GDPR Compliance Statement

We use personal data (information that relates to and identifies living people) and other information to help us to carry out our role as a provider of work placement opportunities in the local community.

About our purpose and role

We will always make sure that your information is protected and treated securely. Any information about you that we hold, or details you give us, will be held in accordance with:

• The General Data Protection Regulation (GDPR)
• Independence Matters Information Management Policy
• Independence Matters Policy on Confidential Personal Information.

Information about people who use our work placement services

As a business providing work placement opportunities and training and development, we must record and pass on certain events and incidents, including where there have been allegations of abuse, or where someone using the service is seriously injured. We are also required by our parent company, Independence Matters CIC, (IM) to record statistics including the number of compliments and complaints they have received.

Contact details of people who use services will be held to ensure we provide the service required.

Personal data that we receive from other sources

We receive information from people who use the services we provide, their families, friends and carers. These often contain personal data.

We also receive information that sometimes contains personal data from other sources, such as Employment Coaches, IM, JobCentre Plus, Care Providers, NCC and the police.

We use this information to directly support people on work placements and staff.

Data and statistics

The data we hold will include the following:

• date of birth
• address and postcodes
• information about disabilities

Some of this information is unique to a person and others cannot uniquely identify a person (e.g. a postcode), but all data is stored and processed with the same robust security applied to identifiable data.

We need this information to help meet our purpose of ensuring safe, effective and compassionate, high-quality services.

Information about our own staff and people applying to work for or with us

We need to process personal data about our own staff (and people applying to work for us) so that we can carry out our role (for example, by ensuring that we have the right staff to perform our roles) and so we can meet our legal and contractual responsibilities as an employer.

The personal data that we process includes information about racial or ethnic origin, religion, disability, gender and sexuality. We use this information to check we are promoting and ensuring diversity in our workforce and to make sure we are complying with equalities legislation.

Our employees decide whether or not to share this monitoring data with us and can choose to withdraw their consent for this at any time. Employees who wish to withdraw their consent for us to process this data can contact the IM HR team.

Other personal data that we are required to process includes information on qualifications and experience, pay and performance, contact details, bank details, and service records (including records of continuous service and pension contributions/entitlements).

We check that people who work for us are fit and suitable for their roles. This may include asking people to undertake Disclosure and Barring Service (DBS) checks.

We share information about our employees as required to meet our contractual obligations to them – for example, by sharing relevant information with pension service administrators.

We have a legal obligation to comply with the Freedom of Information Act 2000 and this may include the requirement to disclose some information about our employees – especially those in senior or public facing roles.

Information about people who use our website

We will only collect personal information volunteered by you via our website, such as:

• Feedback from surveys and online forms
• Email addresses
• Preferred means of communication

This personal information about you will be used to exercise our functions. This privacy statement covers the Norfolk Industries site. This does not cover external links.

Signing up to our e-newsletter

If you subscribe to this service, your name and email address will be held by us. You can unsubscribe at any point by emailing sales@norfolkindustries.co.uk with your request.

How we share information with other organisations

We only share personal data with other organisations where it is lawful to do so and in accordance with our Code of Practice on Confidential Personal Information. We do not use personal data for direct marketing (promoting or selling goods, services etc.) or share information with anyone else who will use it for direct marketing.

We sometimes use other organisations to process personal data on our behalf. Where we do this, those companies are required to follow the same rules and information security requirements as us and are not permitted to reuse the data for other purposes.

Retention and disposal of personal data

We publish a retention and disposal schedule which explains how long we keep different types of records and documents for, including records and documents containing personal data. Personal data is deleted or securely destroyed at the end of its retention period.

Changes to the law – the General Data Protection Regulation (GDPR)

The GDPR came into force in May 2018 and has replaced the Data Protection Act 1998. We will ensure that we will process personal data in accordance with the requirements of the GDPR and Data Protection Act 2018.

Your rights

Your right to access information about you

If you think we may hold your personal data and you want to see it, you need to make a subject access request. We will ask you for proof of identity before responding to your request.

Correcting or deleting your personal data

If you think that we may already hold your personal data, and you want us to correct information that you believe is wrong, or if you want us to delete your personal data or to stop processing it, then you have the right to object to the data being used or to ask for it to be corrected.

Please make your objection in writing by sending an email to: imdpo@independencematters.org.uk or send it by post to:

Data Protection Officer (DPO)

Independence Matters CIC

Dereham Community Hub

Rashes Green

Dereham

NR19 1JG

Sometimes we may need to refuse a request to delete, correct or stop processing personal data. For example, this may be when we need to protect a vulnerable person from harm, or as a result of our legal obligations, or to help us carry out our functions.

Complaints about how we process personal data

If you feel that we have not met our responsibilities under the Data Protection Act 2018 and GDPR, you have a right to request an independent assessment from the Information Commissioner’s Office (ICO). You can find more details on their website www.ico.org.uk.

Independence Matters Data Protection Officer (DPO) under Article 37 of the GDPR is Rachel Miller. The DPO’s role is to monitor and advise Independence Matters on meeting its data protection responsibilities. The DPO can be contacted using the details above.

We may update this notice from time to time and will publish an up to date copy on our website and ensure you have the most up to date information.

Last updated: 07/06/2022