Introduction
Privacy is at the heart of what we do at Nightline Association. We are committed to protecting your privacy and the personal data that we hold. The purpose of this statement is to be clear and transparent about what that data is and how the Nightline Association uses it.
Our practices are aligned with applicable data protection laws (currently the Data Protection Act 2018 and the UK General Data Protection Regulation (GDPR)).
Useful Definitions
‘Personal data’ is information that is personally identifiable, i.e. you can use the data to find out who it is about. This could be a name, date of birth or location data.
‘Special category data’ is more sensitive information, for example, health or genetic information or records of criminal offences.
‘Processing’ is the action that Nightline Association, or a trusted third party, takes when collecting, updating, storing or accessing an individual’s personal data to produce meaningful information which helps Nightline Association to grow and develop.
‘We’ refers to the Nightline Association.
Who we are
The Nightline Association is a charitable company limited by guarantee registered in England and Wales under company number 05436297 and charity number 1112793 and registered in Scotland under charity number SC050834.
Nightline Association is the umbrella charity for Nightline services across the UK. We support our affiliated Nightlines and our mission is to raise the quality, profile and number of Nightline services so that every student is aware of and has access to confidential emotional peer support.
How we protect your data
At Nightline Association, we only collect the data we need and we only share it on a need-to-know basis.
We do not share personal data externally unless we are collaborating with an organisation that is working on our behalf. In this situation, we will always make you aware of how your personal data might be affected and will always check that the organisation’s systems comply with privacy laws and have robust privacy and security practices
We store most of our data on Google Workspace (i.e. Gmail, Google Drive etc). It is secured and supported by Google (and complies with National Cyber Security Centre principles: NCSC – Cloud Security (UK) – Compliance). We store some personal data on other systems too. For every system we use, we check that it complies with privacy laws and has good privacy and security practices.
Our staff and volunteers are given guidance on best practice in the secure use of our systems.
Using your data
Why we collect your data
At Nightline Association, we would like to build long-lasting relationships with our staff, volunteers, supporters, and contacts based on trust, transparency and compassion; and we want to provide the best service that we can to Nightlines.
Processing your data enables us to understand you better, communicate with you and others in the most appropriate way, and adhere to best practices whereby your data and preferences are kept up to date. For instance, we are able to recognise and acknowledge your support and the commitment you show towards the Nightline Association over the years.
In turn, this better equips us to handle enquiries, deliver events and process payments like gift aid or expenses. However, above all, it facilitates us in providing quality support and fulfilling our aim to raise the quality, profile and number of Nightline services.
What data we collect and how we use it
This explains who we collect personal data about, what that personal data is and the purpose we collect it for. As set out below, we also sometimes process special category data, such as health data.
To make you aware, we have lawful bases for processing your personal data and special category data. The main lawful bases we rely upon are:
- Consent
- It is necessary for us to perform our contracts
- Our legitimate interests as a charity
- It is necessary for us to perform a task in the public interest
- We have a legal obligation
Nightline Service Users
- If you contact a Nightline using our anonymous email or instant messaging systems, we may process your data. We do not control the use of this data however, only process it on behalf of the Nightline.
- Please make sure you review the privacy policy of the individual Nightline you are contacting for information on how they process your personal data.
- Any data about service users given to us by our Nightlines, which is used for statistical analysis, is anonymous and therefore not personal data as covered by GDPR.
Nightline Association Staff
- We collect and process your name, contact details, email address, and other personal details for administrative purposes.
- We collect and process your bank details, hours worked, and any absences so that we can pay your salary to you, and for monitoring purposes.
- We also collect emergency contact details to allow us to take action to ensure your safety if necessary.
- If you require reasonable adjustments to support you in your role, we may collect and process special category data relating to your health so that we can put these adjustments in place.
- We may access your work emails or files where necessary (for example, if you are absent and it would not be practical to wait for your return).
Nightline Association Volunteers
- We collect and process your name, contact details, email address, the content of any correspondence with us, your photo, and bank details (where necessary) for the purpose of administration.
- We also collect emergency contact details to allow us to take action to ensure your safety if necessary.
- We may access your volunteering emails or files where necessary (for example, if you are absent and it would not be practical to wait for your return).
Nightline Volunteers
- We collect and process the names and contact details of some Nightline volunteers, particularly those with responsibility for running aspects of Nightline services. We do this so that we can communicate with you about your Nightline, and to keep you updated about the support available from us.
Supporters
- We may collect and process personal data about our supporters, which we use to best respond to their requests and provide the best experience with the charity, e.g. through thanking them for their gift and updating them on its impact.
- This could include names, contact and financial data in order to process gifts or gift aid or reasons for supporting the charity.
Event Attendees
- If you register for one of our events, we will collect details needed to ensure you can attend the event such as your name and contact details. We will also collect information to make sure that we can run the event safely such as emergency contact details. This may include special category data, such as accessibility requirements or medical details, for your own health and safety.
- We may also take photographs and videos at the event. If you do not wish to be included in any publicity, please make this clear to the event organisers.
Newsletter Subscribers
- If you sign up to hear from Nightline Association through our newsletters, we will store your name and email address in order to contact you.
Website Visitors
- We use analysis tools which help us to understand how our website is being used and how we can improve the content and operation of it. These tools collect anonymous data about your interaction with our website and use cookies to track which pages you visit
- You can opt out of cookies but are required to do this proactively by changing the setting in your browser – unfortunately, we cannot control this on your behalf.
Nightline Association Applicants
- If you apply for a volunteer or staff position at Nightline Association, we keep your application form, CV and anything else you send us for up to six months after the role is appointed.
- If you are successfully appointed, we will keep your application for as long as you are volunteering or working with us so that it can be referred to in the event of any allegations of fraud being made against you.
Nightline Alumni
- We are developing an alumni network for previous volunteers of Nightline Association and Nightlines so that we can keep in touch.
- We will only collect your data if you have opted in and will only contact you as you have requested.
- You can opt out by contacting Nightline Association. Contact information is provided at the end of this policy.
We take reasonable steps to create an accurate record for you. However, we look to you for ensuring the ongoing accuracy of your personal data. We encourage you to take responsibility for reporting personal data updates by contacting us. Our contact information is provided at the end of this policy.
How do we use special category data?
Special categories of particularly sensitive personal information include information about your health, racial or ethnic origin, sexual orientation or trade union membership, and requires higher levels of protection. We need to have further justification for collecting, storing and using this type of personal information. We may process special categories of personal information in the following circumstances:
- In limited circumstances, with your explicit written consent.
- Where we need to carry out our legal obligations or exercise rights in connection with employment, such as in relation to employees with disabilities.
- Where it is needed in the public interest, such as for equal opportunities monitoring.
- Where it is necessary to protect you or another person from harm.
- Less commonly, we may process this type of information where it is needed in relation to legal claims or where it is needed to protect your interests (or someone else’s interests) and you are not capable of giving your consent, or where you have already made the information public.
How long do we keep your personal data for?
We only keep your information for as long as is necessary for the relevant purpose. We use a number of criteria for determining the retention period, including obligations under law, our need to defend or bring any contractual claims within the statutory limitation period, and consideration of the original purpose we collected it for.
Transfers of personal data outside the UK
We may transfer your personal data outside the UK, for example to our service providers. Where we transfer data outside of the UK, we have security measures in place and use other safeguards to protect your personal data. Please contact us using the contact details at the end of this policy if you would like more details about our safeguards for international data transfers.
Safeguarding
Nightline Association is committed to protecting all individuals by putting appropriate measures in place which prevent harm or damage.
Our work in mental health does mean that we come into contact with people who may be at risk in different ways. Nightline Association takes this responsibility very seriously and we try to ensure that people feel comfortable to raise any concerns should they arise.
We are also committed to training staff and volunteers whose role is related to working with people from outside of the Nightline Association.
Please see our Safeguarding Policy for more details.
Your rights
We want to inform you of your rights when it comes to your data and we would like to help you to better understand them. These are:
The right to be informed.
You have the right to be provided with clear, transparent and easily understandable information about how we use your information and rights. This is why we are providing you with the information in this policy. If you have any additional questions, you can contact us using the contact details at the end of this policy.
The right to object.
You always have the right to object to certain types of processing, including the option to stop receiving information from us across all of our communication channels (which is known as processing for direct marketing). This is at your discretion and we will respect your choice. However, for us to enact this we encourage you to notify us. You can use unsubscribe links on emails or contact us using the contact details at the end of this policy.
The right to access a copy of the personal data we hold.
You, or an organisation with legal purpose, can request a copy of your personal data for legitimate purposes. This is known as a ‘Subject Access Request’. To request this, contact us using the contact details at the end of this policy. Please note that proof of identity and the reason for your request may be necessary for Nightline Association to respond appropriately. We may ask for further details if needed.
You should note that, whilst we usually act on requests and provide information free of charge, we may charge a reasonable fee to cover our administrative costs of providing the information for baseless or excessive/repeated requests, or further copies of the same information. We may also be entitled to refuse to act on the request in some circumstances. Otherwise, we’ll respond as soon as we can. Generally, this will be within one month from when we receive your request but, if the request is going to take longer to deal with, we’ll come back to you and let you know.
The right of erasure.
This is also known as the ‘right to be forgotten’. This is where you can request Nightline Association to delete or remove the personal data that we hold on you. Please note that this is not a general right, and there are exceptions, i.e. if there is lawful duty for us to continue to use the personal data we hold about you. To request this, contact us using the contact details at the end of this policy.
The right to rectify inaccurate data.
As detailed above, you can make corrections to the personal data we hold on you if it is inaccurate or incomplete. To request this, contact us using the contact details at the end of this policy.
The right to restrict processing.
You have rights to ‘block’ or suppress further use of your information. When processing is restricted, we can still store your information, but may not use it further. We keep lists of people who have asked for further use of their information to be ‘blocked’ to make sure the restriction is respected in future.
The right to data portability.
You have rights to obtain and re-use your personal data for your own purposes across different services.
The right to lodge a complaint.
You can lodge a complaint about the way we handle or process your personal data with your national data protection regulator. In the UK this is the Information Commissioner’s Office and they can be contacted here: https://ico.org.uk/global/contact-us/.
The right to withdraw consent.
If you have given your consent to anything we do with your personal data, you can withdraw your consent at any time (although if you do, it does not mean that anything we have done with your personal data with your consent up to that point is unlawful). This includes your right to withdraw consent to us using your personal data for marketing purposes.
Contacting Nightline Association about your data
You can contact Nightline Association online through the contact page on our website or you can send a letter to our registered address, which can be found on our website.
If you are in the European Union (EU) or European Economic Area (EEA):
- Pursuant to Article 27 of the General Data Protection Regulation (GDPR), Nightline Association has appointed European Data Protection Office (EDPO) as its GDPR Representative in the EU. You can contact EDPO regarding matters pertaining to the GDPR:
by using EDPO’s online request form: https://edpo.com/gdpr-data-request/ - by writing to EDPO at Ground Floor, 71 Lower Baggot Street, Dublin, D02 P593, Ireland
Changes to Nightline Association’s privacy and data protection policy
We keep this policy under regular review and it may change from time to time.