Privacy Policy William Simpsons Privacy Policy https://www.williamsimpsons.org.uk/privacy-policy DOWNLOAD PRIVACY NOTICE FOR WILLIAM SIMPSONS SERVICE USERS, THEIR RELATIVES AND GUARDIANS AND MEMBERS OF THE PUBLIC What is the purpose of this document? William Simpsons are committed to protecting the privacy and security of personal data. This privacy policy describes how we collect and use personal data about you. It explains who we are, what we collect, how we collect, use and store personal data, the purpose for which it is collected, who we share it with and what rights you have in relation to our handling of personal data. It applies to all personal data we process, including when you Use our services Visit our Main Home or Flat 9. Communicate with William Simpsons in person, by telephone, or in writing, Visit our website (https://www.williamsimpsons.org.uk) Information we collect will be used only in accordance with applicable data protection laws, including the Data Protection Act 2018 (“DPA 2018”), the UK General Data Protection Regulation (“UK GDPR”) together with all applicable legislation, regulations, guidance and codes of practice in force from time to time relating to the processing of personal data and the privacy of individuals in the UK (together, the “data protection laws”). Data protection law requires that your personal data must be: Used lawfully, fairly and in a transparent way. Collected only for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes. Relevant to the purpose we have told you about and limited only to those purposes. Accurate and kept up to date. Kept only as long as necessary for the purposes we have told you about. Kept securely. Whenever we collect your personal data, we will respect your privacy, and we collect only the information we need and ensure your personal data is retained securely until it is no longer required. It is important that you read this policy, together with any additional privacy information we may provide on specific occasions when we are collecting or processing personal information about you, so that you understand how and why we are using information and your rights. It is also important that the personal data we hold about you, or the service user for whom you are responsible, is accurate and current. Please keep us informed if your personal data changes during your relationship with us, for example a new address or email address. This policy is in a layered format so you can click through to the specific sections set out below. Alternatively, you can view the full version of the privacy policy OR download a copy of the policy here: privacy-policy. We may update this policy at any time but if we do so, we endeavour to provide you with an updated copy of this notice as soon as is reasonably practicable. 1. Who we are William Simpsons (referred to as “we” in this policy) is a Scottish charity (registered number SC000485) and a Scottish company limited by guarantee (company number SC377149). Our registered office is at Main Street, Old Plean, Stirling, FK7 8BQ.We are a “data controller” of all personal data collected and used for the purposes described in this policy. This means that we are responsible for deciding how we hold and use personal data about you. 2. The kind of personal data we hold about you Personal data means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data). Personal data means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data). We may collect, use, store and transfer different kinds of personal data about you, which we have grouped together as described in the table below. Types of personal data Includes, for example: Contact Data address, email address, telephone numbers Criminal offence data as defined by law, personal data relating to criminal convictions and offences or related security measures, including for example Disclosure Barring Service (DBS) or Disclosure Scotland checks, Compulsory Supervision Orders. Also, this will include data relating to checks, references and ID verification. By law, this information is subject to additional protections, due to its sensitive nature. Financial Data your bank account and payment card details, military service information for grant purposes, insurance details, pension details, DWP pension and support payments and financial assessment details Family, lifestyle and social circumstances data information relating to family of the data subject, for example; names and contact details of family contact details for next of kin or emergency contacts, including name and contact details for doctor and doctor’s practice information about any relationship you have to a service user or to WS that you tell us about. information about family activities, lifestyle and social circumstances where appropriate, welfare information, which includes information about family and home life circumstances and history, such as languages spoken, current marriage, partnerships and marital history car/vehicle details. for those who use our parking facilities Identification document data information issued as an identifier by a public authority, such as National Insurance numbers, CHI number, identity card numbers, driving licence details, passport details. If you are a financial and/or welfare guardian, a copy of the Office of the Public Guardian paperwork. If you are acting under a power of attorney, a copy the legal paperwork. Identity data first name, maiden name, last name, username or similar identifier, title, gender, pronoun preferences, age, marital status, date of birth and any information that identifies an individual and their personal characteristics, including physical description Image data photographic and video images captured by video-surveillance/CCTV Marketing and Communications Data your preferences in receiving communications from us including records of consent for electronic marketing (including fundraising information), where appropriate Service provision data information relating to services we provide to you, such as; correspondence with you and family and/or representatives, including information relating to compliments and complaints internal records and reports information about trips and activities Special category data as defined by law, including personal data revealing nationality, racial or ethnic origin, political opinion, religious or philosophical beliefs, sexual orientation, information concerning sex life or health, which would in particular cover: medical information about any health condition, treatment, medication, allergies and dental health dietary requirements (such as vegetarian, vegan, gluten free and religious requirements) information relating to health and safety (including incident investigation details and reports and accident book records) Welfare and safeguarding information, including reports and information about you from your social worker and/or local authority, and doctors and medical practitioners. By law, this information is subject to additional protection due to its sensitive nature. Technical Data includes internet protocol (IP) address, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, device ID and other technology on the devices you use to access this website. Further details are in our Cookie Policy. Transaction Data details about payments from you and other details of products and services you have purchased from us. Website Usage Data information about how you interact with and use our website, products and services. Further details are in our Cookie Policy Cookie Policy | William Simpsons. We also collect, use and share Aggregated data, such as statistical or demographic data which is not personal data as it does not directly (or indirectly) reveal your identity. We may use these categories of personal data: If you are a service user: Contact data, Criminal Offence data, Financial data, Family, lifestyle and social circumstances data, Identification document data, Identity data, Image data, Marketing and Communications data, Service provision data, Special category data, Technical data, Transaction data, Website Usage data If you are a relative, guardian, attorney or advocate of a service user: Contact data, Criminal offence data, Financial data, Family, lifestyle and social circumstances data, Identification document data, Identity data, Image data, Marketing and Communications data, Service provision data, Special category data, Technical data, Transaction data, Website Usage data If you donate or are involved in our fundraising: Contact data, Criminal offence data, Family, lifestyle and social circumstances data, Financial data, Identification document data, Identity data, Image data, Marketing and Communications data, Technical data, Transaction data, Website Usage data If you provide services to William Simpsons: Contact data, Criminal offence data, Financial data, Identity data, Image data, Service provision data, Technical data, Transaction data, Website Usage data If you send an enquiry, visit us or get in touch: Contact data, Service provision data, Technical data, Transaction data, Website Usage data For information on the terms and conditions of our website: Terms and Conditions 3. Where we get personal data from We use different methods to collect data from and about you, including through those summarised in this table. Sources For example: Direct interaction with you Mostly, we receive personal data from you directly (including, in the case of Residents, from guardians/carers and immediate family). You may give us your personal data about yourself and immediate family member when filling in forms, by corresponding with us by post, phone, email or otherwise, or by interacting with staff. This includes personal data you provide when you: apply to William Simpsons; request information to be sent to you; subscribe to our publications; receive services from us; give us feedback or contact us. Automated technologies or interactions. As you interact with our website, it will automatically collect information about your equipment, browsing actions and patterns. It collects this data by using cookies, server logs and other similar technologies. We may also receive information about you if you visit other websites employing our cookies. Please see our Cookie policy for further details Cookie Policy | William Simpsons. Publicly available sources We may collect personal data about you from: the Electoral Register the Land Register of Scotland Business and financial reference sources, such as Linkedin Social media and other websites Third parties (organisations and individuals) We may receive or collect personal data about you from : Family members Guardians, carers, advocates and representatives, including MPs Local authorities or local councils, including for example social services professionals Health care providers, such as G.P.s and NHS Scotland Governmental bodies such as the Department of Work and Pensions. Where you are a veteran, the Armed Services. Other service providers, such as chiropodists, hairdressers, or any other service provider you currently or have previously attended Regulatory authorities, such as the Care Inspectorate Law enforcement agencies, such as Police Scotland Professionals working with you, including for example professional counsellors Any market research organisations used or providers of fundraising lists Credit reference agencies, if used Suppliers and service providers This may include other sources or persons who are authorised or are required by law to share the information with William Simpsons, or where you provide your consent to share your personal data. The above are examples and is not an exhaustive list, and for further information, please contact us Special category and Criminal Offence personal data We may, as described in this policy, process special category personal data, as defined by law. This includes the following personal data revealing: An individual’s health for care planning purposes. A natural person's sex life or sexual orientation for care planning purposes. Religious or philosophical beliefs, for the purpose of arranging activities or outings and funeral plans. Also, from time-to-time, we may process criminal offence data. This covers a wide range of information about offenders or suspected offenders in the context of criminal activity, allegations, investigations and proceedings. It includes personal data relating to criminal convictions and offences or related security measures. We do so to comply with our legal obligations and for care planning purposes. We treat your sensitive personal data with particular care. It is essential that we have such information: it is used for the provision of health care and to ensure your welfare. It is used only when necessary and with absolute respect to individual privacy and confidentiality. We have in place appropriate safeguards which we are required by law to maintain when processing such data, which we may process in the following circumstances: For the provision of health and social care and the management of health and social care services and assessment of service users’ capacities and needs. When it is necessary for reasons of public health including ensuring high quality care standards. To protect your vital interests in the event of a medical or other emergency or to protect your vital interests or those of another individual where you or the other individual is incapable of giving consent. The processing is necessary for reasons of substantial public interest. Those would include, for instance, preventing or detecting unlawful acts, counselling, supporting individuals with a particular disability or medical condition, and safeguarding of individuals at risk For archiving, research and statistical purposes Less commonly, we may process this type of information where it is needed in relation to legal claims or where you have already made the information public. When used, we would seek explicit consent except where it is necessary to use that information and the law allows us do so without explicit consent. That arises in limited and exceptional circumstances (involving safeguarding, for example, or where we consider use necessary to protect the interests of an individual incapable of giving consent). We are not required to get your consent if we process personal data in accordance with our written policies to carry out our legal obligations or exercise specific legal rights which are outlined above. In limited circumstances, if we request your explicit consent, we will provide you with full details of the data that we would like to process and the reason for doing so. This allows you to carefully consider whether you wish to give consent. You should be aware that it is not a condition of any contract you have with us that you agree to any request for consent from us. Change of purpose: We only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If you ever wanted an explanation about how the processing for the new purpose is compatible with the original purpose, please contact us. 4. How we will use your personal data Under UK data protection law, we must always have a “lawful basis” for collecting and using your personal information. Information about lawful bases is available on the ICO’s website. Most commonly, we use it where the following lawful bases are available: Lawful basis Explanation Legal obligation Where we have to collect or use information to comply with the law Public task Where we have to collect or use your information to carry out a public task which the law intends to be performed Contract Where we have to collect or use the information so we can enter into or perform a contract we have with you Vital interests In exceptional circumstances, collecting or using information is needed when someone’s physical or mental health or wellbeing is at urgent or serious risk. Vital interests can be our lawful basis in those situations, when personal data is used because necessary to protect someone’s life. Legitimate Interests This may apply where it is necessary for William Simpson’s specific legitimate interests (or those of a third party) to use your personal data, and your interests and fundamental rights do not override those interests. We consider and balance any potential impact on you and your rights (both positive and negative) before we process your personal data for our legitimate interests. Our legitimate interests include: For the safeguarding of a vulnerable individual For the purposes of responding to an emergency For the purposes of detecting, investigating or preventing crime, or apprehending or prosecuting offenders For security, including ensuring the security of our network and information systems Note that we may use your personal data for more than one lawful basis listed in the section above, depending on the specific purpose for which we are using your data. Please contact us if you require further information. Generally, we do not rely on consent as a legal basis for processing personal data. But we will get consent in some situations. We would obtain your consent before sending fundraising or marketing communications to you via email or text message, for example. You have the right to withdraw consent at any time by contacting us. Where we need to collect personal data – for example, to comply with a legal obligation, or to perform the respective contracts we have entered into with you or the service user, – and you do not provide it, we may not be able to provide the services you expect. We would contact you to further discuss any such situations if this arose. Below is an overview of the main purposes for which we use categories of your personal data, and what types of data are used, alongside which of the legal bases we rely on to do so. Situations in which we will use your personal data The situations in which we will process your personal data are listed below. Purpose or Use Providing care and support services This includes: making decisions about your care and needs, providing care and support services, engaging with representatives of service users – families, guardians, next of kin, attorneys and advocates, for example to provide information and in the event of emergencies arranging any follow-on care package for service users working with suppliers providing products or services relating to your care. facilitating birth or death certificates with the Registrar. assisting with funeral arrangements Lawful Basis Types of Data Legal obligation, Public task, Contract, Vital interests, Legitimate Interests Contact data, Criminal Offence data, Financial data, Family, lifestyle and social circumstances data, Identification document data, Identity data, Image data, Marketing and Communications data, Service provision data, Special category data, Technical data, Transaction data, Website Usage data Purpose or Use Communication This includes: Contacting you when you get in touch and managing our relationship with you, which would include dealing with queries, complaints or claims, and sending communications informing you about services, events and benefits available Lawful Basis Types of Data Legal obligation, Public task, Contract, Vital interests, Legitimate Interests Contact data, Criminal Offence data, Financial data, Family, lifestyle and social circumstances data, Identification document data, Identity data, Image data, Marketing and Communications data, Service provision data, Special category data, Technical data, Transaction data, Website Usage data Purpose or Use Contract delivery/fulfilment carrying out obligations from any contracts between us, which would include managing payments, fees and charges, and collection and recovery of money owed Lawful Basis Types of Data Legal obligation, Public task, Contract, Legitimate Interests Contact data, Criminal Offence data, Financial data, Family, lifestyle and social circumstances data, Identification document data, Identity data, Image data, Marketing and Communications data, Service provision data, Special category data, Technical data, Transaction data, Website Usage data Purpose or Use Security for any security purposes, including operation of and monitoring external CCTV cameras (with a standard 15-day retention policy in respect of all footage). Lawful Basis Types of Data Legitimate Interests Criminal Offence data, Family, lifestyle and social circumstances data, Identity data, Image data Purpose or Use Management This includes: Business management and planning, including administering funding for our services, accounting and auditing, forecasting, research and statistical analysis, including that imposed or provided for by law such as tax, diversity or gender pay gap analysis Assessing the quality of our services and conducting performance reviews, risk assessments, audits and determining performance requirements. Handling complaints, including legal disputes involving you, or other service users or their relatives or representatives, or our staff liaising with local authorities, health care professionals, regulators and service providers and our other external partners who support William Simpsons services. Lawful Basis Types of Data Legal obligation, Public task, Contract, Legitimate Interests Contact data, Criminal Offence data, Financial data, Family, lifestyle and social circumstances data, Identification document data, Identity data, Image data, Marketing and Communications data, Service provision data, Special category data, Technical data, Transaction data, Website Usage data Purpose or Use Regulation, including legal compliance Fulfilling statutory duties, which include: engaging with and reporting to professional and regulatory bodies such as the CI or OSCR. enabling the relevant authorities to assess and monitor our performance, for example carrying out or cooperating with any external investigation by a regulator such as the Care Inspectorate or the HSE, or intervening/assisting with investigations and incidents as appropriate to prevent, detect, investigate, report and/or prosecute alleged or suspected fraud or crime notification of changes to our terms and/or privacy policy Lawful Basis Types of Data Legal obligation, Public task, Legitimate Interests Contact data, Criminal Offence data, Financial data, Family, lifestyle and social circumstances data, Identification document data, Identity data, Image data, Marketing and Communications data, Service provision data, Special category data, Technical data, Transaction data, Website Usage data Purpose or Use Fundraising and Marketing for fundraising and promotional activities and related communications such as sending electronic messages (email, text) or making calls for the purposes of donor due diligence, such as to confirm the identity of prospective donors Lawful Basis Types of Data Legal obligation, Legitimate Interests, Consent Contact data, Criminal Offence data, Financial data, Family, lifestyle and social circumstances data, Identification document data, Identity data, Image data, Marketing and Communications data, Service provision data, Special category data, Technical data, Transaction data, Website Usage data Data, Special category data, Transaction Data 5. Sharing personal data with third parties We may share personal data with other individuals or third parties, including third-party service providers. This may arise where sharing required by law, or to protect the vital interests of you or someone else, or where it is necessary to perform our contract and our obligations to you, or where we have another legitimate interest in doing so. We require all third parties to respect the security of your personal data and to treat it in accordance with the law. “Third parties” may include: Local authorities, the DWP and the military – for funding reasons. Social services Healthcare providers Emergency services Regulatory bodies such as the Care Inspectorate and the HSE – for ensuring compliance and the safety and welfare of service users. Organisations we need to share information with for safeguarding reasons any organisation or individuals we are legally obliged to share personal information with, for example by a court order External auditors or inspectors Police Scotland, external investigators and/or the Procurator Fiscal, in relation to any suspected or alleged fraudulent or criminal activity Governmental and judicial authorities, such as the courts and tribunals in the event of investigation or prosecution of crime or legal claims. HMRC – for taxation purposes. Private pension providers. Researchers, providers of statistical or analytical services – for reviews, planning and assessment (and we will in such cases anonymise all data where possible prior to sharing). Service providers including contractors and designated agents, professional advisors who provide services essential for the running of our organisation and provision of service to you. These providers include but not limited to: The Access Group, Wellwood Communications, Navigator Law, Datto We will share personal data in line with our policies. When we need to share your personal data with third party service providers, we do not allow the service provider to use your personal data for their own purposes. We only permit them to process your personal data for specified purposes and in accordance with our instructions and provided they apply appropriate measures of security that comply with our policies and the Data Protection Laws. 6. Keeping your data safe We have put in place and shall maintain appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. All paper files are kept in locked secure cabinets when not in use and personal data stored electronically is protected by up-to-date IT security software. We ensure that we update our systems to continuously improve security and resolve any issues which may or could occur, and comply with guidance of our regulators.In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. All our staff are required to undergo and complete training and are obliged to ensure the highest levels of confidentiality. Only persons authorised to enter our Care Home and Respite and Day Care Centre may do so and are required to notify their identity and follow our security procedures and requirements for entry.We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so. Please contact [email protected] if you have any queries on our personal data breach procedures. 7. How long we use your personal data We only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting or reporting requirements, or for defence or pursuit of a legal claim. Details of retention periods for different aspects of your personal information are available in our Data Retention Policy, which is available by contacting [email protected].To determine the appropriate retention period for personal data, we consider the relevant facts including the amount, nature and sensitivity of the personal data, the purposes for which we process or store that personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.In some circumstances and to the extent that this is possible, we may anonymise your personal data so that it can no longer be associated with you as an individual and can no longer be used identify you, in which case we may use such data without further notice to you.Once the purpose for which we collected your personal data is completed or at an end, or the data is no longer required, we will retain and where appropriate securely destroy your personal information in accordance with our data retention policy and applicable laws and regulations. 8. Your rights: Under certain circumstances, by law you have the right to: Request access to your personal data (commonly known as a “data subject access request”). This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it. Request correction of the personal information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected. Request erasure of your personal information. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have exercised your right to object to processing (see below). Object to processing of your personal information where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. Request the restriction of processing of your personal information. This enables you to ask us to suspend the processing of your personal data, for example if you want us to establish its accuracy or the reason for processing it. Request the transfer of your personal information to another party. If you want to review, verify, correct or request erasure of your personal data, object to the processing of your personal data, or request that we transfer a copy of your personal data to another party, please contact [email protected]. You will not usually have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances. Your right to withdraw consent to processing In the limited circumstances where you have provided your consent to the collection, processing and transfer of your personal data for a specific purpose, you may have the right to withdraw your consent for that specified processing at any time. To withdraw your consent, please contact [email protected]. Once we have received notification that you have withdrawn your consent, we will no longer process your personal data, unless we have another legitimate basis for doing so in law. What we may need from you We may need to request specific information from you or your nominated representative to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is an appropriate security measure to ensure that personal information is not disclosed to any person who has no right to receive it. Data protection complaints If you have any questions about this privacy notice or how we handle your personal data, including any requests to exercise your legal rights, please contact us by email, [email protected] or by telephone 01786 812421 You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues (ico.org.uk). We keep our privacy policy under review. This version was last updated on 12/08/25. Historic versions can be obtained by contacting us Manage Cookie Preferences