Dementia Active is committed to protecting the privacy, dignity and personal information of everyone who uses, works with or supports our service. This policy explains how Dementia Active handles confidential information and personal data in line with UK GDPR, the Data Protection Act 2018, confidentiality duties and safeguarding practice.

This final merged version incorporates Dementia Active's website privacy policy and staff / volunteer privacy notice, while keeping the broader confidentiality and GDPR controls needed for day-to-day service delivery.

This policy applies to staff, volunteers, trustees, contractors, sessional workers and anyone acting on behalf of Dementia Active. It applies to information held in any format, including paper records, online forms, Jotform, emails, phones, spreadsheets, photographs, video, messaging apps, payroll systems and verbal conversations.

· People living with dementia who attend groups, sessions or activities.

· Family members, carers, relatives, friends and emergency contacts.

· Staff, volunteers, trustees, contractors and applicants.

· Referrers, funders, donors, supporters, professional partners and members of the public.

· Organisations that invite Dementia Active CIC or CIO to run a session.

This website and the related services are operated by Dementia Active CIC and Dementia Active CIO jointly. Dementia Active CIC and Dementia Active CIO work closely together. Where they jointly decide why and how personal information is used, they act as joint controllers.

Dementia Active is responsible as controller, or joint controller where applicable, for the personal information it processes. The organisation will make clear which entity is responsible where this matters for participants, staff, volunteers, partners or funders.

Dementia Active, 7 Manor Park, Jugglers Close, Banbury, Oxfordshire OX16 3TB

Telephone: 01295 408441

Email: info@dementiactive.co.uk / dementiactive@gmail.com

All staff, volunteers, trustees and representatives of Dementia Active must treat personal, sensitive and organisational information as confidential. Confidential information must only be accessed, used or shared where there is a proper reason connected to the person's role or Dementia Active's lawful responsibilities.

Confidential information must not be discussed in public places, with friends or family, on personal social media, or with anyone who is not authorised to know it. The duty of confidentiality continues after a person stops working or volunteering with Dementia Active.

Dementia Active may collect and use the following types of information where relevant and necessary:

· Name, address, email address and telephone numbers.

· Date of birth, emergency contacts, carer/family/relative/friend details and communication preferences.

· Information provided on sign-up forms about a relative or friend attending a Dementia Active group.

· Health, mobility, medication, allergies, dementia-related needs, support needs and wellbeing information.

· Attendance, activity, transport, risk assessment, incident, accident, complaint and safeguarding records.

· Bank or payment details where GoCardless or another payment route is used.

· Photographs, video and publicity information where appropriate permission has been given.

· Staff and volunteer recruitment, role, contract, training, payroll, pension, tax, bank, leave, sickness, wellbeing, occupational health, reference and accident-at-work information.

Most personal information is provided directly by the individual, a relative, friend, carer, staff member, volunteer, referrer or partner organisation. Participant information is collected so Dementia Active can support the person safely and appropriately in a Dementia Active group.

Dementia Active uses personal information to provide safe and person-centred activities, manage attendance, support needs, transport and emergency arrangements, communicate with carers and families, meet safeguarding responsibilities, manage staff and volunteers, process payments where applicable, keep records required for insurance, funding, monitoring and governance, and respond to complaints, incidents or legal obligations.

Dementia Active will not share personal information with another organisation or individual without permission unless there is another lawful and necessary reason, such as safeguarding, legal obligation, vital interests, insurance, emergency response or prevention of serious harm.

Dementia Active will identify an appropriate lawful basis before processing personal data. Depending on the situation, this may include:

· Consent - for example, certain photographs, video, publicity stories or non-essential communications.

· Contract - where information is needed for employment, volunteering, service, payment or other arrangements.

· Legal obligation - for health and safety, employment, tax, safeguarding, charity governance, accounting or regulatory duties.

· Vital interests - in an emergency where someone's life, health or safety may be at risk.

· Legitimate interests - where Dementia Active has a reasonable need to use information to run safe and effective services and this does not override individual rights.

Health, wellbeing, dementia-related information and some staff health information are special category data and require additional protection. Dementia Active will identify both a lawful basis under UK GDPR Article 6 and a special category condition under Article 9 where required. This may include explicit consent, provision of health or social care, employment obligations, vital interests, safeguarding, legal claims or another relevant condition.

Where Dementia Active relies on consent, consent must be freely given, specific, informed, clearly recorded and easy to withdraw. Withdrawal of consent will be respected unless there is another lawful reason to continue using the information, such as safeguarding, legal duties, insurance or vital interests.

Consent should be reviewed where someone's circumstances, capacity, family arrangements or wishes change. Staff and volunteers must be alert to dignity, capacity and safeguarding issues when relying on consent.

By signing up for a Dementia Active session, signing up as a volunteer or staff member, or inviting Dementia Active CIC or CIO to run a session, individuals may be asked to give permission for photographs or video taken by Dementia Active to be used in social media content, promotional materials and publicity efforts where the participants are over the age of 18.

Photographs and videos may be used in publications, printed promotional materials, direct mail, electronic media, the internet, websites, social media or other forms of promotion. Dementia Active should record clear consent for identifiable photographs, video and personal stories and should explain what the material may be used for, where it may appear, that consent can be withdrawn, and any practical limits on removing material already printed, distributed or published by third parties.

People must not be pressured to appear in photographs, videos or publicity. Particular care must be taken with people living with dementia, including capacity, best interests, distress, dignity and family/carer concerns.

Dementia Active will only share personal information where there is a lawful and necessary reason. Information may be shared with express permission, or without consent where required by law, for safeguarding, to prevent serious harm, in an emergency, or to meet a legal or insurance requirement.

Only the minimum necessary information should be shared, and sharing should be recorded where appropriate. Information may be shared with:

· Emergency services.

· Health and social care professionals.

· Local authorities and safeguarding teams.

· Transport providers where needed for safe travel.

· Training suppliers, HMRC, payroll/pension providers and employee benefit schemes.

· External auditors, funders, regulators, insurers, legal advisers and professional advisers where necessary.

· GoCardless or another payment processor where the individual chooses or is required to use that payment route.

Participant information may be securely stored on the Jotform platform. Dementia Active may also use email, paper records, phones, spreadsheets, payroll systems, accounting records and other approved systems. Dementia Active will protect personal information by:

· Keeping paper records in locked storage.

· Using password protection, access controls and secure devices.

· Limiting access to people who need the information for their role.

· Avoiding unnecessary printing or duplication.

· Using secure email, password-protected documents or secure portals where appropriate.

· Not leaving records visible in vehicles, public spaces or activity venues.

· Not using personal email, personal cloud storage or unapproved apps for service-user information unless specifically authorised.

Dementia Active will not keep personal information for longer than necessary. Information will be securely deleted, shredded or anonymised when no longer required. Participant information is normally kept for as long as the relative/friend remains a member of Dementia Active and is then deleted from Jotform, unless Dementia Active needs to retain limited records for legal, safeguarding, insurance, complaint or governance reasons.

Record and Retention approach

Participant registration, sign-up and membership information -

Keep while the person is a member or receiving support, then delete or archive only what is   necessary for legal, safeguarding, insurance or complaint purposes.

Emergency, health, dementia-related and support information -

Review regularly and update promptly; delete or archive when no longer needed,   subject to safeguarding, legal and insurance requirements.

Incident, accident and complaint records -

Usually at least 3 years, or longer where safeguarding, insurance, legal or unresolved   complaint issues require it.

Safeguarding records -

Retain in line with safeguarding guidance and risk; keep longer where concerns are ongoing   or may need future reference.

Staff and volunteer files -

Up to 6 years after the person leaves, in line with the staff / volunteer privacy notice.

Payroll, pension, tax and financial records -

Usually 6 years or as required by tax, accounting, pension or charity law.

Photograph / video consent records -

Keep while the relevant image, video or story is in use, then delete or archive   appropriately.

Marketing and publicity contacts -

Keep until consent is withdrawn, the contact unsubscribes, or the information is no   longer active or needed.

A personal data breach may include sending information to the wrong person, losing paperwork or a device, unauthorised access, accidental deletion or alteration, or inappropriate verbal disclosure.

All suspected breaches must be reported immediately to Andrew Gill or the designated manager/data protection lead. Dementia Active will assess the breach, take action to reduce harm, record what happened and, where legally required, report it to the ICO and/or affected individuals.

Individuals have rights under data protection law. These include:

· The right to be informed about how their information is used.

· The right of access - to ask for copies of personal information.

· The right to rectification - to ask for inaccurate or incomplete information to be corrected.

· The right to erasure - to ask for deletion in certain circumstances.

· The right to restriction of processing - to ask Dementia Active to limit how information is used in certain circumstances.

· The right to object to certain processing.

· The right to data portability in certain circumstances.

· The right to withdraw consent where consent is the lawful basis.

Requests should be passed to Andrew Gill or the manager/data protection lead as soon as possible. Dementia Active will respond without undue delay and in any event within one month unless an extension is permitted by law.

To make a data protection rights request, contact Dementia Active using the contact details in section 4.

Confidentiality must never be used as a reason to ignore abuse, neglect or risk of harm. If staff or volunteers have a safeguarding concern, they must report it immediately to the Dementia Active safeguarding lead or manager in line with the Safeguarding Policy.

Information will be shared on a need-to-know basis with appropriate professionals or authorities.

When someone works or volunteers for Dementia Active, personal information may be collected and used to manage their role, keep records, make salary, pension or expense payments, provide training, manage wellbeing and meet legal duties.

This may include job role, contract details, start and leave dates, salary, working patterns, timesheets, expenses, overtime, leave, sick leave, maternity, paternity, shared parental and adoption leave and pay, pension details, bank account details, payroll records, tax status, general health and wellbeing information, occupational health referrals and reports, fit notes and accident at work records.

Lawful bases may include consent, contract and legal obligation. Health and wellbeing information may also require a special category condition. Staff and volunteer information is usually kept for up to 6 years after leaving, unless a longer or shorter period is justified.

Information may be shared with training suppliers, HMRC, payroll providers, pension providers, employee benefit schemes, external auditors, insurers, legal advisers and professional advisers where necessary.

All staff, volunteers and trustees must:

· Read and follow this policy and relevant privacy notices.

· Keep personal information confidential and secure.

· Only access information needed for their role.

· Not share passwords or login details.

· Report data breaches, confidentiality concerns and safeguarding concerns immediately.

· Complete relevant training where required.

· Ask for guidance if unsure whether information can be used or shared.

When working off-site, travelling or running community sessions, staff and volunteers must carry only the information needed, keep paperwork and devices secure, avoid confidential conversations where they can be overheard, return records to secure storage promptly and avoid personal email, personal cloud storage or unapproved messaging apps for confidential information.

Dementia Active will provide appropriate guidance or training on confidentiality, data protection and safeguarding. Training will be refreshed where necessary, especially where roles, systems, services or legal requirements change.

Anyone with concerns about Dementia Active's use of personal information can contact Dementia Active at Dementia Active, 7 Manor Park, Jugglers Close, Banbury, Oxfordshire OX16 3TB, by telephone on 01295 408441, or by email at info@dementiactive.co.uk / dementiactive@gmail.com. Dementia Active will investigate and respond as appropriate.

If a person remains unhappy, they can complain to the Information Commissioner's Office:

ICO address

Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF

ICO helpline

0303 123 1113

ICO website

ico.org.uk/make-a-complaint

Policy owner - Andrew Gill

Approved by - The Trustees

Contact details -01295 408441 /   info@dementiactive.co.uk / dementiactive@gmail.com

Responsibilities - Data protection questions, privacy notices, subject access requests, breach reporting, retention and deletion, staff and volunteer guidance, and privacy queries   from members, relatives, carers and partners.

Dementia Active's website privacy notice should be kept consistent with this policy. The public-facing notice should clearly explain who Dementia Active is, what personal information is collected, how it is obtained, why it is used, lawful bases, retention, rights, complaints, ICO contact details and any third-party platforms such as Jotform and GoCardless.

Where the website includes a staff / volunteer privacy notice, it should also cover salary, pension, payroll, tax, leave, wellbeing, occupational health, accident at work records, lawful bases, retention, sharing with HMRC/training suppliers/benefit schemes/auditors and the joint controller relationship between Dementia Active CIO and CIC.

This policy will be reviewed at least annually or sooner if legislation, ICO guidance, Dementia Active services, systems, website wording, contracts or data handling practices change.

The policy should also be reviewed following any serious data breach, safeguarding issue involving information sharing, significant complaint or introduction of a new system.

Review date : 07/06/2027