that we can comply with a legal obligation (for example, where we need to share your personal information with regulatory bodies which govern our work and services, or where we are bound by certain laws, such as the Mental Health Act).

d. Where necessary for the performance of a contract.

e. Where it is in your/someone else’s vital interests (for example, in case of a medical emergency).

f. Where there is a legitimate interest in us doing so.

What we mean by legitimate interests

The UK GDPR allows us to collect and process your personal information if it is reasonably necessary to achieve our or others’ legitimate interests, as long as that processing is fair, balanced and does not unduly impact your rights.

a. SOC’s legitimate interests. In broad terms, our legitimate interests mean running SOC as a charitable entity in pursuit of our aims and ideals. For example, by:

(1) Providing information about our services including fundraising events and initiatives.

(2) Providing training courses, seminars and other wellbeing events.

(3) Taking applications for staff and volunteers.

b. Your legitimate interests. Legitimate interests can also include your interests, such as when you have requested information or services from us.

c. How we balance these interests. When we legitimately process your personal information in this way, we consider and balance any potential impact on you (both positive and negative), and your rights under data protection laws. We won’t use your personal information for activities where the impact on you overrides our interests.

d. We will only contact you about our work and how you can support SOC by phone, email or text message, if you have provided consent for us to contact you in this manner. However, if you have provided us with your postal address we may send you information about our work and how you can support SOC by mail unless you have told us that you would prefer not to hear from us in that way.

e. You can update your choices or stop us sending you these communications at any time by contacting privacy@steponecharity.co.uk or by clicking the unsubscribe link at the bottom of the relevant communication. Please note that when you update your communication preferences it can take up to 28 days to take effect across all of our systems.

Where we may share your personal data

We never share, sell or rent your information to third parties for marketing purposes. However, we may disclose your personal information to selected third parties to achieve the other purposes set out in this policy. These may include (among others):

a. We may share personal data including health-related information with other professionals and organisations involved in your care and support (for example, we currently share information with referring organisations including Devon County Council, Devon Partnership Trust, Torbay and South Devon NHS Foundation Trust, various Primary Care Networks and other NHS Trusts).

b. To provide care and support, where it is necessary, we may use third-party vendors to process health-related information.

c. Business partners, suppliers and sub-contractors, such as other organisations that make up the Devon Mental Health Alliance.

d. Analytics and search engine providers.

e. IT service providers.

f. Other beneficiaries, executors and legal advisers.

In particular, we reserve the right to disclose your personal information to third parties:

g. In the event that we sell or transfer any part of our business, in which case we will disclose your personal information, where it is relevant, to the prospective seller or buyer of such business, under the terms of this Privacy Policy. They will be permitted to use the data for the purposes for which we originally collected it.

h. If we are under any legal or regulatory duty to do so.

i. To protect the rights, property or safety of SOC, its employees, people who use its services, visitors or others.

Security, storage and access to your personal information

We will always keep your personal information safe and secure. We might store your information in paper or electronic records, or a combination of both. We restrict all our records so that only those individuals who need to know the information can get access. We have appropriate and proportionate security policies and organisational and technical measures in place to help us do this.

Unfortunately, the transmission of information using the internet is not completely secure. Although we do our best to protect your personal information sent to us this way, we cannot guarantee the security of data transmitted to our site. Our websites may contain links to other sites. While we try to link only to sites that share our high standards and respect for privacy, we are not responsible for the content or the privacy practices employed by other sites. Please be aware that advertisers or websites that have links on our site may collect personally identifiable information about you. This privacy statement does not cover the information practices of those websites or advertisers. Any debit or credit card details which we receive on our website are passed securely to Stripe, our payment processing partner, according to the Payment Card Industry Security Standards.

Who can see my personal information?

Only appropriately trained staff, bank workers, agency, volunteers and contractors can access your information. It is stored on secure servers with features to prevent unauthorised access.

Where is my personal information stored?

We may store your contact details within a US-based mail service provider such as Mailchimp. If we do this, we will ensure that the appropriate data protection impact assessment (DPIA) takes into account the context of the processing including, for example, the type of data and the risk to the data subject. We would typically rely on Standard Contractual Clauses to ensure the safeguarding of this data, and any supplemental measures deemed required will also be applied. It is important to remember that no transmission of your personal information over the internet can be guaranteed to be 100% secure and so we advise you to take suitable precautions when transmitting data to us via the internet.

Your rights

These are your rights concerning how we process your personal information:

a. Right to be informed. You have the right to be told how we will use your personal information. This policy and other policies and statements used on this website and in our communications provide you with a clear and transparent description of how we may use your personal information.

b. Right of access. You can write to us to ask for confirmation of what information we hold on you and to request a copy of that information. Provided we are satisfied that you are entitled to see the information requested, and we’ve successfully confirmed your identity, we’ll give you your personal information (subject to any exceptions that apply).

c. Right of erasure. You have the right to ask us to delete your personal information. We will always look to comply with this request although this is not an absolute right and there may be legitimate reasons for declining the request. This may include for example where we are legally required to retain your information (for example, in the case of health records).

d. Right of rectification. If you believe our records of your personal information are inaccurate, you have the right to ask us to update those records. You can also ask us to check the personal information that we hold about you if you are unsure whether it is up to date.

e. Right to restrict processing. You have the right to ask us to restrict the processing of your personal information if there is disagreement about its accuracy or legitimate usage.

f. Right to object. You have the right to object to processing where we are:

(1) Processing your personal information on the grounds of legitimate interest.

(2) Using your personal information for direct marketing.

(3) Using your personal information for statistical purposes.

(4) Where we rely on your consent to use your personal information, you have the right to withdraw that consent at any time.

g. Right to data portability. Where we are processing your personal information:

(1) Because you gave us your consent.

(2) Because such processing is necessary for the performance of a contract to which you are party.

You may ask us to provide it to you – or another service provider – in an electronic format, such as PDF.

h. How to exercise your rights. To exercise any of these rights, please send a description of the personal information in question using the contact details below. Please note that you may only use/benefit from some of these rights in limited circumstances. For more information, we suggest that you consult guidance from the Information Commissioner’s Office (ICO).

i. Making a complaint. If you have any concerns about anything we have told you in this policy, please contact us (using any of the contact details below).
You have the right to make a complaint if you feel unhappy about how we hold, use or share your information. We recommend contacting us initially to talk through any concerns that you have. If you wish to complain, we will tell you about the process for doing this. You may also raise a concern or complaint here.

j. If you remain dissatisfied following the outcome of your complaint, you may wish to contact the Information Commissioner’s Office:

(1) Post. Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.

(2) Web. https://ico.org.uk/concerns/

(3) Telephone. 0303 123 1113.

Please note that the Information Commissioner will not normally consider an appeal until you have exhausted your rights of complaint to us directly. Please see the website above for further advice.

k. Changes to this policy. We may update this Policy to make sure it meets the needs of people that we support, people who use this website, and any changes in the law, so please check back periodically. We will notify you of significant changes by placing a notice on our website.

l. Links and third parties. We link our website directly to other sites. This Policy does not cover external websites, and we are not responsible for the privacy practices or content of those sites. We encourage you to read the privacy policies of any external websites you visit via links on our website.

How to contact us

Please let us know if you have any questions or concerns about this policy or about the way in which we are processing your personal information. You can contact us in the following ways:

a. Post. Chief Executive Officer, SOC, The X Centre, Commercial Road, Exeter, EX2 4AD.

b. Web. privacy@steponecharity.co.uk

c. Telephone. 01392 255428.

©️ Copyright 2024 – Step One. Registered Charity Number: 235434 Company Number 393477 in England. X Centre, Commercial Road, Exeter, EX2 4AD.