Privacy Policy

Midlothian Sure Start’s Privacy Notice

Midlothian Sure Start
Colliery Court, McSence Business Park
32 Sycamore Road
Mayfield, Dalkeith, EH22 5TA
Phone: 0131 654 0489

Data Protection Officer: Claire Young (Business Support Manager)

Introduction
When we are carrying out our work, we process personal data about people who receive advice or services from us; about those who attend our training course; and about those who support us through campaigning, giving donations, or volunteering.

At Midlothian Sure Start, we are committed to protecting your personal information and being transparent about what information we hold. We have developed the following policy to help you understand how your personal information will be treated as you engage with us both online and off. It’s important that you know how we record your personal data when you do things like visit our website, donate to us or use our services so that you can trust us with that information.

We ensure that we use your information in accordance with all applicable laws concerning the protection of personal information. This privacy policy explains all you need to know about:

• what information we may collect about you;
• why we collect it;
• what we do with it;
• when we may share it with others; and
• how you can access and update your information.

By supporting us as a donor or volunteer, or using our services, you accept this privacy policy and authorise Midlothian Sure Start to collect, store and process your information in the ways explained.

If you have any questions about this privacy policy or would like more information on our legal basis for processing your data, or to change how we use your personal data, please contact us using the details below. You are in control of how we contact you. If you want to stop receiving email, make changes to the type of communications you get from us, or if your personal details change, please get in touch using the details in the ‘Contact us’ section below.

Who we are
Midlothian Sure Start is a charity registered in Scotland. Our charity No: SC031038.
Midlothian Sure Start is registered as a data controller with the Information Commissioner’s Office under the Data Protection Act 1998. Within the context of this privacy policy, ‘we’, ‘us’, ‘our’ or ‘MSS’ refers to Midlothian Sure Start.

Where we collect information about you from
We collect information in the following ways:
When you give it to us DIRECTLY

We collect personal information for many reasons, including to provide you with services, communicate with you and send you information that you have requested, and to process donations. Depending on how you interact with us, we may process data when you:

• register on our website to receive updates from us;
• request a service from us through agreeing to a third party completing a referral and registration form;
• become a member;
• sign up to our courses;
• fundraise on our behalf;
• donate to us or allow us to claim Gift Aid on your donations;
• apply for jobs or volunteer placements, or act as a freelancer for us;
• complete a survey or take part in research; or
• give personal data to us.

This information may be collected via any paper forms you complete, telephone conversations, emails, face-to face interactions, digital forms completed via our website, online surveys, third-party companies and websites such as Just Giving, Survey Monkey, Mail Chimp, publicly available sources, or communication via social media. Our donations and payment pages are provided by third-party secure payment processors.

When we collect it as you use our WEBSITE
Like most websites, we use cookies to help us make our website better. Cookies mean that a website will remember you. They’re small text files that websites transfer to your computer, phone or tablet. They make your visits to websites faster and easier, for example by automatically filling your name and address in the text fields.

We use cookies, like most websites, to help us provide you with the best experience when you visit our site. Some cookies are essential to the smooth running of our website, for example our donations pages rely on them.

Other cookies allow us to understand how visitors are interacting with our website, so that we can improve it. All browsers allow you to control which cookies you accept and which you delete. For more information about cookies, please see http://www.allaboutcookies.org/.

What types of information do we collect?
Non-personal information
This type of information does not tell us who you are, but it does help us to improve our services. When you visit and look around our website, we record things like your IP (internet protocol) address – the unique number of the device you are using to access our website, which pages you visit (on our website only), when they were visited, and the type of device you were using. This information helps us create a better experience for everyone who uses our website. Examples of the type of information that can be collected using your IP address include the type and version of your browser, and the location from which you are accessing our site. This helps us improve how our page templates appear and change content to make it relevant to our website visitors.

Personal information
This means any information that may be used to identify you, such as your name, telephone number, postal and email addresses, and your bank details if you are supporting us financially or purchasing services.

• Your full name, your child(ren)’s name(s), date(s) of birth, address(es), health and medical needs, development needs, and any special educational and support needs
• Where applicable we will obtain child protection plans from social care and health care plans from health professionals.
• We will also ask for information about who has parental responsibility for your child and any court orders pertaining to your child.
• Contact details including your postal address, telephone number(s), emergency contact details, family details and email address
• Records of your correspondence and engagement with us
• Donation history and Gift Aid details
• Information you may enter on the MSS website
• Occupation or other biographical information
• Other information you share with us

We also collect sensitive information about individuals. This includes information about health, religion, sexuality, ethnicity, political and philosophical beliefs, and criminal records. We will normally only record and share this information with our funders in an anonymised format to ensure that we are targeting our services at families who need our services.

How we use your personal data
Supporters
We would love to keep you up to date with our events and fundraising activity. We may use a range of methods to contact our supporters, including our website, email, direct mail, and occasional telephone calls. We will always gain your consent to contact you. We will send you marketing by post, on the basis of it being within our legitimate interests (see below section on ‘Our legal basis for processing your data’ for more information) to do so, unless you opt out. And we will also contact existing supporters by phone on this basis; unless they are have opted out of receiving marketing communications.

Why should you sign up for supporter communications from us?
If you don’t let us know your contact preferences, you could miss out on hearing about ways to get involved, fundraising events, success stories, and updates on the incredible work you’re supporting. You’ll hear from us how you want to, whether by post, phone, or email. You could choose all of these options, or just one or two. It’s up to you.

We send the following supporter marketing email communications from time to time:

• updates about MSS’s work, including newsletters, magazines, and other publications informing you about our work;
• appeals and fundraising activities, including requests for donations, information about how you can leave us a gift in your will, how you can raise money on our behalf, and invitations to attend or take part in fundraising events;
• information about how you can support MSS by volunteering.

We will never share or sell your personal data to a third-party organisation for its campaigning, marketing or fundraising purposes.

You can withdraw your consent, unsubscribe, or update your marketing preferences at any point by using the contact details in the ‘Contact us’ section below. If you make any changes to your consent, we will update your record as soon as we possibly can. Marketing email communications will be stopped immediately. Updates to contact preferences sent by email may take up to one week to process.

Administrative communications to supporters
In addition to the supporter communications that you receive, we will also communicate with you by post, telephone, and email to deal with any administrative matters. Even if you opt out of supporter communications from us, we may still need to communicate with you occasionally for administrative purposes. For example, we may contact you when you set up or cancel a Direct Debit to confirm your details. We may also need to contact you if there is a problem with a payment or in relation to your Gift Aid declaration. If you sign up to an event, we may contact you to provide all the information you need and to ask for details of your fundraising pages.

Business services and professional contacts
We may collect data about the professional contacts and partners we work with, or who have used our services
such as attending training courses or making referrals. Personal data collected in this way will be processed
according to data protection law and this policy.

We may send our professional contacts information and updates about our work by email and by post. You can opt out of receiving this information at any time. You can withdraw your consent, unsubscribe, or update your preferences at any point by using the contact details in the ‘Contact us’ section below. If you make any changes to your consent, we will update your record as soon as we possibly can. Email communications will be stopped within 1 week.

We keep a record of information relating to MPs, Peers, and other holders of public office, to help us carry out our campaigning activity. This will include keeping a record of contact details such as address, telephone number and email address, as well as publicly available information such as committee memberships.

As a member, we will send you information about your membership, including any voting opportunities and/or
member meetings, e.g. the Annual AGM. If you sign up to become a member of MSS, we have a contractual
obligation to provide you with the membership benefits you have signed up for. If you do not wish to receive
these benefits, let us know by getting in touch using the details in the ‘Contact us’ section below.

Services for families
We use personal data about your family in order to provide services and fulfil the contractual arrangement you
have entered into. This includes using your data to:

• contact you in case of an emergency
• to support your child(ren)’s wellbeing and development
• to manage any special educational, support, health or medical needs of your child(ren) whilst at our setting
• to carry out regular assessment of your child(ren)’s progress and to identify any areas of concern
• to maintain contact with you about your child(ren)’s progress and respond to any questions you may have
• to provide your family with holistic support
• to keep you updated with information about our service

With your consent, we will also record your child(ren)’s activities for their individual learning record (called This is Me). This may include photographs and videos. You will have the opportunity to withdraw your consent at any time, for images taken by confirming so in writing.

We have a legal obligation to process safeguarding related data about your child should we have concerns about their welfare. We are guided by best practice and will support your child(ren)’s transition to nursery and/or other services by sharing information with that setting, with your consent. You will have the opportunity to withdraw your consent at any time, by doing so in writing.

Our legal basis for processing personal data
We need a lawful basis to collect and use your personal data under data protection law. The law allows for six ways to process personal data (and additional ways for sensitive personal data). Five of these are relevant to the types of processing that we carry out at MSS. This includes information that is processed on the basis of:

• a person’s consent, for example, to use pictures in marketing materials;
• a contractual relationship, for example, to provide you with Early learning and childcare
• processing that is necessary for compliance with a legal obligation, for example accounting data, information needed to process a Gift Aid declaration, child protection concerns
• MSS’s legitimate interests (see below)

MSS’s legitimate interests:
Personal data may be legally collected and used if it is necessary for a legitimate interest of the organisation
using the data, if its use is fair and does not adversely impact the rights of the individual concerned. When we
use your personal information, we will always consider if it is fair and balanced to do so, and if it is within your
reasonable expectations. We will balance your rights and our legitimate interests to ensure that we use your
personal information in ways that are not unduly intrusive or unfair. Our legitimate interests include:

• charity governance: including delivery of our charitable purposes, statutory and financial reporting and
other regulatory compliance purposes;
• administration and operational management: including responding to solicited enquiries (referrals),
providing information and services, research, events management, administrating recruitment processes
for staff, volunteers and freelancers; and
• fundraising and campaigning: including administering campaigns and donations, and sending direct
marketing by post (and in some cases making marketing calls), sending thank you letters, analysis,
targeting and segmentation to develop communication strategies, and maintaining communication
suppressions (which we use to avoid sending materials to those who don’t want them).

If you would like more information on our uses of legitimate interests, or to change our use of your personal data in this manner, please get in touch with us using the details in the ‘Contact us’ section below.

When we may disclose your personal data
We will not share any of your personal data to any third party – except where:

• the transfer is to a secure data processor, which carries out data processing operations on our behalf, for example to process a Direct Debit or credit card payment or to manage a fundraising mailing;
• we are required to do so by law, for example to law enforcement or regulatory bodies where this is required or allowed under the relevant legislation;
• it is necessary to protect the vital interests of an individual – i.e. where a child is at risk of significant harm or to protect someone’s life; or we have obtained your consent.

Who we share your data with
In order for us to deliver services we will also share your data as required with the following categories of recipients:

• The Care Inspectorate – during an inspection or following a complaint, incident or accident related to our service

• banking services to process chip and pin and/or direct debit payments (as applicable)
• the Local Authority (if you are entitled to free childcare)
• our insurance underwriter (if applicable)
• the nursery or other services that your child(ren) will be attending

We will also share your data if:

• We are legally required to do so, for example, by law, by a court or the Charity Commission;
• to enforce or apply the terms and conditions of your contract with us;
• to protect your child and other children; for example by sharing information with social care, health or the police;
• it is necessary to protect our/others rights, property or safety
• We transfer the management of the setting, in which case we may disclose your personal data to the prospective operator so they may continue the service in the same way.

We will never share your data with any other organisation to use for their own purposes.

Management information, research, and learning analytics
We may analyse data on referrals, survey responses, attendance and engagement, and service utilisation data in order to: understand the relationship between our services and outcomes for families; support service and programme quality assurance; enhance the quality of the Organisation’s learning and development; enhance the Organisation’s support services; and to enable families, stakeholders and funders to understand the reach and impact of our services. While we will where possible use anonymised data for these purposes, in some cases we will use personal data where there is a legitimate interest in doing so. Where we use personal data for these purposes, we will ensure that any published information is anonymised.

How do we protect your data?
We protect unauthorised access to your personal data and prevent it from being lost, accidentally destroyed, misused, or disclosed by:

• Complying with Data Protection Legislation, through our Data Protection Policy, which ensures we:
• Keep all paperwork containing your personal data securely stored at all times
• Password protect all electronic record, and only share these records securely with the appropriate people
• Follow the Data Retention Schedule which outlines how long we need to keep information for
• Destroy data when we are no longer required to keep it in a secure way
• Staff are confident in their Data Use and Protection knowledge and practice
• We use appropriate technical and organisational measures and precautions to protect your personal data and to prevent the loss, misuse or alteration of your personal data. For example, we use trusted thirdparty suppliers to provide secure pages for financial transactions taking place on our website, meaning that your details are safe when you buy products from our shop or give us a donation.
• Unfortunately, sending information via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of the data sent to our website on standard pages (any pages other than when you are buying products or when you’re making a donation). Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access.

How we use data processors
We use third-party suppliers to provide secure pages for transactions and donations, website hosting and database hosting. This means that your data will be captured and processed by these suppliers. We may also use a third-party supplier to manage campaigns and fundraising appeals, or conduct surveys. We actively check these companies to ensure your privacy and security is protected. These third-party suppliers are only permitted to use the data in accordance with data protection law, under instruction from us, and in accordance with a data processing agreement made between MSS and the supplier.

It may sometimes be necessary to transfer personal information overseas. When this is needed, any transfers made will be in full compliance with all aspects of data protection law.

You can find out more about the suppliers we use by getting in touch with us using the details in the ‘Contact us’ section below.

How long we keep your data
The length of time we keep your data may depend on the reasons we are processing it, on the law or regulations that the information falls under, such as financial regulations, Limitations Act, Health and Safety regulations, or on any contractual obligation we might have, such as with government contracts. For business case data, we will anonymise the data so no individual is identifiable.

We retain your child’s personal data for up to 25 years after your child no longer uses our setting. Registration and referral forms, client consent forms and contracts, medication records, risk benefit analyses, attendance registers and accident/incident records are kept for longer according to legal requirements. Your child(ren)’s learning and development records are maintained by us and handed to you when your child leaves.

In some instances (child protection, or other support service referrals) we are obliged to keep your data for longer if it is necessary to comply with legal requirements (see our Data Protection Policy and Data Retention Schedule).

Once the retention period has expired, we will confidentially dispose of or permanently delete your information.

If you ask not to be contacted by us, we will keep some basic information about you on our suppression list to avoid sending you unwanted materials in the future.

Automated decision-making
We do not make any decisions about your child based solely on automated decision-making.

Your rights to your personal information
You have a right to request a copy of the personal information we hold about you, and to have any inaccuracies corrected. You also have the right to request that we erase your personal information, restrict our processing of your personal information or to object to our processing of your personal information. You have the right to request that we transfer your, and your child(ren)’s personal data to another person. If you wish to exercise these rights, we may need you to prove your identity with two pieces of approved identification. Please submit requests using the contact details below and we will respond within 28 days. Please provide as much information as possible about the nature of your contact with us to help us locate your records, including all of the email addresses you have used when in contact with us.

Where you have provided your consent for us to use your personal information, you always have a right to withdraw your consent at any time.

Your ability to edit and delete your account information preferences
The accuracy of your personal information is important to us. You can edit your account information, including your address and contact details at any time. If you would like to change your preferences or update the details we hold about you, please get in touch using the details in the ‘Contact us’ section below. If you would like changes to be made to your personal details, please tell us all of the email addresses you have used when in contact with us so we can locate all of your details.

How MSS protects children’s privacy
We collect and manage information from children, and aim to manage it in a way which is appropriate to the age of the child. Information is usually collected as above when we talk about working with families.

Where possible and appropriate we will seek consent from a parent or guardian, if the child is under 13, or consent from the young person, if they are aged 13-17, before collecting information.

How you can find out more about your rights
The way we collect and use personal data on this site is in accordance with the General Data Protection Regulation (GDPR) and the Data Protection Act. Your rights will be observed and honoured at all times. Please visit the Information Commissioner’s Office for further information at http://www.ico.org.uk.

If you wish to exercise any of these rights at any time or if you have any questions, comments or concerns about this privacy notice, or how we handle your data please contact us.

If you continue to have concerns about the way your data is handled and remain dissatisfied after raising your concern with us, you have the right to complain to the Information Commissioner Office (ICO). The ICO can be contacted at Information Commissioner’s Office, 45 Melville Street, Edinburgh, EH3 7HL or ico.org.uk.

Contact us
If you have any questions about this policy, would like more information, or want to exercise any of your rights in relation to data protection, you can get in touch with us in the following ways:

• Email us at dataprotection@midlothiansurestart.org.uk
• Telephone us at 0131 654 0489
• Write to us at Midlothian Sure Start, McSense, Colliery Court, 23 Sycamore Road, Mayfield, EH22 5T

Changes to this notice
We keep this notice under regular review. You will be notified of any changes where appropriate.