Privacy Policy

NPSS takes the protection of your personal information seriously, we never sell or exchange your information with other organisations.

This privacy policy outlines:

• The information we collect about you
• Our legal basis for using the information we collect
• What the information may be used for

This policy also outlines your rights about your personal information.

Below we have summarised how we handle your personal information:

1. We will only ask for or collect the personal information that we need to run and improve our services and to talk with you about our work
2. We give you control over the personal information we hold about you to make sure it is accurate
3. We make sure your personal information is always secure and protected
4. We are fair and transparent about how we use the personal information we hold
5. We only ever use your personal information for the purposes you trusted us to use it for
6. We will never sell your personal information
7. We will tell you if there are any important changes that affect your personal information or how we use it

What personal information does NPSS collect?

NPSS defines personal information as any information which can be used to identify an individual. We collect personal information in a number of different ways; it could be on information you share with us or we may collect information using other means such as through email and our website.

If you attend an NPSS event, for example, we collect and use personal information such as your name, email address and phone number. We also hold details of your marketing communications preferences, along with our communications with you and any communications you have with us.

What legal basis does NPSS use to collect personal information?

NPSS needs a lawful reason to collect and use personal information. The law names six legitimate ways that we can process personal data:

• Information is processes on the basis of someone’s consent
• Information is processed on the basis of a contractual relationship
• Information is processed on the basis of the ‘legitimate interests’ of NPSS

Consent

As a customer of NPSS we will always ask for explicit consent to send marketing emails. You can withdraw consent at any time by contacting us on 01962 851 747 or by emailing support@npsservice.org.uk

Contractual relationship

If you attend one of our training courses, conferences or events, or if you contact us advice or guidance then this can be considered the basis of a contractual relationship which means we provide you with a service. We can only provide you with the most appropriate services if you choose to share some of your personal information with us. We will not share this information without your consent.

Legitimate interests

The law allows NPSS to legally collect and process personal information if it is necessary for a legitimate business interest of the organisation. However, it must be used in a fair and balanced way that does not impact your rights.

You have the right to object to our lawful processing of your information. To let us know that you no longer want to receive emails from us please telephone us on 01962 435043 or email support@npssservice.org.uk

We have other legitimate interests holding and processing, these are:

Governance:  

• To help deliver our corporate objectives
• Internal and external audit for financial or regulatory compliance purposes  

Operational management:

• Physical security, IT and network security  
• Maintaining a 'do not contact' lists
• Processing for historical, or statistical purposes 

Financial management and control:

• Processing financial transactions and maintaining financial controls  
• Preventing fraud, misuse of services or money laundering  
• Enforcing legal claims  

Purely administrative purposes:

• Responding to any solicited enquiry from any of our partners
• Delivering requested products or information packs  

The types of information you may share with us:

We collect personal information that you share with us when you contact or interact with us through our website, email, phone, face to face and through our online forms. You can decide not to provide certain information or ask that any information that you have previously shared is removed. For example, you might provide information to us when contacting us, registering for an event or updating your communication preferences. Through these interactions, your name, email address and contact number can be collected.

Do we process ‘sensitive’ personal information?

Under all data protection law in the UK and EU, certain categories of personal data are classified as ‘special category’ or ‘sensitive.’

The following personal data is considered ‘sensitive’ and is subject to specific processing conditions:

• personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs;
• trade-union membership;
• genetic data, biometric data processed solely to identify a human being;
• health-related data;
• data concerning a person’s sex life or sexual orientation.

At NPSS we do not ask you to provide us with any special category information.

Where does the information we hold come from?

The information we hold is given to us directly by you during your interaction with our website, our services and members of the NPSS team.

How long do we keep your information?

We only keep your information for as long as we need to, to be able to use it for the reasons given in this privacy policy.

In general terms we removed identifiable personal information from our records five years after the date of your last interaction with us. On request, we will delete information except if we have a legal or contractual basis to retain minimal information for example, if you had a reportable accident whilst attending one of our events. We are legally required to retain health and safety records for three years.

How can you change the way we contact you?

We will only send you digital communications once you have told us that you are happy for us to.

If you haven’t previously asked us to send you communications, you can ask us to start contacting you by calling our office on 01962 435043 or emailing support@npsservice.org.uk

If you have previously said that you would like us to contact you but you want to change or update that, you can do this by calling our offices on 01962 435043 or emailing support@npsservice.org.uk

If you wish to stop receiving communications from us you can call our office on 01962 435043 or email support@npsservice.org.uk

What information do we share with third parties?

NPSS doesn’t share, sell or exchange your information with other organisations to be used for their own marketing communications.

When attending training or an event hosted by NPSS we may share your details with the venue. This information is shared solely is for health and safety reasons in the event of an emergency, such as a fire evacuation drill.

We process personal data through two third third party organisations; Hubspot and Dropbox.  Hubspot Data is stored and backed up outside of the EU. Where data is stored and backed up outside of the EU we ensure that appropriate technical and organisations safeguards are in place to maintain the safety and integrity of the data. Hubspot is certified on the EU-US Privacy Shield. Dropbox is also registered on the EU-US privacy shield.

The NPSS website is developed and maintained by Thorgate. Data processed and stored via the website is done so within the EU.

How do we protect your personal information?

We are committed to protecting your personal information. We use appropriate technical and organisational measures, including encryption, to protect personal information and privacy. We protect your information using a combination of physical and IT security controls, including access controls which restrict and mange the way that information is processed, managed and handled. We also make sure that our team is adequately trained in protecting personal information.

In the unlikely event of a security breach which compromises our protection of personal information and we need to let you know, we will do so.

What are my rights when it comes to personal data?

Data protection rights

Where NPSS is using your information with consent, you can withdraw that consent at any time. Just contact our office on 01962 435043 or email support@npsservice.org.uk

The right to be informed

You have the right to know how your personal information will be used. This privacy policy document is intended to be a clear and transparent description of how your information may be used.

The right of access

You can write to us asking for what information we hold about you and can request a copy of that information. From May 2018 , once we are sure you have the right to see the requested records we will have one calendar month to comply.

The right to be forgotten

You have the right to request that your information be deleted from our systems and databases in certain circumstances.

The right of rectification

You have the right to ask that we correct and update factually incorrect information that we may hold on you

The right to restrict processing

You have the right to request that we restrict the processing of your personal data in certain circumstances:

• When you are contesting the accuracy of the data we hold and we are verifying the accuracy of that data
• When you have objected to having your information processed under the lawful basis of legitimate interest and we are consideration whether our organisation’s legitimate grounds override yours
• When the processing is unlawful and you oppose erasure and request restriction instea
• Where we no longer need the information, but you have requested your data from us to establish, exercise or defend a legal claim

The right to data portability

You have the right to data portability. This means that you can ask for and reuse your personal information for your own purposes across different services. It has been designed to allow you to copy of transfer your information from one IT environment to another.

The right to object

You have the absolute right to stop the processing of your personal information, even in circumstances where we may be processing your information under the legitimate interest lawful basis.

How to access your personal data:

The Data Protection Act gives you the right to request access to the information held by an organisation – this is called a Subject Access Request. The FAQs below will help you if you want to access the personal information held about you by Crisis.

How do I make a Subject Access Request (SAR)?

You can make a request by email to support@npsservice.org.uk, by phoning our office on 01962 435043 or by speaking with one of the team in person.

Confirming your identity

We may have to confirm your identity before we are able to process your request. This is to ensure that we disclose only your personal information to you.

In rare circumstances, if we are not able to confirm who you are from what you share with us, we may have to ask for more formal proof of identity.

Can I make a request on behalf of someone else?

This is only possible in limited circumstances, these are:

• Where you can evidence that you have the authority of the person whose information is being requested
• Where you are their legal representative
• Where you have power of attorney over the individual’s affairs

What information can I ask for?

You can ask for any information that we hold, but it is helpful and speeds up the process if you can tell us if you are looking for anything specific.

Can I ask for emails?

Yes, it is helpful if you can specify a time period and/ or the name of the person

How will I receive my information?

You can receive it either to an email address of your choice or as a hard copy by post to a specified address, this will always be sent signed-for delivery.

Do I have to pay for my information?

In general, no. However, if you were to make repeat requests or the volume of work is considered excessive, we can charge a reasonable administration fee.

How long does it take?

We aim to process requests as soon as possible, but within one calendar month from the resolution of any enquiries about your identity or the scope of your request. If we find that it is likely to take longer than a month, we will write to you within that month and advise you of the reason and give you a revised date by which you can expect us to complete the request.

What if I think information is missing or I have concerns about how my information has been processed by NPSS?

We will work with you if you have concerns about missing information but please note that we don’t keep information forever and have retention policies governing how long we keep information for.

We would prefer you to raise any concerns about missing information or how your information has been handled with us initially, preferably at your point of contact with the organisation. Your concerns will be acknowledged within three working days and we aim to resolve the issue within 15 working days.

We will consider all concerns raised within a reasonable period of a SAR being completed, up to a maximum of three months after you receive your information.

You can go straight to the regulatory body, the Information Commissioner (ICO), at any time during this review process. The Information Commissioner (ICO) can be contacted at https://ico.org.uk/make-a-complaint/ or by phone on 0303 123 1113. The ICO would, however, expect that you have sought to resolve your concerns with us before approaching them.

Notifications of changes to this policy

This privacy policy may change from time to time, for example, we will continue to update it to reflect new legal requirements. Please visit this website to keep up to date with changes. This policy was last updated in February 2019.