NAD UK Privacy Policy

Last updated 30 December 2020

This document sets out the data protection and privacy policy for NAD-UK, a volunteer-led organisation which operates from this address: NAD-UK, Charlotte Court, Canterbury Road, Margate, Kent CT9 5NB. Information about NAD-UK is available at the website www.neuroassistancedogs.org.uk. The data processed by NAD-UK comprises information about staff and clients of the organisation: specifically, persons with certain medical conditions who seek canine assistance and companionship in aid of preventing or treating their condition. The data processed by NAD-UK is derived from information that client individuals reveal about themselves. All data is processed exclusively for the purposes of fulfilling the mission of the organisation. From time to time NAD-UK may add new functions and features which involve the further processing of stored personal data, in which cases a Privacy Impact Assessment is performed and, where needed, changes are implemented to ensure continuing data protection and privacy.

ABOUT THIS DOCUMENT

This Privacy Policy makes clear what NAD-UK commits to do in looking after individuals’ personal data. It describes what kinds of data NAD-UK processes, its lawful basis for processing that data, who can access which kinds of data through the system, how long data is stored, and how data is kept safe. Lastly, the Policy indicates how requests may be made to view, correct or delete personal data.

NAD-UK’S COMMITMENTS

NAD-UK commits and agrees:
* To apply industry best practices in keeping personal data safe, secure and private
* To process personal data only for the intended purposes of the organisation
* To retain personal data only for as long as it is needed for its intended purposes
* Never to use personal data to profile system users for sharing with third parties
* Never to sell personal data, data summaries, or data derivatives, to anyone
* To enable the individual subjects of personal data to correct or delete their data.

LEGALLY-COMPELLED DISCLOSURES

NAD-UK may be compelled to surrender particular personal data to legal authorities without express consent if presented with a court subpoena or similar legal order, or as required or permitted by the laws, rules and regulations of any applicable jurisdiction. Also, in the event of a violation of its agreements, including but not limited to a violation of any restrictions on the use of data provided through the system, NAD-UK may be compelled to disclose particular personal data to affected parties and legal authorities in furtherance of potential or on-going legal proceedings.

INDIVIDUAL CONSENT

Individuals who engage the services of NAD-UK thereby give consent to the processing of their personal data as supplied. The subject of that personal data may subsequently withdraw their consent at any time by informing NAD-UK that they wish to do so. If consent is withdrawn, NAD-UK will be unable to supply its services in relation to that individual and all relevant data will be permanently deleted.

CATEGORIES AND LAWFUL BASES OF DATA PROCESSING

Not all data processed by NAD-UK is personal data, but for completeness listed here are the categories of all the data recorded, processed and stored by NAD-UK and the lawful basis for NAD-UK to process that data:
* Names and contact details (LAWFUL BASIS: administration, client communications)
* Personal details including the subject’s own description of their relevant health conditions (LAWFUL BASIS: administration, formulating advice)
* Profiling (LAWFUL BASIS: administration, formulating advice).

WHO CAN ACCESS WHICH CATEGORIES OF DATA

Listed here are the types of INDIVIDUALS and which categories of data each type of system user is given access to:
* NAD-UK STAFF: their own names and contact details, personal details, and profiling
* NAD-UK CLIENTS: names and contact details, personal details, and profiling.

HOW DATA IS PROTECTED

NAD-UK utilises these and other technology security ‘best practices’:
* ‘Sensitive’ data is stored encrypted in an offline database accessible only to managers
* Data access is user-dependent (e.g., NAD-UK staff have limited access on a need-to-know basis; ‘sensitive’ data is configured for manager-access only)
* A GDPR-compliant, 24/7 live-managed web hosting service is used for server maintenance, security patching, and recovery.

VIEWING, CORRECTING OR DELETING DATA

Any individual client of NAD-UK, in respect of their personal data stored by NAD-UK, is entitled to the following:
* To view any of their stored personal data
* To question the veracity of any of their personal data and to have false information corrected
* To require the permanent deletion of any of their personal data. However, if certain data is deleted permanently, NAD-UK will be unable to provide some or all of its services in relation to that individual.

Individuals wishing to do any of the above should put their request in writing to NAD-UK at the postal address above. NAD-UK will provide a response and schedule of action to the requesting individual within 30 days.

 