This page features separate privacy notices for:
General Privacy Notice
Introduction
This is Milestones Trust’s general Privacy Notice. If you are an employee, volunteer or Trustee, or an applicant/candidate, or a person we currently support, please refer to those separate Employee Privacy Notices.
Milestones Trust is a charitable trust limited by guarantee, registered in England under company number 2011021. Registered Charity No: 294377.
Milestones Trust is the controller for the personal information we process, unless otherwise stated.
Registered address: Unit 10, Eclipse Office Park, High Street, Staple Hill, Bristol BS16 5EL.
The Data Protection Officer for Milestones Trust can be contacted via email: dpo@milestonestrust.org.uk or by telephoning 0117 970 9300.
Definitions
We are required to process personal data as part of the services we offer and as an employer.
‘Processing’ can mean collecting, recording, organising, storing, sharing or destroying data.
‘Personal data’ is defined by Data Protection legislation as “any information relating to an identifiable person who can be directly or indirectly identified”. In simpler terms, it is any information about you that enables you to be identified. Personal data covers obvious information such as your name and contact details, but it also covers less obvious information such as identification numbers and CCTV images.
‘Special Category’ data is defined as personal data that is likely to be more sensitive and has extra protection under data protection law. It includes personal data about:
- racial or ethnic origin
- political opinions
- religious or philosophical beliefs
- trade union membership
- genetic data
- biometric data (where used for identification purposes)
- health
- sex life
- sexual orientation
We are committed to being transparent about why we need your personal data and what we do with it. This information is set out in this Privacy Notice. It also explains your rights in relation to your data.
The lawful bases we rely on
We have to have a lawful basis under GDPR for processing personal data and a separate lawful basis for processing any ‘Special Category’ data.
Our lawful basis for processing will depend on the processing. For example, we will rely on Legal Obligation to process personal data where we are required by law to do that. If we are taking steps to enter, or are entering a contract with you, Contract is likely to be the lawful basis we rely on. We may have a ‘Legitimate Interest’ where the processing is necessary for us to carry out our core business aims, and we couldn’t do that otherwise. We may also sometimes rely on Consent e.g., if we collected personal data for one purpose but would like to use if for something else.
The Special Category data we process includes that which is related to our management of health and social care services and as employers or as our management of the charity. Some special category information is processed in the Substantial Public Interest, such as checks we carry out around suitability of our Trustees. We also process criminal offence/convictions data where necessary (GDPR Article 10) and this includes for people providing one-to-one complementary therapy sessions with people we support. We have an Appropriate Policy Document in place for these purposes.
People we support
We have a separate Privacy Notice for the people we are currently supporting, including an Easy Read version available but the key points are given here, as you may be thinking about being supported by the Trust:
What personal data we process
So that we can provide a safe and professional service, we need to keep certain records about you. We may process the following types of data (including special category data):
- Basic details and contact information e.g. your name, address, date of birth and next of kin.
- Financial details, for example details of how you pay us for your care or your funding arrangements, and where we support you to manage your money.
- Health and social care information about you, which might include both your physical and mental health data. This includes information provided by other services, such as Health and care workers, voluntary agencies.
- We may also record data about your race, ethnic origin, sexual orientation or religion to support us delivering a person-centred service.
- Information about the support and care we deliver, such as daily diaries, support plans and risk assessments.
- Information about meetings we have with you and / or that are about your support e.g., when we plan activities, if we have Best Interests meetings.
- Information you or other people who know you have given us.
- Information we have given you.
Why and how we process this data
We need this data so that we can provide high-quality care and support. We process your data (including special category data) because:
- It’s necessary in order for us to provide you with person-centred care and support using information that is accurate and up to date.
- We have legal obligations to keep records of care and support, and financial transactions.
- It is necessary for our proper management of health and social care services.
- We are required to provide data to our regulator, the Care Quality Commission (CQC).
- We can refer to this information if you have a complaint about the serviced you’ve received.
- We use a digital care planning system called Nourish for care and support planning and a system for referrals and also have some paper records.
We may also process your data with your explicit consent. This will happen if we want to use your information for a reason that’s different from why we collected it in the first place e.g., a photo to go in our internal magazine or if you wanted to be in a video for the website. If we need to ask for your consent we will offer you a clear choice and ask that you confirm consent to us before we use that information. We will also explain clearly to you what we need the data for and how you can withdraw your consent at any time.
Who we share personal data about you with
Third parties are people or organisations we might lawfully ask for or share your data with. These include:
- Other parts of the health and care system such as local hospitals, the GP, the pharmacy, social workers, clinical commissioning groups, and other health and care professionals.
- The Local Authority.
- Housing Associations where you have or are looking to have a tenancy or licence with them.
- Organisations or people who you have a legal relationship with, for example DWP Appointeeship, Power of Attorney or Deputyship.
- Third party organisations like Access Social Care – with your permission.
- Complementary Therapists – with your permission or as part of a Best Interests decision.
- Nourish – where we keep care and support planning information.
- Your family or friends – with your permission unless already stated and/or as part of Best Interests decision making where appropriate.
- Organisations we have a legal obligation to share information with i.e. for safeguarding, the Care Quality Commission (CQC).
- The police or other law enforcement agencies if we have to by law or court order.
- Our solicitors, where we have a legitimate interest in doing so.
Where we process your data
We process data in the UK. This includes face to face, phone, email, website, post, application/referral forms, Connecting Care portal, systems that record information about incidents and accidents (AssessNet, CCTV) and may also do this via apps.
So that we can provide you with high quality care and support we need specific data. This is collected from or shared with:
- The individual or their legal representative(s).
- Third parties including as part of the referral process.
Friends/relatives
What personal data we have
As part of our work providing high-quality care and support, it might be necessary that we hold the following information on you:
- Your basic details and contact information e.g. your name and address, phone number/s and email address.
- Information on your relationship to the person we support including any legal relationship e.g., Power of Attorney, Deputyship.
Why and how we process this data
By law, we need to have a lawful basis for processing your personal data.
We process personal data about you because we have a legitimate business interest in holding next of kin and lasting power of attorney or other legal relationship information about the individuals who use our service so that we are confident we are only communicating with the right people. We may ask for proof of identity before disclosing information to you.
We may also process your data with your consent. If we need to ask for your permission, we will offer you a clear choice and ask that you confirm to us that you consent. We will also explain clearly to you what we need the data for and how you can withdraw your consent.
Who we share personal data about you with
Third parties are people or organisations we might lawfully ask for or share your data with include:
- Other parts of the health and care system such as local hospitals, social workers and other health and care professionals.
- The Local Authority.
- Third party organisations like Access Social Care – with your permission.
- Organisations we have a legal obligation to share information with, for example for safeguarding, the Care Quality Commission (CQC).
- Organisations where you have a legal relationship with the person we support, for example DWP Appointeeship, Power of Attorney or Deputyship.
- The police or other law enforcement agencies if we have to by law or court order.
- Our solicitors if we have a legitimate interest in doing so
Where we process personal data
We process your data in the UK. We do this face to face, and/or via phone, email, our website, post, application/referral forms, Connecting Care portal, systems that record information about referrals, and incidents and accidents (AssessNet, CCTV), and may also do this via apps.
Information is collected from or shared with:
- You
- Third parties, for example as part of the referral process
Contractors, people on work placements who are unpaid, corporate volunteers, Complementary Therapists
What personal data we process
We need to keep certain records about you or your company in order to ensure services are safe and we are fulfilling any obligations and responsibilities. We may have a contract in place or we may have a Legitimate Interest in doing this as processing is necessary in helping us be sure the services we deliver to people we support (including through visiting contractors, student placements etc.) are safe, and we could not do so otherwise. We also have a Legal Obligation to process some data.
We may process the following types of data (including special category data):
- Basic details and contact information e.g. your name, address, contact details, company name and details, date of birth.
- Identity verification documents.
- Financial details, for example funding arrangements or how we pay you for services delivered.
- Health information which might include both physical and mental health data only if appropriate, for example to support a placement.
- We may also record data about your race, ethnic origin, sexual orientation or religion, where this is required.
- We also process Criminal Conviction data where necessary, for example for students or complementary therapists who work 1-1 with people we support. We have an Appropriate Policy Document in place for this processing.
Why and how we process this personal data
We need this data so that we can provide safe and high-quality care and support. We process your special category data because:
- It is necessary in order for us to provide person-centred care and support.
- It is necessary for our management of health and social care services.
- We are required to provide data to our regulator, the Care Quality Commission (CQC).
- We have to fulfil legal obligations.
- To fulfil contractual obligations.
- Basic information that relates to you may be held in Nourish.
Who we share personal data about you with
People or organisations we might lawfully ask for or share your data with include:
- Other parts of the health and care system if necessary.
- The Local Authority.
- Organisations we have a legal obligation to share information with i.e. for safeguarding, the Care Quality Commission (CQC), the Health and Safety Executive (HSE).
- The university you are a student at or company you volunteer through.
- The police or other law enforcement agencies if we have to by law or court order.
- Our solicitors where this is necessary.
Where we process personal data
We process data face to face, and/or via phone, email, our website, post, application forms, Nourish, systems that record information about incidents and accidents (AssessNet, CCTV), Dayforce and may also do this via apps.
We may also use a US based company as a data processor to carry out background checks as part of our screening processes. Sterling has self-certified against the UK Extension to the EU-U.S. Data Privacy Framework.
The data we collect about you is collected from or shared with:
- You
- Third parties
On a need-to-know basis.
Employees, volunteers and Trustees
We have separate Employee and Applicant/Candidate Privacy Notices, which cover our processing for applicants, candidates and staff, volunteers and Trustees.
Our website
In order to provide you with the best experience while using our website, we process some data about you. When someone visits www.milestonestrust.org.uk we use a third-party service, Google Analytics, to collect standard internet log information and details of visitor behaviour patterns. We do this to find out things such as the number of visitors to the various parts of the site. This information is only processed in a way which does not identify anyone. We do not make, and do not allow Google to make, any attempt to find out the identities of those visiting our website. You can find more information on how cookies are used on this website in our Cookies Policy here.
If we do want to collect personally identifiable information through our website, we will be up front about this. We will make it clear when we collect personal information and will explain what we intend to do with it.
Getting in touch
On our get in touch page we ask you to supply personal information, which allows us to get back in touch with you. Your enquiry is received by our reception team, who then forward the email on to the relevant person, depending on your enquiry. Your personal information isn’t stored and the emails are deleted by the reception team once they have been forwarded on.
Newsletter sign up
As part of the registration process for our Recruitment and Friends of Milestones e-newsletters, we collect personal information.
For our Recruitment e-newsletter, we use that personal information to let you know about the current Milestones Trust job opportunities. If you no longer wish to receive this, you can let us know by clicking ‘unsubscribe’ at any time.
For our Friends of Milestones e-newsletter, we use that personal information to let you know about what we’ve been up to and our upcoming events. If you no longer wish to receive this, you can let us know by clicking ‘unsubscribe’ at any time.
We may also use the information from both e-newsletters to contact you if we need to obtain or provide additional information; to check our records are right and to check every now and then that you’re happy and satisfied. We don’t rent or trade email lists with other organisations and businesses.
We use a third-party provider, MailChimp, to deliver our newsletter. We gather statistics around email opening and clicks using industry standard technologies to help us monitor and improve our e-newsletter. For more information, please see MailChimp’s privacy notice.
You can unsubscribe to general mailings at any time by clicking the unsubscribe link at the bottom of any of our emails or by emailing our marketing team on marketing@milestonestrust.org,uk
Links to other websites
This privacy notice does not cover the links within this site linking to other websites. Those sites are not governed by this Privacy Notice, and if you have questions about how a site uses your information, you’ll need to check that site’s privacy statement.
How we protect your personal data
We have technical and organisational measures in place to protect your personal data and keep it secure. These include GDPR-compliant contracts with our processors, policies and procedures, setting access controls and permissions to folders and systems, using password protection, using secure email and making sure all staff are trained to understand their obligations around data protection. Information is stored, retained and disposed of in line with our policies and Retention Schedule and we do not keep your information any longer than we need to.
How long we process data for
Our Retention Schedule sets out the retention timescales for the different information we process. In line with data protection regulations we will not ask for more information than we need and do not keep data any longer than we have to.
Your rights
You have the following rights when it comes to your data:
- Right to be informed: We are transparent about how and why we collect and use your data and this Privacy Notice tells you about this.
- Right of access: You have the right to request a copy of the data we keep about you. Email your request to our data protection officer on dpo@milestonestrust.org.uk You may need to provide adequate information for identification, for example, a passport or driver’s licence. This is to make sure that data is not shared with the wrong person inappropriately. We will always respond to your request as soon as possible and at the latest within one month.
- Right to rectification: You have the right to ask us to correct any data we have which you believe to be inaccurate or incomplete. You can also request that we restrict the processing of your data while we consider your rectification request.
- Right to erasure: You have the right to ask that we erase any of your personal data which is no longer necessary for the purpose we originally collected it for. This is not an absolute right and we may need to continue using your information. We will tell you if this is the case.
- You can also ask for your data to be erased if we have asked for your consent to process any of your data. You can withdraw consent where it has been provided at any time – please contact us to do so.
- Right to restrict processing: You may request that we restrict processing if we no longer require your personal data for the purpose we originally collected it for but you do not wish for it to be erased.
- Right to portability: You have the right to request your personal data in a way that is accessible and machine-readable, for example as a csv file. You also have the right to ask us to transfer your data to another organisation.
- Right to object: If we are processing your data as part of our legitimate interests as an organisation or in order to complete a task in the public interest, you have the right to object to that processing. This is not an absolute right and we may need to continue using your information. We will tell you if this is the case.
- Rights related to automated decision-making including profiling: Where any activities involve this, e.g., as part of the recruitment process, we ask for explicit consent and do not rely solely on this information.
Further information
If you have any concerns or questions please contact the DPO by emailing dpo@milestonestrust.org.uk or phoning 0117 970 9300.
If you wish to complain about how we have dealt with your request, please contact:
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Changes to this Privacy Notice
We keep our privacy notice under regular review. This privacy notice was last updated on 25th March 2024.
Applicants and Candidates Privacy Notice
Introduction
This is Milestones Trust’s Privacy Notice for applicants and candidates. It covers paid and unpaid roles.
Milestones Trust is a charitable trust limited by guarantee, registered in England under company number 2011021. Registered Charity No: 294377
Milestones Trust is the controller for the personal information we process, unless otherwise stated.
Registered address: Unit 10, Eclipse Office Park, High Street, Staple Hill, Bristol BS16 5EL
The Data Protection Officer for Milestones Trust can be contacted by emailing dpo@milestonestrust.org.uk or calling 0117 970 9300.
Definitions
We are required to process personal data about our people applying for roles with Milestones Trust.
‘Processing’ can mean collecting, recording, organising, storing, sharing or destroying data.
‘Applicant’ The term ‘applicant’ applies to anyone applying for a post (paid or unpaid) with Milestones Trust and covers successful and unsuccessful applications.
‘Candidate’ The term Candidate refers to ‘active applicants’ that have been screened and verified as qualifying for the requirements of the job or role opening and therefore likely to proceed to interview.
‘Personal data’ is defined by Data Protection legislation as “any information relating to an identifiable person who can be directly or indirectly identified”. In simpler terms, it is any information about you that enables you to be identified. Personal data covers obvious information such as your name and contact details, but it also covers less obvious information such as identification numbers and CCTV images.
‘Special Category data’ is defined as personal data that is likely to be more sensitive and has extra protection under data protection law. It includes personal data about:
- racial or ethnic origin
- political opinions
- religious or philosophical beliefs
- trade union membership
- genetic data
- biometric data (where used for identification purposes)
- health
- sex life
- sexual orientation
‘Verification’ The term “verification” refers to the process of checking that details supplied by applicants (e.g. identity, qualifications) are accurate and complete.
We are committed to being transparent about why we need your personal data and what we do with it and this Privacy Notice explains that and advises you of your rights in relation to the information we process. We will only ask you for the information we need from you at each stage of the recruitment process and will securely store it whilst in use then securely dispose of it in line with our retention schedule.
We have a separate Privacy Notice for Employees, Volunteers and Trustees which includes anyone employed by Milestones Trust including on a casual ‘Bank’ contract, volunteers (excluding corporate volunteers) and Trustees, and others. Successful candidates will be issued with the Employee, Volunteer and Trustee Privacy Notice during the onboarding process.
The lawful bases we rely on
As we’re taking steps towards potentially entering into a contract with you, we rely on ‘Contract’ as our lawful basis for much of the pre-recruitment data processing we carry out (the stages at which you’re an applicant or candidate). We may also have a Legitimate Interest or a Legal Obligation in processing information about you when you apply for a role (paid or unpaid) with Milestones Trust and where that’s the case we use those bases. We may also ask your Consent for the provision of some information.
We process Special Category data and Criminal Conviction data as part of our obligations in managing health and social care services and as employers and have an Appropriate Policy Document in place. We are required by the Government to provide statistics on vaccinations so we ask for this information and provide it in anonymous format where this has been given to us.
What personal data do we process?
As above, in addition to the personal data you provide as part of your application and give us as part of any interview process we may also request special category and criminal offence and conviction data from you at certain stages of the application and recruitment process. We will only do this where asking for it is necessary and relevant to the role you’re applying for and in line with the Rehabilitation of Offenders Act 1974. We process this data as part of our obligations in managing health and social care services and our legal obligations as employers.
As part of the application and onboarding process (for successful candidates) we may record the following types of data:
- Your basic details and contact information e.g. your name, address, contact number/s / email, date of birth, National Insurance number
- Education and employment history
- Financial information so payroll can set successful candidates up on our systems
- Financial details so that we can pay authorised expenses to volunteers and Trustees
- HMRC information (for due diligence purposes – Trustees)
The Special Category data we ask for may include:
- Information about disabilities – to ensure reasonable adjustments are considered at interview and where possible to facilitate adaptations in the workplace/volunteering environment for successful candidates. We will only collect this if it is necessary for us to know and so we can support Occupational Health referral where appropriate for successful candidates.
- Evidence of your right to work in the UK.
- Whether you’ve had some vaccinations.
- We may also, with your permission, record data about your race, ethnic origin, sexual orientation or religion – to monitor equality of opportunity.
- Special category biometric data, that is, biometric data used for unique identification purposes.
- Criminal offences and convictions where necessary to assess suitability in relation to the role you’re applying for. Depending on the role being applied for you may be required to undergo a Disclosure and Barring Service (DBS) check (Criminal Record Check) as part of the recruitment process and for update checks. We do not keep this data once we’ve seen it but keep enough so we can evidence we’ve seen it.
Why and how we process your personal data
We require this data so that we can facilitate a fair and transparent process of screening applications for role suitability based on the job/role description and person specification, to comply with the law and to make sure we provide safe services to the people we support in line with our contracts and regulations.
We process your data (including special category and criminal conviction data) because:
- We are taking the steps necessary prior to entering into a contract with you and / or entering into a contract with you
- We have Legal Obligations under UK employment law and the Health and Social Care Act
- We have Legal Obligations in relation to the Charities Act
- We have a Legitimate Interest in asking about vaccinations e.g., because the government ask us to report on how many employees have said they’ve had these (this is provided in an anonymous format)
- You have chosen to provide us with personal / special category information
- We are required to provide data to our regulator, the Care Quality Commission (CQC), as part of our public interest obligations
- It is necessary to support Occupational Health referrals
- We have a legal requirement to do so
- Processing some information e.g., on suitability for trustee roles, is in the substantial public interest
Recruitment newsletter sign up
As part of the registration process for our Recruitment e-newsletters, we collect personal information and, where you’ve opted in to receive it, use it to let you know about the current Milestones Trust job opportunities. If you no longer wish to receive this you can let us know by clicking ‘unsubscribe’.
Where we process your data
We process your data in the UK. We do this face to face as well as via phone, email, post, online application forms, website and via our systems including the HR ‘Dayforce’ system. Some sites have CCTV.
We may also use a US-based company as a data processor to carry out background checks as part of our recruitment processes. Sterling has self-certified against the UK Extension to the EU-U.S. Data Privacy Framework. You may also use Yoti for this reason. Yoti and Sterling work together to process background checks and provide the information from the checks to us.
The personal data we process about you as an applicant/candidate is collected from:
- You – as part of your application and/or newsletter sign up
- Third parties e.g. reference information, government bodies (Home Office) regarding rights to work in the UK.
Who we share your personal data with
In order to process your application, and, where successful, to support the onboarding process, the information you provide will be shared with the following:
- Our recruitment team who will liaise with you about the next steps in the process
- Trustee application information is reviewed by the Executive Assistant and then the Recruitment Manager to process DBS applications and refresh applications
- VZLA Ltd. who we use in relation to profiling exercises which are part of selection for some roles
- The person responsible for interviewing you (special category information will not be provided at that point)
- Our onboarding and payroll team if you are successful so we can get you set up on our systems
- Her Majesty’s Revenue and Customs (HMRC)
- Home Office in relation to rights to work in the UK. We retain this evidence for the duration of employment and for two years afterwards. It is then securely destroyed.
- BHSF for Occupational Health clearances
- The police for the prevention and detection of crime (if necessary)
- DDC (Due diligence Checking) for our Disclosure and Barring Service (DBS) checks if you are offered a role and the role requires these checks to be carried out.
We will not share more information than we need to for the purpose we collect it.
How we protect your personal data
When we receive your application, we save it in our Dayforce system and share what we need to with Sterling for the background checks process. We have technical and organisational measures in place to protect your personal data and keep it secure. These include having GDPR compliant contracts in place with processors, setting controls and permissions to folders and systems, our policies and procedures, using password protection, using secure email and making sure all staff are trained to understand their obligations around data protection. Information is stored, retained and disposed of in line with our policies and Retention Schedule and we do not keep your information any longer than we need to. Milestones Trust has a Caldicott Guardian as well as a Data Protection Officer to support the protection of personal data.
How long we process your data for
Our Retention Schedule sets out the retention timescales for the different documents we process. For example, in relation to rights to work in the UK, we retain evidence for the duration of employment and for two years afterwards. It is then securely destroyed. In line with data protection regulations we will not ask for more information than we need and do not keep data any longer than we have to. All unsuccessful applications will be destroyed after a maximum of 6 months.
Your rights
You have the following rights when it comes to your data:
- Right to be informed: We are transparent about how and why we collect and use your data and this Privacy Notice tells you about this
- Right of access: You have the right to request a copy of the data we keep about you. Email your request to our data protection officer on dpo@milestonestrust.org.uk. You may need to provide adequate information for identification, for example, a passport or driver’s licence. This is to make sure that data is not shared with the wrong person inappropriately. We will always respond to your request as soon as possible and at the latest within one month.
- Right to rectification: You have the right to ask us to correct any data we have which you believe to be inaccurate or incomplete. You can also request that we restrict the processing of your data while we consider your rectification request
- Right to erasure: You have the right to ask that we erase any of your personal data which is no longer necessary for the purpose we originally collected it for. This is not an absolute right and we may need to continue using your information. We will tell you if this is the case.
- You can also ask for your data to be erased if we have asked for your consent to process any of your data. You can withdraw consent where it has been provided at any time – please contact us to do so.
- Right to restrict processing: You may request that we restrict processing if we no longer require your personal data for the purpose we originally collected it for but you do not wish for it to be erased.
- Right to portability: You have the right to request your personal data in a way that is accessible and machine-readable, for example as a csv file. You also have the right to ask us to transfer your data to another organisation
- Right to object: If we are processing your data as part of our legitimate interests as an organisation or in order to complete a task in the public interest, you have the right to object to that processing. This is not an absolute right and we may need to continue using your information. We will tell you if this is the case.
- Rights related to automated decision-making including profiling: Where any activities involve this, e.g., as part of the recruitment process, we ask for explicit consent and do not rely solely on this information.
Further information
If you have any concerns or questions please contact the Data Protection Officer by emailing dpo@milestonestrust.org.uk or phoning 0117 970 9300.
If you wish to complain about how we have dealt with your request, please contact:
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Changes to this Privacy Notice
We keep our privacy notice under regular review. This privacy notice was last updated on 25th March 2024.
Employees, Volunteers and Trustees Privacy Notice
Introduction
This is Milestones Trust’s Privacy Notice for Employees, Volunteers and Trustees.
Milestones Trust is a charitable trust limited by guarantee, registered in England under company number 2011021. Registered Charity No: 294377.
Milestones Trust is the controller for the personal information we process, unless otherwise stated.
Registered address: Unit 10, Eclipse Office Park, High Street, Staple Hill, Bristol BS16 5EL.
The Data Protection Officer for Milestones Trust can be contacted via email: dpo@milestonestrust.org.uk or by telephoning 0117 970 9300.
Definitions
‘Processing’: As part of the services we offer, we are required to process personal data about our employees, volunteers and Trustees. “Processing” can mean collecting, recording, organising, storing, sharing or destroying data. Employees include anyone employed by Milestones Trust including on a casual ‘Bank’ contract. This Privacy Notice covers our processing of information for volunteers (excluding corporate volunteers) and Trustees as well as employees. We have separate Privacy Notices for candidates/applicants and others.
‘Employee’: An employee is someone who works under an employment contract. This Privacy Notice also covers Bank and Casual staff.
‘Volunteer’: A volunteer undertakes unpaid activities that benefit Milestones Trust
‘Trustee’: Milestones Trust Trustees are the people who share ultimate responsibility for governing the charity and directing how it is managed and run.
‘Personal data’ is defined by Data Protection legislation as “any information relating to an identifiable person who can be directly or indirectly identified”. In simpler terms, it is any information about you that enables you to be identified. Personal data covers obvious information such as your name and contact details, but it also covers less obvious information such as identification numbers and CCTV images.
‘Special Category data’ is defined as personal data that is likely to be more sensitive and has extra protection under data protection law. It includes personal data about:
- racial or ethnic origin
- political opinions
- religious or philosophical beliefs
- trade union membership
- genetic data
- biometric data (where used for identification purposes)
- health
- sex life
- sexual orientation
‘Verification’: The term “verification” refers to the process of checking that details supplied by employees (for example identity, right to work, qualifications) are accurate and complete.
We are committed to being transparent about why we need your personal data and what we do with it. This information is set out in this Privacy Notice. It also explains your rights in relation to your data.
The lawful bases we rely on
We have to have a lawful basis for processing your personal data and a separate lawful basis for processing ‘Special Category’ data.
For example, we have Legal Obligations under UK employment law and the Charities Act and we also have a ‘Legitimate Interest’ in processing some information e.g. where the processing is necessary in order for us to carry out our core business aims of providing safe services to the people we support and we couldn’t do that otherwise. Sometimes there may be contractual changes where we rely on Contract under GDPR and on occasion we may ask for your consent to specific processing activities.
We process Special Category data as part of our obligations using the lawful basis of Employment, Social Security and Social Protection (with a basis in law) and using the lawful basis relating to the management of health and social care services where applicable. This includes our processing of Criminal Offence/Convictions data. We have an Appropriate Policy Document in place where we rely on the Employment lawful basis.
What personal data do we process?
So that we can provide a safe and professional service to you and the people we support, we need to process certain personal data about you. This may include:
Employees
- Your basic details and contact information e.g. your name, address, date of birth, National Insurance number and next of kin.
- Identity verification documents.
- Your financial details e.g. detail so that we can pay you, insurance, pension and tax details.
- Your employment Terms and Conditions.
- Your training records, work experience, qualifications.
- Information about any disciplinary action.
- Information related to accidents connected with work.
Volunteers
Volunteers are clearly distinct from employees in terms of responsibilities and rights however we still require certain personal information including:
- Your basic details and contact information e.g. your name, address, date of birth
- Identity verification documents
- Emergency Contact details
- Your financial details so that we can pay you expenses
Trustees
Being a Trustee is a voluntary role with particular duties and responsibilities as laid out in charity law. The Trustee information we’re required to process includes:
- Name, address, date of birth
- Identity verification documents
- Financial details so that we can pay authorised expenses
- Declarations e.g. interests, conflicts of interest, and eligibility as this is in the Substantial Public Interest
- Qualification/disqualification data (for due diligence purposes)
- HMRC and Companies House checks information (for due diligence purposes)
Depending on role and responsibilities the following types of Special Category data may also be processed for employees, volunteers and Trustees:
- Health data, which might include both your physical and mental health information. We will only collect this if it is necessary for us to know for your job or role, e.g. fit notes or in order for you to claim statutory maternity/paternity pay or occupational health referrals
- Vaccination data, because the government ask us to report on how many employees have said they’ve had these (this is provided in an anonymous format if you tell us about your vaccinations)
- Trade Union membership e.g., some people request subscription to be automatically deducted (this is only done with your consent)
- We may also, with your permission, record data about your race, ethnic origin, sexual orientation or religion, trade union membership
- Special category biometric data, that is, biometric data used to uniquely identify you, for example to help establish your right to work in the UK.
Depending on your job or role you may also be required to undergo a Disclosure and Barring Service (DBS) check (Criminal Record Check) as part of the recruitment process for paid and unpaid roles and for update checks. We do not keep this data once we’ve seen it but keep enough so we can evidence we’ve seen it.
Why and how we process your personal data
We require your personal data so that we can comply with the law, contact you, pay you and make sure you receive any training and support you need to perform your job or role, support your wellbeing and make sure we are providing safe governance and services to the people we support in line with our contracts and legal obligations and regulations.
We process your data because, for example:
- We have a contract of employment with you
- We have a legal obligation under UK employment law, Charity and common law and Health and Safety law
- We have a Legitimate Interest. Processing your personal data is necessary for us to be able to carry out our core business functions
- You have given us consent to do so in situations where this is relied on
- We are required to provide data to our funders and regulator, the Care Quality Commission (CQC), as part of our public interest obligations
- We need to undertake due diligence checks for potential Trustees.
We process ‘Special Category’ data about you because, for example:
- It is necessary for us to process requests for sick pay or maternity pay etc.
- It is necessary to support Occupational Health referrals
- We have a legal obligation in relation to trade unions
- It is necessary to evidence compliance
- The government have asked us to provide anonymised data and we ask you for it to support that request e.g., vaccination data
- We have a legal obligation in relation to right to work in the UK
- It is in the Substantial Public Interest to check Trustees continuing eligibility to act
If we request your criminal records data, e.g., an update of your DBS, it is because we have a legal obligation to do this due to the type of work you do or the role you have with us. This is set out in the Data Protection Act 2018 and the Rehabilitation of Offenders Act 1974 (Exceptions) Order 1975. We do not keep a record of your criminal records information (if any).
We process your data in the UK. We do this face to face as well as via: phone, email, staff intranet, post, application forms, via systems including the HRIS ‘Dayforce’ (Ceridian Dayforce) system, training portals, AssessNet, CCTV, File Maker and CM2000 and our 3rd party managed service provider and first line support providers for IT related issues.
We also use a US-owned company as a data processor to carry out background checks as part of our screening processes. Sterling has self-certified against the UK Extension to the EU-U.S. Data Privacy Framework. Yoti is an app also used for this reason. Yoti and Sterling work together to process background checks and provide the information from the checks to us.
The personal data we process is collected from:
- You or your legal representative(s) e.g. as part of your application or an Occupational Health referral
- The systems we use e.g. Dayforce
- Third parties for example references, screening checks
Who we share your personal data with
Third parties are organisations we have a legal reason to share your data with. These include:
- Her Majesty’s Revenue and Customs (HMRC)
- Our pension scheme (TPT Retirement Solutions) regarding pension auto-enrolment, prior to the employee deciding whether they wish to opt-out
- Our Healthcare scheme / Health Cash Plan / Occupational Health Provider and Employee Assistance Programme (BHSF)
- Sodexo and Vivup – providers of our discount platform (consent)
- NHS Pension Scheme (not available for new employees)
- Organisations we have a legal obligation or legitimate interest in sharing information with e.g. for safeguarding, the CQC, the Department of Health and Social Care, Charity Commission, Companies House
- Trustee information is reviewed by the Executive Assistant to process refresher DBS applications
- The police or other law enforcement agencies if we have to by law e.g., the prevention and detection of unlawful acts, or court order
- DDC (Due diligence Checking) for our Disclosure and Barring Service (DBS) checks
- Nourish – some basic information that relates to you is held in Nourish, the digital care planning tool we use
- Ceridian Dayforce as data processor for payroll
- The Home Office for right to work in the UK
- Sterling, for background screening purposes
- There are occasions where we would share information with our solicitors regarding individual cases where it may be necessary to share personal or special category data, in the Trust’s legitimate interest
We will not share more information than we need to for the purpose we’ve collected it.
How we protect your personal data
We have technical and organisational measures in place to protect your personal data. These include policies and procedures, having GDPR-compliant contracts in place with processors like Ceridian and Sterling, setting access controls and permissions to IT folders and systems like Dayforce, using password protection, using secure email and making sure all staff, volunteers and Trustees are trained to understand their obligations around data protection. Information is stored, retained, and disposed of in line with our policies and Retention Schedule and we do not keep your information any longer than we need to. Milestones Trust has a Caldicott Guardian as well as a Data Protection Officer to support the protection of personal data.
How long we process data for
Our Retention Schedule, which can be found on the staff document library on the intranet and by request, sets out the retention timescales for the different documents we process. In line with data protection regulations and employment law requirements we will not ask for more information than we need and do not keep data any longer than we have to.
Your rights
You have the following rights when it comes to your data:
- Right to be informed: We are transparent about how and why we collect and use your data and this Privacy Notice tells you about this
- Right of access: You have the right to request a copy of the data we keep about you. Email your request to our data protection officer on dpo@milestonestrust.org.uk. You may need to provide adequate information for identification, for example, a passport or driver’s licence. This is to make sure that data is not shared with the wrong person inappropriately. We will always respond to your request as soon as possible and at the latest within one month
- Right to rectification: You have the right to ask us to correct any data we have which you believe to be inaccurate or incomplete. You can also request that we restrict the processing of your data while we consider your rectification request
- Right to erasure: You have the right to ask that we erase any of your personal data which is no longer necessary for the purpose we originally collected it for. This is not an absolute right and we may need to continue using your information. We will tell you if this is the case
- You can also ask for your data to be erased if we have asked for your consent to process any of your data. You can withdraw consent where it has been provided at any time – please contact us to do so
- Right to restrict processing: You may request that we restrict processing if we no longer require your personal data for the purpose we originally collected it for but you do not wish for it to be erased.
- Right to portability: You have the right to request your personal data in a way that is accessible and machine-readable, for example as a csv file. You also have the right to ask us to transfer your data to another organisation
- Right to object: If we are processing your data as part of our legitimate interests as an organisation or in order to complete a task in the public interest, you have the right to object to that processing. This is not an absolute right and we may need to continue using your information. We will tell you if this is the case.
- Rights related to automated decision-making including profiling: Where any activities involve this, e.g., as part of the recruitment process, we ask for explicit consent and do not rely solely on this information.
Further information
If you have any concerns or questions please contact the Data Protection Officer by emailing dpo@milestonestrust.org.uk or phoning 0117 970 9300. If you wish to complain about how we have dealt with your request, please contact:
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Changes to this Privacy Notice
We keep our privacy notice under regular review. This privacy notice was last updated on 25th March 2024.
People we support Privacy Notice
Introduction
This is Milestones Trust’s Privacy Notice for people we support. It is taken from our general Privacy Notice and just includes information relevant to people we deliver support services to. There is also an Easy Read version of this. The general Privacy Notice is available on our website: www.milestonestrust.org.uk
Milestones Trust is a charitable trust limited by guarantee, registered in England under company number 2011021. Registered Charity No: 294377
Milestones Trust is the controller for the personal information we process, unless otherwise stated.
Registered address: Unit 10, Eclipse Office Park, High Street, Staple Hill, Bristol BS16 5EL
The Data Protection Officer for Milestones Trust can be contacted via email: dpo@milestonestrust.org.uk or by telephoning 0117 970 9300.
Definitions
We are required to process personal data as part of the services we offer
‘Processing’ can mean collecting, recording, organising, storing, sharing or destroying data.
‘Personal data’ is any information about you that enables you to be identified. It includes obvious information such as your name and contact details, but it also covers less obvious information such as identification numbers and CCTV images.
‘Special Category’ data is defined as personal data that is likely to be more sensitive and has extra protection under data protection law. It includes personal data about:
- racial or ethnic origin
- political opinions
- religious or philosophical beliefs;
- trade union membership;
- genetic data;
- biometric data (where used for identification purposes);
- health;
- sex life
- sexual orientation
We are committed to being transparent about why we need your personal data and what we do with it. This information is set out in this Privacy Notice. It also explains your rights in relation to your data.
The lawful bases we rely on
We have to have a lawful basis for processing personal data and a separate lawful basis for processing any ‘Special Category’ data.
We rely on the lawful basis of ‘Legal Obligation’ to process data about you where we are required by law e.g., the Health and Social Care Act to process information.
Where we process data about you but there is no legal obligation to do that, we may do so because we have a ‘Legitimate Interest’; the processing is necessary for us to be able to provide a service to you and we couldn’t do that otherwise.
The Special Category data we process includes what we need to manage our health and social care services and deliver support to you.
Examples of the information we process about you are listed below.
What data we process
We need to keep certain records about you so that we can provide a safe and professional service. We may process the following types of data (including special category data):
- Your basic details and contact information e.g. your name, address, date of birth and next of kin;
- Your financial details e.g., details of how you pay us for your care or your funding arrangements.
- Health and social care information about you, which might include both your physical and mental health data. This includes information provided by other services that may be working with you, e.g., Health and care workers, voluntary agencies.
- We may also record data about your race, ethnic origin, sexual orientation or religion to support us delivering a person-centred service.
- Information about the support and care we deliver to you e.g., daily diaries, support plans and risk assessments.
- Information about meetings we have with you and / or that are about your support e.g., when we plan activities, if we have Best Interests meetings.
- Information you or other people who know you have given us.
- Information we have given you.
Why and how we process this data
We need this information about you so that we can provide high-quality care and support. We process your data (including special category data) because, for example:
- It is necessary in order for us to provide you with person-centred care and support using information that is accurate and up to date.
- It is necessary for our proper management of health and social care services.
- We have legal obligations to keep records of care and support.
- We are required to provide data to our regulator, the Care Quality Commission (CQC)
- We can refer to this information if you have a complaint about the service you’ve received
- We use a digital care planning system called Nourish as well as some paper records
We may also process your data with your consent. This will happen if we want to use your information for a reason that’s different from why we collected it in the first place e.g., a photo to go in our internal magazine or if you wanted to be in a video for the website. If we need to ask for your consent, we will offer you a clear choice and ask that you confirm consent to us before we use that information. We will also explain clearly to you what we need the data for and how you can withdraw your consent at any time.
Who we may share your personal data with
Third parties are people or organisations we might lawfully ask for or share your data with. These include:
- Other parts of the health and care system such as local hospitals, the GP, the pharmacy, social workers, Integrated Care Services or equivalent, Connecting Care, and other health and care professionals;
- The Local Authority;
- Housing Associations where you have or are looking to have a tenancy or licence with them
- Organisations or people who you have a legal relationship with, for example DWP Appointeeship, Power of Attorney or Deputyship
- Our solicitors when we need support from them in relation to the support, we provide you or in connection with your tenancy/licence
- Third party organisations like Access Social Care – with your permission
- Complementary Therapists – with your permission or as part of a Best Interests decision
- Nourish – our digital care planning system
- Your family or friends – with your permission unless already stated and/or as part of Best Interests decision making where appropriate
- Organisations we have a legal obligation to share information with i.e. for safeguarding, the Care Quality Commission (CQC)
- The police or other law enforcement agencies if we have to by law or court order.
We will not share more information than is necessary for the reason we’re sharing it.
At this time, we do not share any data for planning or research purposes for which the national data opt-out would apply. We review all of the confidential patient information we process to see if this is used for research and planning purposes. If it is, then individuals can decide to stop their information being shared for this purpose. You can find out more information at https://www.nhs.uk/your-nhs-data-matters/
Where we process your data
We process data in the UK. This includes face to face, phone, email, website, post, referral forms, Connecting Care portal, systems that record information about incidents and accidents (AssessNet, CCTV) and Nourish (our digital care planning system). We may also do this via apps.
So that we can provide you with high quality care and support we need specific data. This is collected from or shared with:
- You or your legal representative(s);
- Third parties including as part of the referral process.
How we protect your personal data
We have technical and organisational measures in place to protect your personal data and keep it secure. These include having GDPR-compliant contracts in place, setting controls and permissions to folders and systems, policies and procedures, using password protection, using secure email and making sure all staff are trained to understand their obligations around data protection. Information is stored, retained and disposed of in line with our policies and Retention Schedule and we do not keep your information any longer than we need to.
Milestones Trust has a Caldicott Guardian as well as a Data Protection Officer to support the protection of personal data.
How long we process data for
Our Retention Schedule sets out the retention timescales for the different information we process. In line with data protection regulations, we will not ask for more information than we need and do not keep data any longer than we have to.
Your rights
You have the following rights when it comes to your data:
- Right to be informed: We are transparent about how and why we collect and use your data and this Privacy Notice tells you about this.
- Right of access: You have the right to request a copy of the data we keep about you. Ask your service or home manager or email your request to our data protection officer on dpo@milestonestrust.org.uk. You may need to provide adequate information for identification, for example, a passport or driver’s licence. This is to make sure that data is not shared with the wrong person inappropriately. We will always respond to your request as soon as possible and at the latest within one month.
- Right to rectification: You have the right to ask us to correct any data we have which you believe to be inaccurate or incomplete. You can also request that we restrict the processing of your data while we consider your rectification request.
- Right to erasure: You have the right to ask that we erase any of your personal data which is no longer necessary for the purpose we originally collected it for. This is not an absolute right and we may need to continue using your information. We will tell you if this is the case.
- You can also ask for your data to be erased if we have asked for your consent to process any of your data. You can withdraw consent where it has been provided at any time – please contact us to do so.
- Right to restrict processing: You may request that we restrict processing if we no longer require your personal data for the purpose we originally collected it for but you do not wish for it to be erased.
- Right to portability: You have the right to request your personal data in a way that is accessible and machine-readable, for example as a csv file. You also have the right to ask us to transfer your data to another organisation.
- Right to object: If we are processing your data as part of our legitimate interests as an organisation or in order to complete a task in the public interest, you have the right to object to that processing. This is not an absolute right and we may need to continue using your information. We will tell you if this is the case.
- Rights related to automated decision-making including profiling: Where any activities involve this, e.g., as part of the recruitment process, we ask for explicit consent and do not rely solely on this information.
Further information
If you have any concerns or questions please contact the Data Protection Officer by emailing dpo@milestonestrust.org.uk or phoning 0117 970 9300. If you wish to complain about how we have dealt with your request, please contact:
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Changes to this Privacy Notice
We keep our privacy notice under regular review. This privacy notice was last updated on 25th March 2024.