OXPIP Privacy Notice
You can decide not to receive communications or change how we contact you at any time.
If you wish to do so, please email firstname.lastname@example.org or call 01865 778034. We aim to respond to messages within 3 working days.
OXPIP will never sell your personal data and will only ever share it with organisations we work with where necessary and if its privacy and security are guaranteed.
For any questions you have in relation to this notice or how we use your personal data please email email@example.com.
2. Your personal information
OXPIP will only collect, process and store your personal information in accordance with data protection laws. Personal information is information from which an individual’s identity can be ascertained. OXPIP is considered a data controller and is registered with the Information Commissioner’s Office (ICO), www.ico.org.uk.
3. Your rights regarding your personal data
OXPIP adheres to data protection legislation (currently the Data Protection Act 2018 and the General Data Protection Regulation (EU) 2016/679 (GDPR)), which provide the following rights for individuals:
The right to be informed
The right of access
The right to rectification
The right to erasure
The right to restrict processing
The right to data portability
The right to object
Rights in relation to automated decision making and profiling
You can read more about your rights on the Information Commissioner’s Office website.
We will fulfil these rights unless we have a legal or safeguarding reason not to.
If you wish to make a complaint about our data processing activity you can contact the Information Commissioner’s Office.
4. The data we collect and store
We collect and store personal information voluntarily supplied by individuals who:
Visit our website (via cookies and any personal information you choose to send us via the site)
Make a referral to OXPIP services, request support from our services, or use our services (see also OXPIP’s Privacy Notice for Clinical Service Users)
Join our mailing lists
Make a donation or support us through contributions in kind
Sign up to or express interest in OXPIP training courses or events
Visit our premises
Become OXPIP members or sign up as supporters
Enquire about or apply for paid or voluntary roles within OXPIP
Contract our services
Are contracted by OXPIP to deliver services
Visitors to the website & cookies
We use the following persistent and session cookies on our website:
Wix (Session & token cookies) – most of which are permanent
Google Analytics (_ga (lasts 2 years), _gid (lasts 24 hrs), _gat (lasts 1 min))
You can change your browser privacy settings to block cookies and still use the OXPIP website. You can also visit your browser permissions to delete cookies.
You may contact us via the Ask Us form. When you do this, we do not automatically add your details to our mailing list but may keep your query indefinitely unless you ask us to erase it.
Referrals (Service Users)
We collect personal details about you and your child from the referrer, which may include sensitive personal data (i.e. health information, ethnicity). This information is submitted by you or by third party referrers who confirm that they have received explicit consent to share your details. Our clinician may speak to other organisations already involved in your care. These details allow us to determine if OXPIP therapeutic services are appropriate for you.
If a referral leads to service:
You will be given our Clinical Privacy Notice before sessions commence with further details about how we collect, process and store personal information. You will be asked for your detailed consent for this and for any information sharing.
If a referral does not lead to service and/or signed consent is not completed:
Your information will be anonymised upon closure of the referral and then kept indefinitely for statistical purposes. This information is kept on our internal secure systems.
Join our Mailing Lists
You may sign up for our mailing lists by entering your email address (your name is optional). We will keep those details indefinitely until you unsubscribe. You may unsubscribe at any time by emailing firstname.lastname@example.org or clicking unsubscribe within one of our newsletters.
Any personal data you provide us with (e.g. when contacting us via our website, making a donation, signing up or expressing an interest in our training courses or events, becoming a member or volunteer) will be stored on Sheep CRM (www.sheepcrm.com) – our central database for all our supporter and attendee information. We also currently store this information securely on our Remote Desktop. The remote desktop (RDS) is used to access files saved centrally. It is provided by a third-party IT company, Blue Planet, which acts as a Data Processor under GDPR.
Our data and servers are located in Microsoft’s West Europe datacentre which is located in the Netherlands. This location, although physical, is effectively “The cloud”. Our data is constantly replicated onto different servers within this data centre to ensure that our services remain constantly online and available, even if one server, or one part of the data centre fails. Microsoft guarantee that our service will be available for at least 99.95% of the year. Microsoft Data Centres are highly secure and resilient and hold hundreds of thousands of companies and their associated services and data. The building has the highest level of security, fire prevention and is constantly monitored for threats (both physical and electronic). Microsoft have over 30 of these locations around the world, and the one in West Europe will adhere to all European standards for Data Protection & Privacy laws. You can find more information here.
We keep a permanent record of donors for administration purposes.
Making or receiving a payment
Payments (for courses, events or donations) can be made via cash, cheque, BACS or PayPal. We use Xero (xero.com) for our accounting and store your name and reason for payment. If you have requested an invoice to be posted, your postal address will also be stored. Your financial details are not stored, unless you have set up a direct debit or are one of our creditors, in which case your details will be kept for 6 years, which is a statutory requirement.
Donations can also be processed by Virgin Money Giving. Virgin Money Giving will collect personal details from you in order to process your payment and Gift Aid. You may opt-in to our mailing list via Virgin Money Giving.
All direct payment gateways offered by third party processors and used by our company adhere to the standards set by PCI-DSS as managed by the PCI Security Standards Council. PCI-DSS requirements help ensure the secure handling of credit card information.
We will not share your information with any third parties for the purposes of direct marketing.
In some circumstances we are legally obliged to share information. For example, under a court order, or sharing Gift Aid information with HMRC.
In situations where a child or adult may be at risk, information will be exchanged with other relevant agencies in line with good practice around child protection and safeguarding.
We use data processors who are third parties who provide elements of services for us. Details of these third party processors are below in the relevant sections. These data processors may hold your data outside of the EU.
Information held by OXPIP electronically is kept securely according to our Data Protection Policy and IT, Internet & Email Acceptable Use Policy. Some of our data storage providers may transfer data outside of the EU. This may include Google (Gmail), Microsoft, and other third-party processors detailed below.
5. How we keep, process and dispose of your personal information
We keep your personal information in a secure environment and do not pass it on to third parties outside OXPIP unless legally obliged to do so, for example telling HMRC about Gift Aid payments. The information you provide will only be used for the purpose specified when it was collected, such as in association with your on-going support as a donor, to inform you about our services you have requested and/or to keep you informed about upcoming OXPIP training and events.
We keep the data for various lengths of time, depending on the purpose it was collected for:
Financial data is retained for 6 years
We keep a permanent record of donors for administration purposes
Membership data is retained while you are a member and we keep a permanent record (with minimal data) of all alumni
If you join our mailing list we will retain your data until you unsubscribe from the list
Training and events data is kept for 12 months after the event; however, if you have expressed your interest in other training, it is kept for a further 12 months. After this time the information is anonymised and kept indefinitely for statistical purposes
Referrals for clinical services that do not lead to services are anonymised upon closure of the referral and then kept indefinitely for statistical purposes. Referrals that lead to services will be retained with your case file while you use the service and until the child’s 25th birthday. For further details please contact us for our retention policy.
6. Lawful Bases for Processing
We rely upon various lawful bases, as set out in the GDPR, to collect and use your data:
consent of the data subject,
processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract,
processing is necessary for compliance with a legal obligation,
necessary for the purposes of legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests, rights or freedoms of the data subject.
Where we collect Special Category personal data, sensitive or private information such as ethnicity, or health information, we rely on an additional lawful basis. We rely upon your explicit consent to process this information, or the processing is necessary for the purposes of the provision of health or social care or treatment.
7. Access to the information we hold about you (Subject Access Request)
You have the right to know what data we hold about you. We do not charge you for this. Please email email@example.com or write to OXPIP, Suite J, The Kidlington Centre, Kidlington, Oxford, OX5 2DL for more information.
You can complain to OXPIP directly by contacting our data protection lead using the details set out above. If you are not happy with our response, or you believe that your data protection or privacy rights have been infringed, you can complain to the UK Information Commissioner’s Office, which regulates and enforces data protection law in the UK. Details of how to do this can be found at www.ico.org.uk.
9. Amendment of this notice
We regularly review this privacy notice and may amend the content or wording from time to time to ensure it remains relevant and effective. You can see when it was last updated by checking the date at the end of the notice. The latest published version will be the applicable version.
Last reviewed: 9th August 2019