Privacy policy – beneficiaries and tenants
This privacy policy was last updated on 9 February 2023.
At the Blind Veterans UK Group, we respect the privacy of our stakeholders, this version of our privacy policy is targeted at our beneficiaries (commonly referred to as Members), our domestic tenants and our commercial tenants. This policy explains how and why we collect, manage, use and protect personal data. It also makes clear how individuals can exercise control over their personal information. This policy should be read in conjunction with our terms of use for the website and the cookies policy.
Our privacy promise
We take our duties when processing personal data very seriously. We promise that we will tell individuals what data we are collecting and why. We will make every reasonable effort to collect, process, store and share personal data safely and securely. We will also make sure that our trusted partners do the same. We also promise that we will be open and clear with all stakeholders about our use of personal data and that individuals will be able to control the use of their personal information with ease.
In order to provide support and or relevant services, we need to collect and make use of personal data, such as names, contact details, preferred means of communication or, when appropriate, payment details. Some of this data we may need to share with 3rd parties such as payment agencies or government departments or our trusted partners, such as event organisers, specialist service providers and professional advisors. The purpose of this is to provide our beneficiaries and tenants with the support and services required and expected from us.
We use data to deliver our services
As a Beneficiary, we use personal data to provide individuals with the tailored, lifelong practical and emotional support that would be expected while in our care and we also use personal data to support our beneficiary’s wider interests. We may also, with an individual’s consent, use personal data to help us to market the charity and fundraise so that we can offer our support to even more blind veterans.
As a domestic or commercial tenant, we use personal data to manage our estate services safely, to comply with the law and any regulations and to meet your tenancy contractual obligations.
Individuals are in control
If the personal data we are processing needs to be changed if it is believed to be inaccurate or incomplete, or there are any concerns regarding how it is being processed this can corrected/ amended by discussing these needs with us. This includes any previously stated communication or opted into preferences. For a beneficiary we suggest contacting an assigned CSW, if a domestic or commercial tenant, please contact and Estates team representative. Alternatively, anyone can make use of the contact details located in Section 9 of this policy “How to Contact Us”
If an individual wishes to discuss how personal data is processed/used or wants to make an individual rights request, e-mail or call our Data Protection Officer whose details are also in Section 9.
Changes to this policy
We may change this document from time to time to reflect the latest information on what we do, how we manage personal data and what is necessary to comply with data protection law and any associated regulations. Please check back frequently, it is possible to identify when a change has been made by referring to the date the document was last updated.
Our privacy policy in detail
1. Who we are
Our privacy policy applies to personal data collected and used by the Blind Veterans UK Group. Under data protection law and regulation, we are a ‘data controller’ and are registered as such with the Information Commissioner’s Office (Registration Number: Z6040633).
Since 1915, the Blind Veterans UK Group has held to the belief that no-one who has served our country should battle blindness alone. That's why we're here to help with lifelong practical and emotional support for blind veterans, regardless of when they served or how they lost their sight. We help veterans recover their independence and discover a life beyond sight loss.
References to "Blind Veterans UK Group", ‘the charity’, “our’, ‘us’ and "we" mean Blind Veterans UK registered charity 216227 in England and Wales and SCO39411 in Scotland.
This also includes: our wholly owned subsidiary charitable trading company, Four Seasons NWMC Housing Limited (registered company No. 01882050); managing our properties and tenants; the St Dunstan’s Retirement Benefits Plan (1973). For the purposes of the pension plan scheme we are Joint Controllers with St Dunstan’s Retirement Benefits Plan (1973).
2. What personal data we collect and why
What we need to collect
We need to collect and use (process) personal data about our beneficiaries, domestic and commercial tenants to allow us to provide the support and services that are required as a beneficiary or as a tenant.
For data to be considered ‘personal’ it must relate to an identified or identifiable individual. An individual can be identifiable either directly, or indirectly. What specific data is used is significant, especially as not all data is equal. The more unique a piece of data relates to an individual the easier it is to identify that individual. An individual is directly identifiable when using common identifiers such as a name, an address, or an assigned email address. Directly identifiable data now includes digital information, such as online identifiers or an IP address which can be related to an individual. An individual can be indirectly identifiable due to association with unique or uncommon personal data, an example is a unique job title within a workplace. If there is only one individual with a specific job title, that individual is indirectly identifiable by that job title. Where we use data that is insufficient to identify an individual (from a group) this is not considered use of personal data within UK law. If identifiable data is used but the use does not specifically relate to an individual, then this processing is also not considered the use of personal data. An example of this would be the email footer of a trustee’s assigned email account, while the footer includes identifiable data, the name of the trustee, the purpose of any emails sent is related to the duties of serving as a trustee, it is not related to the individual.
As a Beneficiary, we will collect personal data in order to establish eligibility to join us, and then to provide the appropriate services and support and to safeguard our staff and volunteers. This information may include:
- Name.
- Contact details (Postal address, telephone number, email address).
- Date and place of birth.
- Service record, war pension,
- National insurance number.
- Payment details (if there is a requirement for financial transactions).
- Whether individuals have pets or smoke (as a duty of care to our staff and volunteers when home visiting)
- A statement of communication preference.
- Voluntary information to assist us in building an understanding about our beneficiaries, such as an individual’s early life, professional career, military background, hobbies, interests and aspirations.
As a Domestic tenant of one of the charity’s properties, we will collect personal data in order to manage an agreed tenancy and to provide the appropriate services and support. This information may include:
- Name.
- Contact details (Postal address, telephone number, email address).
- Payment details (if there is a requirement for financial transactions).
- References and credit rating analysis.
We will be very clear when we wish to collect such personal data, we will tell individuals of our reason for collecting such information and we will only do so when we have a lawful basis for processing the personal data. Individuals retain the right to change communication preferences at any time.
As a Commercial tenant of one of a charity’s owned properties, we will collect personal data of a named individual to be our point of contact. Where applicable we collect non-personal company information in order to manage a tenancy agreement to provide our customers with the appropriate services and support. This information will at a minimum include:
- Tenant’s Name or Trading Name and a point of contact Name
- Contact details (Postal address, telephone number, email address).
- Payment details (as there is a requirement for financial transactions).
- References and credit rating analysis (where necessary)
We will be very clear if we need to collect additional personal data, we will provide a reason for collecting this data and we will only do so if we have a lawful basis for processing it. Customers retain the right to change communication preferences at any time.
UK data protection law and regulation recognises certain information as being ‘special category’ data and as being particularly sensitive. This includes racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic data, certain biometric data, data concerning physical and mental health or a person's sex life or sexual orientation. Sometimes we may need to collect or may indirectly obtain special category personal data. For example:
• As a beneficiary, individuals will be asked to provide us with ‘special category’ personal data regarding health matters to allow us to provide appropriate care provision, support services and where necessary medical treatments to safeguard an individual’s welfare. This will include data regarding: current visual impairment; general health (including mental health) if there are any specific medical conditions, any disabilities; and specific social and health care needs that we need to know.
While providing our care provision we will create additional special category data to keep health and welfare records up to date. Examples include but not limited to, standard care observations, records of illness, infection or injury etc. which are added to medical notes/files. An additional example of record creation is our use of medical photography. This is used for the purpose of recording the healing and treatment of wounds, injuries, or pressure sores actively treated while an individual is in our care. As this is specific to an individual, beneficiaries will be asked to separately consent for us to capture, use and share medical images, this is in addition the consent necessary to enable treatment, or medical intervention (known as medical consent).
- We will require beneficiaries to provide contact details of emergency or carer contacts, eye care and health professionals, other care or health agencies they have received services from.
- An individual may reveal some of this sensitive information if they share photos or personal information in our Review magazine, on our website or make use of our social media channels.
- As a domestic tenant, health related data could be directly or indirectly revealed during the management of a tenancy, especially where additional adaptations to a leased building are necessary in order to meet specific needs.
- As a commercial tenant, the only special category’ personal data requested would be to comply with a legal or regulatory requirement, such as equality monitoring purposes. Once processed for this purpose this data will be anonymised or deleted.
The accuracy of personal data is really important to us. If it is necessary to change, amend or make an update to any personal data we hold, please contact us on using the contact details in Section 9 “How to Contact Us” at the end of this policy.
Alternately as a beneficiary or domestic tenant, please speak with an assigned community support worker (CSW) or as commercial tenant speak to an assigned estate team representative.
Why we need it
We need personal data in order to perform functions such as:
- Comply with applicable legal requirements and regulations. As Landlord and data controller we need to use personal data provided to us to comply with our legal obligations, for example health and safety obligations such obtaining gas safety certifications or to a third party.
- To manage our ongoing relationship. Personal data is necessary to establish eligibility criteria and an individual’s suitability to receive our support and or services. We need to keep a record of our business relationship and any directions collected on how we are to comply with stated preferences and individual rights. We need personal date to deliver, administer and manage the services and support required as a beneficiary or necessary to provide property maintenance services to a tenant whether domestic or commercial. Personal data is also necessary to safeguard all stakeholder’s welfare and interests
- To communicate with beneficiaries and tenants. We need to know how individuals prefer to be contacted and to make adjustments as required. To provide specific and, where appropriate, personalised services, products, updates, newsletters, feedback and information. To assist with technical problems related to our services or the occupancy of one of our leased properties.
- Manage a broader relationship with us. If after an initial engagement as a beneficiary or a tenant an individual chooses to support the charity through marketing or fundraising, then we will keep a record of this new relationship with us and any interests or preferences stated. This will also enable the administration of Gift aid linked to any donations or fundraising.
- To personalise and improve the beneficiary experience. We will use personal data of our beneficiaries in order to celebrate our charity’s successes, or to acknowledge personal celebrations, such as milestone birthdays or anniversaries with other beneficiaries of our charity. We may use personal data to ask individual stakeholders how we can improve our information and services. To understand how we can improve our services, products or information. Where appropriate, to provide communication in a way that allows individuals to control what they do and do not receive.
- To improve our services and administration as a customer or a commercial tenant. We will personal data in order to ensure the most efficient and appropriate use of the resources we have and to improve efficiency through statistical and market analysis.
If a stakeholder was to choose to withhold certain personal data, we may not be able to provide a full range of service information, support or services an individual would like and expect.
3. How we collect personal data
We collect data about individuals in a variety of ways. We collect personal data provided both directly to us as well as data we collect indirectly available from other sources, such as care or health agencies or previous landlords or letting agencies.
Direct from individuals
Individuals will give us personal data directly when communicating with us. When engaging with us as a beneficiary or when agreeing a domestic or commercial tenancy. We will directly gather personal data in the following situations. If an individual makes use of our websites, mobile applications or portals to communicate with us. If an individual was to make an on-line donation or was to sign up for one of our events these activities will require us to collect personal data. When a payment is made to us, by either purchasing one of our products, such as merchandise from our on-line shop, buying tickets, raffles, or when paying rent for a leased property. If a beneficiary or tenant was to choose to support us via a 3rd party organisation, website or application their personal data would be collected on our behalf. (e.g. an event organiser or agency contractor).
Indirectly from other sources
We also obtain beneficiary or tenant’s personal data indirectly when consent has been provided to a 3rd party organisation to forward share collected data with us. We will also indirectly obtain personal data where it is publicly available:
Third party organisations or individuals. We may obtain information from third parties if there is consent that we can approach them. For example, to confirm beneficiary eligibility we need data from the NHS, Ministry of Defence, eye health specialists and other care or health agencies. As a domestic or commercial tenant, we will obtain data from former landlords or letting agencies (for the purpose of seeking references). We will seek a confidential reference from a 3rd party before agreeing or confirming a domestic or commercial tenancy. This process may be performed automatically where an individual has provided consent for a secondary company, other organisation or agency to share personal data with third parties. This could apply when a product or service has been purchased from a website and the agreed T&Cs allow data sharing. When registering or signing up to a donor website it is common for data sharing to be within the agreement. It is to be noted, we can only use this personal data where we have either been named as a recipient of the personal data or the third party has specifically named a charity subsection into which we fit. We may also be provided limited personal data when we are the recipient of a credit/debit card transaction.
- Independent event organisers. Personal data may be shared with us by independent event organisers, for example the London Marathon or fundraising sites like Just Giving. These independent third parties will only pass on personal data when an individual has indicated they wish to support the Blind Veterans UK Group with their consent.
- Digital, On-line and social media. Like all companies and charities, we may collect an individual’s personal data if use is made of our website and mobile apps. We may also collect data about what browser is being used, an individual’s IP address and which computer operating system is being used, this data will be used to improve the services we offer. Depending on an individual’s privacy settings on social media platforms and messaging services like Facebook or Twitter, and individual might give us permission to access information from their accounts or services.
- Publicly available sources. Public information may include personal data from places such as Companies House, the electoral register and information that has been published in articles / newspapers. Additionally, the Post Office’s National Change of Address database allows us to keep our personal data up to date.
4. The lawful bases for processing
UK Data protection law and regulation requires us to have a lawful basis for processing your personal information. These include:
- To protect the vital interests of an individual or another person. If we believe that the safety and or security of an individual, or a third party is at imminent risk of harm, UK law allows a controller to use personal data specifically to minimise this harm to protect life. We acknowledge, we have a duty to protect individuals, this lawful basis permits us to process personal data in these specific and unusual circumstances. This lawful basis will only be used when necessary.
- To comply with a legal obligation. We will process personal data where UK legislation requires us to do so. Examples include, complying with employment, social security or social protection law, such as Health and Safety, conducting a criminal offence check or financial due diligence requirements. We will process personal data where we are required to do so by a UK court, or a regulatory authority, such as the Information Commissioner’s office, (ICO) or the Care Quality Commission (CQC) the police or the UK security services.
- The performance of a contract. If we are in the process of setting up or have a contract with an individual, we will process personal data necessary to comply with the obligations of that contract.
- Where we as a charity possess a legitimate interest. Where we have a legitimate interest, we must ensure that we are not harming an individual’s interests or rights and only use personal data in a manner that would reasonably be expected. For example, we possess a legitimate interest to use beneficiary and tenants’ data, to deliver the services and support which is reasonably expected based on the relationship and individual has with us as a beneficiary or as a tenant.
- We have a legitimate interest to use personal data in fraud prevention and informing authorities about possible criminal acts or security threats.
- Where consent has been given for a specific purpose(s).
- Where we need consent, it will be clearly identifiable as a request for consent for a specific purpose. This may include marketing material sent via e-mail or SMS or to provide individuals with a product, service or information that may have been requested. Individuals are able to withdraw their consent at any time by contacting us. It is to be noted if an individual chooses this action it may affect our continuing relationship as some services may no longer be able to be supplied if consent to process personal data is withdrawn.
- Special category. Where we process ‘special category’ personal information (such as health) we will ensure we do so in accordance with a lawful basis under Art. 6 and the additional “exception” condition for processing special category data under Art. 9 of UK-GDPR 2020. An example is Art. 9(2)(b) where the law allows special category personal data to be processed for the purposes of “employment and social security and social protection law”. This allows us to make reasonable adjustments where the law requires us to.
5. Protecting/sharing personal data
How we protect personal data
We ensure there are reasonable and appropriate technical and organisational controls in place to protect personal data against unauthorised or unlawful processing and against accidental loss, corruption, destruction or damage. If we believe if it is likely processing will pose a risk of harm to individuals we will complete a risk assessment process known as a DPIA to identify and minimise these risks. For example, our IT architecture is actively protected and routinely monitored. We have policies and procedures in place which staff and volunteers are expected to comply with and for which they receive training. A data back-up and recovery process to prevent permanent loss of data in the event of corruption, damage or accidental loss, is in place across our IT network.
- Online security. The Blind Veterans UK Group will ensure that when collecting personal data over the internet that this is done securely. Our online forms are always encrypted in transit and our network is protected and routinely monitored. Our Microsoft 365 network enables us to send point to point encrypted emails. If you use a credit or debit card to donate to us, buy something or make a booking online, we pass the card details securely to our payment processing partners. We are Payment Card Industry (PCI) Data Security Standard (DSS) compliant (for more information go to: https://www.pcisecuritystandards.org/pci_security/) and use external compliant providers to collect this data on our behalf. We and our partners use TLS (Transport Level Security) to encrypt data sent between you and us or our partners. We do not use cookies to store this type of data nor do we store credit or debit card details following completion of your transaction. To protect any sensitive data sent to us please ensure the device being used is running a supported operating system that is regularly updated / patched and has anti-virus and anti-malware protection. Only connect business (or personal) devices to networks that are trustworthy. For example, do not connect to free public open (unsecured) Wi-Fi hotspots unless the device is protected with VPN software). We cannot guarantee the security of data disclosed or transmitted over public / open networks.
- Password security. Where we have provided an individual (or where an individual has chosen) a password which enables access certain parts of our IT systems, sites and applications the individual is responsible for keeping the password confidential. The password is not to be shared with anyone else. Our IT support staff will never ask to be told an assigned password, a user may be asked to enter it themselves, but it is not to be shared. If asked, decline politely and report the request.
- Third party website links. Our website and apps may include links to other third-party websites, not owned or managed by Blind Veterans UK. Whilst we try our best to only link to reputable websites we cannot be held responsible for the privacy of data collected by sites not managed by the Blind Veterans UK Group, nor can we accept responsibility or liability for the implications to you of those policies. For this reason, we suggest any site visitor should consult the privacy policy of any external website linked to before submitting any personal data.
Everyone should be aware that the use of the Internet is not entirely secure and although we will do our best to protect personal data we cannot guarantee the security or integrity of any personal information which is transferred to us via the Internet. Any transmission is at an individual’s own risk.
Managing access and sharing of personal data
We undertake reviews of who has access to the personal data that we hold to ensure that personal data is accessible only when necessary and by appropriately trained employees and trusted third parties that possess a business need to do so. We require all third parties that process personal data on our behalf to have appropriate, technical and organisational measures in place to protect personal data at the same standard that we apply ourselves. If we share personal data with a third party or require personal data to be shared directly with a third party working on our behalf the data will be secure to the best of our knowledge.
At the Blind Veterans UK Group, we treat all references, either received by us or provided to others by us, as confidential references. Confidentiality is applied to references because knowing the content will not be shared with the individual to which it refers or with a third party allows a referee to provide a candid reference. This is important to us as a charity, as we have a particular focus on safeguarding our charitable assets. Confidential references allow us to make informed business choices and decisions which will prevent potential tenants who may have a detrimental effect on our charitable activities and by extension our beneficiaries from engaging with us. The UK’s Data Protection Act 2018 includes an exemption for confidential references, the content of a confidential reference whether provided or received is exempted from the right of access and will not be shared.
There are circumstances when we may be compelled by law to disclose personal data to third parties as outlined above in section 4. We have limited control over how personal data will be processed by these parties once it leaves our control. We therefore recommend that an individual consults the privacy policies of these third parties. There are also circumstances when we will consider sharing personal data voluntarily, without consent but doing so within the law. These situations include the following:
- Where we believe a crime has been committed or,
- Where necessary to assist with the apprehension of an offender.
- Where we need to respond to an individual Right of Access Request (known as SAR), in some circumstances we will share third party personal data without consent to assist with our responsibility to provide the materials in an accessible, concise, and intelligible format. Any sharing of personal data is managed on a case-by-case basis and is limited to being shared only if necessary and if reasonable to do so.
- Solicitors acting within our interest, the UK courts.
We may in certain circumstances share personal data without consent for the purpose of fulfilling our safeguarding responsibilities. This doesn’t happen often, but we may share personal data:
- If we believe there is a serious risk to the public, our beneficiaries, our domestic or commercial tenants’ our staff or to other professionals,
- To protect a vulnerable person, (child or adult) who we believe may be at risk, for example if they are frail, confused or cannot understand what is happening to them,
- We will share personal and health data in an emergency situation which is vital to health or well-being or where an individual is incapable or unable to provide consent.
Occasions, other than by law, when we may share personal data include:
- If an individual has agreed that we may do so.
- When we use external service providers to collect or process personal data on our behalf, (a list of processors is included the end of this policy).
- As a regulated care provider for our beneficiaries, to provide personal care services it will be necessary on some occasions for us to share personal and health data with health care professionals for the purposes of ensuring an individual’s health and wellbeing. As this is special category data we will ask for your consent to do this. This may include a name, updated details of general health, updates on any permanent conditions, food intolerance, allergies and medical photography. The sharing of this data is limited to parties that have a specific need for health and medical data, such as NHS institutions, other Health Services, an individual’s GP practice, other social care and trusted partner organisations which process personal data on our behalf.
- As a landlord operating nationally, we will make use of local specialist service providers. If we need to share personal data with a 3rd party provider, we will inform individuals during our engagement. The following examples identify when this applies. We use external service providers on our behalf to provide property maintenance services; property and contractor agencies and advisors, such as local surveyors and solicitors; the processing/ mailing of product orders; answering questions about our products or services; sending mail and emails; when using auditors/advisors, when processing credit/debit card payments or using online tracking and analysis software.
- As a customer signing a domestic or commercial tenancy agreement, we will share personal data with the local authority for the purposes of a calculating any obligations to pay council tax on the property and or business rates for the duration of a contracted tenancy.
- With our subsidiaries within the Blind Veterans UK Group, where relevant and appropriate.
- If a data sharing agreement process has been completed between Blind Veterans UK and another controller. Such a document allows two organisations to have a collaborative relationship while being separate legal entities.
- If we receive a complaint about any inappropriate content which has been posted or transmitted to or from one of our sites, forums, social media pages or apps we may share an individual’s personal data with an internet provider or law enforcement agencies.
- To enforce or apply the Terms of Use for our website or other agreements or if we believe that we need to protect the rights, property or personal safety of Blind Veterans UK, our supporters, beneficiaries, visitors or websites and for other lawful purposes.
- We may disclose aggregate statistics about our beneficiaries and tenants to describe our services and operations to prospective supporters, partners, advertisers and other reputable third parties and for other lawful purposes, but these statistics won’t include any personally identifying data without explicit consent.
- If we run an event in partnership with other named organisations specific personal data will need to be shared, for examples to provide dietary requirements or accessibility requirements. We will be very clear what will happen to an Individual’s personal data on registration.
- If we merge with, or diversify, forming a separate/new organisation with its own legal identity, information including personal data may be transferred to the new entity subject to a data protection risk assessment (DPIA).
We will never rent or sell personal data of our beneficiaries or tenants. We will not share or swap it with other organisations for our or their own purposes or benefit or to make money out of stakeholder’s personal data without additional specific consent.
Where we store personal data
Personal data provided to us whether in paper or electronic format will be stored securely meeting the requirements of this policy. Where we store personal data will differ depending on the purpose for which we are processing it for, as indicated above. Personal data will be held within in our Microsoft 365 Cloud Environment or within a number of bespoke databases or specialist applications. Personal data may also be stored within a number of systems of trusted third-party processors who process personal data on our behalf. (Details of these can be found in the third-party processors list at the end of this document)
Cross-border transfers of personal data
As a data controller, we may on occasions require the services of a third-party processor. Not all of these processors will be based or will conduct processing within the UK, if a processor is based outside of the UK these cross-border (transfer) requirements will be applied. If this is required, we will conduct an appropriate mandatory international transfer risk assessment and put in to place appropriate “additional measures” to safeguard personal data and individual data rights. Controllers in the UK now have a choice of whether to use the UK’s IDTA (International Data Transfer Agreement) or use the EU’s updated Standard Contractual Clauses (SCC). If the latter choice is selected this will also require the use of the international data transfer addendum to the EU’s SCCs. Note, if the required transfer is a one off or an infrequent occurrence we may ask for explicit consent to conduct the transfer.
The EU have recently agreed a data transfer agreement with the USA. The EU-US Data Privacy Framework (DPF) is a bespoke, opt-in certification scheme for US organisations, similar to the privacy shield. From 12 October 2023, organisations in the UK can start to transfer personal data to US organisations certified with the “UK Extension to the EU-US Data Privacy Framework”. However, this new framework is not an adequacy decision, it does not allow for the free transfer of personal data to the US. The operation of the framework has restrictions, e.g. it cannot be used by banking, insurance, and telecommunication organisations. Where the new framework cannot be used to transfer personal data to the US, Blind Veterans UK will continue to use either the SCCs or the UK’s IDTA.
The UK Government has recognised some countries and all of the EEA states as possessing data protection “adequacy” for the purposes of data transfers to these countries. The UK Government has decided no additional safeguards are needed to conduct data transfers to the EEA as these states have equivalent standards of data protection as the UK-GDPR 2020.
The EU has recognised the UK as possessing data protection “adequacy” for the purposes of personal data transfers of EU subject’s personal data into the UK. No additional safeguards are needed as the UK has an equivalent level of protection to that guaranteed under EU law. (EU-GDPR 2016).
In cases when we use or link to external websites provided by other organisations such as Twitter or Facebook, we recommend an individual consults the privacy policies, of these 3rd party organisations to determine how personal data shared with these organisations will be processed.
6. Retaining personal data
The law requires we hold personal data for only as long as is necessary. This is to fulfil the purposes for which the data was collected and our legitimate interests or in order to comply with legal or regulatory rules and requirements.
At the Blind Veterans UK Group, we manage the retention of personal data with the use of a Retention and Disposal Policy. The policy uses a 2-step process to determine how long we retain documents which may contain personal data. The criteria we use for this process is to identify the “Business Function” the document was used for, then to apply a “Purpose of Retention” (from the list below). Identifying the business function allows us to group similar documents together and assign corporate ownership to proactively manage data retention. Applying a retention purpose ensures we only retain personal data for a transparent period of time necessary to meet statutory, contractual or best practice requirements.
- Retained as Live data only……………….………. 1 year
- Record(s) of Activity and or a Process………….. 3 years
- Evidence or Compliance………………………….. 6 years
- Governance Purposes……………………………. 7 years
- Legal (Pensions, Property, Safeguarding)…..… 12 years
- Permanent retention (subject to review)…….… (Life of charity)
In the event of a beneficiary or tenant relationship ending or being terminated, the Blind Veterans UK Group / Four Seasons NWMC Housing Limited will need to retain some basic personal data to comply with our legal and regulatory obligations. This retention of basis contact details is also necessary for us to maintain a (prevent contact) suppression list, if a request was made from a beneficiary or exiting tenant for us to cease further contact. The suppression as opposed to the deletion of personal data to prevent further contact if an individual has opted out is the accepted best practice of the UK data protection regulator the ICO.
7. Data captured from the Internet and our website
Like most organisations, our website and apps use “cookies” and other tracking software to help us make our site and the way it is used more relevant to our stakeholders. We will not be able to personally identify an individual from the data gathered but it may help us improve our online services.
- Cookies allow a website to remember a visitor. Cookies are small text files that are transferred to a computer (or phone or tablet). They make interacting with a website faster and easier, for example by automatically filling in parts of an online form with a user’s name and address in text fields. Please read our cookies policy for more information. Cookie preferences can be changed and or amended whenever you wish.
- When visiting our website or apps we may collect data about the type of device an individual is using to access these services and may collect the individual settings for a device. This might also include the IP address, details of what operating systems a device is using as well as diagnostic information.
8. What are Individual Rights?
UK data protection legislation includes UK General Data Protection Regulations 2020 (UK-GDPR) and Data Protection Act 2018, these two authorities are to be jointly considered as the authority of UK data protection law. This legislation gives everyone a number of very important rights. In abbreviated form these are:
• The right to be informed. Transparency over how we use personal data. This privacy policy falls under this right.
• The right of access. Request confirmation of processing and to be provided with copies of personal data we hold about an individual.
• The right of rectification. The ability to request update or amending of personal data we hold about an individual, this includes if it is incomplete or inaccurate.
• The right to erase or ‘right to be forgotten'. This provides a qualified right to ask a controller to erase personal data from held records where there is no compelling reason for its continued processing, subject to a number of conditions.
• The right to restrict processing. An individual can request of a controller to temporarily stop / supress the processing of personal data, subject to a number of conditions.
• The right to object. An individual can object to the processing of personal data for certain purposes (such as marketing, research, statistics or our legitimate interests).
• The right to data portability. An individual can request a controller collects and enables the reuse of personal data for similar purposes with a different controller, subject to a number of conditions.
• Rights in relation to automated decision making and profiling.
To find out more about individual rights under the data protection law see the Information Commissioner’s Office (ICO) website.
Remember, an individual can exercise their rights in relation to the processing of personal data at any time, beneficiaries can contacting their assigned community support worker whereas tenants can contact their estate team representative. All contact details set out in the ‘How to contact us’ section of this policy.
If any stakeholder is not satisfied with our response or believes after engaging with us we are not processing personal data in accordance with the law and their individual rights, there is an option to complain directly to the Information Commissioner’s Office.
9. How to contact us
To raise any comments or ask any questions regarding this Privacy Policy or to discuss how we process personal data an individual is welcome to do so. As a beneficiary in the first instance, refer to a CSW or as a tenant contact an Estates dept. representative. Alternatively, the following individuals can be contacted:
If you are a Beneficiary of the charity:
Post: C/O Member Services,
The Blind Veterans UK Group, 126 Fairlie Road, Slough, SL1 4PY
Phone: Please call an assigned Community Support Worker.
Email: Please email an assigned Community Support Worker.
If you are a Domestic or Commercial tenant:
Post: C/O Estates Department,
The Blind Veterans UK Group, 126 Fairlie Road, Slough, SL1 4PY
Phone: 020 7723 5021 (Main switchboard, please ask for the Estates Team)
Email: enquiries@blindveterans.org.uk (please add ‘For Estates Team’ in subject header)
To enquire further about how personal data is processed, or to make an individual rights request, ask for information to be provided, or to raise a data protection related complaint, please contact our Data Protection Officer.
Post: C/O Data Protection Officer
The Blind Veterans UK Group, 126 Fairlie Road, Slough, SL1 4PY
Phone: 020 4534 1127 (direct dial)
Email: dpo@blindveterans.org.uk
Appendix-List of data processors
Data Processor’s Name | Purpose / service provided | Link to privacy policy |
Assa Abloy | Security door system | Privacy Notice - ASSA ABLOY Opening Solutions |
Assemble | Managing volunteer data | Privacy Policy - Assemble |
Betsi Cadwallader Health board | Care Sector Requirement | Privacy Policy - Betsi Cadwaladr University Health Board |
Betsi Cadwallader Health board | Covid testing | Privacy Policy - Betsi Cadwaladr University Health Board |
British Gas (Centrica Group) |
Mandatory Landlord Safety testing | Privacy Policy - British Gas |
Care Inspectorate | Scottish Care regulator | Care Inspectorate (Scotland) |
Care Inspectorate Wales | Sector regulator | Privacy Policy | Care Inspectorate Wales |
Clarient Research | Member Satisfaction Survey | Privacy Policy - Clarient Research |
Colliers International | A global real estate consultancy | Privacy Policy - Colliers |
Courtney Thorne | Internal alarm call system | Privacy Policy - Nurse call systems |
DAMS (Digital Asset management) | Image Database | Privacy Policy - Bright |
D Tech Europe Ltd | Site CCTV maintenance | Privacy Policy |
icabbi.com | Preferred supplier - Taxi services | Privacy Policy - icabbi.com |
Lantec Security | Brighton Site CCTV Supplier | Privacy Policy |
Marks & Spencer | Food delivery service | Privacy policy Marks and Spencer |
Metropolitan Police | Law enforcement Cenotaph | Privacy notice | Metropolitan Police |
NHS - Hospitals, Brighton General | Care of beneficiaries | Privacy Policy - Sussex Community NHS |
NHS - Hospitals, Sussex County | Care of beneficiaries | Privacy Policy - Sussex Community NHS |
NHS - Hospitals, Princess Royal | Care of beneficiaries | Privacy Policy - Sussex Community NHS |
Ocado | Food delivery service | Privacy policy - Ocado |
Optelec | Equipment supplier | Privacy Policy |
PCS | Care provision software | Privacy Policy - Person Centred Software |
Public Health Wales | Care Sector Requirement | Privacy Notice - Public Health Wales |
Quality Care Commission | Sector regulator | Privacy Policy Statement - CQC |
Re-leased | Property management software | Privacy Notice |
Royal British Legion | Cenotaph Memorial | British Legion Privacy Policy |
Site Doctor | Care of beneficiaries | Woodingdean Medical Centre |
Site Doctor | Care of beneficiaries | Saltdean and Rottingdean Medical Practice |
Site Dentist | Care of beneficiaries | N/A |
Social Care Conwy | Care Sector Requirement | Privacy notice | Social Care Wales |
Synapptic | Equipment supplier | Privacy Notice |
Thomas Franks Ltd | Catering Contractor | Privacy Notice |
Tradeshift | NHS data processing system | Privacy policy | Trade shift |
Read more
About us
Find out about what our charity does, who we are and the impact we have on blind veterans' lives.
Help & info
Find out what we do for veterans, if you're eligible for our support, and get advice on dealing with sight loss.
Support us
We need your help to change blind veterans' lives. Find out more about how you can donate, fundraise or volunteer.
Sign up for email updates
We would love to send you updates about our work and how you can support us.
You can change your contact preferences at any time by calling us on 0300 111 2233 or emailing us. See our privacy policy for more details.