At Prison Advice and Care Trust (Pact), respecting your data privacy rights is a top priority. This notice explains why and how we collect personal data about you, how we may process such data, and what rights you have regarding your personal data. 

This notice is laid out so that the general provisions are at the top; you can then select the data subject type for which you wish to view the relevant information.

We collect and process your data based on the type of data subject that you are. Please click on the most relevant category(ies) of data subject for your situation and this will take you to the section that describes what data we collect and the reason and justification for processing for that data subject category.

Please read the General Information and then click on the Data Subject Type that you are, as set out below.

Privacy Notice Contents

General Information

The information in this section is relevant to all categories of data subject.

Who controls your personal data?

Pact is responsible for your personal data.

Prison Advice and Care Trust
29 Peckham Road
London
SE5 8UA

You can contact a representative by sending an email to the following address:

[email protected]

The Data Protection Officer for Pact

Pact has appointed a third party GDPR specialist (Tacita) as our Data Protection Officer. They can be contacted at the following email address:

[email protected]

Your rights

You have the following rights:

  1. The right to be informed.
    • You have the right to be informed about how Pact processes your personal data. Typically, Pact communicates this information through privacy notices such as this one.
  2. The right of data access
    • You have a right to obtain a copy of the personal data we hold about you, subject to certain exceptions.
  3. The right of data rectification
    • You always have a right to ask for immediate correction of inaccurate or incomplete personal data which we hold about you.
  4. The right of data erasure
    • You have the right to request that personal data be erased when it is no longer needed, where applicable law obliges us to delete the data or the processing of it is unlawful. You may also ask us to erase personal data where you have withdrawn your consent or objected to the data processing. However, this is not a general right to data erasure – there are exceptions.
  5. The right to restrict data processing
    • You have the right to restrict the processing of your personal data in specific circumstances. Where that is the case, we may still store your information, but not use it further.
  6. The right to data portability
    • You have the right to receive your personal data in a structured, machine-readable format for your own purposes, or to request us to share it with a third party.
  7. The right to object to data processing
    • You have the right to object to our processing of your personal data based on legitimate interests, where your data privacy rights outweigh our reasoning for legitimate interests.
  8. Rights in relation to automated decision making and profiling.
    • You have the right not to be subjected to a decision based solely on automated processing, including profiling, which produces legal or similarly significant effects. Currently, Pact does not perform any automated decision making or profiling.

You may request to enforce your data privacy rights by emailing [email protected]

In certain circumstances, we may need to restrict the above rights to safeguard the public interest (e.g., the prevention or detection of crime) or our business interests (e.g., the maintenance of legal privilege).

Consent as a legal basis for processing

For some data processing, Pact uses consent as a legal basis. If you have consented to processing by Pact, please be aware that you have the right to withdraw this consent at any point. If you would like to withdraw consent for a particular type of data processing that Pact performs, please email the following address:

[email protected]

Complaints to a Supervisory Authority

You have the right to lodge a complaint with a supervisory authority with regard to the way that Pact processes your personal data. Pact recommends lodging a complaint with the ‘Information Commissioner’s Office (ICO)’. This is the UK’s supervisory authority and is the one with which Pact is registered.

How we share your data

We will not share your information with any third parties for the purposes of direct marketing.

We use data processors who are third parties who provide elements of services for us. We have contracts in place with our data processors. This means that they cannot do anything with your personal information unless we have instructed them to do it. They will not share your personal information with any organisation apart from us unless it has been authorised by Pact. They will hold it securely and retain it for the period we instruct.

In some circumstances we are legally obliged to share information, for example under a court order. In any scenario, we will satisfy ourselves that we have a lawful basis on which to share the information and document our decision making.

How we protect your information

We implement appropriate technical and organisational measures to protect personal data that we hold from unauthorised disclosure, use, alteration, or destruction. Where appropriate, we use encryption and other technologies that assist in securing the data you provide. We also require our service providers to comply with strict data privacy requirements where they process your personal data.

How long we keep your personal data

We only keep your personal data for as long as necessary for the purposes described in this privacy notice, or until you notify us that you no longer wish us to process your data. After this time, we will securely delete your personal data, unless we are required to keep it to meet legal or regulatory obligations, or to resolve potential legal disputes.

Contact and further information

If you have any questions about how we use your personal data or wish to make a complaint about how we handle it, you may contact Pact at: [email protected]

In case you would like to be provided with information about a specific personal data processing activity, you can request that by submitting a request at [email protected]

We collect only the personal data from you that we need for the purposes described above. Certain personal data collected from you relates to your next of kin and emergency contacts. In these cases, you are requested to inform such persons about this Notice.

In case you are working at a third-party site (for example a Pact customer location or facility), such third party may need to process your personal data for their purposes acting as a data controller. In these cases, you will receive or may request a separate privacy notice from the relevant data controller.

What happens if you do not provide us with the information we have requested?

Where it concerns processing operations related to your employment (as described above), Pact will not be able to adequately employ you without certain personal data and you may not be able to exercise your employee rights if you do not provide the personal data requested. Although we cannot mandate you to share your personal data with us, please note that this then may have consequences which could affect your employment in a negative manner, such as not being able to exercise your statutory rights or even to continue your employment. Whenever you are asked to provide us with any personal data related to you, we will indicate which personal data is required, and which personal data may be provided voluntarily.

  • You may obtain a copy of our assessment regarding our legitimate interest to process your personal data by submitting a request to [email protected]
  • In some cases, we process your personal data on the basis of statutory requirements, for example, on the basis of employment law, allowances, tax or reporting obligations, cooperation obligations with authorities or statutory retention periods in order to carry out our contractual responsibilities as an employer;
  • In exceptional circumstances we may ask your consent at the time of collecting the personal data, for example photos, communications materials, and events. If we ask you for consent in order to use your personal data for a particular purpose, we will remind you that you are free to withdraw your consent at any time and we will tell you how you can do this.

Regarding special categories of personal data we will only process such data in accordance with applicable law and:

  • with your explicit consent for specific activities in accordance with applicable law;
  • when necessary for exercising rights based on employment, or social protection law or as authorised by collective agreement, or for preventive and occupational medicine or evaluation of working abilities; or
  • where necessary for establishment, exercise, and defence of legal claims.

Regarding personal data concerning criminal convictions and offences, we will only process such data where such processing is permitted by applicable (local) law.

Employees or Potential Employees

Purpose of Processing

Description of Processing

Categories of Personal Data

Lawful Basis for Processing

Legitimate Interest

Staff and Volunteer Recruitment

To recruit new staff and volunteers, from receipt of application to decision about recruitment of applicant.

Name
Date of Birth
Address
Email address
Contact number
Employment history
Curriculum vitae information
Interview Notes
Data relating to employment references (Referee name, relationship to applicant, phone, email address, company/institution, job title)
Previous employment information (e.g. where they worked/studied)

Contract

Not Applicable

Staff and Volunteer Onboarding

To onboard new staff and volunteers into HR systems, after successful application and background checks.

Name

Date of Birth

Address

Next of Kin (Name, relationship, contact details)

Email address

Contact number

Curriculum Vitae

Pact application form

Bank details

Driving licence information

HMRC information (National Insurance number, student loan information)

Gender identity

Marriage status

Caring responsibilities

Lived experience status

Previous volunteer experience

Eligibility to work status & sponsorship licence (nationality, passport and permit information)

Health data (vaccination history)

Race and ethnicity

Religion

Sexual orientation

Contract/Legal Obligation

Not Applicable

Life Assurance

To onboard new employees to the Pact Life Assurance Scheme.

Employee no.
Name
Job title
Department
Location
Line manager
Phone no.
Contract Status
Insurance beneficiary information (name, relationship, date of birth, % pay-out to beneficiary)

Legitimate interest

Performing Standard HR Processes

Inductions & Probations

To conduct induction and probationary reviews for new staff.

Name
Work plan
Training records
Job details
Management notes
Name and job title of manager

Legitimate interest

Performing Standard HR Processes

Support, Supervisions & Appraisals

To conduct Support, Supervisions & Appraisals for staff.

Name

Work plan

Training records

Job details

Management notes

Name and job title of manager

Case notes

Illness & health records in supervision notes

Legitimate interest

Performing Standard HR Processes

Employee Cases

Management of employee cases, including: disciplinaries, grievances, performance, health & capability, restructures, attendance, maternity and paternity leave.

Name
Work plan
Training records
Job details
Management notes
Name and job title of manager
Case notes
Service user information
Complaints
Criminal record and safeguarding information
Attendance records
Data relating to child's birth

Contract

Not Applicable

Legal Advice and Court Cases

Management of employee cases when legal advice is required, including cases that reach court.

Name

Address

Date of birth

Work plan

Training records

Job details

Management notes

Name and job title of manager

Case notes

Service user information

Complaints

Criminal record and safeguarding information

Attendance records

Redundancy pay

Settlement agreements

Correspondence records

Illness & health records

Trade union information

Sexual orientation

Race and ethnicity

Religion

Legitimate interest

Performing Standard HR Processes

Health and Safety Incident Reporting

Management of health and safety reporting relating to staff, volunteers, and service users.

Name

Job role

Address

Gender

Date of birth

Phone number

Email address

Notes relating to incident

Health records

Legal Obligation

Not Applicable

Health Risk Assessments

Management of staff and volunteer health-related risk assessments.

Name

Training records

Job details

Management notes

Name and job title of manager

Case notes

Illness & health records

Legal Obligation

Not Applicable

Staff Mediation and Coaches

Management of staff mediation and coaches

Name
Email
Contact number
Reason for mediation or coaching referral

Legitimate interest

Not Applicable

Eyecare

Management of staff eyecare voucher system.

Name
Email address

Legal Obligation

Not Applicable

Employee Assistance Program

Management of referrals to the Employee Assistance Program.

Name

Email address

Contact Number

Reason for referral

Health data

Legitimate interest

Not Applicable

Electronic Signing

Management of staff electronic signatures and related documents

Name
Email address
Electronic Signature
Relevant letters/communication

Legitimate interest

Performing Standard HR Processes

Staff Payroll Submissions

To manage timesheets and monthly payroll submissions of staff.

Name
Date of Birth
Address
Email address
Bank details
HMRC information (National Insurance number, student loan information)
Marriage status
Hours of work
Salary
Job title
Location of work

Contract

Not Applicable

Employee Dismissal and Redundancy

Management of employee release, including: dismissal, redundancy, and some other substantial reason (SOSR).

Name

Work plan

Training records

Job details

Management notes

Name and job title of manager

Case notes

Service user information

Complaints

Criminal record and safeguarding information

Attendance records

Redundancy pay

Settlement agreements

Correspondence records

Illness & health records

Trade union information

Sexual orientation

Race and ethnicity

Religion

Contract

Not Applicable

Creation/Deletion of User Accounts

Collecting information to enable creation/audit and deletion of unique user accounts. Reporting/auditing of user access and login activity and to enable the postage of IT equipment issued to the users.

Name
Email address
Address

Legitimate Interest

Required for the creation of unique user accounts

Data Breach Recording

Reporting of information about data breaches and near misses to enable the Privacy Manager to assess whether the data breach needs to be reported to the ICO. This data is also used to implement remedial actions and to focus data security training.

Name
Date of Birth
Prison number
Offense history
Email address
Address
Location in prison

Legitimate interest

For IT security

Secure Email Accounts Creation

Collecting information to enable the creation of unique secure email user accounts.

Name
Email address

Legitimate interest / contractual

Required for the creation of unique user accounts

Mobile Phone Usage

Collecting information to enable the issuance of mobile phones to staff and to log mobile phone usage.

Name
Email address
Address
Contact number

Legitimate interest

Required to enable Pact to issue/monitor mobile phones

Payroll

To process pay for employees.

Name
Bank details
National Insurance Number

Contract

Not Applicable

Expenses

To process the payment of expenses to employees, staff, and volunteers.

Name
Bank details
Email
Potentially criminal offense data

Contract

Not Applicable

PACT Academy Training Record

Collecting and processing of training records for staff and volunteers

Name
Email
Employee ID number
Passport Photo
Contact Number 
Training Record 

Legitimate interest

Management of training records.

Transfers of Personal Data to Third Parties

Pact may transfer your personal data to third parties. Pact may transfer your personal data to the following categories of recipients:

  • Cloud based storage providers & storage systems
  • Banks and financial management systems
  • Human resources management systems
  • Customer relationship management systems
  • Health insurance companies & related medical companies
  • Government bodies for the purposes of employment obligations and background checks
  • Lawyers and related legal bodies
  • Mediation services
  • Mobile phone service providers

Pact will ensure that your personal data is hosted in UK and/or EU servers. Pact will also ensure that contracts with these third parties meet all UK-GDPR requirements.

Volunteers or Potential Volunteers

Purpose of Processing

Description of Processing

Categories of Personal Data

Lawful Basis for Processing

Legitimate Interest

Staff and Volunteer Recruitment

To recruit new staff and volunteers, from receipt of application to decision about recruitment of applicant.

Name
Date of Birth
Address
Email address
Contact number
Employment history
Curriculum vitae information
Interview Notes
Data relating to employment references (Referee name, relationship to applicant, phone, email address, company/institution, job title)
Previous employment information (e.g. where they worked/studied)

Contract

Not Applicable

Staff and Volunteer Onboarding

To onboard new staff and volunteers into HR systems, after successful application and background checks.

Name

Date of Birth

Address

Next of Kin (Name, relationship, contact details)

Email address

Contact number

Curriculum Vitae

Pact application form

Bank details

Driving licence information

HMRC information (National Insurance number, student loan information)

Gender identity

Marriage status

Caring responsibilities

Lived experience status

Previous volunteer experience

Eligibility to work status & sponsorship licence (nationality, passport and permit information)

Health data (vaccination history)

Race and ethnicity

Religion

Sexual orientation

Contract/Legal Obligation

Not Applicable

Inductions & Probations

To conduct induction and probationary reviews for new staff.

Name
Work plan
Training records
Job details
Management notes
Name and job title of manager

Legitimate interest

Performing Standard HR Processes

Health and Safety Incident Reporting

Management of health and safety reporting relating to staff, volunteers, and service users.

Name

Job role

Address

Gender

Date of birth

Phone number

Email address

Notes relating to incident

Health records

Legal Obligation

Not Applicable

Health Risk Assessments

Management of staff and volunteer health-related risk assessments.

Name

Training records

Job details

Management notes

Name and job title of manager

Case notes

Illness & health records

Legal Obligation

Not Applicable

Employee Assistance Program

Management of referrals to the Employee Assistance Program.

Name

Email address

Contact Number

Reason for referral

Health data

Legitimate interest

Performing Standard HR Processes

Electronic Signing

Management of staff electronic signatures and related documents

Name
Email address
Electronic Signature
Relevant letters/communication

Legitimate Interest

Required for the creation of unique user accounts

Creation/Deletion of User Accounts

Collecting information to enable creation/audit and deletion of unique user accounts. Reporting/auditing of user access and login activity and to enable the postage of IT equipment issued to the users.

Name
Email address
Address

Legitimate interest

For IT security

Data Breach Recording

Reporting of information about data breaches and near misses to enable the Privacy Manager to assess whether the data breach needs to be reported to the ICO. This data is also used to implement remedial actions and to focus data security training.

Name
Date of Birth
Prison number
Offense history
Email address
Address
Location in prison

Legitimate interest / contractual

Required for the creation of unique user accounts

Secure Email Accounts Creation

Collecting information to enable the creation of unique secure email user accounts.

Name
Email address

Contract

Not Applicable

Mobile Phone Usage

Collecting information to enable the issuance of mobile phones to staff and to log mobile phone usage.

Name
Email address
Address
Contact number

Legitimate interest

Supervision offers a vital channel of communication between management and volunteers. They can use it to share useful information with each other and discuss any challenges or issues. This ensures that volunteers feel confident to do their role and can access the support that they need to manage difficult situations.

Expenses

To process the payment of expenses to employees, staff, and volunteers.

Name
Bank details
Email
Potentially criminal offense data

Vital interests

n/a

Volunteer Support and Supervision

To keep accurate records of all supervision notes recorded during a volunteer supervision / support session.

Name
Volunteer support needs (such as disability, health concern)
Criminal record information
Service User case notes
Safeguarding Concerns

Legitimate interest

Necessary for understanding effectiveness and inclusiveness of practice

PACT Academy Training Record

Collecting and processing of training records for staff and volunteers

Name
Email
Employee ID number
Passport Photo
Contact Number 
Training Record 

Legitimate interest

Supervision offers a vital channel of communication between management and volunteers. They can use it to share useful information with each other and discuss any challenges or issues. This ensures that volunteers feel confident to do their role and can access the support that they need to manage difficult situations.

Survey Management

The management of feedback surveys. This process covers the gathering of data on individuals through surveys to gain insights that can be used to improve services and practice.

Job Role
Email
Name
Age
Ethnicity
Religion/belief
Gender
Sexuality
Health/disability

Legitimate interest

Management of training records.

Security Devices and Escalation Protocols

This process covers the use of security devices to allow effective escalation of safeguarding concerns or emergencies. It allows contact details for points of escalation to be held and used correctly.

Names
Contact number
Personal description (hair colour, glasses, etc.)
Car registration

Legitimate interest

Necessary for understanding effectiveness and inclusiveness of practice

Transfers of Personal Data to Third Parties

Pact may transfer your personal data to third parties. Pact may transfer your personal data to the following categories of recipients:

  • Cloud based storage providers & storage systems
  • Banks and financial management systems
  • Human resources management systems
  • Customer relationship management systems
  • Health insurance companies & related medical companies
  • Government bodies for the purposes of employment obligations and background checks
  • Mobile phone service providers

Pact will ensure that your personal data is hosted in UK and/or EU servers. Pact will also ensure that contracts with these third parties meet all UK-GDPR requirements.

Contractors or Potential Contractors or Workers Working Under a Service Contract

Purpose of Processing

Description of Processing

Categories of Personal Data

Lawful Basis for Processing

Legitimate Interest

Staff and Volunteer Recruitment

To recruit new staff and volunteers, from receipt of application to decision about recruitment of applicant.

Name
Date of Birth
Address
Email address
Contact number
Employment history
Curriculum vitae information
Interview Notes
Data relating to employment references (Referee name, relationship to applicant, phone, email address, company/institution, job title)
Previous employment information (e.g. where they worked/studied)

Contract

Not Applicable

Staff and Volunteer Onboarding

To onboard new staff and volunteers into HR systems, after successful application and background checks.

Name

Date of Birth

Address

Next of Kin (Name, relationship, contact details)

Email address

Contact number

Curriculum Vitae

Pact application form

Bank details

Driving licence information

HMRC information (National Insurance number, student loan information)

Gender identity

Marriage status

Caring responsibilities

Lived experience status

Previous volunteer experience

Eligibility to work status & sponsorship licence (nationality, passport and permit information)

Health data (vaccination history)

Race and ethnicity

Religion

Sexual orientation

Contract/Legal Obligation

Not Applicable

Inductions & Probations

To conduct induction and probationary reviews for new staff.

Name
Work plan
Training records
Job details
Management notes
Name and job title of manager

Legitimate interest

Performing Standard HR Processes

Support, Supervisions & Appraisals

To conduct Support, Supervisions & Appraisals for staff.

Name

Work plan

Training records

Job details

Management notes

Name and job title of manager

Case notes

Illness & health records in supervision notes

Legitimate interest

Performing Standard HR Processes

Health and Safety Incident Reporting

Management of health and safety reporting relating to staff, volunteers, and service users.

Name

Job role

Address

Gender

Date of birth

Phone number

Email address

Notes relating to incident

Health records

Legal Obligation

Not Applicable

Health Risk Assessments

Management of staff and volunteer health-related risk assessments.

Name

Training records

Job details

Management notes

Name and job title of manager

Case notes

Illness & health records

Legal Obligation

Not Applicable

Eyecare

Management of staff eyecare voucher system.

Name
Email address

Legal Obligation

Not Applicable

Employee Assistance Program

Management of referrals to the Employee Assistance Program.

Name

Email address

Contact Number

Reason for referral

Health data

Legitimate interest

Not Applicable

Electronic Signing

Management of staff electronic signatures and related documents

Name
Email address
Electronic Signature
Relevant letters/communication

Legitimate interest

Performing Standard HR Processes

Staff Payroll Submissions

To manage timesheets and monthly payroll submissions of staff.

Name
Date of Birth
Address
Email address
Bank details
HMRC information (National Insurance number, student loan information)
Marriage status
Hours of work
Salary
Job title
Location of work

Contract

Not Applicable

Mobile Phone Usage

Collecting information to enable the issuance of mobile phones to staff and to log mobile phone usage.

Name
Email address
Address
Contact number

Legitimate interest

Required to enable Pact to issue/monitor mobile phones

Supplier Payment

Process for the payment of Pact suppliers and contractors.

Name
Bank Details
Email
Telephone number

Contract

Not Applicable

Transfers of Personal Data to Third Parties

Pact may transfer your personal data to third parties. Pact may transfer your personal data to the following categories of recipients:

  • Cloud based storage providers & storage systems
  • Banks and financial management systems
  • Human resources management systems
  • Customer relationship management systems
  • Health insurance companies & related medical companies
  • Government bodies for the purposes of employment obligations and background checks
  • Mobile phone service providers

Pact will ensure that your personal data is hosted in UK and/or EU servers. Pact will also ensure that contracts with these third parties meet all UK-GDPR requirements.

Supporters, Donors and Trustees

Purpose of Processing

Description of Processing

Categories of Personal Data

Lawful Basis for Processing

Legitimate Interest

Creation/Deletion of User Accounts

Collecting information to enable creation/audit and deletion of unique user accounts. Reporting/auditing of user access and login activity and to enable the postage of IT equipment issued to the users.

Name
Email address
Address

Legitimate Interest

Required for the creation of unique user accounts

Data Breach Recording

Reporting of information about data breaches and near misses to enable the Privacy Manager to assess whether the data breach needs to be reported to the ICO. This data is also used to implement remedial actions and to focus data security training.

Name
Date of Birth
Prison number
Offense history
Email address
Address
Location in prison

Legitimate interest

For IT security

Secure Email Accounts Creation

Collecting information to enable the creation of unique secure email user accounts.

Name
Email address

Legitimate interest / contractual

Required for the creation of unique user accounts

Donations received

To record donations and related information (stewards, supporters and donors).

Name
Address
Email
Job title
Faith

Legitimate interest

To acknowledge and process donations and steward donors

Donor Solicitation and Stewardship Events

To manage, invite and host supporters to events.

Name
Address
Email
Job title
Faith

Consent

Not Applicable

Delivery of Fresh Start Newsletters (Hard Copy)

To manage the delivery of hardcopies of the Pact newsletter.

Name
Address

Consent

Not Applicable

Management of Fresh Start Newsletter

To manage the database of people who want to receive our newsletter.

Name
Address
Email
Job title
Faith

Consent

Not Applicable

Email Marketing List Maintenance

To send requested email updates to Pact supporters who have explicitly requested to receive the Fresh Start newsletter.

Name
Email

Consent

Not Applicable

Social Media Inbox Messages

To respond to messages received via social media (e.g. Facebook, Instagram, Twitter, etc.) and, if needed, to forward to the services team.

Name
Email
Contact number
Further information that may be offered to us, which may include special category information and sensitive data related to criminal convictions and/or health conditions.

Legitimate interest/Consent

Necessary to respond to data subject's feedback or request

Transfers of Personal Data to Third Parties

Pact may transfer your personal data to third parties. Pact may transfer your personal data to the following categories of recipients:

  • Cloud based storage providers & storage systems
  • Printing Companies for Newsletter Delivery
  • Customer relationship management systems
  • Social media management systems

Pact will ensure that your personal data is hosted in UK and/or EU servers. Pact will also ensure that contracts with these third parties meet all UK-GDPR requirements.

Suppliers or Potential Suppliers

Purpose of Processing

Description of Processing

Categories of Personal Data

Lawful Basis for Processing

Legitimate Interest

Supplier Payment

Process for the payment of Pact suppliers and contractors.

Name
Bank Details
Email
Telephone number

Contract

Not Applicable

Transfers of Personal Data to Third Parties

Pact may transfer your personal data to third parties. Pact may transfer your personal data to the following categories of recipients:

  • Banks and financial management systems

Pact will ensure that your personal data is hosted in UK and/or EU servers. Pact will also ensure that contracts with these third parties meet all UK-GDPR requirements.

Service Users or Potential Service Users

Purpose of Processing

Description of Processing

Categories of Personal Data

Lawful Basis for Processing

Legitimate Interest

Support, Supervisions & Appraisals

To conduct Support, Supervisions & Appraisals for staff.

Name

Work plan

Training records

Job details

Management notes

Name and job title of manager

Case notes

Illness & health records in supervision notes

Legitimate interest

Performing Standard HR Processes

Data Breach Recording

Reporting of information about data breaches and near misses to enable the Privacy Manager to assess whether the data breach needs to be reported to the ICO. This data is also used to implement remedial actions and to focus data security training.

Name
Date of Birth
Prison number
Offense history
Email address
Address
Location in prison

Legitimate interest

For IT security

Social Media Inbox Messages

To respond to messages received via social media (e.g. Facebook, Instagram, Twitter, etc.) and, if needed, to forward to the services team.

Name
Email
Contact number
Further information that may be offered to us, which may include special category information and sensitive data related to criminal convictions and/or health conditions.

Legitimate interest/Consent

Necessary to respond to data subject's feedback or request

Management of Service User data

Management of Service User data to support successful rehabilitation.

Name
Criminal Record information
Date of birth
Risk information 
Contact number  
National Insurance number
Employment history
Child services information
Family information [Children's data]

Contract and legitimate interests

Provision of commissioned services

Safeguarding Relatives of Service User

To record safeguarding concerns related to the service user's relatives and acquaintances. To record any related Pact actions.

Name
Gender
Date of birth
Prison Number 
Address  
[Children’s Information] Narrative of the Concern

Vital interests & Consent

Not Applicable

Researching & Evaluation

Researching & evaluating the outcomes of Pact projects.

Name 
Age
Gender
Date of birth
Prison Number 
Email   
Case Narrative

Consent

Not Applicable

Services Grants

Data processed to support application of welfare grants.

Name
Address
National Insurance number
Date of birth
Contact Number 
Email
General Notes of Personal Circumstances

Consent

Not Applicable

Provision of befriending service

Collecting and processing of information to register and provide the befriending support service to Service Users.

Criminal data
Name
Address
Contact number
Email address
Prisoner number
Prisoner location
Other services supporting
Health data
Family information [Children's data]

Legitimate interest

Not Applicable

Service User Case Management

Collecting and processing of information to register and manage Service User cases.

Name
Date of Birth
Prison number
Criminal record
Family information [children's data]
Email
Address
Location in prison

Consent

Not Applicable

Survey Management

The management of feedback surveys. This process covers the gathering of data on individuals through surveys to gain insights that can be used to improve services and practice.

Job Role
Email
Name
Age
Ethnicity
Religion/belief
Gender
Sexuality
Health/disability

Legitimate interest

Necessary for understanding effectiveness and inclusiveness of practice

Safeguarding of Service Users

Collecting and processing of information to escalate safety concerns as needed. To ensure that safeguarding concerns are escalated to the prison and that family is contacted.

Name
Contact number
Prisoner number
Prison Location
Gender
Health

Consent

Not Applicable

Group Support Sessions

To manage Service User group support sessions. Contact details are taken from consenting service users. The Pact staff member then sends an invitation to virtual group sessions.

Name
Contact number
Email

Legitimate interest

Not Applicable

Transfers of Personal Data to Third Parties

Pact may transfer your personal data to third parties. Pact may transfer your personal data to the following categories of recipients:

  • Cloud based storage providers & storage systems
  • Charity funding groups
  • Customer relationship management systems
  • Social media management systems
  • Government bodies for the purposes of Pact’s contractual obligations to the UK government
  • To the police and relevant government bodies for the purposes of safeguarding
  • University and research bodies for the purposes of research
  • Survey management providers

Pact will ensure that your personal data is hosted in UK and/or EU servers. Pact will also ensure that contracts with these third parties meet all UK-GDPR requirements.

Other Data Subject Types

Purpose of Processing

Description of Processing

Categories of Personal Data

Lawful Basis for Processing

Legitimate Interest

Social Media Inbox Messages

To respond to messages received via social media (e.g. Facebook, Instagram, Twitter, etc.) and, if needed, to forward to the services team.

Name
Email
Contact number
Further information that may be offered to us, which may include special category information and sensitive data related to criminal convictions and/or health conditions.

Legitimate interest/Consent

Necessary to respond to data subject's feedback or request

Media Enquiries

To respond to enquiries from media representatives that may be received by email or through social media channels.

Name
Email
Contact number
Organisation

Consent

Not Applicable

Press Release Distribution

To distribute press releases to relevant media contacts and raise brand awareness.

Name
Email

Legitimate interest/Consent

Some information may be in the public interest - i.e. related to Governmental decisions or impact on public health

Website Cookie Placement

Use of website cookies to personalise content, to analyse website traffic through Google Analytics and to occasionally deliver tailored advertising on social media (e.g. Facebook, Instagram, LinkedIn, etc.).

Online identifiers which may include, but are not limited to:
IP address, client ID, cookie ID, location data, username, password, browser & search history, advertising ID, pixel tags

Consent

Not Applicable

Unsolicited Personal Information

If you send Pact unsolicited personal information, for example a CV, Pact reserves the right to immediately delete that information without informing you, or to decide which category of data subject you appear to be and manage your personal data within the remit of that category as described elsewhere in this Privacy Notice.

Transfers of Personal Data to Third Parties

Pact may transfer your personal data to third parties. Pact may transfer your personal data to the following categories of recipients:

  • Cloud based storage providers & storage systems
  • Social media management systems

Pact will ensure that your personal data is hosted in UK and/or EU servers. Pact will also ensure that contracts with these third parties meet all UK-GDPR requirements.

Retention Schedule

Pact uses the following retention schedule:

Retention periods – safeguarding

The following minimum retention periods shall apply for data of a safeguarding nature. 

Category

Item

Retention period

Referrals to children’s social services, police, vulnerable adult services or other authority relating to concerns about possible abuse or neglect, whether the result of direct disclosure, observation or the concerns of a third party

C1s or local authority referral forms

6 years after service user’s last contact with Pact, unless one of the exceptions below applies

Concerns which have been internally logged but found not to merit a referral to the services mentioned above

Blue book entries

1 year after service user’s last contact with Pact

Concerns about people (paid and unpaid) who work with children and young people, e.g. allegations, convictions, disciplinary action, inappropriate behaviour towards children and young people

Personnel files and training records, including disciplinary and working time records, investigation reports and outcome documents

6 years after employment ceases, unless one of the exceptions below applies

Records with a 6-year retention period above should be retained for a longer period if any of the following apply:

  • There were concerns about the behaviour of an adult who was working with children where he or she behaved in a way that harmed, or may have harmed, a child;
  • The adult possibly committed a criminal offence against, or related to, a child;
  • The adult behaved towards a child in a way that indicates he or she is unsuitable to work with children.

In such circumstances, records should be retained at least until the adult reaches normal retirement age, or for ten years if that is longer. 

Retention periods – other items 

For other items, the following minimum retention periods shall apply:

Category

Item

Retention period

Health and safety documentation

Health and safety policy

Permanent

Risk assessment reports

Permanent

Injury records and accident books

3 years from the accident date

Service users

Personally identifiable information relating to service users accessing our programmes, including referral forms and starter and leaver forms

6 years from the end of the relationship, or until scanned and uploaded onto secure IT system if sooner

Demographic information

6 years

Service user feedback

6 years

Prison visitor lists (visitor centres and play)

Normally until used to collate information for monthly reports unless other arrangements apply for a particular service

Grant/contract documentation

Grant funding agreements

Permanent, or until no longer commercially useful as long as at least 6 years from project end

Contracts including action plans, reviews and exit documents

Permanent, or until no longer commercially useful as long as at least 6 years from contract expiry

Records relating to interventions delivered, e.g. outcomes start relationship radar, octopus, relationship and parenting course evaluations

6 years from contract expiry, or audit period specified in the contract if longer

Specific contracts

Family services contracts (2017 framework agreement)

12 years beyond contract end date

HMPPS ESF CFO documentation

12 years beyond contract end date

Supporter relations

Newsletter recipients

3 years, unless ongoing subscription confirmed

Donor information and correspondence

6 years after the end of the financial year in which the relationship ends

Legacy information

6 years after the end of the financial year in which the legacy is received

Church lists

5 years unless ongoing engagement confirmed

Challenge event participant details

1 year after the event

Challenge event next of kin details

Until the event has taken place

Corporate partners

5 years after end of partnership

Corporate prospects

3 years

Communications

E-newsletter recipients

1 year after last engagement

Children’s Charter signatories

Review whether relevant to current campaigns after 5 years

Photos

10 years after taken, but with selected photos kept for historical archiving purposes

Volunteers

Volunteer applications for unsuccessful candidates

6 months after end of application process

General volunteer records

1 year from the end of relationship, unless involved in an accident, in which case 6 years from the end of relationship

Basic volunteer information for reference purposes

Permanent

Staff members

Job applications for unsuccessful candidates

6 months after end of application process, with 6 month extension by consent

General employee records

6 years from the end of employment

PAYE and NI records

3 years from the end of the relevant tax year

Maternity, paternity and adoption payment records

3 years from the end of the relevant tax year

Sickness records

3 years from the end of the relevant tax year

Basic employee details for reference purposes

Permanent

Charity and company documentation

Company formation documents

Permanent

Register of directors and company secretaries

Permanent

Trustee and director details other than those on the register

3 years after ceasing to be a trustee or director

Minutes of board meetings and general meetings

Permanent

Accounting and banking records

6 years from the end of the relevant financial year

Tax documents

Corporation tax records

6 years from the end of the relevant financial year

VAT records

6 years from the end of the relevant financial year

Other electronic files

E-mails sent and received, existing volunteers and staff

6 years from sending date; if the e-mail might support supervision or appraisal notes or discussions for a staff member or volunteer, or if it relates to a contractual or other item with a longer retention period, it must be saved to the relevant folder in the cloud or printed and filed as appropriate

E-mails sent and received, former volunteers and staff

6 years from end of volunteering relationship or employment (but archive after 3 months)

Other documents, e.g. databases, Word documents, spreadsheets, slides, plans etc.

No retention period unless defined by a specific business need

Electronic communications, including instant messaging, tweets, posts, news articles, intranet site

No retention period unless covered in categories above

Phone calls, recorded voicemails, voice messaging etc.

No retention period

Where it is not practical to segregate and manage specific data types uniquely, then a blanket 7-year policy will be applied to all data with a prescribed retention period of 6 years or less.