Click here to view our Clinical Privacy Notice for OXPIP Clients and Safeguarding and Child Protection Notice.
You can decide not to receive communications or change how we contact you at any time.
If you wish to do so, please email firstname.lastname@example.org or call 01865 778034. We aim to respond to messages within 3 working days.
OXPIP will never sell your personal data and will only ever share it with organisations we work with where necessary and if its privacy and security are guaranteed.
For any questions you have in relation to this notice or how we use your personal data please email email@example.com.
2. Your personal information
OXPIP will only collect, process and store your personal information in accordance with data protection laws. Personal information is information from which an individual’s identity can be ascertained. OXPIP is considered a data controller and is registered with the Information Commissioner’s Office (ICO), www.ico.org.uk.
3. Your rights regarding your personal data
OXPIP adheres to data protection legislation (currently the Data Protection Act 2018 and the General Data Protection Regulation (EU) 2016/679 (GDPR)), which provides the following rights for individuals:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling
You can read more about your rights on the Information Commissioner’s Office website.
We will fulfil these rights unless we have a legal or safeguarding reason not to.
If you wish to make a complaint about our data processing activity you can contact the Information Commissioner's Office.
4. The data we collect and store
We collect and store personal information voluntarily supplied by individuals who:
- Visit our website (via cookies and any personal information you choose to send us via the site)
- Make a referral to OXPIP services, request support from our services, or use our services (see also OXPIP’s Privacy Notice for Clinical Service Users)
- Join our mailing lists
- Make a donation or support us through contributions in kind
- Sign up to or express interest in OXPIP training courses or events
- Visit our premises
- Become OXPIP members or sign up as supporters
- Enquire or apply for paid or voluntary roles within OXPIP
- Contract our services
- Are contracted by OXPIP to deliver services
Visitors to the website & cookies
We use the following persistent and session cookies on our website:
- Drupal (Session & token cookies) – most of which are permanent
- Google Analytics (_ga (lasts 2 years), _gid (lasts 24 hrs), _gat (lasts 1 min))
You can change your browser privacy settings to block cookies and still use the OXPIP website. You can also visit your browser permissions to delete cookies.
You may contact us via email or telephone. When you do this, we do not automatically add your details to our mailing list but may keep your query indefinitely unless you ask us to erase it.
Referrals (Service Users)
We collect personal details about you and your child from the referrer, which may include sensitive personal data (e.g. health information, ethnicity). This information is submitted by you or by third party referrers who confirm that they have received explicit consent to share your details. Our clinician may speak to other organisations already involved in your care. These details allow us to determine whether OXPIP therapeutic services are appropriate for you.
If a referral leads to service:
- You will be given our Clinical Privacy Notice before sessions commence with further details about how we collect, process and store personal information. You will be asked for your detailed consent for this and for any information sharing.
If a referral does not lead to service and/or signed consent is not completed:
- Your information will be anonymised upon closure of the referral and then kept indefinitely for statistical purposes. This information is kept on our internal secure systems.
Join our Mailing Lists
You may sign up for our mailing lists by entering your email address in the box at the bottom of each page on our website. We will keep those details indefinitely until you unsubscribe. You may unsubscribe at any time by emailing firstname.lastname@example.org or clicking unsubscribe within one of our newsletters.
Any personal data you provide us with (e.g. when contacting us via our website, making a donation, signing up for or expressing an interest in our training courses or events, becoming a member or volunteer) will be stored on Sheep CRM (sheepcrm.com), our central database for all our supporter and attendee information. We currently predominantly store information securely on Microsoft SharePoint Online. This is a centralised and highly resilient data storage area, with tight levels of access control to stored data, including Multi-Factor Authentication. Alongside this, we have a secondary onsite storage medium which is secured using a business grade firewall and VPN system; this data is backed up to the Microsoft Azure Cloud. SharePoint Online is hosted and developed by Microsoft as part of their Office 365 suite, and the data is held in Microsoft data centres alongside the Cloud backups for our onsite storage. Microsoft are considered the Data Processor under GDPR. For the purposes of support and maintenance we have a secondary data processor, Blue Planet IT.
Our SharePoint hosted data is located in Microsoft’s United Kingdom data centre, whilst our onsite medium is backed up to Microsoft’s West Europe data centre. Both locations, although physical, are effectively what is known as “the cloud”. Our data is constantly replicated onto different servers within the data centres to ensure that our services remain constantly online and available, even if one server, or one part of the data centre, fails. Microsoft guarantee that our service and data will be available for at least 99.9% of the year. Microsoft data centres are highly secure and resilient and hold hundreds of thousands of companies and their associated services and data. The buildings have the highest level of security and fire prevention and are constantly monitored for threats (both physical and electronic). Microsoft have over 30 of these locations around the world, and the one in the United Kingdom will adhere to all UK standards for Data Protection & Privacy laws.
We keep a permanent record of donors for administration purposes.
Making or receiving a payment
Payments (for courses, events or donations) can be made via cash, cheque, credit card, BACS or PayPal. We use Xero (xero.com) for our accounting and store your name and reason for payment. If you have requested an invoice to be posted, your postal address will also be stored. Your financial details are not stored, unless you have set up a direct debit or are one of our creditors, in which case your details will be kept for 6 years, which is a statutory requirement.
Donations can also be processed by Virgin Money Giving. Virgin Money Giving will collect personal details from you in order to process your payment and Gift Aid. You may opt-in to our mailing list via Virgin Money Giving.
All direct payment gateways offered by third party processors and used by our company adhere to the standards set by PCI-DSS as managed by the PCI Security Standards Council. PCI-DSS requirements help ensure the secure handling of credit card information.
We will not share your information with any third parties for the purposes of direct marketing.
In some circumstances we are legally obliged to share information, for example under a court order, or when sharing Gift Aid information with HMRC. In situations where a child or adult may be at risk, information will be exchanged with other relevant agencies in line with good practice around child protection and safeguarding.
We use data processors: third parties who provide elements of our services for us. Details of these third party processors are given below in the relevant sections. These data processors may hold your data outside of the EU.
Information held by OXPIP electronically is kept securely according to our Data Protection Policy and IT, Internet & Email Acceptable Use Policy. Some of our data storage providers may transfer data outside of the EU. This may include Google (Gmail), Microsoft, and other third-party processors detailed below.
5. How we keep, process and dispose of your personal information
We keep your personal information in a secure environment and do not pass it on to third parties outside OXPIP unless legally obliged to do so, for example telling HMRC about Gift Aid payments. The information you provide will only be used for the purpose specified when it was collected, such as in association with your on-going support as a donor, to inform you about our services you have requested and/or to keep you informed about upcoming OXPIP training and events.
We keep the data for various lengths of time, depending on the purpose it was collected for:
- Financial data is retained for 6 years
- We keep a permanent record of donors for administration purposes
- Membership data is retained while you are a member and we keep a permanent record (with minimal data) of all alumni
- If you join our mailing list we will retain your data until you unsubscribe from the list
- Training and events data is kept for 12 months after the event; however, if you have expressed your interest in other training, it is kept for a further 12 months. After this time the information is anonymised and kept indefinitely for statistical purposes
- Referrals for clinical services that do not lead to services are anonymised upon closure of the referral and then kept indefinitely for statistical purposes. Referrals that lead to services will be retained with your case file while you use the service and until the child’s 25th birthday. For further details please contact us for our retention policy.
6. Lawful Bases for Processing
We rely upon various lawful bases, as set out in the GDPR, to collect and use your data:
- consent of the data subject,
- processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract,
- processing is necessary for compliance with a legal obligation,
- necessary for the purposes of legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests, rights or freedoms of the data subject.
Where we collect Special Category personal data, sensitive or private information such as ethnicity, or health information, we rely on an additional lawful basis. We rely upon your explicit consent to process this information, or the processing is necessary for the purposes of the provision of health or social care or treatment.
7. Access to the information we hold about you (Subject Access Request)
You have the right to know what data we hold about you. We do not charge you for this. Please email email@example.com or write to OXPIP, Suite J, The Kidlington Centre, Kidlington, Oxford, OX5 2DL for more information.
You can complain to OXPIP directly by contacting our data protection lead using the details set out above. If you are not happy with our response, or you believe that your data protection or privacy rights have been infringed, you can complain to the UK Information Commissioner’s Office, which regulates and enforces data protection law in the UK. Details of how to do this can be found at www.ico.org.uk.
9. Amendment of this notice
We regularly review this privacy notice and may amend the content or wording from time to time to ensure it remains relevant and effective. You can see when it was last updated by checking the date at the end of the notice. The latest published version will be the applicable version.
Last reviewed: 8th September 2020