Privacy Notice for the Kaleidoscope Project
(To provide a brief explanation of Kaleidoscope’s compliance with the General Data Protection Regulations (GDPR) and the Data Protection Act 2018 (DPA))
Kaleidoscope has drafted separate privacy notices for each of its services to ensure that it complies on a bespoke basis to the GDPR. However, it considers it is important to have a brief overview of what it does to reassure our stakeholders of our general compliance.
The Kaleidoscope Project collects and processes a large amount of personal information to carry out its functions as a treatment agency. This document explains how we collect and store your data and provides an overview of our processing activities. Please note that the detail of our processing activities will be contained within the individual service Privacy Notices which will be provided to a service user and/or staff member at first point of contact.
Sources and Categories of Information being processed
The majority of the information we collect is provided by you, the Data Subject. Sometimes, we obtain your personal data from sources other than yourself. Where this is the case, we will tell you where we have obtained your information (the source) and explain to you the categories of information that we have collected, for example, your name, address and date of birth. Purpose and legal basis for using your information. For each of our processing activities, we will tell you explicitly why we need to process your personal information. We will also identify a legal basis for processing your information. We will only ever ask you for information about yourself that is appropriate for the purposes of processing. If we have obtained your consent to process your information, you have the right to withdraw your consent at any time and we will explain to you, clearly, how to do this.
Sometimes we process special category data which is afforded more protection under the Data Protection Act 2018. This is because special category data is deemed to be more sensitive. If we are processing your special category data then we need to establish a further lawful basis for processing, and we will tell you what that lawful basis is. Special category data is deemed to be data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, the processing of genetic or biometric data for the purposes of identification, health data and sexual orientation. We do not use machines or automated processing to determine what treatment you should have and we do not transfer your information outside the UK.
Who will have access to your personal information?
The Kaleidoscope Project is typically the data controller and the Data Protection Officer is currently David McNeil – email email@example.com
Please be aware that Kaleidoscope offers a number of services commissioned from different public authorities. As part of those arrangements, Kaleidoscope may be the data processor rather than the data controller. Even as the data controller, we will be required to ensure that your rights are properly respected under the GPDR.
When we process your personal information, we will tell you;
i. Who the main users of your information are ; and
ii. If we share your information and who we share it with.
Requests for Personal Information
All recorded personal information held by the Kaleidoscope Project may be subject to requests under the Data Protection Act 2018.
If you would like to request a copy of the personal information that we hold about you, you can request it. If you can email firstname.lastname@example.org then that will ensure that your request goes to the right place. Other individuals within Kaleidoscope have been trained to identify and process requests and we will deal with requests in any form, although we would appreciate confirmation in writing to ensure that we know what you want. We may request a form of identity check or authorisation if you are acting on behalf of a third party.
The Data Protection Act gives you a number of rights. Please note that not all of these rights are absolute and we will need to consider your request upon receipt.
You have the right to request:
a) to have your data rectified if it is inaccurate or incomplete;
b) to have your data erased;
c) to restrict the processing of your data; and
d) to exercise your right to data portability.
In all instances, please submit your request to: email@example.com
If you are unhappy with the way the Kaleidoscope Project is using your data, you have the right to complain to us.
If you would like to do this, please contact us by sending an e-mail to this address; firstname.lastname@example.org
If you are not content with the subsequent outcome of your complaint, then we would ask for the opportunity to review your complaint, but you may apply directly to the Information Commissioner for a decision. Generally, the ICO cannot make a decision unless you have exhausted the Kaleidoscope Project’s complaints procedure.
The Information Commissioner can be contacted at: The Information Commissioners Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF. https://ico.org.uk/
How long will we retain your information?
We will retain your information in line with the Kaleidoscope Project’s Personal Data Policy. We will only retain your information for as long as is needed, after which, it will be deleted or destroyed.
We will protect the integrity and confidentiality of your personal data by using the appropriate technical or organisational measures to ensure the security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage.