Privacy notice

At Prison Advice and Care Trust (Pact), respecting your data privacy rights is a top priority. This notice explains why and how we collect personal data about you, how we may process such data, and what rights you have regarding your personal data.

We collect and process your data based on the type of data subject that you are. This notice is laid out such that the general provisions are at the top of this notice. Information specific to the different data subject types are listed in the headings below.

Please read the General Information and then click on the most relevant category(ies) of data subject for your situation.

General information

The information in this section is relevant to all categories of data subject.

Who controls your personal data?

Pact is responsible for your personal data. Our address is:

Prison Advice and Care Trust
29 Peckham Road
London
SE5 8UA

The Data Protection Officer for Pact

Pact has appointed Clarissa Clark-Cottrell as our Data Protection Officer. They can be contacted at the following email address: pactprivacy@prisonadvice.org.uk

Your rights

Under the General Data Protection Regulation (GDPR) you have rights. You can make a request to exercise these rights at any point. There are rules and exceptions in relation to these rights. They may not be exercisable in all situations. The GDPR rights are:

1. The right to be informed

You have the right to be informed about how Pact processes your personal data. Typically, Pact communicates this information through privacy notices such as this one.

2. The right of data access

You have a right to obtain a copy of the personal data we hold about you.

3. The right of data rectification

You have a right to ask for the correction of inaccurate or incomplete personal data which we hold about you.

4. The right of data erasure

You have the right to request that personal data be erased when it is no longer needed, where applicable law obliges us to delete the data, or the processing of it is unlawful. You may also ask us to erase personal data where you have withdrawn your consent or objected to the data processing.

5. The right to restrict data processing

You have the right to restrict the processing of your personal data. Where that is the case, we may still store your information, but not use it further.

6. The right to data portability

You have the right to receive your personal data in a structured, machine-readable format for your own purposes, or to request us to share it with a third party.

7. The right to object to data processing

You have the right to object to our processing of your personal data based on the legitimate interests, where your data privacy rights outweigh our reasoning for legitimate interests. You may also object to our marketing activities or activities related to research.

8. Rights in relation to automated decision making and profiling

You have the right not to be subjected to a decision based solely on automated processing, including profiling, which produces legal or similarly significant effects. Currently, Pact does not perform any automated decision making or profiling.

You may request to enforce your data privacy rights by emailing: pactprivacy@prisonadvice.org.uk

In certain circumstances, we may need to restrict the above rights to safeguard the public interest (e.g., the prevention or detection of crime) or our business interests (e.g., the maintenance of legal privilege).

Consent as a legal basis for processing

For some data processing, Pact uses consent as a legal basis. If you have consented to processing by Pact, please be aware that you have the right to withdraw this consent at any point. If you would like to withdraw consent for a particular type of data processing that Pact performs, please email the following address: pactprivacy@prisonadvice.org.uk

Complaints to a supervisory authority

You have the right to lodge a complaint with a supervisory authority with regards to the way that Pact processes your personal data. Pact recommends lodging a complaint with the ‘Information Commissioner’s Office (ICO)’. This is the UK’s supervisory authority and is the one which Pact is registered with.

How we share your data

We will not share your information with any third parties for the purposes of direct marketing.

We use data processors who are third parties who provide elements of services for us. We have contracts in place with our data processors. This means that they cannot do anything with your personal information unless we have instructed them to do it. They will not share your personal information with any organisation apart from us unless it has been authorised by Pact. They will hold it securely and retain it for the period we instruct.

In some circumstances we are legally obliged to share information. For example under a court order. In any scenario, we will satisfy ourselves that we have a lawful basis on which to share the information and document our decision making and satisfy ourselves we have a legal basis on which to share the information.

How we protect your information - ISMS policy

It is the policy of Pact to maintain an Information management system designed to meet the requirements of ISO 27001:2022 in pursuit of its primary objectives, the purpose and the context of the organisation.

It is the policy of Pact to:

make the details of our policy known to all other interested parties including external where appropriate and determine the need for communication and by what methods relevant to the business management system.
comply with all legal requirements, codes of practice and all other requirements applicable to our activities; therefore, as a company, we are committed to satisfy applicable requirements related to Information security and the continual improvement of the ISMS.
Provide all the resources of equipment, trained and competent staff and any other requirements to enable these objectives to be met.
ensure that all employees are made aware of their individual obligations in respect of this Information security policy:
maintain a management system that will achieve these objectives and seek continual improvement in the effectiveness and performance of our management system based on “risk”.

This information security policy provides a framework for setting, monitoring. reviewing and achieving our objectives, programmes and targets.

To ensure the company maintains its awareness for continuous improvement. the business management system is regularly reviewed by “Top Management” to ensure it remains appropriate and suitable to our business. The Business Management System is subject to both internal and external annual audits.

DOWNLOAD OUR ISMS POLICY

How long we keep your personal data

We only keep your personal data for as long as necessary for the purposes described in this privacy notice, or until you notify us that you no longer wish us to process your data. After this time, we will securely delete your personal data, unless we are required to keep it to meet legal or regulatory obligations, or to resolve potential legal disputes.

Contact and further information

If you have any questions about how we use your personal data or wish to make a complaint about how we handle it, you may contact Pact at: pactprivacy@prisonadvice.org.uk

In case you would like to be provided with information about a specific personal data processing activity, you can request that by submitting a request at: pactprivacy@prisonadvice.org.uk

We collect only the personal data from you that we need for the purposes described above. Certain personal data collected from you relates to your next of kin and emergency contacts. In these cases, you are requested to inform such persons about this Notice.

In case you are working at a third-party site (for example Pact customer location or facility), such third party may need to process your personal data for their purposes acting as a data controller. In these cases, you will receive or may request a separate privacy notice from the relevant data controller.

What happens if you do not provide us with the information we have requested?

Where it concerns processing operations related to your employment (as described above), Pact will not be able to adequately employ you without certain personal data and you may not be able to exercise your employee rights if you do not provide the personal data requested. Although we cannot mandate you to share your personal data with us, please note that this then may have consequences which could affect your employment in a negative manner, such as not being able to exercise your statutory rights or even to continue your employment. Whenever you are asked to provide us with any personal data related to you, we will indicate which personal data is required, and which personal data may be provided voluntarily.

You may obtain a copy of our assessment regarding our legitimate interest to process your personal data by submitting a request to: pactprivacy@prisonadvice.org.uk
In some cases, we process your personal data on the basis of statutory requirements, for example, on the basis of employment law, allowances, tax or reporting obligations, cooperation obligations with authorities or statutory retention periods in order to carry out our contractual responsibilities as an employer.
In exceptional circumstances we may ask your consent at the time of collecting the personal data, for example photos, communications materials, and events. If we ask you for consent in order to use your personal data for a particular purpose, we will remind you that you are free to withdraw your consent at any time and we will tell you how you can do this.

Regarding special categories of personal data we will only process such data in accordance with applicable law and:

with your explicit consent for specific activities in accordance with applicable law.
when necessary for exercising rights based on employment, or social protection law or as authorised by collective agreement, or for preventive and occupational medicine or and evaluation of working abilities; or
where necessary for establishment, exercise, and defence of legal claims.

Regarding personal data concerning criminal convictions and offences, we will only process such data where such processing is permitted by applicable (local) law.

Employees

The information in this section applies to current, past, or potential employees. Depending on your specific circumstances, your data may be used in all, some of, or none of the below listed processes:

Purpose of Processing	Description of Processing	Lawful Basis for Processing	Legitimate Interest
Staff and Volunteer Recruitment	To recruit new staff and volunteers, from receipt of application to decision about recruitment of applicant.	Contract	Not Applicable
Staff and Volunteer Onboarding	To onboard new staff and volunteers into HR systems, after successful application and background checks.	Contract/Legal Obligation	Not Applicable
Life Assurance	To onboard new employees to the Pact Life Assurance Scheme.	Legitimate interest	Performing Standard HR Processes
Inductions & Probations	To conduct induction and probationary reviews for new staff.	Legitimate interest	Performing Standard HR Processes
Support, Supervisions & Appraisals	To conduct Support, Supervisions & Appraisals for staff.	Legitimate interest	Performing Standard HR Processes
Employee Cases	Management of employee cases, including: disciplinaries, grievances, performance, health & capability, restructures, attendance, maternity and paternity leave.	Contract	Not Applicable
Legal Advice and Court Cases	Management of employee cases when legal advice is required, including cases that reach court.	Legitimate interest	Performing Standard HR Processes
Health and Safety Incident Reporting	Management of health and safety reporting relating to staff, volunteers, and service users.	Legal Obligation	Not Applicable
Health Risk Assessments	Management of staff and volunteer health-related risk assessments.	Legal Obligation	Not Applicable
Staff Mediation and Coaches	Management of staff mediation and coaches	Legitimate interest	Not Applicable
Eyecare	Management of staff eyecare voucher system.	Legal Obligation	Not Applicable
Employee Assistance Program	Management of referrals to the Employee Assistance Program.	Legitimate interest	Not Applicable
Electronic Signing	Management of staff electronic signatures and related documents	Legitimate interest	Performing Standard HR Processes
Staff Payroll Submissions	To manage timesheets and monthly payroll submissions of staff.	Contract	Not Applicable
Employee Resignations, Dismissal and Redundancy	Management of employee release, including dismissal, redundancy, and some other substantial reason (SOSR).	Contract	Not Applicable
PACT Academy Training Record	Collecting and processing of training records for staff and volunteers	Legitimate interest	Management of training records.
Employee References (Leavers)	Providing references for current and previous employees to their new employers.	Consent	Not Applicable
Creation/Deletion of User Accounts	Collecting information to enable creation/audit and deletion of unique user accounts. Reporting/auditing of user access and login activity and to enable the postage of IT equipment issued to the users.	Legitimate Interest	Required for the creation of unique user accounts
Data Breach Recording	Reporting of information about data breeches and near misses to enable the Privacy Manager to assess whether the data breech needs to be reported to the ICO. This data is also used to implement remedial actions and to focus data security training.	legitimate interest	For IT security
Secure Email Accounts Creation	Collecting information to enable the creation of unique secure email user accounts.	legitimate interest/ contractual	Required for the creation of unique user accounts
Mobile Phone Usage	Collecting information to enable the issuance of mobile phones to staff and to log mobile phone usage.	Legitimate interest	Required to enable Pact to issue/monitor mobile phones
Data Subject Requests	Responding to and management of GDPR data subject requests	Legal Obligation	Not Applicable
Payroll	To process pay for employees.	Contract	Not Applicable
Expenses	To process the payment of expenses to employees, staff, and volunteers.	Contract	Not Applicable
Online Management of Staff Expenses	Using third-party cloud-based tools to effectively manage expenses and credit cards.	Legitimate interest	For the more efficient and effective management of company expenses
Media recording	To procure or create photographs, video footage and/or audio recordings of individuals for use across Pact’s marketing materials. E.g. Events, photoshoots, mock-ups, team photos, etc.	Consent/Legitimate Interests	To keep records of events.
Survey Management	The management of feedback surveys. This process covers the gathering of data on individuals through surveys to gain insights that can be used to improve services and practice.	Legitimate interest	Necessary for understanding effectiveness and inclusiveness of practice
Security Devices and Escalation Protocols	This process covers the use of security devices to allow effective escalation of safeguarding concerns or emergencies. It allows contact details for points of escalation to be held and used correctly.	Vital interests	Not Applicable

Transfers of personal data to third parties

Pact may transfer your personal data to third parties. Pact may transfer your personal data to the following categories of recipients:

Cloud Storage & Document Management Tools
Employee Management & Training Tools
Government Organisations
Recruiters & Recruitment Management Tools
Insurance Providers
Legal Representatives & Legal Tools
Accountants & Financial Management Tools
Health and Safety Providers & Tools
Healthcare Services
IT Security and Management Tools
Auditors
Computing & Mobile Phone Service Providers
Banks

Pact will ensure that your personal data is hosted in UK and/or EU servers. Pact will also ensure that contracts with these third parties meet all UK-GDPR requirements.

Volunteers

The information in this section applies to current, past, and potential volunteers. Depending on your specific circumstances, your data may be used in all, some of, or none of the below listed processes:

Purpose of Processing	Description of Processing	Lawful Basis for Processing	Legitimate Interest
Staff and Volunteer Recruitment	To recruit new staff and volunteers, from receipt of application to decision about recruitment of applicant.	Contract	Not Applicable
Staff and Volunteer Onboarding	To onboard new staff and volunteers into HR systems, after successful application and background checks.	Contract/Legal Obligation	Not Applicable
Inductions & Probations	To conduct induction and probationary reviews for new staff.	Legitimate interest	Performing Standard HR Processes
Health and Safety Incident Reporting	Management of health and safety reporting relating to staff, volunteers, and service users.	Legal Obligation	Not Applicable
Health Risk Assessments	Management of staff and volunteer health-related risk assessments.	Legal Obligation	Not Applicable
Employee Assistance Program	Management of referrals to the Employee Assistance Program.	Legitimate interest	Not Applicable
Electronic Signing	Management of staff electronic signatures and related documents	Legitimate interest	Performing Standard HR Processes
PACT Academy Training Record	Collecting and processing of training records for staff and volunteers	Legitimate interest	Management of training records.
Creation/Deletion of User Accounts	Collecting information to enable creation/audit and deletion of unique user accounts. Reporting/auditing of user access and login activity and to enable the postage of IT equipment issued to the users.	Legitimate Interest	Required for the creation of unique user accounts
Data Breach Recording	Reporting of information about data breeches and near misses to enable the Privacy Manager to assess whether the data breech needs to be reported to the ICO. This data is also used to implement remedial actions and to focus data security training.	legitimate interest	For IT security
Secure Email Accounts Creation	Collecting information to enable the creation of unique secure email user accounts.	legitimate interest/ contractual	Required for the creation of unique user accounts
Mobile Phone Usage	Collecting information to enable the issuance of mobile phones to staff and to log mobile phone usage.	Legitimate interest	Required to enable Pact to issue/monitor mobile phones
Data Subject Requests	Responding to and management of GDPR data subject requests	Legal Obligation	Not Applicable
Expenses	To process the payment of expenses to employees, staff, and volunteers.	Contract	Not Applicable
Media recording	To procure or create photographs, video footage and/or audio recordings of individuals for use across Pact’s marketing materials. E.g. Events, photoshoots, mock-ups, team photos, etc.	Consent/Legitimate Interests	To keep records of events.
Volunteer Support and Supervision	To keep accurate records of all supervision notes recorded during a volunteer supervision / support session.	Legitimate interest	Supervision offers a vital channel of communication between management and volunteers. They can use it to share useful information with each other and discuss any challenges or issues. This ensures that volunteers feel confident to do their role and can access the support that they need to manage difficult situations.
Providing References for Former & Current Volunteers	Providing factual references for former & current volunteers to potential employers, universities, charities etc.	Consent	Not Applicable
Survey Management	The management of feedback surveys. This process covers the gathering of data on individuals through surveys to gain insights that can be used to improve services and practice.	Legitimate interest	Necessary for understanding effectiveness and inclusiveness of practice
Security Devices and Escalation Protocols	This process covers the use of security devices to allow effective escalation of safeguarding concerns or emergencies. It allows contact details for points of escalation to be held and used correctly.	Vital interests	Not Applicable

Transfers of personal data to third parties

Pact may transfer your personal data to third parties. Pact may transfer your personal data to the following categories of recipients:

Cloud Storage & Document Management Tools
Recruiters & Recruitment Management Tools
Employee Management & Training Tools
Government Organisations
Insurance Providers
Healthcare Services
Health and Safety Providers & Tools
IT Security and Management Tools
Auditors
Computing & Mobile Phone Service Providers
Banks

Pact will ensure that your personal data is hosted in UK and/or EU servers. Pact will also ensure that contracts with these third-parties meet all UK-GDPR requirements.

Contractors & temporary workers

The information in this section applies to current, past, and potential contractors, or workers working under a service contract. Depending on your specific circumstances, your data may be used in all, some of, or none of the below listed processes:

Purpose of Processing	Description of Processing	Lawful Basis for Processing	Legitimate Interest
Staff and Volunteer Recruitment	To recruit new staff and volunteers, from receipt of application to decision about recruitment of applicant.	Contract	Not Applicable
Staff and Volunteer Onboarding	To onboard new staff and volunteers into HR systems, after successful application and background checks.	Contract/Legal Obligation	Not Applicable
Inductions & Probations	To conduct induction and probationary reviews for new staff.	Legitimate interest	Performing Standard HR Processes
Support, Supervisions & Appraisals	To conduct Support, Supervisions & Appraisals for staff.	Legitimate interest	Performing Standard HR Processes
Health and Safety Incident Reporting	Management of health and safety reporting relating to staff, volunteers, and service users.	Legal Obligation	Not Applicable
Health Risk Assessments	Management of staff and volunteer health-related risk assessments.	Legal Obligation	Not Applicable
Eyecare	Management of staff eyecare voucher system.	Legal Obligation	Not Applicable
Employee Assistance Program	Management of referrals to the Employee Assistance Program.	Legitimate interest	Not Applicable
Electronic Signing	Management of staff electronic signatures and related documents	Legitimate interest	Performing Standard HR Processes
Staff Payroll Submissions	To manage timesheets and monthly payroll submissions of staff.	Contract	Not Applicable
Employee References (Leavers)	Providing references for current and previous employees to their new employers.	Consent	Not Applicable
Mobile Phone Usage	Collecting information to enable the issuance of mobile phones to staff and to log mobile phone usage.	Legitimate interest	Required to enable Pact to issue/monitor mobile phones
Supplier Payment	Process for the payment of Pact suppliers and contractors.	Contract	Not Applicable
Media recording	To procure or create photographs, video footage and/or audio recordings of individuals for use across Pact’s marketing materials. E.g. Events, photoshoots, mock-ups, team photos, etc.	Consent/Legitimate Interests	To keep records of events.
Survey Management	The management of feedback surveys. This process covers the gathering of data on individuals through surveys to gain insights that can be used to improve services and practice.	Legitimate interest	Necessary for understanding effectiveness and inclusiveness of practice
Security Devices and Escalation Protocols	This process covers the use of security devices to allow effective escalation of safeguarding concerns or emergencies. It allows contact details for points of escalation to be held and used correctly.	Vital interests	Not Applicable

Transfers of personal data to third parties

Pact may transfer your personal data to third parties. Pact may transfer your personal data to the following categories of recipients:

Cloud Storage & Document Management Tools
Recruiters & Recruitment Management Tools
Employee Management & Training Tools
Government Organisations
Insurance Providers
Health and Safety Providers & Tools
Healthcare Services
Computing & Mobile Phone Service Providers
Banks

Pact will ensure that your personal data is hosted in UK and/or EU servers. Pact will also ensure that contracts with these third-parties meet all UK-GDPR requirements.

Suppliers

This section applies to past, current, and potential third-party suppliers. Depending on your specific circumstances, your data may be used in all, some of, or none of the below listed processes:

Purpose of Processing	Description of Processing	Lawful Basis for Processing	Legitimate Interest
Supplier Payment	Process for the payment of Pact suppliers and contractors.	Contract	Not Applicable

Transfers of personal data to third parties

Pact may transfer your personal data to third-parties. Pact may transfer your personal data to the following categories of recipients:

Banks

Pact will ensure that your personal data is hosted in UK and/or EU servers. Pact will also ensure that contracts with these third parties meet all UK-GDPR requirements.

Supporters, donors, & trustees

This section applies to past, current, and potential supporters, donors, & trustees. Depending on your specific circumstances, your data may be used in all, some of, or none of the below listed processes:

Purpose of Processing	Description of Processing	Lawful Basis for Processing	Legitimate Interest
Creation/Deletion of User Accounts	Collecting information to enable creation/audit and deletion of unique user accounts. Reporting/auditing of user access and login activity and to enable the postage of IT equipment issued to the users.	Legitimate Interest	Required for the creation of unique user accounts
Data Breach Recording	Reporting of information about data breeches and near misses to enable the Privacy Manager to assess whether the data breech needs to be reported to the ICO. This data is also used to implement remedial actions and to focus data security training.	legitimate interest	For IT security
Secure Email Accounts Creation	Collecting information to enable the creation of unique secure email user accounts.	legitimate interest/ contractual	Required for the creation of unique user accounts
Data Subject Requests	Responding to and management of GDPR data subject requests	Legal Obligation	Not Applicable
Expenses	To process the payment of expenses to employees, staff, and volunteers.	Contract	Not Applicable
Donations received	To record donations and related information (stewards, supporters and donors).	Legitimate interest	to acknowledge and process donations and steward donors
Donor Solicitation and Stewardship Events	To manage, invite and host supporters to events.	Consent	Not Applicable
Delivery of Fresh Start Newsletters (Hard Copy)	To manage the delivery of hardcopies of the Pact newsletter.	Consent	Not Applicable
Management of Fresh Start Newsletter and other fundraising campaigns	To manage the database of people who want to receive our newsletter/ campaigns and appeal information	Consent	Not Applicable
Email Marketing List Maintenance	To send requested email updates to Pact supporters who have explicitly requested to receive updates.	Consent	Not Applicable
Social Media Inbox Messages	To respond to messages received via social media (e.g. Facebook, Instagram, Twitter, etc.) and, if needed, to forward to the services team.	Legitimate interest	Necessary to respond to data subject's feedback or request
Media recording	To procure or create photographs, video footage and/or audio recordings of individuals for use across Pact’s marketing materials. E.g. Events, photoshoots, mock-ups, team photos, etc.	Consent/Legitimate Interests	To keep records of events.

Transfers of personal data to third parties

Pact may transfer your personal data to third parties. Pact may transfer your personal data to the following categories of recipients:

Cloud Storage & Document Management Tools
IT Security and Management Tools
Auditors
Government Organisations
Banks
Office Suppliers & Office Management
Sales and Marketing Management Tools
Employee Management & Training Tools
Social Media & Advertisement Platforms

Pact will ensure that your personal data is hosted in UK and/or EU servers. Pact will also ensure that contracts with these third parties meet all UK-GDPR requirements.

Service users

Please read the General Information and then click on the most relevant category(ies) of data subject for your situation.

This section applies to past, current, and potential service users. Depending on your specific circumstances, your data may be used in all, some of, or none of the below listed processes:

Purpose of Processing	Description of Processing	Lawful Basis for Processing	Legitimate Interest
Support, Supervisions & Appraisals	To conduct Support, Supervisions & Appraisals for staff.	Legitimate interest	Performing Standard HR Processes
Data Breach Recording	Reporting of information about data breeches and near misses to enable the Privacy Manager to asses whether the data breech needs to be reported to the ICO. This data is also used to implement remedial actions and to focus data security training.	legitimate interest	For IT security
Data Subject Requests	Responding to and management of GDPR data subject requests	Legal Obligation	Not Applicable
Social Media Inbox Messages	To respond to messages received via social media (e.g. Facebook, Instagram, Twitter, etc.) and, if needed, to forward to the services team.	Legitimate interest	Necessary to respond to data subject's feedback or request
Case studies	To raise awareness of Pact’s work by sharing the stories of those with lived experience of the criminal justice system and/or using Pact’s services.	Consent	Not Applicable
Pact Ambassadors stewardship	To raise awareness of Pact’s work by allowing those with lived experience of the criminal justice system and/or using Pact’s services to speak publicly about those experiences.	Consent	Not Applicable
Media recording	To procure or create photographs, video footage and/or audio recordings of individuals for use across Pact’s marketing materials. E.g. Events, photoshoots, mock-ups, team photos, etc.	Consent/Legitimate Interests	To keep records of events.
Safer custody web forms	To monitor usage of web forms and confirm that participating prisons have acted on safer custody concerns.	Vital Interests	Not Applicable
Listen to Families - Patient & Public Voice (PPV)	A service to build relationships with family and carers to get them involved in improving prison healthcare. This service builds a mailing list to provide newsletters & offer opportunities to contribute to influencing healthcare policy & practice.	Public Task	Not Applicable
Volunteer Support and Supervision	To keep accurate records of all supervision notes recorded during a volunteer supervision / support session.	Legitimate interest	Supervision offers a vital channel of communication between management and volunteers. They can use it to share useful information with each other and discuss any challenges or issues. This ensures that volunteers feel confident to do their role and can access the support that they need to manage difficult situations.
Management of Service User data	Management of Service User data to support successful rehabilitation.	Legal Obligation (when it is part of their sentence plan) Legitimate Interests (when data subject joins voluntarily)	Provision of commissioned services
Safeguarding Relatives of Services User	To record safeguarding concerns related to the service user relatives and acquaintances. To record any related Pact actions.	Vital interests & Consent	Not Applicable
Researching & Evaluation	Researching & evaluating the outcomes of Pact projects.	Consent	Not Applicable
Services Grants	Data processed to support application of welfare grants.	Consent	Not Applicable
Provision of befriending service	Collecting and processing of information to register and provide the befriending support service to Service Users.	Legitimate interest	Not Applicable
Service User Case Management	Collecting and processing of information to register and manage Service User cases.	Consent	Not Applicable
Survey Management	The management of feedback surveys. This process covers the gathering of data on individuals through surveys to gain insights that can be used to improve services and practice.	Legitimate interest	Necessary for understanding effectiveness and inclusiveness of practice
Safeguarding of Service Users	Collecting and processing of information to escalate safety concerns as needed. To ensure that safeguarding concerns are escalated to the prison and that family is contacted.	Consent	Not Applicable
Group Support Sessions	To manage Service User group support sessions. Contact details are taken from consenting service users. The pact staff member then sends invitation to virtual group sessions.	Legitimate interest	Not Applicable

Transfers of personal data to third parties

Pact may transfer your personal data to third parties. Pact may transfer your personal data to the following categories of recipients:

Cloud Storage & Document Management Tools
Social Media & Advertisement Platforms
Employee Management & Training Tools
Government Organisations
Healthcare Services
Charitable & Non-Profit Organisations
Universities & Research Organisations
Sales and Marketing Management Tools

Pact will ensure that your personal data is hosted in UK and/or EU servers. Pact will also ensure that contracts with these third parties meet all UK-GDPR requirements.

Contractual obligations to transfer data to third parties

In some instances, Pact is contractually obliged to transfer your personal data to third parties. For example, we have some grant agreements that require us to transfer your data between Pact and HMPPS. Please see below for the privacy notices of these third parties:

Government Body/Third Party Controller	Link to Privacy Notice
Ministry of Justice (MoJ)	Ministry of Justice (publishing.service.gov.uk)
HM Prison and Probation Service (HMPPS)	NPS-Privacy-Notice.pdf (publishing.service.gov.uk)
NHS	NHS70 Report template (england.nhs.uk)

Other data subject types

This section applies to other data subject types who may not have been captured in the above listed categories. Depending on your specific circumstances, your data may be used in all, some of, or none of the below listed processes:

Purpose of Processing	Description of Processing	Lawful Basis for Processing	Legitimate Interest
Employee References (Leavers)	Providing references for current and previous employees to their new employers.	Consent	Not Applicable
Data Subject Requests	Responding to and management of GDPR data subject requests	Legal Obligation	Not Applicable
Email Marketing List Maintenance	To send requested email updates to Pact supporters who have explicitly requested to receive updates.	Consent	Not Applicable
Social Media Inbox Messages	To respond to messages received via social media (e.g. Facebook, Instagram, Twitter, etc.) and, if needed, to forward to the services team.	Legitimate interest	Necessary to respond to data subject's feedback or request
Media Enquiries	To respond to enquiries from media representatives that may be received by email or through social media channels.	Legitimate interest	To respond to Journalists and to provide them with news stories that may be of interest to them.
Press Release Distribution	To distribute press releases to relevant media contacts and raise brand awareness.	Legitimate interest	Some information may be in the public interest - i.e. related to Governmental decisions or impact on public health
Website Cookie Placement	Use of website cookies to personalise content, to analyse website traffic through Google Analytics and to occasionally deliver tailored advertising on social media (e.g. Facebook, Instagram, LinkedIn, etc.).	Consent	Not Applicable
Media recording	To procure or create photographs, video footage and/or audio recordings of individuals for use across Pact’s marketing materials. E.g. Events, photoshoots, mock-ups, team photos, etc.	Consent/Legitimate Interests	To keep records of events.
Online surveys	To collect survey responses in relation to the success of marketing campaigns.	Legitimate Interests	Not Applicable
Safer custody web forms	To monitor usage of web forms and confirm that participating prisons have acted on safer custody concerns.	Vital Interests	Not Applicable
Website form submissions	To forward forms such as feedback and changes of preferences to the correct Pact department for processing. This applies to both the Pact website and the Prisoners’ Families Helpline website	Legitimate interest	To respond and manage personal data relating to individuals who choose to get in contact/provide feedback to Pact.
Event Management	To register for in-person events that are managed through event management platforms.	Legitimate interest	To effectively organise and manage events.
Listen to Families - Patient & Public Voice (PPV)	A service to build relationships with family and carers to get them involved in improving prison healthcare. This service builds a mailing list to provide newsletters & offer opportunities to contribute to influencing healthcare policy & practice.	Public Task	Not Applicable

Transfers of personal data to third parties

Pact may transfer your personal data to third parties. Pact may transfer your personal data to the following categories of recipients:

Cloud Storage & Document Management Tools
Office Suppliers & Office Management
Sales and Marketing Management Tools
Social Media & Advertisement Platforms
Accountants & Financial Management Tools
Website & Software Development Tools
News Reporters
Healthcare Services

Pact will ensure that your personal data is hosted in UK and/or EU servers. Pact will also ensure that contracts with these third parties meet all UK-GDPR requirements.

Unsolicited personal information

If you send Pact unsolicited personal information, for example a CV, Pact reserves the right to immediately delete that information without informing you or to decide which category of data subject that you appear to be and manage your personal data within the remit of that category as described elsewhere in this Privacy Notice.

Retention schedule

Pact uses the following retention schedule. The following minimum retention periods shall apply:

Category	Item	Retention period
Health and safety documentation	Health and safety policy	Permanent
	Risk assessment reports	Permanent
	Injury records and accident books	3 years from the accident date
Service users	Personally identifiable information relating to service users accessing our programmes, including referral forms and starter and leaver forms	6 years from the end of the relationship, or until scanned and uploaded onto secure IT system if sooner
	Demographic information	6 years
	Service user feedback	6 years
	Prison visitor lists (visitor centres and play)	Normally until used to collate information for monthly reports unless other arrangements apply for a particular service
Grant/contract documentation	Grant funding agreements	Permanent, or until no longer commercially useful as long as at least 6 years from project end
	Contracts including action plans, reviews and exit documents	Permanent, or until no longer commercially useful as long as at least 6 years from contract expiry
	Records relating to interventions delivered, e.g. outcomes start relationship radar, octopus, relationship and parenting course evaluations	6 years from contract expiry, or audit period specified in the contract if longer
Specific contracts	Family services contracts (2017 framework agreement)	12 years beyond contract end date
Specific contracts	HMPPS ESF CFO documentation	12 years beyond contract end date
Supporter relations	Newsletter recipients	3 years, unless ongoing subscription confirmed
	Donor information and correspondence	6 years after the end of the financial year in which the relationship ends
	Legacy information	6 years after the end of the financial year in which the legacy received
	Church lists	5 years unless ongoing engagement confirmed
	Challenge event participant details	1 year after the event
	Challenge event next of kin details	Until the event has taken place
	Corporate partners	5 years after end of partnership
	Corporate prospects	3 years
Communications	E-newsletter recipients	1 year after last engagement
	Children’s Charter signatories	review whether relevant to current campaigns after 5 years
	Photos	10 years after taken, but with selected photos kept for historical archiving purposes
Volunteers	Volunteer applications for unsuccessful candidates	6 months after end of application process
	General volunteer records	6 years from the end of relationship
	Basic volunteer information for reference purposes	Permanent
Staff members	Job applications for unsuccessful candidates	6 months after end of application process, with 6-month extension by consent
	General employee records	6 years from the end of employment
	PAYE and NI records	6 years from the end of financial year
	Maternity, paternity and adoption payment records	3 years from the end of the relevant tax year
	Sickness records	3 years from the end of the relevant tax year
	Basic employee details for reference purposes	Permanent
Charity and company documentation	Company formation documents	Permanent
	Register of directors and company secretaries	Permanent
	Trustee and director details other than those on the register	3 years after ceasing to be a trustee or director
	Minutes of board meetings and general meetings	Permanent
	Accounting and banking records	6 years from the end of the relevant financial year
Tax documents	Corporation tax records	6 years from the end of the relevant financial year
Tax documents	VAT records	6 years from the end of the relevant financial year
Other electronic files	E-mails sent and received, existing volunteers and staff	6 years from sending date; if the e-mail might support supervision or appraisal notes or discussions for a staff member or volunteer, or if it relates to a contractual or other item with a longer retention period, it must be saved to relevant folder in the cloud or printed and filed as appropriate
	E-mails sent and received, former volunteers and staff	Emails are kept in an archive for 3 months after the end of employment or volunteering.
	Other documents, e.g. databases, Word documents, spreadsheets, slides, plans etc.	No retention period unless defined by a specific business need
	Electronic communications, including instant messaging, tweets, posts, news articles, intranet site	No retention period unless covered in categories above
	Phone calls, recorded voicemails, voice messaging etc.	No retention period

Where it is not practical to segregate and manage specific data types uniquely, then a blanket 7-year policy will be applied to all data with a prescribed retention period of 6 years or less.