Listen. Believe. Empower.

 

Privacy Policy

Privacy Policy
RASA Education Student
Adult SERVICE USER
Child SERVICE USER
Anti-racism Policy

General PRIVACY NOTICE

Sensitivity: PUBLIC

  1. INTRODUCTION
  2. WHO ARE WE?
  3. COMPANIES AND WEBSITES WITHIN SCOPE.
  4. DATA COLLECTION DISCLOSURE TABLES.
  5. STORAGE OF PERSONAL DATA.
  6. SECURITY MEASURES.
  7. YOUR RIGHTS AS A DATA SUBJECT.
  8. CONTACT US.
  9. COMPLAINTS.
  10. CHANGES TO THIS PRIVACY NOTICE.

  1. INTRODUCTION

    RASA Merseyside is strongly committed to protecting personal data.

    This privacy statement describes who, how and why we collect and use personal data and also provides information about individuals’ rights. It applies to personal data provided to us, both by individuals themselves or by others.

    We may use personal data provided to us for any of the purposes described in this privacy statement or as otherwise stated at the point of collection.

    Personal data is any information relating to an identified or identifiable living person.

    We processes personal data for numerous purposes, and the means of collection, its lawful basis of processing, use, disclosure, and retention periods for each purpose may differ.

    When collecting and using personal data, our policy is to be transparent about why and how we process personal data.

    We do not sell your personal information to anyone under any circumstances.

    To find out more about our specific processing activities, please go to the relevant sections of this statement below.

  2. WHO ARE WE

    RASA Merseyside is a UK Registered charity whose offices are in the UK.

    “RASA Merseyside” (and “we”, “us”, or “our”) refers to Rape and Sexual Abuse (RASA) Centre Limited.
    We are a Registered Charity, Registration No: 1094462 and a Company Limited by Guarantee Reg No: 4538556

    and our registered office address is

    15 Morpeth Close
    Wirral
    Merseyside
    CH46 6HQ

    For the purpose of the EU General Data Protection Regulation 2018 (“Data Protection Law”) and the Data Protection Act 2018 we are a “data controller”.

    This means that we are responsible for, and control the processing of your personal information.

  3. COMPANIES AND WEBSITES within SCOPE.

    The following companies and websites are within scope for this privacy policy:

    RASA Merseyside: https://www.rasamerseyside.org.

  1. DATA COLLECTION DISCLOSURE

    We collect and use Personal and Special Category data from our service users and other agencies in order to manage and maintain our services and relationship with those individuals.  
    Our policy is to collect only the data necessary for agreed purposes and we ask our service users only to share personal data with us where it is strictly needed for those purposes. 

    Sensitive Data Held By Our Organisation  

    The EU-GDPR and DPA 2018 recognises that some categories of personal information are more sensitive and have therefore been defined as SPECIAL CATAGORIES of Personal Data and therefore they require more protection.  
    In our case these SPECIAL CATAGORIES of Personal Data can include information about a person’s Race, Religion, Sexual Orientation or Health. 
    If you contact us through our online or helpline services or complete a registration/referral form (both online, on the phone or in person) to access one of our services, you may get asked for details of a sensitive nature.  
    It is your right not to disclose any of those details, except basic contact details which will allow us to get in touch and complete the referral process.  
    We may need to disclose your details if required to the police, regulatory bodies or legal advisors.
      
    The EU-GDPR and DPA 2018 states that we must disclose: 
    • WHAT data we collect. 
    • WHY we collect that data. 
    • Our LEGAL BASIS for collecting it 
    • WHO the data is SHARED WITH? 
    • What its RETENTION PERIOD is.  

    For further information, please read the “DATA COLLECTION DISCLOSURE TABLE” below.
      

    Data Collection Disclosure Table

    1.

    GENERAL COMMUNICATIONS

    WHAT:

    Name, Telephone Number, Email and Physical Address's.

    WHY:

    To discuss with you about any issue that you raise with us or which follows from an interaction between us.

    LEGAL BASIS:

    Legitimate Interest.

    SHARED WITH:

    Internally Only.

    RETENTION PERIOD:

    30 days

       

    2.

    TELECOMMUNICATIONS

    WHAT:

    FIXED LINE: Telephone numbers.

    WHY:

    To comply with our legal obligations.

    LEGAL BASIS:

    Legitimate Interests.

    SHARED WITH:

    Internal Only.

    RETENTION PERIOD:

    12 Months

       

    WHAT:

    FIXED LINE: Voice messages, Fax messages.

    WHY:

    To discuss with you about any issue that you raise with us or which follows from an interaction between us.

    LEGAL BASIS:

    Legitimate Interests.

    SHARED WITH:

    Internal Only

    RETENTION PERIOD:

    30 Days

       

    WHAT:

    MOBILE LINE: Voice messages.

    WHY:

    To discuss with you about any issue that you raise with us or which follows from an interaction between us.

    LEGAL BASIS:

    Legitimate Interests.

    SHARED WITH:

    Internal Only

    RETENTION PERIOD:

    7 Days

       

    WHAT:

    MOBILE LINE: Text Messages.

    WHY:

    To discuss with you about any issue that you raise with us or which follows from an interaction between us.

    LEGAL BASIS:

    Legitimate Interests.

    SHARED WITH:

    Internal Only

    RETENTION PERIOD:

    7 Days

       

    3.

    SECURITY

    WHAT:

    Technical Information plus any other information that may be required for this purpose.

    WHY:

    To protect our websites and infrastructure from cyber attack etc and to report and deal with any illegal acts.

    LEGAL BASIS:

    legitimate interests

    SHARED WITH:

    Internally and at times with Law enforcement departments.

    RETENTION PERIOD:

    60 days from cessation of contract

       

    4.

    FUND RAISING

    WHAT:

    Justgiving.com: Name, Email Address, Gift Aid, Amount donated

    WHY:

    For the purpose of the transaction.

    LEGAL BASIS:

    legitimate interests

    SHARED WITH:

    Internal, Public website

    RETENTION PERIOD:

    2 Years

  1. STORAGE OF PERSONAL DATA.

    All our paper based documents are stored and secured in the UK.

    Our Web applications are hosted in the UK/EU and are accessed only by UK based staff.

    We operate a data retention policy in respect of all data, whether paper-based or digital.

    We use a number of CSP’s (cloud service providers) as part of our digital processing enviroment, in respect of these CSP’s, unless we specifically state otherwise we are the DATA Controller.

  2. SECURITY MEASURES.

    We have what we believe are appropriate physical and cyber security controls in place to protect personal data.

    We have a framework of policies, procedures and training in place covering data protection, confidentiality and security and regularly review the appropriateness of the measures we have in place to keep the data we hold secure.

    We use encryption and/or Pseudonymisation where it is appropriate to do so.

    All our digital data is encrypted whilst at rest and in transit.

    We ensure that any data processor we use also implements appropriate technical and organisational measures.

    We do not have any control over what happens between your device and the boundary of our information infrastructure, therefore you should be aware of the many information security risks that exist and take appropriate steps to safeguard your own information as we accept no liability in respect of breaches that occur beyond our sphere of control.

  1. YOUR RIGHTS AS A DATA SUBJECT.

    As a data subject whose personal information we hold you have certain rights.
    If you wish to exercise any of these rights, please contact us using the information supplied in 8. Contact Us below.
    To process your request, we will ask you to provide two valid forms of identification for verification purposes. 

    Your rights are as follows:
    1. The right to be informed:
    As a data controller, we are obliged to provide clear and transparent information about our data processing activities. This is provided by this privacy policy and any related communications we may send you. 

    2. The right of access:
    You may request a copy of the personal data we hold about you free of charge.
    Once we have verified your identity and, if relevant, the authority of any third-party requestor, we will provide access to the personal data we hold about you as well as the following information:
    a) The purposes of the processing.
    b) The categories of personal data concerned.
    c) The recipients to whom the personal data has been disclosed.
    d) The retention period envisaged for that data.
    e) When personal data has been collected from a third party, the source of the personal data.
    If there are exceptional circumstances that mean we can refuse to provide the information, we will explain them.
    If requests are frivolous or vexatious, we reserve the right to refuse them.
    If answering requests is likely to require additional time or occasions unreasonable expense (which you may have to meet), we will inform you. 

    3. The right to rectification:
    When you believe that we hold inaccurate or incomplete personal information about you, you may exercise your right to correct or complete this data. This may be used with the right to restrict processing to make sure that incorrect/incomplete information is not processed until it is corrected. 

    4. The right to erasure (the ‘right to be forgotten’):
    Where no overriding legal basis or legitimate reason continues to exist for processing personal data, you may request that we delete the personal data.
    This includes personal data that may have been unlawfully processed. We will take all reasonable steps to ensure erasure. 

    5. The right to restrict processing:
    You may ask us to stop processing your personal data.
    We will still hold the data, but will not process it any further.
    This right is an alternative to the right to erasure. If one of the following conditions applies you may exercise the right to restrict processing:
    a) The accuracy of the personal data is contested.
    b) Processing of the personal data is unlawful.
    c) We no longer need the personal data for processing but the personal data is required for part of a legal process.
    d) The right to object has been exercised and processing is restricted pending a decision on the status of the processing.

    6. The right to data portability:
    You may request your set of personal data be transferred to another controller or processor, provided in a commonly used and machine-readable format.
    This right is only available if the original processing was on the basis of consent, the processing is by automated means and if the processing is based on the fulfilment of a contractual obligation. 

    7. The right to object:
    You have the right to object to our processing of your data where
    a) Processing is based on legitimate interest.
    b) Processing is for the purpose of direct marketing.
    c) Processing is for the purposes of scientific or historic research.
    d) Processing involves automated decision-making and profiling.

    8. Rights relating to automated decision making and profiling:
    RASA Merseyside does not apply any automatic decision making or profiling to any of your personal data.
  2. CONTACT US.

    If you have any comments, questions or suggestions about this privacy policy or our handling of your personal data then these should be directed to:

    The Data Protection Officer

    Email: This email address is being protected from spambots. You need JavaScript enabled to view it.

    Telephone: 0151 558 1801

    Alternatively, you can contact us using the following Postal Address:

    RASA Merseyside
    Units 2 and 3 Stella Nova
    Washington Parade
    Bootle
    L20 4TZ

  1.  COMPLAINTS.

    We hope that you won’t ever need to, but if you do want to complain about our use of personal data then please contact us using the details provided in item 8 above whereby all complaints will be treated in a confidential manner.

    Should you feel unsatisfied with our handling of your data, or about any complaint that you have made to us about our handling of your data, you are entitled to escalate your complaint to a supervisory authority.

    In the UK the supervisory authority is the ICO (Information Commissioner’s Office), which is also our lead supervisory authority.

    Its contact information can be found at https://ico.org.uk/global/contact-us/

  1. CHANGES TO THIS PRIVACY NOTICE.

    We recognise that transparency is an ongoing responsibility so we will keep this privacy statement under regular review.

    This privacy statement was last updated on 15th July 2024.

    For the latest version of this and all of our Privacy Notices and Supplements visit https://www.rasamerseyside.org/privacy

.

We are here to help you through this, towards recovery, wellbeing and independence. 

Get Help