At Step One, we are committed to protecting your privacy. We will respect any personal information you share with us (or that we receive from other organisations) at all times, and we will keep it safe.
This Privacy Notice explains what personal data Step One collects from you, through our contact with you, working together with other people and organisations, and through this website.
In this notice, you’ll find important information about your personal rights to privacy, and how and why we use your personal information.
If you have any questions, queries or concerns about any information on this page, please contact us; you can find our contact details at the bottom of the page.
This notice sets out how we are compliant with the UK General Data Protection Regulation (the “UK GDPR”) and includes:
- The rights you have regarding your data, such as to access or amend it
- Details of how we collect, store, share and use personal data and why
- the lawful grounds we rely on to process your data
- how long we retain information
- clarifies that we may collect sensitive personal information, if we have a valid reason to do so and if permitted under the UK GDPR
What this notice covers
- How we process your data
- The information we collect
- How we use your personal information
- How long we keep it
- Our lawful grounds for processing your information
- Processing sensitive data
- Where we may share your personal data
- Security, storage and access to your personal information
- Your rights
- How to contact us
About Step One
In this Privacy Notice, “Step One” means Step One, a registered charity (235434) with ICO registration number Z6133110. When we refer to our website, we are referring to this site; https://www.steponecharity.co.uk
How we process your data
This notice sets out how we handle your data. It also explains your rights and options around how we use your personal information.
We collect information about you:
- Interact with us online
- communicate with us
- apply to work or volunteer for us
- give us your personal information in any other way, for example, if you’re receiving support from Step One
- register for training
- fundraise for us
- make a donation to Step One
When others give it to us
This is when your personal information is given to us by third parties, such as other organisations that are supporting you, for example, NHS and Social Care providers, employers, and other organisations. It could also be if you provide a donation through a third party such as Just Giving or one of the other third parties that we work with.
When you visit this website
When you visit this website, we may collect the following personal information:
Technical information, including:
- the internet protocol (IP) address used to connect your computer to the internet
- your browser type and version
- your time zone setting
- browser plug-in types and versions
- your operating systems and platforms
Information about your visit to our website, including:
- the uniform resource locator (URL) clickstream to, through and from this site (including date and time)
- page response times
- download errors
- length of visits to certain pages
- referral sources (how you arrived at the website)
- page interaction information (such as scrolling and clicks)
- methods used to browse away from the page.
We collect and use your personal information by using cookies on our website.
Other information that is made available to the public
In order to tailor our communications with you to your background and interests we may collect information about you from publicly available sources or through third party subscription services or service providers.
The personal information we collect
We collect, store and use the following kinds of personal information:
- Essential details such as your name and contact details.
- Information about your computer/mobile device and your visits to and use of this website, including for example your IP address and geographical location.
- Information about our services which you use/which we consider of interest to you.
- Personal information we collect includes details such as your name, date of birth, email address, postal address, telephone number and credit/debit card details (if you are making a purchase or donation), as well as information you provide in any communications between us. You will have given us this information whilst making a donation or registering for an event, or any of the other ways to interact with us.
If you are receiving support from Step One or using our services:
- Essential information such as date of birth, your NHS number and details of your next of kin.
- Any contact we have had with you, for example when you have stayed in one of our services, visited us at one of our offices, or when we have visited you at home.
- Details of the support that we provide for you, and any information that we may need to give this support, for example, any health conditions or disabilities, medicines that you may take, your employment history, your bank details (if we are supporting you with your finances), or any criminal convictions.
- relevant information from your relatives or those who care for you and know you well
- Any other personal information shared with us as described above.
What is sensitive personal information (special category data)?
The UK GDPR recognises specific categories of personal information as sensitive and therefore requiring more protection.
For example, this includes information about your health, religious beliefs, and ethnicity.
In the course of providing support to people who use our services, Step One routinely processes sensitive personal data. In other limited cases, we may collect and use your sensitive personal information.
In each case, we will only do so if we have a valid reason and the UK GDPR permits it, as described in how and why we will we use your personal information.
How do we use your personal information?
We may use your personal information to:
- provide you with services or information you’ve asked us for
- give more information about our work, services, or activities
- process your donations
- further our charitable aims
- research the impact and effectiveness of our work and services
- register and administer your participation in events you’ve registered for
- manage and keep our website safe and secure and for internal operations, including troubleshooting, data analysis, testing, research, statistical and survey purposes
- improve your interactions with our website, for example by making sure that we present content most relevantly and effectively for you and your computer/mobile device
- report on the results and impact of our work, services and events
- analyse and improve our work, services, activities or information (including our website) or for our internal records
- use IP addresses and monitor website use to identify locations, block disruptive use, record website traffic or personalise the way information is presented to you
- to process your application for a job or volunteer role with us
- training and quality control
- audit and administer our accounts
- satisfy legal obligations which are binding on us, for example, arising from contracts entered into between you and us or concerning regulatory, government or law enforcement bodies with whom we may work
- provide information for funders, where this is contractually required, and so that we can be paid for providing a service to you
- prevent fraud, misuse of services or money laundering and to perform due diligence
- reduce credit risk
- communicate with you in any other way
- for the establishment, defence and enforcement of legal claims
If you are receiving support from Step One as a person who is using our services, we use your personal information to:
- plan your support and provide you with a high standard of service
- provide health, social care and employment professionals who are involved in your support with relevant, accurate and up-to-date details about your support needs
- investigate any concerns or complaints you may have, either about your support or the standards of service you are receiving.
- check and make improvements to our services
- in some cases, use your anonymised information (by removing anything that identifies you) to help us improve the quality of our services, and make sure that our services can be planned to meet the future needs of people.
If you are looking to / have supported Step One by way of fundraising or making a donation or:
- We use your details to give you information about our work, services, events, and fundraising opportunities which we think might interest you. We will only do this if you have given us consent to contact you about this.
- To process your donations or other payments, to claim Gift Aid on your donations and verify any financial transactions.
- To provide the services or goods that you have requested.
- To update you with important administrative messages about your donation, an event or services or goods you have requested.
- To comply with the Charities (Protection and Social Investment) Act 2016 and follow the recommendations of the official regulator of charities, the Charity Commission, which require us to identify and verify the identity of supporters who make major gifts so we can assess any risks associated with accepting their donations.
- To keep a record of your relationship with us.
- Where you volunteer with us, to administer the volunteering arrangement.
We may also use your information:
- To contact you about our work and how you can support Step One.
- To invite you to participate in surveys or research.
How long do we keep your personal information?
In general, if we no longer need your information for the reasons you gave it to us, we remove your personal information from our records seven years after the date it was collected.
However, we’ll remove it sooner if:
- your personal information is no longer required for the purpose you shared it with us
- we’re no longer lawfully entitled to process it
- you ask us to remove it.
Please note that special rules apply to records that we keep when we support you. We are bound by certain laws and guidelines concerning how long we must keep these records.
Our lawful grounds for processing your information
The UK GDPR requires us to rely on one or more lawful grounds to process your personal information. These are the grounds that are relevant to the services that we offer.
- Where you’ve given your consent for us to use your personal information in a certain way. For example, if you are happy to share your story to help us to highlight the work we do, we will always ask for your consent to use your personal information in this way.
- Where necessary so that we can comply with a legal obligation (for example, where we need to share your personal information with regulatory bodies which govern our work and services, or where we are bound by certain laws, such as the Mental Health Act).
- Where necessary for the performance of a contract.
- Where it is in your/someone else’s vital interests (for example, in case of a medical emergency).
- Where there is a legitimate interest in us doing so.
What do we mean by ‘legitimate interests’?
The UK GDPR allows us to collect and process your personal information if it is reasonably necessary to achieve ours or others’ legitimate interests, as long as that processing is fair, balanced and does not unduly impact your rights.
Step One’s legitimate interests
In broad terms, our “legitimate interests” means running Step One as a charitable entity in pursuit of our aims and ideals. For example, by:
- providing information about our services including fundraising events and initiatives
- running events
- taking applications for staff and volunteers.
Your legitimate interests
“Legitimate interests” can also include your interests, such as when you have requested information or services from us.
How do we balance these interests?
When we legitimately process your personal information in this way, we consider and balance any potential impact on you (both positive and negative), and your rights under data protection laws. We won’t use your personal information for activities where the impact on you overrides our interests.
We will only contact you about our work and how you can support Step One by phone, email or text message, if you have provided consent for us to contact you in this manner.
However, if you have provided us with your postal address we may send you information about our work and how you can support Step One by mail unless you have told us that you would prefer not to hear from us in that way.
You can update your choices or stop us sending you these communications at any time by contacting privacy@steponecharity.co.uk or by clicking the unsubscribe link at the bottom of the relevant communication. Please note that when you update your communication preferences it can take up to 28 days to take effect across all of our systems.
Where we may share your personal information
We never share, sell or rent your information to third parties for marketing purposes.
However, we may disclose your personal information to selected third parties to achieve the other purposes set out in this policy.
These may include (among others):
- other professionals and organisations involved in supporting you (for example, we currently share information with referring organisations including the NHS, County Councils, and where we have contracts with Shaw Trust)
- business partners, suppliers and sub-contractors
- analytics and search engine providers
- IT service providers
- other beneficiaries, executors and legal advisers.
In particular, we reserve the right to disclose your personal information to third parties:
- in the event that we sell or transfer any part of our business, in which case we will disclose your personal information, where it is relevant, to the prospective seller or buyer of such business, under the terms of this Privacy Policy. They will be permitted to use the data for the purposes for which we originally collected it.
- if we are under any legal or regulatory duty to do so.
- to protect the rights, property or safety of Step One, its employees, people who use its services, visitors or others.
Security, storage and access to your personal information
We will always keep your personal information safe and secure.
We might store your information in paper or electronic records, or a combination of both. We restrict all our records so that only those individuals who need to know the information can get access. We have appropriate and proportionate security policies and organisational and technical measures in place to help us do this.
Unfortunately the transmission of information using the internet is not completely secure. Although we do our best to protect your personal information sent to us this way, we cannot guarantee the security of data transmitted to our site.
Our websites may contain links to other sites. While we try to link only to sites that share our high standards and respect for privacy, we are not responsible for the content or the privacy practices employed by other sites. Please be aware that advertisers or Web sites that have links on our site may collect personally identifiable information about you. This privacy statement does not cover the information practices of those websites or advertisers.
Any debit or credit card details which we receive on our website are passed securely to Stripe our payment processing partner, according to the Payment Card Industry Security Standards.
Who can see my personal information?
Only appropriately trained staff, volunteers and contractors can access your information. It is stored on secure servers with features to prevent unauthorised access.
Where is my personal information stored?
We may store your contact details within a US based mail service provider such as Mailchimp. If we do this, we will ensure that the appropriate risk assessment takes into account the context of the processing including for example the type of data and the risk to the data subject. We would typically rely on Standard Contractual Clauses to ensure the safeguarding of this data and any supplemental measures deemed required will also be applied.
It is important to remember that no transmission of your personal information over the internet can be guaranteed to be 100% secure and so we advise you to take suitable precautions when transmitting data to us via the internet.
Your rights
These are your rights concerning how we process your personal information:
Right to be informed
You have the right to be told how we will use your personal information. This notice and other policies and statements used on this website and in our communications provide you with a clear and transparent description of how we may use your personal information.
Right of access
You can write to us to ask for confirmation of what information we hold on you and to request a copy of that information.
Provided we are satisfied that you are entitled to see the information requested, and we’ve successfully confirmed your identity, we’ll give you your personal information (subject to any exceptions that apply).
Right of erasure
You have the right to ask us to delete your personal information., We will always look to comply with this request although this is not an absolute right and there may be legitimate reasons for declining the request. This may include for example where we are legally required to retain your information (for example, in the case of health records).
Right of rectification
If you believe our records of your personal information are inaccurate, you have the right to ask us to update those records.
You can also ask us to check the personal information that we hold about you if you are unsure whether it is up to date.
Right to restrict processing
You have the right to ask us to restrict the processing of your personal information if there is disagreement about its accuracy or legitimate usage.
Right to object
You have the right to object to processing where we are:
- processing your personal information on the grounds of legitimate interest.
- using your personal information for direct marketing.
- using your personal information for statistical purposes.
Where we rely on your consent to use your personal information, you have the right to withdraw that consent at any time.
Right to data portability
Where we are processing your personal information:
- because you gave us your consent
- because such processing is necessary for the performance of a contract to which you are party you may ask us to provide it to you – or another service provider – in an electronic format, such as PDF.
How to exercise your rights
To exercise any of these rights, please send a description of the personal information in question using the contact details below.
Please note that you may only use/benefit from some of these rights in limited circumstances. For more information, we suggest that you consult guidance from the Information Commissioner’s Office (ICO).
Making a complaint
If you have any concerns about anything we have told you in this policy, please contact us (using any of the contact details below).
You have the right to make a complaint if you feel unhappy about how we hold, use or share your information. We recommend contacting us initially to talk through any concerns that you have. If you wish to complain, we will tell you about the process for doing this. You may also raise a concern or complaint here.
If you remain dissatisfied following the outcome of your complaint, you may wish to contact the Information Commissioners Office:
Post: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Telephone: 0303 123 1113
Please note that the Information Commissioner will not normally consider an appeal until you have exhausted your rights of complaint to us directly. Please see the website above for further advice.
Changes to this notice
We may update this Policy to make sure it meets the needs of people that we support, people who use this website, and any changes in the law, so please check back periodically. We will notify you of significant changes by placing a notice on our website. This Policy was last updated in September 2023.
Links and third parties
We link our website directly to other sites. This Policy does not cover external websites, and we are not responsible for the privacy practices or content of those sites. We encourage you to read the privacy policies of any external websites you visit via links on our website.
How to contact us
Please let us know if you have any questions or concerns about this policy or about the way in which we are processing your personal information. You can contact us:
01392 255428
Step One
X Centre
Commercial Road
Exeter
EX2 4AD