GDPR | YCS Wales

YCS Data & Privacy Policy

Who we are?

In this Privacy Policy, “we”, “us” or “our” means YCS Counselling Wales.

Registered charity in England and Wales as Y CWMNI SIARAD / THE TALKING COMPANY.

Charity Number 1182049

Registered Address:

YCS Therapy Centre

31 The Parade

Roath

Cardiff

CF24 3AD

T: 07379 672 870

E: admin@ycscounsellingwales.co.uk

General Data Protection Regulation (GDPR) May 2018

GDPR is an European law designed to protect personal data about living individuals. This means that any person or organisation who handles personal data must comply with the requirements of the legislation.

GDPR has replaced the Data Protection Act 1998 in the UK since May 2018. Any organisation that processes personal data of EU citizens are required to comply with the GDPR, regardless of where the organisation is based globally, so although the UK is not in the EU, GDPR applies to UK organisations. GDPR governs the way in which data is handled (processed), people’s rights regarding their data and how companies should handle this data. We comply with all aspects of the UK’s data protection legislative framework, which includes the European General Data Protection Regulation (GDPR) and the UK’s own legislation, including the Data Protection Act 2018.

YCS have developed this Data & Privacy policy about how we collect personal data and how we treat this data. The policy is also provided to any person either working with YCS (staff, volunteer counsellors and Board members) or receiving a service from us (clients), in order to be as transparent as possible about the personal information we collect and use. We treat privacy and confidentiality very seriously. We are a charitable incorporated organisation (CIO), and as a CIO we have relationships with fundraisers, volunteers, supporters and service users so we use personal information on YCS on a day-to-day basis in order to fulfil our mission to provide low-cost counselling. We never use the personal information of clients to an outside organisation.

We use statistics such as amount of people receiving counselling, areas they live and gender. Our use of personal information allows us to make better decisions and improve our service to you, fundraise more efficiently and, ultimately, helps us to achieve our vision. Please ensure you read this notice carefully and contact us if you have any questions or concerns about our privacy practices.

What this Notice Covers?

We ask that you read this privacy notice carefully as it contains important information

about:

how we collect your personal information
the personal information that we collect and use
the lawful bases we rely on to collect and use personal information
why we collect and use personal information
sharing your personal information
when we transfer personal information outside the European Economic Area
(EEA)
how long we keep information
how we ensure personal information is secure; and your privacy rights

You should ensure that you read this general privacy policy alongside any specific

privacy notice we may issue to you, from time to time, in relation to your information.

How we collect information

We collect information in the following ways:

You may give us your information in order to complete a contact form, register for counselling with us, as an employee or as a volunteer for us as a Board member or a volunteer counsellor, or otherwise communicate with us.
You may be aware of a technology called “cookies”. Cookies are small data files which may be placed on your browser or the hard drive of your computer. We use cookies to gather information about the use of, and track activity on, our website. Cookies contain information that is transferred to your computer’s hard drive. They help us to improve our site and to deliver a better and more personalised service. Some of the cookies we use are essential for our site to operate. Please note that cookies can’t harm your computer. We don’t store personally identifiable information in the cookies we create, but we do use encrypted information gathered from them to help improve your experience of the site.
If you would prefer to restrict, block or delete cookies from this website, or any other website, you can use your browser to do this. Each browser is different, so check the ‘Help’ menu of your particular browser (or your mobile phone’s handset manual) to learn how to change your cookie preferences. Please bear in mind that if you do this, some features of this website may not function correctly or may not be provided to you.
Third Party Cookies: When you are using this site you may notice that there is content from other websites, such as Google maps or YouTube videos. We may also provide you with the opportunity to share information with others using social networks such as Facebook. We add this content from time to time to give a better user experience. As a result, you may be sent cookies from these other websites. We do not control these cookies and we suggest you check these third-party websites for more information about the cookies they use and how you can manage them.
If you’d like to learn more about cookies in general and how to manage them, visit www.allaboutcookies.org

If you wish to give us personal information about another person, please speak to us to ensure that you are legally entitled to give us the information and for advice on informing that person.

Your information may be shared with us by third parties, for example:

A referring organisation that may provide your contact details as a person interested in applying for counselling.
Funding providers e.g. Big Lottery fund. We do not share your personal details with our funding providers but do provide them with some information such as; figures of the amount of counselling we provide, a breakdown of gender, ethnic background and the area that counselling is provided e.g. Cardiff.

Categories of Personal Information that we hold
The personal information that we collect includes:

your name
your contact details (including postal address, telephone number, e-mail address)
your date of birth
your gender
your bank or credit card details where you provide these to make a payment
if you volunteer for us or apply for a job with us, information necessary for us to process these applications and assess your suitability (which may include things like employment status, previous experience depending on the context,
as well as any unspent criminal convictions or pending court cases you may have)
information relating to your health (for example your GP details, medications that you are taking)
age, sexual orientation, disability and nationality and ethnicity information for monitoring purposes; and
any other personal information you provide to us.

Sensitive personal data

Certain types of personal information are in a special category under data protection laws, as they are considered to be more sensitive. Examples of this type of data include information about health, race, religious beliefs, political views, trade union membership, sex life or sexuality and genetic/biometric information. We only collect this type of information about you to the extent that there is a clear reason for us to do so or where you make it public or volunteer it to us. Wherever it is practical for us to do so, we will explain clearly why we are collecting this type of information and what it will be used for.

The lawful basis for processing personal information

We rely on the following legal bases to process your personal information:

Performance of a contract
This applies where we need to collect and use your personal information in order to take steps to enter into a contract with you or to perform our obligations under a contract with you.
Legal obligation
This applies where we need to collect and use your personal information.
Legitimate interests
We may collect and use your personal information to further our legitimate business interests. We only do this where we are satisfied that your privacy rights are protected satisfactorily. We’re committed to putting you in control of your data and you’re free at any time to opt out from any activity we’re undertaking based on this legal basis.
Consent
We may (but usually do not) need your consent to use your personal information. You can withdraw your consent by contacting us.

When we use special category personal information (please see the “sensitive personal data’” section above), we require an additional legal basis to do so under data protection laws, so will either do so on the basis of your explicit consent or another route available to us at law for using this type of information (for example if you have made the information manifestly public, we need to process it for employment, social security or social protection law purposes, your vital interests, or, in some cases, if it is in the public interest for us to do so).

Why do we collect and use personal information?

We collect and use personal information for the following purposes, relying on the specific lawful bases set out in the table below. The table below highlights a number of legal bases that we use. We use different legal bases depending on the individual concerned e.g. a client would sign a contract to receive our services, a volunteer makes an application to work with us and we have a legitimate interest to check references for this person.

Why	Legal Basis
To train and develop our staff and volunteers.	Performance of a Contact, Legal obligation
To otherwise carry out the day-to-day operations of our organisation efficiently including managing our financial position, capability, planning, communications, corporate governance and audit.	Legal obligation, Legitimate interests
To meet our legal obligations to regulators, government and/or law enforcement bodies.	Legal obligation, Legitimate interests
To audit and administer our accounts.	Legal obligation
To process your application for a job, volunteering position or a counselling service.	Contract, Legitimate interests
To monitor website use to identify visitor location, guard against disruptive use, monitor website traffic and/or personalise information which is presented to you.	Consent, Legitimate interests
To safeguard our staff and volunteers.	Legal obligation
To generate reports on our work, services and events. Our reports to funders are anonymised and do not have individuals in the report.	Legitimate interests, Legal obligation
To administer our websites and to troubleshoot, perform data analysis, research, generate statistics and surveys related to our technical systems.	Legitimate interests
To send you correspondence and communicate with you, including updating your contact details (see “Keeping your information up to date” below).	Consent, Legitimate interests
To manage our events/training.	Contract, Legitimate interests, Legal obligation
To better understand how we can improve our services, products or information by conducting analysis and market research.	Legitimate interests
To respond to or fulfil any requests, complaints or queries you make to us.	Legitimate interests, Legal Obligation
To keep a record of your relationship with us. This would include counselling notes.	Contract, Legitimate Interests
To provide you with the services, products or information you asked for – this includes counselling service.	Contract

Managing your contact preferences

We make it easy for you to tell us how you want us to communicate, in a way that suits you. Our referral forms have clear communication preference questions. If you change your preferences at any time, just let us know and we will change how we contact you. Sharing your personal information Some third parties may have access to your personal information, or we may share or send it to them. This includes:

Counsellors who may process information on our behalf;
IT service providers. We use a software package called Medesk to protect all our data processing. Medesk is a web hosted solution, which means that no information is held on local computers, servers or laptops. The data is held by a Redundant cloud storage, with servers based wholly in the United Kingdom, with a globally recognised 2048-bit SLL certificate. Their high-security data centres are similar to those used by leading banks and financial institutions.
We may also be required to share personal information with regulatory authorities, government agencies and law enforcement agencies. We will use reasonable endeavours to notify you before we do this, unless we are legally restricted from doing so.
We do not sell, rent or otherwise make personal information commercially available to any third party.
We reserve the right to disclose your personal information to third parties.
If we sell or buy any business or assets, in which case we may disclose your personal information to the prospective seller or buyer of such business or assets; and/or
If substantially all of our assets are acquired by a third party, personal information held by us may be one of the transferred assets.

Transfers Outside the European Economic Area (EEA)

We do not send personal data outside the EEA. None of the service providers we use to help us run our businesses are based outside of the EEA.

Keeping your information updated

If your contact details change please email admin@ycscounsellingwales.co.uk, to ensure that the information we have is as up to date and accurate as possible. This activity also prevents us from having duplicate records and out of date preferences, so that we don’t contact you when you’ve asked us not to.

How long we keep personal information

Our policy is to not hold personal information for longer than is necessary. We have established data retention timelines for all of the personal information that we hold based on why we need the information. The timelines take into account any statutory or regulatory obligations we have to keep the information, our ability to defend legal claims, our legitimate business interests, best practice and our current technical capabilities. The length of time that we will retain your data will vary depending upon the purpose for which it is processed. For more information, email admin@ycscounsellingwales.co.uk

How we ensure personal information is secure

We are strongly committed to information security and we take reasonable and appropriate steps to protect your personal information from unauthorised access, loss, misuse, alteration or corruption. We have put in place physical, electronic, and managerial procedures to safeguard and secure the information you provide to us including the use of encryption and pseudonymisation.

We use a software package called Medesk to protect all our data processing. Medesk is a web hosted solution, which means that no information is held on local computers, servers or laptops. The data is held by a Redundant cloud storage, with servers based wholly in the United Kingdom, with a globally recognised 2048-bit SLL certificate. Their high-security data centres are similar to those used by leading banks and financial institutions. Role-based access is used to ensure people only see the information they should.

Your privacy rights

You have a number of rights in relation to your personal data which we have. Not all

of the rights apply in all circumstances. If you wish to exercise any of the rights, please

You have a right of access to the personal information we hold about you.
You have the right to ask us to correct any information we hold about you that you think is wrong or incomplete.
You have the right to object to any processing of your personal information where we are relying on a legitimate interest to do so and you think that your rights and interests outweigh our own and you wish us to stop. There may, however, be legal or other legitimate reasons why we need to keep or use your information. If this is the case, we will consider your request and explain why we cannot comply with it. You can ask us to restrict the use of your personal information while we are considering your request.
We do not use your personal information for the purposes of direct marketing.
You have the right to ask us to delete your information. This is also known as the right to be forgotten or to erasure. We will not always agree to do this in every case as there may be legal or other legitimate reasons why we need to keep or use your information. If this is the case, we will consider your request and explain why we cannot comply with it. You can ask us to restrict the use of your personal information while we are considering your request.
Where our processing of your personal information is based on your consent, you have the right to withdraw it at any time. Please contact us if you want to do so.
You may have a right to obtain the personal information that you have given us in a format that can be easily re-used and to ask us to pass this personal information on in the same format to other organisations. Please contact us to find out if this right applies to you.

How to Complain

Please let us know if you are unhappy with how we have used your personal

information. You can contact us the following way:

T: 07379 672 870

E: admin@ycscounsellingwales.co.uk

You also have the right to complain to the Information Commissioner’s Office. Find out

on their website how to report a concern www.ico.org.uk.

Changes to this Privacy Notice

This privacy notice was last updated July 2024. We keep this privacy notice under

regular review and may change it from time to time by updating this page in order to

reflect changes in the law and/or our privacy practices. We would encourage you to

check this privacy notice for any changes on a regular basis.

Contact

If you have any questions, comments or requests regarding this data and privacy

policy please email admin@ycscounsellingwales.co.uk or write to us at:

The Trustees

YCS Therapy Centre

31 The Parade

Roath

Cardiff

CF24 3AD

For more information regarding data protection legislation please go to ico.org.uk