Privacy statement

Privacy statement for clients

Hibiscus (Hibiscus Initiatives) is committed to protecting and respecting your privacy. We are committed to protecting your personal information and making every effort to ensure that it is processed in a fair, open and transparent manner.

This policy sets out the basis on which any personal data we collect from you, or that you provide to us, will be processed by us. Please read the following carefully to understand our views and practices regarding your personal data and how we will use it.

For the purpose of the General Data Protection Regulations (GDPR), the data controller is Hibiscus Initiatives (Charity Registration number 1104094) of Resource for London, 356 Holloway Rd. London N7 6PA United Kingdom.

Contents of this policy

PERSONAL DATA WE MAY COLLECT FROM YOU

WHERE WE STORE YOUR PERSONAL DATA

HOW WE USE YOUR PERSONAL DATA

LEGAL BASIS FOR USING YOUR INFORMATION

DISCLOSURE OF YOUR PERSONAL DATA

ACCESS TO YOUR PERSONAL DATA

IP ADDRESSES AND COOKIES

EXTERNAL LINKS ON OUR WEBSITE

CHANGES TO OUR PRIVACY POLICY

CONTACT

COMPLAINTS

 

PERSONAL DATA WE MAY COLLECT FROM YOU

We collect and process the following data about you:

  • Information that you provide to us at your assessment or information that another agency has provided to us following your consent. This information is used to develop your support plan.
  • Further information you provide to us over the course of your support. This will be recorded in your case notes to help us work with you on your support plan.
  • If you contact us, we keep a record.
  • Information you provide when booking for Hibiscus’s events or training courses.
  • Information you provide when responding to a consultation or survey run by Hibiscus.

WHERE WE STORE YOUR PERSONAL DATA

The data that we collect from you will be stored as follows:

  • Within our electronic database which is dual password protected
  • Within our internal computer server on password protected computers and folders
  • In hard copy version in personal folders within locked filing cabinets in secure offices and accessible by only those that have direct responsibility for your case
  • In the events attendance diary

The GDPR only applies to countries that fall within the European Economic Area (EEA). In certain circumstances however, where for example your destination is outside the EEA your data may be processed by staff operating outside the EEA who work for us or for one of our partners or suppliers. Such staff may be engaged in, among other things, the fulfilment of your support service. By submitting your personal data, you agree to this transfer, storing or processing. We will take all steps reasonably necessary to ensure that your data is treated securely and in accordance with this privacy policy.

HOW WE USE YOUR PERSONAL DATA

We use information held about you in the following ways:

  • So that we can jointly identify goals and strategies to achieve in your support plan
  • To maintain contact with you.
  • So that we can report on organizational outputs and outcomes to demonstrate the success and failures of our services overall and to generally maintain our organizational records
  • To provide you with information about support you can receive from public and voluntary organizations and the criminal justice system including our own services that may be of interest to you
  • To allow you to participate in activities, events and training courses
  • To notify you about changes to our service

We may communicate with you by email, telephone, letter or other reasonable means with updates and information about goods and services we believe may be of interest to you.

LEGAL BASIS FOR USING YOUR INFORMATION

In some cases, we will only use your personal information where we have your consent. For example because you want us to share your information with a partner agency who can provide you with additional or complementary services.

However, there are other lawful reasons that allow us to process your personal information and one of those is called ‘legitimate interests’. This means that the reason that we are processing information is because there is a legitimate interest for Hibiscus to process your information to help you achieve the objectives we have together established in your support plan.

As an additional aspect to GDPR we will also obtain your signed agreement to holding your information on a legitimate basis. This will be undertaken at your assessment meeting prior to us recording information to develop your support plan.

Whenever we process your Personal Information under the ‘legitimate interest’ lawful basis we make sure that we take into account your rights and interests and will not process your personal information if we feel that there is an imbalance.

DISCLOSURE OF YOUR PERSONAL DATA

We will only disclose your information to a third party should we believe there is a legal requirement. For example if we identify a safeguarding issue that must be reported to the appropriate authority or if a court of law requires us to disclose certain types of information.

ACCESS TO YOUR PERSONAL DATA

You have various rights in respect of the personal information we hold about you – these are set out in more detail below.  If you wish to exercise any of these rights or make a complaint, you can do so by contacting the Data Protection Officer (DPO) at Hibiscus Initiatives at Resource for London, 356 Holloway Rd. London N7 6PA United Kingdom on 020 7697 4120 or e mailing GDPR@hibiscus.org.uk If you are unhappy with the response we provide you can make a complaint to the data protection supervisory authority, the Information Commissioner’s Office (ICO), https://ico.org.uk/: using the complaints procedure on the ICO web site.

YOUR RIGHTS

Access to your personal information: You have the right to request access to a copy of the personal information that we hold about you, along with information on what personal information we use, why we use it, who we share it with, how long we keep it for and whether it has been used for any automated decision making. You can make a request for access free of charge.  Please make all requests for access in writing and provide us with evidence of your identity.

Right to object: You can object to our processing of your personal information where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your personal information for direct marketing purposes.  Please contact us as noted above, providing details of your objection.

Consent: If you have given us your consent to use personal information (for example, for marketing or to forward your information to another provider), you can withdraw your consent at any time.

Rectification: You can ask us to change or complete any inaccurate or incomplete personal information held about you.

Erasure: You can ask us to delete your personal information where it is no longer necessary for us to use it, you have withdrawn consent, or where we have no lawful basis for keeping it.

Portability: You can ask us to provide you or a third party with some of the personal information that we hold about you in a structured, commonly used, electronic form, so it can be easily transferred.

 

IP ADDRESSES AND COOKIES

Cookies are pieces of data created when you visit a site, and contain a unique, anonymous number. They are stored in the cookie directory of your hard drive, either temporarily or permanently. Cookies do not contain any personal information about you and cannot be used to identify an individual user. The purpose of cookies is to make the interaction between users and websites faster and easier.
The Hibiscus web site uses cookies to record aggregated usage statistics through Google analytics. These cookies enable us:

  • To estimate our audience size and usage pattern
  • To speed up your searches
  • To recognise you when you return to our site.

You may refuse to accept cookies by changing your internet browser settings. However, by doing so you may be unable to access certain parts of our site. Unless you have adjusted your browser setting so that it will refuse cookies, our system will issue cookies when you visit our website.

EXTERNAL LINKS ON OUR WEBSITE

Our site may, from time to time, contain links to external websites. If you follow a link to any of these websites, please note that these websites have their own privacy policies and that we do not accept any responsibility or liability for these policies. Please check these policies before you submit any personal data to these websites.

CHANGES TO OUR PRIVACY POLICY

Any changes we may make to our privacy policy in the future will be posted on this page and, where appropriate, notified to you by email.

CONTACT

Questions, comments and requests regarding this privacy policy are welcomed and should be addressed to the Data Protection Officer at GDPR@hibiscus.org.uk

If you no longer wish to be contacted by Hibiscus, please also email GDPR@hibiscus.org.uk with the word ‘Unsubscribe’ in the email subject.

COMPLAINTS

Should you have a complaint or other concerns about Hibiscus information rights practices please contact Hibiscus in the first instance at GDPR@hibiscus.org.uk, or at our head office on 020 7697 4120. If our response proves unsatisfactory, you have the option of contacting the Information Commissioner’s Office. Please see https://ico.org.uk/concerns for more information.