The Breastfeeding Network (BfN) is committed to protecting any personal information that we collect. We therefore issue this privacy notice in the interests of transparency over how we use (“process”) the personal data that we collect from visitors to our website, the people we support, our donors and fundraisers, our trainees and volunteers and our customers (“you”).
This page, together with our Cookies Policy sets out how we will process any personal information we collect from you or that you give us.
Your personal data – what is it?
Personal data relates to a living individual who can be identified from that data. Identification can be by the information alone or in conjunction with any other information in the data controller’s possession or likely to come into such possession. The processing of personal data is governed by [the General Data Protection Regulation 2016/679 (the “GDPR”)].
Sensitive personal data The GDPR refers to sensitive personal data as “special categories of personal data” and includes:
- the racial or ethnic origin of the individual,
- their political opinions,
- their religious or philosophical beliefs,
- their membership of a trade union,
- their physical or mental health or condition,
- their sexual life,
- the commission or alleged commission by them of any offence,
- any proceedings for any offence committed or alleged to have been committed by them, the disposal of such proceedings or the sentence of any court in such proceedings,
- genetic data; and
- biometric data where processed to uniquely identify a person (for example a photo in an electronic passport)
For data protection purposes the “data controller” means the person or organisation who determines the purposes for which and the manner in which any personal data are processed.
The data controller is The Breastfeeding Network.
In some areas, we are commissioned to deliver breastfeeding support services and to collect information on behalf of someone else e.g. the local council or health board. In these cases, the Breastfeeding Network is acting as a data processor, but we apply the same level of protection to any information we collect.
The Breastfeeding Network (BfN) is a UK charity which aims to be an independent source of support and information for breastfeeding women and those involved in their care.
Our registered Scottish charity number is SC027007
The Breastfeeding Network is a Company Limited by Guarantee Registered in Scotland, No SC330639
What kind of information do we collect?
At all times we strive to minimise the amount of information we collect and will always ensure that we have a justifiable reason (lawful basis) to gather any information we request from you. The types of information we collect are:
- Information about people who we support (these might be mothers at drop-ins or in hospital, those who phone the National Breastfeeding Helpline, those who email, those who contact us via online chat, those who contact us via social media, those who contact us by text, those who have been referred to one of our peer support services and those who sign up to receive support from us)
- Staff details
- Information about people who have applied to work or volunteer with us
- Information about our trainees and volunteers
- Information about members of our Friends schemes
- Information about our Directors
- Information about next of kin/emergency contacts
- Information about referees
- Photographs of staff, volunteers, mothers and babies
- Information about people who donate or fundraise for us
- Information about our Commissioners and people who work for them
- Information about shop customers, online, post and by email
- Information about people who speak at our events
- Information about our suppliers
- Information about people who enquire about training with us
- Information about people who respond to our surveys or questionnaires
- Information about people who visit our website
- Information about people who email us to make an enquiry, report a concern or complaint or give us feedback
Purpose of processing the data
It is necessary for us to process personal data for one or more of the following reasons:
- To provide the support services or information you have requested
- To identify an individual for the purposes of recruitment, training or volunteering
- To maintain that information for the general purposes of the ongoing employment, training or volunteering relationship including performing the employment/volunteer contract, maintaining the health and safety of individuals on our premises and enabling our volunteers to operate safely and effectively
- To deliver the services you have requested by joining one of our membership or friendship schemes
- To notify the relevant parties of any changes to our Board of Trustees
- To process or acknowledge any donations made to us
- To deliver any services we are commissioned to provide or to provide quotations for future contracts
- To deliver products or services ordered via our online shop, by email or by post
- To contact the people who are speaking at our events and to arrange payment of any fees or expenses
- We will need this information in relation to any contract for goods or services supplied to us
- To process responses to our surveys or questionnaires
- To assess which country visitors to our website are located and which pages they visit
- To respond to enquiries, concerns, complaints or feedback
Our lawful basis for processing the personal data of service users, staff, volunteers, members, trainees, volunteers, donors, customers and contacts is:
- Processing the personal data is necessary for the purpose of carrying out a service level agreement/contract where we are commissioned to provide breastfeeding support services;
- Processing is necessary in order for us to fulfil a contract to deliver items or services ordered from our shop
- We have your explicit consent to process the information that you provide to us
- Processing the data is necessary for the purposes of our “legitimate interests” as the data controller (except where such interests are overridden by the interests, rights or freedoms of the individual).
Our “legitimate interests” for these purposes are:
- the need to process service user data for the purposes of providing breastfeeding support services;
- the need to process data for the purposes of responding to enquiries or providing information requested from us
- the need to process data in order to enable and support our members, staff and volunteers effectively
Recipients of personal data
Your personal data may be received by the following categories of people:
- Our HR department;
- In the case of job applicants, the interviewer and prospective manager;
- Any individual authorised by us to maintain personnel files;
- Our professional advisers
- Our external providers, such as Bank of Scotland, payroll provider, IT support company, Call Handling and online survey providers
- Our external regulators and authorities (such as HMRC and HSE)
- Commissioners and funders (information will always be anonymised as far as possible)
- Tutors, Supervisors, Project Leads and local coordinators/administrators
- Central staff
We do not envisage that your data would be transferred to a third country outside the EU or the US. If we perceive the need to do so we would discuss that with you and explain the legal basis for the transfer of the data at that stage. We would also ensure that the transfer and storage of data is adequately protected and compliant with the UK GDPR, for example Survey Monkey is covered by the EU-US Privacy Shield https://www.privacyshield.gov/welcome .
Storage of Personal Data
We adopt appropriate data collection, storage and processing practices and security measures to protect against unauthorised access, alteration, disclosure or destruction of your personal information, transaction information and data.
We will keep personal data for no longer than is strictly necessary, having regard to the original purpose for which the data was processed. Further details of our records retention schedule can be found in our Information Governance policy.
Your Rights in Relation to your Personal Data
The right to be forgotten
You have the right to request that your personal data is deleted if:
- it is no longer necessary for us to store that data having regard to the purposes for which it was originally collected; or
- in circumstances where we rely solely on your consent to process the data (and have no other legal basis for processing the data), you withdraw your consent to the data being processed; or
- you object to the processing of the data for good reasons which are not overridden by another compelling reason for us to retain the data; or
- the data was unlawfully processed; or
- the data needs to be deleted to comply with a legal obligation.
However, we can refuse to comply with a request to delete your personal data where we process that data:
- to exercise the right of freedom of expression and information;
- to comply with a legal obligation or the performance of a public interest task or exercise of official authority;
- for public health purposes in the public interest;
- for archiving purposes in the public interest, scientific research, historical research or statistical purposes; or
- the exercise or defence of legal claims.
The right to data portability
You have the right to receive the personal data which you have provided to us, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided (us) where:
- the processing is based on consent or on a contract; and
- the processing is carried out by automated means.
Note that this right only applies if the processing is carried out by “automated means” which means it will not apply to most paper based data.
The right to withdraw consent
Where we process your personal data in reliance on your consent to that processing, you have the right to withdraw that consent at any time. You may do this in writing to the Central Support team or to your local manager.
The right to object to processing
Where we process your personal data for the performance of a legal task or in view of our legitimate interests you have the right to object on “grounds relating to your particular situation”. If you wish to object to the processing of your personal data you should do so in writing to Central Support or to your local manager stating the reasons for your objection.
Where you exercise your right to object we must stop processing the personal data unless:
- we can demonstrate compelling legitimate grounds for the processing, which override your interests, rights and freedoms; or
- the processing is for the establishment, exercise or defence of legal claims.
The right of subject access
So that you are aware of the personal data we hold on you, you have the right to request access to that data. This is sometimes referred to as making a “subject access request”. Any such requests should be sent to the Central Support Manager who will respond within 30 days. Further details can be found in our Information Governance policy.
The right to rectification
If any of the personal data we hold on you is inaccurate or incomplete, you have the right to have any errors rectified.
Where we do not take action in response to a request for rectification you have the right to complain about that to the Information Commissioner’s Office.
The right to restrict processing
In certain prescribed circumstances, such as where you have contested the accuracy of the personal data we hold on you, you have the right to block or suppress the further processing of your personal data.
Rights related to automated decision making and profiling
The GDPR defines “profiling” as any form of automated processing intended to evaluate certain personal aspects of an individual, in particular to analyse or predict:
- performance at work;
- economic situation;
- personal preferences;
- location; or
You have the right not to be subject to a decision when it is based on automated processing; and it produces a legal effect or a similarly significant effect on you.
However, that right does not apply where the decision is necessary for purposes of the performance of a contract between you and us. We may use data related to your performance or attendance record to make a decision as to whether to take disciplinary action. We consider that to be necessary for the purposes of conducting the employment contract. In any event that is unlikely to be an automated decision in that action will not normally be taken without an appropriate manager discussing the matter with you first and then deciding whether the data reveals information such that formal action needs to be taken. In other words there will be “human intervention” for the purposes of the GDPR and you will have the chance to express your point of view, have the decision explained to you and an opportunity to challenge it.
If we wish to use your personal data for a new purpose, not covered by this Data Privacy Notice, then we will publish a new notice explaining this new use prior to commencing the processing and setting out the relevant purposes and processing conditions. Where and whenever necessary, we will seek your prior consent to the new processing.
To exercise all relevant rights, queries of complaints please in the first instance contact the Central Support Manager as listed on our website.
Where you take the view that your personal data are processed in a way that does not comply with the GDPR, you have a specific right to lodge a complaint with the relevant supervisory authority. The supervisory authority will then inform you of the progress and outcome of your complaint. The supervisory authority in the UK is the ICO https://ico.org.uk/
Other party websites
This privacy notice does not cover the links within this site linking to other websites. We encourage you to read the privacy statements on those sites.