Skip to content

Privacy statement

Privacy statement for clients

Hibiscus Initiatives (Hibiscus) is committed to protecting and respecting your privacy. We are committed to protecting your personal information and making every effort to ensure that it is processed in a fair, open, and transparent manner.

This policy sets out the basis on which any personal data we collect from you, or that you provide to us, will be processed by us. Please read the following carefully to understand our views and practices regarding your personal data and how we will use it. 

For the purpose of the Data Protection Act 2018 (General Data Protection Regulations (GDPR), the data controller is Hibiscus Initiatives (Charity Registration number 1104094of Resource for London, 356 Holloway Rd. London N7 6PA United Kingdom.  


We collect and process the following data about you: 

  • Information that you provide to us at your assessment or information that another agency has provided to us following your consent. This information is used to develop your support plan.  
  • Further information you provide to us over the course of your support. This will be recorded in your case notes to help us work with you on your support plan. 
  • If you contact us, we keep a record. 
  • Information you provide when booking for Hibiscus’s events or training courses. 
  • Information you provide when responding to a consultation or survey run by Hibiscus. 


The data that we collect from you will be stored as follows: 

  • Within our electronic database which is dual password protected. 
  • Within our internal computer server on password-protected computers and folders. 
  • In hard copy version in personal folders within locked filing cabinets in secure offices and accessible by only those that have direct responsibility for your case. 
  • In the events attendance diary. 

The GDPR only applies to countries that fall within the European Economic Area (EEA). In certain circumstances, however, where for example your destination is outside the EEA your data may be processed by staff operating outside the EEA who work for us or for one of our partners or suppliers. Such staff may be engaged in, among other things, the fulfilment of your support service. By submitting your personal data, you agree to this transfer, storing, or processing. We will take all steps reasonably necessary to ensure that your data is treated securely and in accordance with this privacy policy. 


We use information held about you in the following ways: 

  • So that we can jointly identify goals and strategies to achieve in your support plan. 
  • To maintain contact with you.  
  • So that we can report on organizational outputs and outcomes to demonstrate the success and failures of our services overall and to generally maintain our organizational records. 
  • To provide you with information about support you can receive from public and voluntary organizations and the criminal justice system including our own services that may be of interest to you. 
  • To allow you to participate in activities, events, and training courses. 
  • To notify you about changes to our service. 

We may communicate with you by email, telephone, letter, or other reasonable means with updates and information about goods and services we believe may be of interest to you. 


In some cases, we will only use your personal information where we have your consent. For example, because you want us to share your information with a partner agency who can provide you with additional or complementary services.  

 However, there are other lawful reasons that allow us to process your personal information and one of those is called ‘legitimate interests’. This means that the reason that we are processing information is because there is a legitimate interest for Hibiscus to process your information to help you achieve the objectives, we have together established in your support plan. 

 As an additional aspect to GDPR, we will also obtain your signed agreement to holding your information on a legitimate basis. This will be undertaken at your assessment meeting prior to us recording information to develop your support plan. 

 Whenever we process your Personal Information under the ‘legitimate interest’ lawful basis we make sure that we take into account your rights and interests and will not process your personal information if we feel that there is an imbalance


We will only disclose your information to a third party should we believe there is a legal requirement. For example, if we identify a safeguarding issue that must be reported to the appropriate authority or if a court of law requires us to disclose certain types of information.


You have various rights in respect of the personal information we hold about you – these are set out in more detail below.  If you wish to exercise any of these rights or make a complaint, you can do so by contacting the Data Protection Officer (DPO) at Hibiscus Initiatives at Resource for London, 356 Holloway Rd. London N7 6PA United Kingdom on 020 7697 4120 or emailing If you are unhappy with the response we provide you can make a complaint to the data protection supervisory authority, the Information Commissioner’s Office (ICO) the complaints procedure on the ICO web site. 


Access to your personal information: You have the right to request access to a copy of the personal information that we hold about you, along with information on what personal information we use, why we use it, who we share it with, how long we keep it for and whether it has been used for any automated decision making. You can make a request for access free of charge.  Please make all requests for access in writing and provide us with evidence of your identity.

  • Right to object: You can object to our processing of your personal information where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your personal information for direct marketing purposes.  Please contact us as noted above, providing details of your objection. 
  • Consent: If you have given us your consent to use personal information (for example, for marketing or to forward your information to another provider), you can withdraw your consent at any time. 
  • Rectification: You can ask us to change or complete any inaccurate or incomplete personal information held about you. 
  • Erasure: You can ask us to delete your personal information where it is no longer necessary for us to use it, you have withdrawn consent, or where we have no lawful basis for keeping it. 
  • Portability: You can ask us to provide you or a third party with some of the personal information that we hold about you in a structured, commonly used, electronic form, so it can be easily transferred. 


Cookies are pieces of data created when you visit a site and contain a unique, anonymous number. They are stored in the cookie directory of your hard drive, either temporarily or permanently. Cookies do not contain any personal information about you and cannot be used to identify an individual user. The purpose of cookies is to make the interaction between users and websites faster and easier.                                                  
The Hibiscus website uses cookies to record aggregated usage statistics through Google analytics. These cookies enable us: 

  • To estimate our audience size and usage pattern. 
  • To speed up your searches. 
  • To recognise you when you return to our site. 

You may refuse to accept cookies by changing your internet browser settings. However, by doing so you may be unable to access certain parts of our site. Unless you have adjusted your browser setting so that it will refuse cookies, our system will issue cookies when you visit our website. 


Our site may, from time to time, contain links to external websites. If you follow a link to any of these websites, please note that these websites have their own privacy policies and that we do not accept any responsibility or liability for these policies. Please check these policies before you submit any personal data to these websites. 


Any changes we may make to our privacy policy in the future will be posted on this page and, where appropriate, notified to you by email. 


Questions, comments, and requests regarding this privacy policy are welcomed and should be addressed to the Data Protection Officer at 

If you no longer wish to be contacted by Hibiscus, please also email with the word ‘Unsubscribe’ in the email subject. 


Should you have a complaint or other concerns about Hibiscus information rights practices please contact Hibiscus in the first instance at, or at our head office on 020 7697 4120. If our response proves unsatisfactory, you have the option of contacting the Information Commissioner’s Office. Please see for more information.