Privacy Policy

---

At Somebody's Dad CIC (Company), we are dedicated to protecting your privacy. This Privacy Policy (Policy) is developed in compliance with the requirements of the Data Protection Act 1998, as subsequently replaced and superseded by the General Data Protection Regulation (EU) 2016/679, as in force from time to time (Data Protection Law). If you have any inquiries regarding this Policy or how we handle your personal data, please contact us using the provided details at the end of this Policy.

We have constructed this Policy because we understand the significance of privacy and data security for everyone who entrusts us with their data, regardless of the interaction method, whether as a visitor to our website somebodysdad.org, through social media, or in response to printed materials as a donor, fundraiser, volunteer, or grants applicant/recipient.

This Policy elucidates how we utilize the Personal Data we collect. If you do not agree with this Policy, kindly refrain from engaging with the Company in any manner that involves sharing your data, including the use of this Site.

What Personal Data Do We Collect and How Is It Used? We collect Personal Data in accordance with the definition provided by Data Protection Law (see the summary of definitions at the end of this Policy). The Personal Data we gather may include your name, date of birth, email address, postal address, and telephone number. We keep a record of your information requests and any feedback you provide. Additionally, we may collect technical information related to your usage of our Site, such as your browser type or the Internet Protocol (IP) address used to connect your computer to the internet.

We strive to ensure the accuracy and currency of your Personal Data. If any of the information you have provided changes, such as your email address or postal address, please inform us using the contact details at the end of this Policy.

For certain purposes, we require your explicit consent to use your information. However, Somebody's Dad CIC also relies on its right to hold and process data in pursuit of its legitimate interests (e.g., advancing its charitable objectives, including fundraising) without always obtaining your explicit consent. When we use this approach to contact you, we will always provide you with the option to unsubscribe from future communications.

By affirmatively accepting this Policy, you grant consent for us to process your information for the following purposes:

• Administering the Site and keeping you informed about the Company's activities.
• Conducting marketing efforts on behalf of the Company, including fundraising, which may involve mail and email services (please note that the Company does not engage in telephone marketing).
• Evaluating grant applications, including assessing eligibility criteria, whether it pertains to you personally, the person on whose behalf you are applying, or your organization.
• Monitoring the progress and outcomes of grants.
• Achieving the charitable objectives of the Company.
• Administering the Company's activities.

If you submit your Personal Data through means other than the Site, the Company may provide you with an additional statement outlining any further processing activities related to your Personal Data.

By communicating with us in person or through any medium, using this Site, making a donation, submitting a grant application, or subscribing to our newsletter, you consent to the processing of your Personal Data for the aforementioned purposes. If you wish for the Company not to use your Personal Data for direct marketing (fundraising) purposes, kindly inform us using the contact details at the end of this policy.

If you supply any visual image or sound recording containing your personal data to the Company, or if the Company acquires such an image or recording by photographing or recording you, this image or recording may be used for the Company's marketing and promotional activities. The purpose for using your image or recording will always be clearly outlined in our consent form and/or on our website.

We also collect general information about the use of this Site, but we utilize aggregated or anonymous information that does not identify you as an individual visitor. We monitor which pages are visited most frequently, which services, events, or facilities generate the most interest, and track the pages users visit when they click on links in emails. This information helps us tailor the presentation of our Site, make improvements, and provide the best service to users.

Do We Share Your Information with Anyone Else? Please note that we do not share your Personal Data with any other organization for marketing purposes.

We will only share your Personal Data in the following circumstances:

• If you are a grant applicant, we may share your data with Somebody's Dad CIC in connection with the grant application and award process.
• If you are an online donor, we may share your data with our payment processor. By using our payment processor, you agree to their terms and conditions for using their services, including their privacy policy. We recommend reviewing their privacy policy when using their service as we are not responsible for data you share with      them.
• If you are a staff member, we may share your data with our payroll providers and companies that administer staff benefits.
• With our contractors and suppliers who provide services on our behalf, such as our IT providers, to the extent necessary to enable you to receive those services.
• With agencies that help us conduct online   or print campaigns to communicate our work to existing supporters and reach new ones.
• With Her Majesty's Revenue and Customs to process Gift Aid claims.
• With relevant authorities if the Company has a reasonable belief that criminal activity is occurring, or if it believes that an individual or group of individuals are at risk of harm, or if required by law or expressly permitted under Data Protection Law.

We may need to share your information with our service providers, affiliated organizations, and agents for the purposes described above.

Special Categories of Personal Data The Company collects Special Categories of Personal Data (see the summary of definitions at the end of this Policy) only when permitted by Data Protection Law.

We have implemented additional measures to safeguard the confidentiality of your Special Categories of Personal Data. We will only disclose your Special Categories of Personal Data to third parties as described in this Privacy Policy or where allowed by Data Protection Law.

Ongoing Processing The Company continues to process your Personal Data following your initial interaction with us, such as:

• Processing your grant application or monitoring your grant award.
• Providing you with requested information.
• Processing your donation.
• Keeping you informed about the Company's work.
• Managing your volunteering.
• Analysing our historical grants portfolio.

We retain all information in accordance with our Data Retention Policy, which is available upon request.

Your Rights You have the right to request that we do not process your Personal Data for marketing purposes.

You have the right to request the erasure of your data, often referred to as the 'right to be forgotten.' You may exercise this right for any reason, such as when your data is no longer necessary for our use, or if you withdraw your consent. Please note that we are entitled to and reserve the right to retain your data for statistical purposes. This right is not absolute, as we may need to continue processing this information, for example, to comply with our legal obligations or for reasons of public interest.

CONFIDENTIALITY POLICY for Somebody's Dad CIC

1. Introduction: A confidentiality policy is essential to safeguard the privacy of Somebody's Dad CIC service users, employees, and volunteers. This policy aims to prevent the unauthorized disclosure of information about them to individuals or organizations without the appropriate rights to access such information. It also provides clear guidance to employees and volunteers regarding the preservation of confidentiality, circumstances under which confidentiality may be breached, and the steps to be taken in such cases.      Furthermore, all Somebody's Dad CIC staff members are expected to adhere to the professional boundaries of confidentiality outlined in the BACP Ethical Framework.
2. General:  Confidentiality Statement 2.1. All Somebody's Dad CIC employees and      volunteers are expected to uphold the privacy and confidentiality rights of service users and fellow employees and volunteers to the fullest extent possible, taking into consideration legal requirements and the safety of others.

2.2. Service users have the inherent right to understand the scope and limitations of the confidentiality provided by Somebody's Dad CIC. They should be informed about the circumstances under which confidentiality may be breached, and this discussion should occur at the outset of their training, workshops, or counselling sessions.

2.3. If it becomes necessary to share information with another individual or organization, this should be done on a strict "need to know" basis. Whenever possible, consent from the person whose information is being shared should be obtained, and that person should be notified about the disclosure and its recipient.

2.4. This policy encompasses not only information intentionally provided by the individual or by others about the individual but also information obtained inadvertently or through observation.

1. Duty of Care 3.1. Somebody's Dad CIC owes a duty of care to its service users.      Therefore, confidentiality may be breached when a service user's actions or potential actions pose a serious threat to their well-being or the safety of others.

3.2. There is also a broader duty of care towards the general public. Somebody's Dad CIC may need to notify law enforcement or statutory authorities when there is a possibility of significant harm to a specific person or persons, or to the public at large.

3.3. Regarding children and vulnerable adults, Somebody's Dad CIC employees and volunteers share a duty of care. If there is knowledge or suspicion of sexual or physical abuse of a child or vulnerable adult, the relevant safeguarding procedures, such as reporting to the Child Protection Unit or appropriate social services, must be followed.

1. Sharing Information with Other Entities Sharing information with external parties is ideally done with the knowledge and cooperation of the individual concerned. Discussions should occur with the directors, especially when cooperation is not possible or advisable due to the risk posed to others.

Breach of this policy will be addressed through the appropriate Grievance and/or Disciplinary procedures.

1. Statistical Recording Somebody's Dad CIC is committed to maintaining effective      statistical records of service usage for monitoring and performance assessment. Any statistical records shared with third parties, such as those required for funding applications or local authority monitoring reports, will be presented in anonymous form to protect individuals'  identities.
2. Records: All records are securely stored in locked filing cabinets. Information      related to service users, including notebooks, correspondence copies, and      other data sources, will be stored in locked drawers.
3. Ensuring Policy Effectiveness All directors will receive a copy of this confidentiality policy. Existing and new employees will be introduced to the policy during their induction and training processes. The policy will undergo an annual review, with any proposed amendments subject to approval by the directors.

• All personal paper-based and electronic data must be stored in accordance with the Data Protection Act 2018 and must be safeguarded against unauthorized access, accidental disclosure, loss, or destruction. • Access to personal paper-based and electronic data should be limited to authorized individuals only.

Somebody's Dad CIC GDPR Data Protection Policy

1. Data Protection Principles Somebody's Dad CIC is fully committed to processing data in strict adherence to its obligations under the GDPR (General Data Protection Regulation). Article 5 of the GDPR mandates that personal data must meet the following criteria: a. Processed lawfully, fairly, and transparently concerning individuals. b. Collected for explicit, legitimate, and specified purposes, with no further processing incompatible with these initial objectives, except for archiving, public interest, scientific research, or statistical purposes. c. Adequate, relevant, and restricted to what is necessary for the intended purposes. d. Accurate, and when needed, maintained up to date, ensuring prompt rectification or erasure of inaccurate data. e. Retained only as long as necessary for the purposes, with exceptions for archiving, public interest, scientific research, or statistical purposes, subject to appropriate safeguards. f. Processed securely to protect against unauthorized or unlawful processing, accidental loss, destruction, or damage, using suitable technical and organizational measures.

2. General Provisions This policy applies to all personal data handled by Somebody's Dad CIC. The responsibility for ongoing compliance with this policy rests with the Directors of Somebody's Dad CIC. Regular policy reviews, at least bi-annually, will be conducted.

3. Lawful, Fair, and Transparent Processing To ensure lawful, fair, and transparent data processing, Somebody's Dad CIC will maintain a Register of Systems. This register will be reviewed at least bi-annually. Individuals retain the right to access their personal data, and any such requests to Somebody's Dad CIC will be promptly addressed.

4. Lawful Purposes All data processing by Somebody's Dad CIC must align with one of the lawful bases, including consent, contract, legal obligation, vital interests, public task, or legitimate interests. The appropriate lawful basis will be documented in the Register of Systems. For consent-based processing, evidence of opt-in consent will be retained with the associated personal data. Revocation of consent should be clearly accessible to individuals, and systems will be in place to accurately reflect such revocations.

5. Data Minimization Somebody's Dad CIC will ensure that personal data collected is adequate, relevant, and limited to what is necessary for the intended purposes.

6. Accuracy To maintain accuracy, Somebody's Dad CIC will take reasonable measures to ensure that personal data is kept up to date, especially when necessary for the lawful basis of data processing.

7. Archiving and Removal To prevent data retention beyond necessity, Somebody's Dad CIC will establish an archiving policy for each data processing area, subject to annual review. This policy will consider which data should be retained, for how long, and for what reasons.

8. Security Personal data will be stored securely using modern, up-to-date software. Access to personal data will be restricted to authorized personnel, and measures will be in place to prevent unauthorized sharing of information. When personal data is deleted, it will be done securely to ensure irrecoverability. Adequate backup and disaster recovery solutions will be maintained.

9. Breach In the event of a security breach resulting in accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access to personal data, Somebody's Dad CIC will promptly assess the risk to individuals' rights and freedoms. If necessary, the breach will be reported to the ICO. This policy will undergo bi-annual reviews and be amended as required. 

In order to mitigate Health & Safety risks at Somebody's Dad CIC, we are dedicated to the following objectives:

1. Providing and upholding the use of safe equipment.
2. Ensuring that all designated individuals possess the necessary competence to fulfill their roles.
3. Minimizing the potential for accidents and maintaining a safe and healthy working      environment.

Responsibilities

The ultimate and conclusive responsibility for health and safety rests with the Principal Director. The day-to-day duty of implementing this policy lies with the Centre Manager. All employees, therapists, students, trainers, and visitors are required to adhere to this policy, collaborate on health and safety concerns, and exercise reasonable care for their own well-being. Any health and safety issues or concerns should be promptly reported to the Administrator.

Risk Assessment

The Centre Manager is responsible for conducting risk assessments. The findings of the risk assessment will be conveyed to the Principal Director, who will take action or grant approval for necessary modifications. The Administrator will conduct a reassessment of the risks. Risk assessments will be conducted at regular intervals, with a minimum frequency of once every 12 months.

Induction

Induction training for all employees will be conducted by the Principal Director and the Administrator.

Accidents and First Aid

A designated first aid kit is located in the kitchen. All accidents must be reported to the Administrator and documented in the first aid book, which is stored in the main office on the shelf behind the Administrator's desk.

Emergency Procedures and Fire Evacuation

The Administrator is responsible for overseeing the fire risk assessment and its implementation. Escape routes are routinely inspected by the Administrator, and fire extinguishers are checked and maintained annually.

Risk Assessment for Somebody's Dad CIC

i. What Hazards Exist?

• Electrical  equipment: microwave, heaters, kettles, computers, TVs, overhead projectors, lamps, light fixtures.
• Proper maintenance of carpets and rugs.

ii. Who Could Be Affected?

• Staff, therapists, clients, students, visitors, trainers.

iii. Current Precautions in Place?

• Regular maintenance of furnishings and fittings.
• Documentation of maintenance/replacement of electrical equipment.

iv. Implementation of Risk Assessment

• Maintenance and replacement of electrical equipment will be executed as indicated in      the equipment documentation.

This policy undergoes regular reviews, with a minimum frequency of every 18 months, and is updated as needed, at least once every 36 months.