Full privacy notice
This Privacy Notice explains when and why we collect personal information about you, how we use it and the conditions under which we may disclose it to others. Your personal data is defined as any information that can directly or indirectly identify you. This notice also explains how we keep your data safe and secure and includes information you need to know about your rights and how to exercise them.
If you have any questions regarding our Privacy Notice and our use of your personal data or would like to exercise any of your rights, please get in touch via the following information:
Email us: info@jamiuk.org
Telephone us: 020 8458 2223
Write to us: Martin B Cohen Centre, Gould Way, Deansbrook Road, Edgware HA8 9GL
Data Protection Officer: dataprotection@jamiuk.org
Jami has appointed Hope and May as an external Data Protection Officer. Hope and May will, therefore, assist Jami in complying with the UK GDPR and upholding the Data Subject Rights.
If you are unhappy with the way we process your data, you can also make a complaint to the Information Commissioner’s Office (ICO) which regulates the use of information in the UK. They can be contacted by:
Telephone 0303 123 1113
Write to the ICO: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Or by going online to www.ico.org.uk/concerns
If you are based outside of the UK, the complaint should be directed to the relevant Data Protection Supervisory Authority in that Country.
1. Who are we?
2. The personal data collected, how and why we collect it and on what lawful basis
3. Fundraising and marketing communications
4. Your rights
5. Transferring your information outside of the United Kingdom
6. Making a complaint
7. Changes to our privacy notice
- How and when do we collect information about you?
- What types of information is collected about you and who provides it?
- How is the information used?
- Lawful basis for processing
- How long do we keep your data?
- Confidentiality, Data Sharing and Safeguarding
- Information collected and why, who provides it and when, data retention and lawful basis
- Confidentiality, Data Sharing and Safeguarding
- Feedback and Evaluation
- Information collected and why, who provides it and when, and lawful basis
- Philanthropy
- How long do we keep your data for?
- Confidentiality – who do we share your data with?
APPENDIX 4 – Website visitors and cookies
- When you visit this website
- Social Media
- Cookies
- Financial transactions on the website
- Links to other websites
We are Jami and for the purposes of UK Data Protection Law we are registered as a Data Controller under registration number ZA317613.
In this Notice, ‘Jami’, ‘we’, ‘us’, ‘our’ means:
Jami The Jewish Association for Mental Illness (Company No: 02618170) with a registered address at Leila’s House 55 Christchurch Avenue, London N12 0DG.
Jami enriches and saves lives impacted by mental illness in the Jewish community
Appendix 1 – Human Resources (employees, trustees, job applicants and volunteers)
Appendix 2 – Service Users
Appendix 3 – Fundraising and Engagement
Appendix 4 – Website Visitors and cookies
Your contact details may be used to provide you with information about our services or our fundraising opportunities via:
- Post
We may use our legitimate interest to send you fundraising or marketing communications by post. If you prefer not to hear from us this way, please get in touch by using any of the contact details listed at the top of this notice.
- Phone
If you have provided us with your telephone number or email address, we may contact you by phone with fundraising and marketing communications under our legitimate interest (unless you are enrolled with the TPS or you have told us not to do so).
- Email, text or other electronic message
We will only send you fundraising and marketing communications by email, text or other electronic message if you have explicitly provided your consent or if you have been involved in a commercial transaction with us. You may opt out of our fundraising and marketing communications at any time by clicking the unsubscribe link at the end of our marketing emails. Alternatively, you can get in touch by using any of the contact details listed at the top of this notice.
When you give us consent to receive marketing and fundraising communications, we will monitor consent and ensure that you still wish to receive such communications by occasionally reaffirming your consent with us. Our approach is designed to uphold your privacy and information rights, to respect your choices, and to ensure we are not intrusive.
If you want to know more about our Fundraising and Engagement and how we use the data for these purposes, please refer to Appendix 3.
Under data protection laws in the UK and EU, you have certain rights over the personal information that we hold about you. If you would like to exercise your rights, please get in contact using any of the details listed above. Here is a summary of the rights we think apply:
a) Right to be Informed
You have the right to be informed as to how we use your data and under what lawful basis we carry out any processing. This Privacy Notice sets this information out; however, if you would like further information or feel that your rights are not being respected, please get in contact using any of the details listed above.
b) Right of Erasure – also known as the right to be forgotten
You may ask us to delete some or all of your information we hold about you. Sometimes where we have a legal obligation we cannot erase your personal data.
c) Right to Object
You have the right to object to processing where we are using your personal information such as where it is based on legitimate interests or for direct marketing.
d) Inaccurate personal information corrected
Inaccurate or incomplete information we hold about you can be corrected. The accuracy of your information is important to us, and we are working on ways to make this easier for you to review and correct the information that we hold about you. We will also carry out an annual accuracy check. If any of your information is out of date or if you are unsure of this, please get in touch through any of the contact details listed in this notice.
e) Right of restriction
You have a right to restrict the processing of some or all of your personal information if there is a disagreement about its accuracy, or we are not lawfully allowed to use it.
f) Right to Access your information
You have a right to request access to a copy of your personal information that we hold about you, along with information on what personal information we use, why we use it, who we share it with, how long we keep it for and whether it has been used for automated decision making. You can make a request for access free of charge, and proof of identity is required. More information is provided in the Jami Subject Access Right Information Sheet (please get in touch with us if you would like to receive a copy).
g) Automated decision making and profiling
Automated decision-making takes place when an electronic system uses personal information to make a decision without human intervention. We currently do not undertake automated decision making in our HR department. We may profile information about our potential donors. You have the right to question the outcome of automated decisions and our profiling activities that may create legal effects or create a similar significant impact on you.
h) Portability
You can ask us to provide you or a third party with some of the personal information that we hold about you in a structured, commonly used, electronic form so it can be easily transferred.
i) Right to withdraw consent
Where you have provided consent to our use of your data, you also have the right to withdraw that consent at any time. This means that we will stop processing your data.
Where personal data is stored outside of the UK and the EU, safeguards to protect personal data may include but are not limited to the UK Addendum used in conjunction with the EU Standard Contractual Clauses (SCCs), or UK International Data Transfer Agreement (IDTAs). Such safeguards will be subject to Transfer Risk Assessments (TRAs).
If you think your data rights have been breached or you are not happy with how we handle your data, you are able to raise a complaint with us by contacting dataprotection@jamiuk.org. Our DPO at Hope and May will reach out to you to resolve your complaint and to help you understand your rights. You can also contact the ICO at Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF or by telephone on 0303 123 1113 (local rate) or 01625 545 745.
This privacy notice is kept under regular review. If we make any significant changes to the way in which we process your information, we will make the required changes to this Privacy Notice and will notify you so that you can raise any concerns or objections with us. When making less impactful changes, we’ll update this notice and post a summary of the changes on our website.
Job applicants and current and former employees, trustees, volunteers and freelancers
How and when do we collect information about you?
You provide several pieces of data to us directly during the recruitment period and subsequently upon the start of your employment/engagement.
In some cases, we will collect data about you from third parties, such as employment agencies and recruitment websites (such as Charity Job and LinkedIn). We may also contact former employers when gathering references.
What types of information is collected about you and who provides it?
We keep several categories of personal data on our employees in order to carry out effective and efficient processes. We keep this data in a personnel file relating to each employee and we also hold the data within our computer systems, for example, our holiday booking system.
Specifically, we may process the following types of data:
a) personal details such as name, address, phone numbers
b) name and contact details of your next of kin
c) your photograph, your gender, marital status
d) footage of the organisation events where you may appear
e) information of any disability or other medical information you have disclosed
f) right to work documentation
g) information gathered via the recruitment process such as that included in a CV, cover letter or application form, references from former employers, details on your education and employment history etc
h) National Insurance number, bank account details and tax codes
i) information relating to your employment with us (e.g., job title, job description, salary, terms and conditions of the contract, annual leave records, appraisal and performance indication, formal and informal proceedings involving you such as letters of concern, and disciplinary and grievance proceedings).
j) internal and external training modules undertaken
k) information on time off from work including sickness absence, family related leave etc
l) IT equipment use including telephones and internet access
m) your biography and picture for the website
n) information on your race and religion for equality monitoring purposes
We may also process special categories of data, which include health information, sexual orientation, race, ethnic origin, political opinion, religion, trade union membership, genetic and biometric data. We may also process criminal records information if the role involves a DBS check.
How is the information used?
We are required to use your personal data for various legal and practical purposes for the administration of your contract of employment or your volunteer/trustee/youth advisory board agreement, without which we would be unable to employ you. Holding your personal data enables us to carry out various administrative tasks and to meet legal or contractual/agreement obligations, such as paying your salary and/or expenses, paying taxes, making necessary adjustments to facilitate your work for us, tracking your performance, administering leave etc.
Lawful basis for processing
We mainly use ‘contractual obligation’ as a lawful basis for processing your personal data for employees, job applicants and freelancers. We mainly use ‘legitimate interest’ for trustees and volunteers (including first responders). We may also have a legal obligation to process and share your data; for example, we need to share salary information with HMRC or use some of your data to enrol a new employee on a pension scheme.
We may collect health data (special category of data) in order to manage sickness/absence procedure and determine reasonable adjustments. We may rely on Art 9 (b) in the field of employment – Condition 1 DPA 2018 (Health and Safety at Work Act 1974).
We may rely on our legitimate interest for processing activities such as keeping supervision and appraisal records, and using your image and bio on our website or in marketing/fundraising materials to promote the charity.
When processing criminal records (for example, in order to perform a DBS check), the organisation relies on the lawful basis of legitimate interest, and Condition 10 from Schedule 1, DPA 2018 (“preventing or detecting unlawful acts”).
How long do we keep your data?
We only keep your data for as long as we need it, which will be at least for the duration of your employment/engagement with us, though in some cases we will keep your data for a period of 6 years after your employment/engagement has ended. If you have applied for a vacancy but your application hasn’t been successful, we will keep your data only for 2 years.
Some data retention periods are set by the law. Retention periods can vary depending on why we need your data. Please get in touch if you want to know more about retention periods.
Data is destroyed or deleted in a secure manner as soon as the retention date has passed.
Confidentiality, Data Sharing and Safeguarding
Employees within our charity who have responsibility for recruitment, administration of payment and contractual benefits and the carrying out of performance-related procedures will have access to your data which is relevant to their function. All employees have been trained in ensuring data is processed in line with UK GDPR and the Data Protection Act (2018).
Data in relation to your salary is shared with HMRC as part of our legal obligation. Data may be shared with third parties for the following reasons: for the administration of payroll, pension, administering other employee benefits. When sharing with third parties, we have data sharing agreements, processor agreements or contracts in place to ensure data is not compromised. Third parties must implement appropriate technical and organisational measures to ensure the security of your data.
To comply with our duty of care and safeguarding, we may need to pass some information raising a safeguarding concern to the authorities. In such circumstances, we apply the following lawful basis:
a) Where an individual’s life may be at risk, we may process the data according to the UK GDPR Article 6(d) where such processing is vital to the individual’s life
b) Where an individual or child is at risk – UK GDPR Article 6(f) legitimate interest, Article 9(g), substantial public interest, DPA 2018 Schedule 1, Part 2 paragraph 18 Safeguarding of children and of individuals at risk
c) Where an individual is at economic risk – UK GDPR Article 6(f) legitimate interest, Article 9(g), substantial public interest, DPA 2018 Schedule 1, Part 2 paragraph 18 Safeguarding of economic well-being of certain individuals
Information collected and why, who provides it and when, data retention and lawful basis
If you join our mental health support programme:
We may collect information such as your full name, contact details, GP contact details, emergency number, reason for your referral, mental health information, current support network and background history. This information is essential to us in order to provide you with the right service. Information is provided directly by yourself or by third parties (e.g., GP, parents, mental health provider) if you provide your consent for the data to be requested.
We process your data under our legitimate interest, supported by Art 9(2)(d) – processing is carried out in the course of its legitimate interest with appropriate safeguards by a not-for-profit body. When special category data (such as ethnicity and sexual orientation) is collected but is not necessary for the delivery of our service, we may rely on your consent. We retain your information for a period of up to 6 months after 8 years from the end of your engagement with us. This retention period differs for Children and Young People (CYP). We retain CYP information for a period of up to 6 months of the person turning 25 years old.
In circumstances where you have made an enquiry, but this hasn’t progressed into enrolment in one of our programmes, we will retain your data on the basis of our legitimate interest but only for 1 year. This is to allow us to still provide you with short-term support and signposting.
Your information may also be processed by the fundraising team for profiling purposes – for more information please refer to Appendix 3 – Fundraising.
If you attend one of our educational or community events/programs (e.g., training, seminars, first responder training, drop-in sessions):
We may collect information such as your name, phone, email, address, emergency contact number that you would provide directly yourself when booking for the event. We would process your information under our legitimate interest, in order to administer your attendance. Your information may also be processed by the fundraising team for profiling purposes – for more information please refer to Appendix 3 – Fundraising.
During our programs, we may take videos and pictures where you may appear. We use the footage for marketing and communication purposes. Depending on the circumstances, we may collect your consent in order to process this type of data or we may rely on our legitimate interest. We retain your information for a period of 5 years after the media content has been gathered.
If you join our counselling service (ex-Raphael) the following information may be provided by yourself during the initial assessment phase: name, DOB, contact details, marital status, any children, contribution paid for counselling, disability, GP details, any previous experience with counselling, mental and physical health information, relationship history, risk assessment via CORE 34 form, life history, support network, occupation. During the counselling process, the counsellor will keep session and supervision notes. Counselling records are retained for a period of up to 6 months after 7 years from the end of your engagement with counselling at Jami, but they could be kept for longer if legally required.
It’s part of our contractual obligation (Art 6.b of the UK GDPR) with yourself to process the information above. The contractual obligation is further supported by additional conditions of the UK GDPR and DPA 2018 when we process special category data and potential information related to criminal offences that you decide to disclose during the counselling sessions.
The Raphael service was acquired by Jami – this means that in order to guarantee continuity of the support offered, Raphael has transferred to Jami the data of service users who were active at the time of acquisition or have accessed the service in the past through Raphael. The lawful basis applied for the transfer is contractual obligation. Further conditions have been applied in reference to special category data. If you have any questions or concerns, please get in touch at dataprotection@jamiuk.org.
Confidentiality, Data Sharing and Safeguarding
To comply with our duty of care and safeguarding, we may need to pass some information raising a safeguarding concern to the authorities. In such circumstances, we apply the following lawful basis:
d) Where an individual’s life may be at risk, we may process the data according to the UK GDPR Article 6(d) where such processing is vital to the individual’s life
e) Where an individual or child is at risk – UK GDPR Article 6(f) legitimate interest, Article 9(g), substantial public interest, DPA 2018 Schedule 1, Part 2 paragraph 18 Safeguarding of children and of individuals at risk
f) Where an individual is at economic risk – UK GDPR Article 6(f) legitimate interest, Article 9(g), substantial public interest, DPA 2018 Schedule 1, Part 2 paragraph 18 Safeguarding of economic well-being of certain individuals
Feedback and Evaluation
There may, on occasion, be the opportunity to become involved in feedback and evaluation relating to our programmes. You are under no obligation to become involved in any evaluation and this will not impact upon the service you receive. We rely on our legitimate interest to get in touch with you for this purpose.
Information collected and why, who provides it and when, and lawful basis
When you make a donation
Information is provided by you via a donation form, which may be a hard copy, on our website or on a third-party donation platform (e.g., Just Giving). The information gathered may include name, email address, Gift Aid sign up, company name if the donation is made by an organisation, donation details, reason for engagement with Jami, postal address and contact preferences.
This information allows us to process your donation, and deal with any potential enquiry. We rely on our legitimate interest to process this data. If you agree that we can claim Gift Aid on your donations we are legally required to keep a record of the claim and your Gift Aid declaration.
When you sign up to our fundraising events
Information is mainly provided by you via our website forms, via third party platforms (e.g., Eventbrite or other online event registration companies) or in person during the events by paper forms. The information gathered may include: name, email address, company name if applicable, donation/payment details, reasons to engage, postal address, contact preferences.
This information allows us to administer your sign up, process payments, and deal with any potential enquiry. We rely on the legitimate interest or contractual obligation to process this data.
During these types of events, we may also take photographs and video recording of people attending where you may be included. This information allows us to showcase our work and have an effective external communication. We rely on our legitimate interest to process this data.
When you show interest in supporting us (e.g. through a gift in your will or a pledge) and you decide to contact us
Information is provided mainly by yourself, via hard copy forms, online forms or phone/email conversation with us. The information gathered may include: occupation, title, details of any correspondence had with Jami, DOB, fundraising appeals responses, event participations with Jami, details of your reasons to engage with Jami.
This information allows us to deal with your enquiry and show you how to get engaged. We rely on our legitimate interest to process this data.
When you register to use the Wi-Fi at the Jami Head Room Café
Information is provided by you via a website form. The information gathered may include name, gender, age, email address and mobile number. When joining Wi-Fi, we will ask for your consent to sign up to the Head Room Café newsletter. If you consent to this, your first name, last name and email address will be shared with the Fundraising team and stored on Raiser’s Edge.
Philanthropy
In case of a generous donation or in order to identify potential high value supporters, we may use profiling and screening techniques. We may undertake in-house research and from time to time engage specialist agencies such as Prospecting for Gold to gather information about you from publicly available sources, for example, Companies House, the Electoral Register, company websites, ‘rich lists’, social networks (such as LinkedIn, Facebook, Twitter, Instagram), political and property registers and news archives.
We would gather publicly available information regarding previous charity support, connection to our cause, credibility, geographical, demographic, financial soundness, career information, peer networks and other publicly available information (e.g. age, address, listed Directorships, hobbies and interests).
If you have already engaged with us, we may also profile information that you have provided to us during your engagement, including information such as occupation, title, details of any correspondence had with Jami, DOB, fundraising appeals responses, event participations with Jami, details of your reasons to engage with Jami.
We also use publicly available sources to carry out due diligence on donors in line with the charity’s Gift Acceptance Policy and to meet money laundering regulations.
This research helps us to understand more about you as an individual so we can focus conversations we have with you about fundraising in the most effective way. It also allows us to understand how likely it is that you would be interested in supporting us so that we can better tailor our communications and provide you with an experience as a donor or potential donor which is appropriate for you.
We rely on our legitimate interest in order to profile and screen your information. If you would rather we did not do this, please just let us know and we will, of course, respect your wishes. Otherwise, following our initial profiling and screening, we will contact you either via phone or via e-communication if consent has been provided. During our conversation, we inform you of our processing and of your rights as a data subject (which include the right to object, to restrict our processing and to have your data deleted). If you are happy to engage with us, we’ll proceed with establishing our relationship with you, which will include further engagement and profiling.
Additionally, we sometimes ask existing supporters, trustees, and volunteers whether they would be prepared to open their networks up to us. An existing supporter may tell us about an individual previously unknown to us and facilitate an introduction. In this scenario we would check whether the person in question is registered on the TPS or FPS and exclude them if their details have been registered on either of these registries. We would then advise our Trustee or existing supporter about our data responsibilities and ask them to ensure that the person they would like to introduce to us is happy for an introduction to take place. Following the introduction, we would direct the individual to this privacy notice and confirm their marketing consent preferences before communicating with them further. We will also share a link to our privacy notice in the footer of all of our email communications.
How long do we keep your data for?
We keep your data as long as necessary. If you’ve made a donation, showed interest in supporting us or participated in our events we may keep your data for 10 years after the last donation or engagement with us. If you have been part of profiling activities, you have never engaged with Jami and you have indicated that you are not interested in engaging with Jami for fundraising purposes, we will delete your data as early as possible.
Data is destroyed or deleted in a secure manner as soon as a request for deletion has been made.
If you wish to know more about our data retention, please contact us at dataprotection@jami.org.uk.
Confidentiality – who do we share your data with?
Please rest assured that we will never sell your details to any third party.
In addition, if we ever need to send data to a third party for processing for the purposes of legitimate interests (for example checking against the Telephone Preference Service, updating our records and prospect researching from publicly available sources such as the electoral roll) we will make sure the company we use has signed a data processing agreement with us or other contractual obligations, so that they are bound to take care of your data in the same way we do. We may also share personal information with external auditors, e.g. the Charities Commission or for the audit of our accounts.
We may disclose and exchange information with law enforcement agencies and regulatory bodies to comply with our legal and regulatory obligations.
If you have made a Gift Aid declaration, we may disclose the information you have provided as part of the declaration to HMRC for the purpose of reclaiming gift aid on your donation(s). We may share or disclose your personal information if we are required to do so by any law, regulation or court order.
When you visit this website
We may, like many companies, automatically collect the following information when you visit our website:
Technical information, including the type of device you’re using, your IP address, domain name, the date and time of your visit, the pages you accessed, documents you downloaded, the previous website you have visited and type of browser you are using.
We collect and use your personal information by using cookies on our website – more information on cookies can be found under the ‘Cookies’ section below. Wherever we use non-essential cookies we will request your consent.
Social Media
When you interact with us on social media platforms such as Facebook and Twitter, we may obtain information about you (for example, when you publicly tag us in an event photo). The information we receive will depend on the privacy preferences you have set on those types of platforms.
Cookies
Cookies are small text files placed on your device which uniquely identify your device. Cookies cannot be used to run programs or deliver viruses to your device.
We use cookies and similar technologies to collect and store information (which may include your personal information) about how you interact with our website. We may use these technologies to help us deliver relevant information about our organisation.
For further information, please see our full cookie policy here.
Financial transactions on the website
We encrypt credit or debit card details on our online donation page which means that they cannot be intercepted and subsequently accessed. We redact all bank details that are provided to us during setting up Direct Debits and do not store credit card details.
All debit and credit card details are processed securely by our payment processing partner, according to the Payment Card Industry Security Standards.
If you are donating or signing up to an event using a third party (e.g., Just Giving, Virgin Money giving), please also refer to the privacy notice published on their websites.
Links to other websites
Our website may contain links to other websites of interest. Once you have used these links to leave our site, you should note that we do not have any control over that other website. Therefore, we cannot be responsible for the protection and privacy of any information which you provide whilst visiting such sites and such sites are not governed by this privacy policy. You should exercise caution and look at the privacy policy applicable to the website in question.