Data Protection Policy


The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a regulation by which the European Parliament, the European Council and the European Commission intend to strengthen and unify data protection for individuals within the European Union (EU). It also addresses the export of personal data outside the EU. The primary objectives of the GDPR are to give citizens back control of their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU. 

The following guidance is not a definitive statement on the Regulations but seeks to interpret relevant points where they affect PH7 Wellbeing.

The Regulations cover both written and computerised information and the individual’s right to see such records.

It is important to note that the Regulations also cover records relating to staff and volunteers.

All PH7 Wellbeing staff and volunteers are required to follow this Data Protection Policy at all times. 

The Chief Executive has overall responsibility for data protection within PH7 Wellbeing, but each individual processing data is acting on the controller’s behalf and therefore has a legal obligation to adhere to the Regulations. 


Processing of information – how information is held and managed.

Information Commissioner – formerly known as the Data Protection Commissioner.

Notification – formerly known as Registration.

Data Subject – used to denote an individual about whom data is held.

Data Controller – used to denote the entity with overall responsibility for data collection and management.  PH7 Wellbeing is the Data Controller for the purposes of the Act.

Data Processor – an individual handling or processing data

Personal data – any information which enables a person to be identified

Special categories of personal data – information under the Regulations which requires the individual’s explicit consent for it to be held by PH7 Wellbeing 


Data Protection Principles

As data controller, PH7 Wellbeing is required to comply with the principles of good information handling.

These principles require the Data Controller to:

  1. Process personal data fairly, lawfully and in a transparent manner.
  2. Obtain personal data only for one or more specified and lawful purposes and to ensure that such data is not processed in a manner that is incompatible with the purpose or purposes for which it was obtained.
  3. Ensure that personal data is adequate, relevant and not excessive for the purpose or purposes for which it is held.
  4. Ensure that personal data is accurate and, where necessary, kept up-to-date.
  5. Ensure that personal data is not kept for any longer than is necessary for the purpose for which it was obtained.
  6. Ensure that personal data is kept secure.
  7. Ensure that personal data is not transferred to a country outside the European Economic Area unless the country to which it is sent ensures an adequate level of protection for the rights (in relation to the information) of the individuals to whom the personal data relates.



PH7 Wellbeing must record service users’ explicit consent to storing certain information (known as ‘personal data’ or ‘special categories of personal data’) on file.

For the purposes of the Regulations, personal and special categories of personal data cover information relating to:

  1. The racial or ethnic origin of the Data Subject.
  2. His/her political opinions.
  3. His/her religious beliefs or other beliefs of a similar nature.
  4. Whether he/she is a member of a trade union.
  5. His/her physical or mental health or condition.
  6. His/her sexual life.
  7. The commission or alleged commission by him/her of any offence
  8. Online identifiers such as an IP address
  9. Name and contact details
  10. Genetic and/or biometric data which can be used to identify an individual


Special categories of personal information collected by PH7 Wellbeing will, in the main, relate to service user’s mental health. Data is also collected on ethnicity and held confidentially for statistical purposes.


Consent is not required to store information that is not classed as special category of personal data as long as only accurate data that is necessary for a service to be provided is recorded.

As a general rule PH7 Wellbeing will always seek consent where personal or special categories of personal information is to be held.


It should also be noted that where it is not reasonable to obtain consent at the time data is first recorded and the case remains open, retrospective consent should be sought at the earliest appropriate opportunity.

If personal and/or special categories of personal data need to be recorded for the purpose of service provision and the service user refuses consent, the case should be referred to the Head of Operations or Chief Executive for advice.


Obtaining Consent

Consent may be obtained in a number of ways depending on the nature of the interview, and consent must be recorded on or maintained with the case records:

  • face-to-face
  • written
  • telephone
  • email



A pro-forma should be used.



Verbal consent should be sought and noted on the case record.



The initial response should seek consent.


Consent obtained for one purpose cannot automatically be applied to all uses e.g. where consent has been obtained from a service user in relation to information needed for the provision of that service, separate consent would be required if, for example, direct marketing of insurance products were to be undertaken.


Preliminary verbal consent should be sought at point of initial contact as personal and/or special categories of personal data will need to be recorded either in an email or on a computerised record (e.g. IAPTUS).  The verbal consent is to be recorded in the appropriate fields on the computer record or stated in the email for future reference.  Although written consent is the optimum, verbal consent is the minimum requirement.


Specific consent for use of any photographs and/or videos taken should be obtained in writing.  Such media could be used for, but not limited to, publicity material, press releases, social media, and website.  Consent should also indicate whether agreement has been given to their name being published in any associated publicity.  If the subject is less than 18 years of age, then parental/guardian consent should be sought.


Individuals have a right to withdraw consent at any time.  If this affects the provision of a service(s) by PH7 Wellbeing, then the Head of Operations should discuss with the Clinical Services Manager at the earliest opportunity.


Ensuring the Security of Personal Information


Unlawful disclosure of personal information

  1. It is an offence to disclose personal information ‘knowingly and recklessly’ to third parties.
  1. It is a condition of receiving a service that all service users for whom we hold personal details sign a consent form allowing us to hold such information.
  1. Service users may also consent for us to share personal or special categories of personal information with other helping agencies on a need to know basis.
  1. A client’s individual consent to share information should always be checked before disclosing personal information to another agency.
  1. Where such consent does not exist information may only be disclosed if it is in connection with criminal proceedings or in order to prevent substantial risk to the individual concerned. In either case permission of the Chief Executive or Clinical Services Manager should first be sought.
  1. Personal information should only be communicated within PH7 Wellbeing staff and volunteer team on a strict need to know basis. Care should be taken that conversations containing personal or special categories of personal information may not be overheard by people who should not have access to such information.


Ethnic Monitoring


In order for PH7 Wellbeing to monitor how well our staff, volunteers and service users reflect the diversity of the local community we request that they complete an Equality and Diversity Monitoring form.  The completion of the form is voluntary, although strongly encouraged. Responses are securely stored and held on a passworded database for statistical purposes.


Use of Files, Books and Paper Records


In order to prevent unauthorised access or accidental loss or damage to personal information, it is important that care is taken to protect personal data.  Paper records should be kept in locked cabinets/drawers overnight and care should be taken that personal and special categories of personal information is not left unattended and in clear view during the working the day. If your work involves you having personal / and/or special categories of personal data at home or in your car, the same care needs to be taken.


Disposal of Scrap Paper, Printing or Photocopying Overruns


Be aware that names/addresses/phone numbers and other information written on scrap paper are also considered to be confidential.  Please do not keep or use any scrap paper that contains personal information but ensure that it is shredded. 

If you are transferring papers from your home, or your client’s home, to the office for shredding this should be done as soon as possible and not left in a car for a period of time. When transporting documents, they should be carried out of sight in the boot of your car.



Where computers are networked, access to personal and special categories of personal information is restricted by password to authorised personnel only. 

Computer monitors in the reception area, or other public areas, should be positioned in such a way so that passers-by cannot see what is being displayed.  If this is not possible then privacy screens should be used on the monitor to afford this level of protection.  If working in a public area, e.g. reception, you should lock your computer when leaving it unattended.

Firewalls and virus protection to be employed at all times to reduce the possibility of hackers accessing our system and thereby obtaining access to confidential records.

Documents should only be stored on the server or cloud-based systems and not on individual computers. 

Where computers or other mobile devices are taken for use off the premises the device must be password protected.

Cloud Computing

When commissioning cloud-based systems, PH7 Wellbeing will satisfy themselves as to the compliance of data protection principles and robustness of the cloud-based providers.


Direct Marketing


Direct Marketing is a communication that seeks to elicit a measurable fundraising response (such as a donation, a visit to a website, sign up to Gift Aid, etc.).  The communication may be in any of a variety of formats including mail, telemarketing and email.  The responses should be recorded to inform the next communication.  PH7 Wellbeing will not share or sell its database(s) with outside organisations. 


PH7 Wellbeing holds information on our staff, volunteers, clients and other supporters, to whom we will from time to time send copies of our newsletters, magazine and details of other activities that may be of interest to them.  Specific consent to contact will be sought from our staff, clients and other supporters, including which formats they prefer (e.g. mail, email, phone etc) before making any communications.


We recognise that clients, staff, volunteers and supporters for whom we hold records have the right to unsubscribe from our mailing lists.  This wish will be recorded on their records and will be excluded from future contacts.


The following statement is to be included on any forms used to obtain personal data:

We promise never to share or sell your information to other organisations or businesses and you can opt out of our communications at any time. 



Privacy Statements


Any documentation which gathers personal and/or special categories of personal data should contain the following Privacy Statement information:

  • Explain who we are
  • What we will do with their data
  • Who we will share it with
  • Consent for marketing notice
  • How long we will keep it for
  • That their data will be treated securely
  • How to opt out
  • Where they can find a copy of the full notice


Personnel Records

The Regulations apply equally to volunteer and staff records.  PH7 Wellbeing may at times record special categories of personal data with the volunteer’s consent or as part of a staff member’s contract of employment.


For staff and volunteers who are regularly involved with vulnerable adults, it will be necessary for PH7 Wellbeing to apply to the Disclosure & Barring Service to request a disclosure of spent and unspent convictions, as well as cautions, reprimands and final warnings held on the police national computer.  Any information obtained will be dealt with under the strict terms of the DBS Code.   Access to the disclosure reports is limited to the Senior Management Team. 



Further guidance regarding confidentiality issues can be found in our Confidentiality Policy.


When working from home, or from some other off-site location, all data protection and confidentiality principles still apply.  All computer data, e.g. documents and programmes related to work for PH7 Wellbeing should not be stored on any external hard disk or on a personal computer.  If documents need to be worked on at a non-networked computer, they should be saved onto a USB drive which should be password protected.


Workstations in areas accessible to the public, e.g. reception or trading office, should operate a clear desk practice so that any paperwork, including paper diaries, containing personal and/or special categories of personal data is not left out on the desk where passers-by could see it.


When sending emails to outside organisations, e.g. social worker or hospital staff, care should be taken to ensure that any identifying data is removed and that codes (e.g. initials or identifying code number, such as social services number, etc.) are to be used.  Confidential and/or special categories of personal information should be written in a separate document which should be password protected before sending.  Wherever possible, this document should be ‘watermarked’ confidential.


Any paperwork kept away from the office (e.g. clients care plan kept at home by a worker) should be treated as confidential and kept securely as if it were held in the office.  Documents should not be kept in open view (e.g. on a desktop) but kept in a file in a drawer or filing cabinet as examples, the optimum being a locked cabinet but safely out of sight is a minimum requirement.  Enablers needing to take paperwork away from a client’s home (e.g. unable to make a required phone call during the visit) must ensure that it is returned to the client’s home on the next visit.


If you are carrying documents relating to a number of clients when on a series of home visits, you should keep the documents for other clients locked out of sight in the boot of the car (not on the front seat) and not take them into the client’s home.  When carrying paper files or documents they should be in a locked briefcase or in a folder or bag which can be securely closed or zipped up. Never take more personal data with you than is necessary for the job in hand.  Care should be taken to ensure that you leave a client’s home with the correct number of documents and that you haven’t inadvertently left something behind.


Retention of Records


Paper records should be retained for the following periods at the end of which they should be shredded:


  • Client records – 6 years after ceasing to be a client.
  • Staff records – 6 years after ceasing to be a member of staff.
  • Unsuccessful staff application forms – 6 months after vacancy closing date.
  • Volunteer records – 6 years after ceasing to be a volunteer.
  • Timesheets and other financial documents – 7 years.
  • Employer’s liability insurance – 40 years.


Archived records should clearly display the destruction date.


What to Do If There Is a Breach


If you discover, or suspect, a data protection breach you should report this to your line manager who will review our systems, in conjunction with the Senior Management Team to prevent a reoccurrence.  The CEO and Head of Operations should be informed of the breach, action taken and outcomes to determine whether it needs to be reported to the Information Commissioner.


Any deliberate or reckless breach of this Data Protection Policy by an employee or volunteer may result in disciplinary action which may result in dismissal.


The Rights of an Individual


Under the Regulations an individual has the following rights with regard to those who are processing his/her data:

  • Personal and special categories of personal data cannot be held without the individual’s consent (however, the consequences of not holding it can be explained and a service withheld).
  • Data cannot be used for the purposes of direct marketing of any goods or services if the Data Subject has declined their consent to do so.
  • Individuals have a right to have their data erased and to prevent processing in specific circumstances:
    • Where data is no longer necessary in relation to the purpose for which it was originally collected
    • When an individual withdraws consent
    • When an individual object to the processing and there is no overriding legitimate interest for continuing the processing
    • Personal data was unlawfully processed
  • An individual has a right to restrict processing – where processing is restricted, PH7 Wellbeing is permitted to store the personal data but not further process it. PH7 Wellbeing can retain just enough information about the individual to ensure that the restriction is respected in the future.
  • An individual has a ‘right to be forgotten’.
  • PH7 Wellbeing will not undertake direct telephone marketing activities under any circumstances.


Data Subjects can ask, in writing to the Chief Executive, to see all personal data held on them, including e-mails and computer or paper files.  The Data Processor (PH7 Wellbeing) must comply with such requests within 30 days of receipt of the written request.

Powers of the Information Commissioner

The following are criminal offences, which could give rise to a fine and/or prison sentence

  • The unlawful obtaining of personal data.
  • The unlawful selling of personal data.
  • The unlawful disclosure of personal data to unauthorised persons.


Further Information


Further information is available at

Details of the Information Commissioner

The Information Commissioner’s office is at

Wycliffe House

Water Lane


Cheshire  SK9 5AF


Switchboard: 01625 545 700        


Data Protection Help Line: 01625 545 745

Notification Line: 01625 545 740


PH7 Wellbeing needs to collect and use personal data about staff, students and other users to allow it to monitor performance, achievements, and health and safety, for example. It is also necessary to process information so that staff can be recruited and paid, courses organised and legal obligations to funding bodies and government complied with.

It is our policy to collect and use fairly and lawfully all personal data required for its purposes in accordance with the Data Protection Principles contained in the 1998 Data Protection Act.

To comply with the Act, we will only collect and use personal data that is adequate, relevant, accurate and where necessary, up to date and will not keep the data any longer than is necessary for the purpose for which the data is processed. PH7 Wellbeing will also take appropriate measures against unauthorised and unlawful processing of personal data and accidental loss or destruction of or damage to, personal data by ensuring that the personal data is held in a secure manner thereby protecting confidentiality at all times. 

Roles and Responsibilities

PH7 Wellbeing Designated Data Controllers

PH7 Academy is the Data Controller under the Act and is therefore ultimately responsible for implementation. However, day to day matters will be dealt with by PH7 Academy Data Protection Officer.

Members of staff are responsible for:

  • Checking any information that they provide to PH7 Wellbeing in connection with their employment is accurate and up to date
  • Informing PH7 Wellbeing of any changes to information, which they provide. For example, change of address
  • If and when, as part of their job, members of staff collect information about other living people, they must comply with PH7 Wellbeing Data Protection Staff Guidelines

Students are responsible for:

  • Checking that information that they provide to PH7 Wellbeing is accurate and up to date
  • Informing PH7 Academy of any changes to information, which they provide. For example, change of address
  • If and when students are required to process personal data to fulfil some academic objective, they must comply with PH7 Wellbeing Data Protection Student Guidelines


Staff and Students Rights

As individual data subjects, members of staff and students have rights under the Act. In particular, they have the right of access to the personal data held about them by PH7 Academy, the right to inaccurate personal data corrected or erased and, where appropriate, to seek redress for any damage caused.


Making an Enquiry

To obtain a copy of all information held about you, to which the Data Protection Act applies, a request in writing must be made and sent the Designated Data Controller. PH7 Wellbeing will comply with the request within 40 days of the Designated Data Controller receiving the form unless there is good reason for the delay. In such cases, the reason will be explained in writing to the data subject making the request. You will need to pay a fee of £10.00.


All enquiries about access to information should be addressed to:

The Designated Data Controller

PH7 Academy

Churchill House

60, Bank Parade


BB11 1TS




The Website

This website and its owners take a proactive approach to user privacy and ensure the necessary steps are taken to protect the privacy of its users throughout their visiting experience. This website complies to all UK national laws and requirements for user privacy.

Cookie Policy

This website uses cookies to better the users experience while visiting the website. Where applicable this website uses a cookie control system allowing the user on their first visit to the website to allow or disallow the use of cookies on their computer / device. This complies with recent legislation requirements for websites to obtain explicit consent from users before leaving behind or reading files such as cookies on a user’s computer / device.

The cookies in use to deliver Google Analytics service are described in the table below.

Cookie Title Description





Google Analytics

These cookies are used to store information, such as what time your current visit occurred, whether you have been to the site before, and what site referred you to the web page.These cookies contain no personally identifiable information but they will use your computer’s IP address to know from where in the world you are accessing the Internet.

Google stores the information collected by these cookies on servers in the United States. Google may transfer this information to third-parties where required to do so by law, or where such third-parties process the information on Google’s behalf.


In order to provide website visitors with more choice on how data is collected by Google Analytics, Google has developed the Google Analytics Opt-out Browser Add-on. The add-on communicates with the Google Analytics JavaScript (ga.js) to stop data being sent to Google Analytics. The Google Analytics Opt-out Browser Add-on does not affect usage of the website in any other way. A link to further information on the Google Analytics Opt-out Browser Add-on is provided below for your convenience.

For more information on the usage of cookies by Google Analytics please see the Google website. A link to the privacy advice for this product is provided below for your convenience.

Disabling Cookies

If you would like to restrict the use of cookies you can control this in your Internet browser. Links to advice on how to do this for the most popular Internet browsers are provided below for convenience and will be available for the Internet browser of your choice either online or via the software help (normally available via key F1).

Contact & Communication

Users contacting this website and/or its owners do so at their own discretion and provide any such personal details requested at their own risk. Your personal information is kept private and stored securely until a time it is no longer required or has no use, as detailed in the Data Protection Act 1998. Every effort has been made to ensure a safe and secure form to email submission process but advise users using such form to email processes that they do so at their own risk.

This website and its owners use any information submitted to provide you with further information about the products / services they offer or to assist you in answering any questions or queries you may have submitted. This includes using your details to subscribe you to any email newsletter program the website operates but only if this was made clear to you and your express permission was granted when submitting any form to email process. Or whereby you the consumer have previously purchased from or enquired about purchasing from the company a product or service that the email newsletter relates to. This is by no means an entire list of your user rights in regard to receiving email marketing material. Your details are not passed on to any third parties.

Email Newsletter

This website operates an email newsletter program, used to inform subscribers about products and services supplied by this website. Users can subscribe through an online automated process should they wish to do so but do so at their own discretion. Some subscriptions may be manually processed through prior written agreement with the user.

Subscriptions are taken in compliance with UK Spam Laws detailed in the Privacy and Electronic Communications Regulations 2003. All personal details relating to subscriptions are held securely and in accordance with the Data Protection Act 1998. No personal details are passed on to third parties nor shared with companies / people outside of the company that operates this website. Under the Data Protection Act 1998 you may request a copy of personal information held about you by this website’s email newsletter program. A small fee will be payable. If you would like a copy of the information held on you please write to the business address at the bottom of this policy.

Email marketing campaigns published by this website or its owners may contain tracking facilities within the actual email. Subscriber activity is tracked and stored in a database for future analysis and evaluation. Such tracked activity may include; the opening of emails, forwarding of emails, the clicking of links within the email content, times, dates and frequency of activity [this is by no far a comprehensive list].

This information is used to refine future email campaigns and supply the user with more relevant content based around their activity.

In compliance with UK Spam Laws and the Privacy and Electronic Communications Regulations 2003 subscribers are given the opportunity to un-subscribe at any time through an automated system. This process is detailed at the footer of each email campaign. If an automated un-subscription system is unavailable clear instructions on how to un-subscribe will by detailed instead.

External Links

Although this website only looks to include quality, safe and relevant external links, users are advised adopt a policy of caution before clicking any external web links mentioned throughout this website. (External links are clickable text / banner / image links to other websites, similar to; or Affordable Websites.)

The owners of this website cannot guarantee or verify the contents of any externally linked website despite their best efforts. Users should therefore note they click on external links at their own risk and this website and its owners cannot be held liable for any damages or implications caused by visiting any external links mentioned.

Social Media Platforms

Communication, engagement and actions taken through external social media platforms that this website and its owners participate on are custom to the terms and conditions as well as the privacy policies held with each social media platform respectively.

Users are advised to use social media platforms wisely and communicate / engage upon them with due care and caution in regard to their own privacy and personal details. This website nor its owners will ever ask for personal or sensitive information through social media platforms and encourage users wishing to discuss sensitive details to contact them through primary communication channels such as by telephone or email.

This website may use social sharing buttons which help share web content directly from web pages to the social media platform in question. Users are advised before using such social sharing buttons that they do so at their own discretion and note that the social media platform may track and save your request to share a web page respectively through your social media platform account.

Shortened Links in Social Media

This website and its owners through their social media platform accounts may share web links to relevant web pages. By default some social media platforms shorten lengthy urls [web addresses] (this is an example:

Users are advised to take caution and good judgement before clicking any shortened urls published on social media platforms by this website and its owners. Despite the best efforts to ensure only genuine urls are published many social media platforms are prone to spam and hacking and therefore this website and its owners cannot be held liable for any damages or implications caused by visiting any shortened links.

Resources & Further Information

December 2018 – PH7 Wellbeing Centre. Company Registration Number 10943606 (England and Wales). Registered office address: 13 Lyndhurst Road, Burnley, United Kingdom, BB10 3JP. Postal Address: Churchill House, 60 Bank Parade, Burnley, Lancashire, BB11 1TS