Our privacy promise
We take our duties when processing your personal data very seriously. We promise that we will tell you what data we are collecting and why. We will make every reasonable effort to collect, process, store and share your data safely and securely. We will also make sure that our trusted partners do the same. We also promise that we will be open and clear with you about our use of your personal information and that you will be able to control your personal information with ease.
In order to provide support and/or services to you, we need to collect and keep personal data about you, like your name, contact details, preferred means of communication or, when appropriate, payment details. Some of this data we may need to share with 3rd parties such as payment agencies or government departments or our trusted partners, such as event organisers, specialist service providers and professional advisors. This is to provide you with the support and services you require from us and that we have to provide to you.
We use your data to deliver our services
As a Beneficiary, we use your personal data to provide you with the tailored, lifelong practical and emotional support you expect and to support your wider interests. We may also, with your consent, use your personal data to help us to market the charity and fundraise so that we can offer our support to even more blind veterans.
As a domestic or commercial tenant, we use your data to manage our estate services safely, to comply with the law and any regulations and to meet your tenancy needs.
You are in control
If you would like to make any changes to the way we are processing your data, if you believe it is inaccurate or incomplete, or you have any concerns regarding how it is being processed you can amend your preferences at any time. Whether a beneficiary, or a domestic or commercial tenant you can contact us using the details in Section 9 of this policy “How to Contact Us”.
As a beneficiary you can always start by speaking to your community worker or as a tenant with the estates team. If you wish to discuss how your personal data is used or if you wish to make an individual rights request you can e-mail our Data Protection Officer whose details are also in Section 9.
Changes to this policy
We may change the content of this document from time to time to reflect the latest views of what we do with your data or to accommodate legal and regulatory changes. Please check back frequently. You will be able to see changes have been made by the date it was last updated.
1. Who we are
Since 1915, the Blind Veterans UK Group has held to the belief that no-one who has served our country should battle blindness alone. That's why we're here to help with lifelong practical and emotional support for blind veterans, regardless of when they served or how they lost their sight. We help veterans recover their independence and discover a life beyond sight loss.
References to “Blind Veterans UK Group”, “the charity”, “our”, “us” and “we” mean Blind Veterans UK registered charity 216227 in England and Wales and SCO39411 in Scotland.
This also includes: our wholly owned subsidiary charitable trading company, Four Seasons NWMC Housing Limited (registered company No. 01882050), managing our properties and tenants; Bravo Victor Limited (registered company No. 13144807), conducting Biomedical, Social & Welfare and Innovation research; and the St Dunstan’s Retirement Benefits Plan (1973). For the purposes of the pension scheme we are Joint Controllers with St Dunstan’s Retirement Benefits Plan (1973).
2. What personal data we collect and why
What we need to collect
For data to be considered ‘personal’ it must relate to you as an identified or identifiable individual. An individual can be identifiable either directly (your name, address, email address etc.) or indirectly (Reference or ID number, location, business phone number). Where there is insufficient data to identify you as an individual from a group, this use of identifiable data is not personal data. If your identifiable data is used but the use does not relate to you, then this processing would also not be considered use of personal data. We need personal data about our beneficiaries and domestic and commercial tenants to allow us to provide you with the support and services that you require in the ways that you want.
As a Beneficiary, we will collect personal data about you in order to establish your eligibility to join us, and then to provide you with the appropriate services and support and to safeguard our staff and volunteers. This information may include:
• Postal address, telephone number, email address.
• Date and place of birth.
• Your service record, war pension, national insurance number.
• Payment details (if there is a requirement for financial transactions).
• Whether you have pets or smoke (as a duty of care to our staff and volunteers).
• Your preferences for communication, publicity and attendance at events.
• Voluntary information to assist us in building an understanding about our beneficiaries, such as your early life, professional career, your military background, hobbies, interests and aspirations.
As a Domestic tenant of one of the charity’s properties, we will collect personal data about you in order to manage your tenancy and to provide you with the appropriate services and support. This information may include:
• Postal address, telephone number, email address.
• Payment details (if there is a requirement for financial transactions).
• References and credit rating analysis.
We will be very clear with you when we wish to collect such personal data, our reason for collecting such information and we will only do so when we have a lawful basis for processing the personal data. You retain the right to change your communication preferences at any time.
As a Commercial tenant of one of the charity’s owned properties, we will collect personal data of a named individual to be our point of contact. Where applicable we collect non-personal company information in order to manage your tenancy agreement to provide you with the appropriate services and support. This information will at minimum include:
• Tenant’s Name or Trading Name and a point of contact Name
• Postal address, telephone number, email address.
• Payment details (as there is a requirement for financial transactions).
• References and credit rating analysis (where necessary).
We will be very clear with you what additional data we wish to collect, our reason for collecting this data and we will only do so if we have a lawful basis for processing it. You retain the right to change your communication preferences at any time.
UK data protection law and regulation recognises certain information as being ‘special category’ data and as being particularly sensitive. This includes racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic data, certain biometric data, data concerning physical and mental health or a person's sex life or sexual orientation. Sometimes we may need to collect or may indirectly obtain special category personal data. For example:
• As a beneficiary you will be asked to provide us with ‘special category’ personal data regarding health matters to allow us to provide you with appropriate care provision, support services and where necessary medical treatments to safeguard your welfare. This will include data regarding: Your visual impairment; general health (including mental health) any disabilities; and specific social and health care needs.
While providing this care provision we will create additional special category data to keep your health and welfare records up to date. Examples include, but are not limited to, standard care observations, records of illness, infection or injury etc. which are added to your medical records and notes. An additional example of record creation is our use of medical photography. This is used for the purpose of recording the healing and treatment of wounds, injuries, or pressure sores actively treated while you are in our care. As this example is ‘special category’ data you will be asked to consent to the capture, use and sharing of medical images.
• We will require you to provide contact details of emergency or carer contacts, eye care and health professionals, other care or health agencies you are receiving services from.
• You may reveal some of this sensitive information if you share photos or personal information in our Review magazine, on our website or social media channels.
• As a domestic tenant, health related data could be directly or indirectly revealed during the management of your tenancy in order to meet your specific needs.
• As a commercial tenant, the only ‘special category’ personal data requested would be to comply with a legal or regulatory requirement, such as equality monitoring purposes. Once processed for this purpose this data will be anonymised or deleted.
The accuracy of your personal data is really important to us. If you wish to make an update or correction to any personal data we hold, please contact us using the contact details in Section 9 “How to Contact Us” at the end of this policy.
Alternatively, as a beneficiary or domestic tenant you can speak with your community support worker, or as a commercial tenant speak to your estate team representative.
Why we need it
We need your personal data in order to perform functions such as:
- Manage your relationship with us. To establish your eligibility and suitability to receive our support and services. To keep a record of your relationship with us and any direction you give on how we are to comply with your preferences and rights. To deliver, administer and manage the services and support required as a beneficiary or to provide property maintenance services to you as a domestic or commercial tenant. To safeguard your welfare and interests.
- Communicate with you. To know how you prefer to be contacted and to make adjustments as you specify. To provide you with specific and, where appropriate, personalised services, products, updates, newsletters, feedback and information. To assist with technical problems related to our services or properties.
- Comply with applicable legal requirements and regulations. As Landlord and data controller we need to use personal data provided to us to comply with our legal obligations, for example health and safety obligations such as obtaining gas safety certifications or to a third party.
- Manage your broader relationship with us. If you choose to support the charity through marketing or fundraising, then we will keep a record of your relationship with us and any interests or preferences you have. To administer any donations or support your fundraising, including processing Gift Aid.
- To personalise and improve your Beneficiary experience. We may use some of your personal data in order to celebrate our charity’s successes, or to acknowledge personal celebrations, such as milestone birthdays or anniversaries with other beneficiaries of our charity. We may use your personal data to ask you how we can improve our information and services. To understand how we can improve our services, products or information. Where appropriate, to provide communication in a way that you control and that suits you.
- To improve our services and administration as a customer or a commercial tenant. To ensure the most efficient and appropriate use of the resources we have. To drive efficiency through statistical and market analysis.
If you do choose to withhold certain personal data, we may not be able to provide you with the full range of service information, support or services you would like.
3. How we collect your personal data
We collect data about you in a variety of ways. We collect personal data you provide directly to us as well as data we collect indirectly from other sources, such as care or health agencies or previous landlords or letting agencies.
Direct from you
You will give us personal data directly yourself when you engage with us as a beneficiary or when you contract with us when taking up a domestic or commercial tenancy. If you use our websites, applications or portals to communicate with us, or if you sign up for one of our events, these activities will require us to collect personal data. We also collect personal data when you make a payment to us, by either purchasing one of our products, such as tickets, raffles, or merchandise, or paying rent for a contracted property. If you choose to support us via a 3rd party organisation, website or application (e.g. an event organiser or agency contractor), your personal data will be collected on our behalf.
Indirectly from other sources
We may obtain your personal data indirectly when you give consent to other 3rd party organisations to share it or where it is publicly available:
• Third party organisations or individuals. We may obtain information from third parties if you have agreed that we can approach them. For example the NHS, Ministry of Defence, eye health specialists, other care or health agencies. As a domestic or commercial tenant we may obtain data from former landlords or letting agencies (for the purpose of seeking references). We will usually seek a confidential reference from a 3rd party before agreeing to a domestic or commercial tenancy. This may be performed automatically where you may have provided consent for a company or other organisation or agency to share your data with third parties. This could be when you buy a product or service or register or sign up to a website. We can only use this data where we have been named as a recipient of the data or the third party has named a charity subsection into which we fit. We may also be provided with credit/debit card transaction details. Like all companies, through our website and mobile apps, we may collect information about what browser you are using, your IP address and computer operating system and may use this information to improve the services we offer.
• Independent event organisers. Your information may be shared with us by independent event organisers. For example the London Marathon or fundraising sites like Just Giving or Virgin Money Giving. These independent third parties will pass on your data when you have indicated that you wish to support Blind Veterans UK. Note, this sharing operates using consent collected by the third party.
• Social media. Depending on your settings or the privacy policies for social media and messaging services like LinkedIn, Facebook or Twitter, you may permit organisations to access personal data from those accounts or services.
• Publicly available sources. Public information may include personal data from places such as Companies House, the electoral register and information that has been published in articles / newspapers. Additionally, the Post Office’s National Change of Address database allows us to keep your information up to date.
4. The lawful basis for processing
UK Data protection law and regulation requires us to have a lawful basis for processing your personal information. These include:
• Where you have given consent to do so for a specific purpose(s). This may include sending you e-mails / texts / marketing material or to provide you with a product, service or information that you have requested or require. Where we need your consent, it will be clearly identifiable as a consent for a specific purpose. You are able to withdraw consent at any time by contacting us. If you make this choice, it may affect our continuing relationship, as some services may no longer be able to be supplied if consent to process data is withdrawn.
• To comply with a legal obligation. We will process your personal data where UK legislation requires us to do so, or where we are required to do so by a court, regulatory authority, the police or the security services. Examples include, complying with employment, social security or social protection law, such as Health and Safety, conducting a criminal offence check or financial due diligence requirements.
• To protect the vital interests of yourself or another person. If we believe that the vital interests of you or a third party are at risk, we have a duty to protect an individual and this is a lawful basis permitting us to process personal data.
• The performance of a contract. If we are setting up or have a contract with you we will process your data to comply with the obligations of the contract.
• Where we as a charity possess a legitimate interest. Where we have a legitimate interest, we must ensure that we are not harming any of your interests or rights and only use your data in a manner that you would reasonably expect us to. For example, we have a legitimate interest in using our beneficiaries’ and domestic or commercial tenants’ data, contacts and preferences for the purposes you would expect; for providing support and services that you have requested or could reasonably expect from us including to meet our responsibilities as a charity, care organisation and domestic or commercial landlord. We also have a legitimate interest in fraud prevention and informing authorities about possible criminal acts or security threats.
• Special category. Where we process ‘special category’ personal information (such as health) we will ensure we do so in accordance with a lawful basis under Art. 6 and the additional “exception” condition for processing special category data under Art. 9 of UK-GDPR 2020. An example is Art. 9(2)(b) where the law allows special category personal data to be processed for the purposes of “employment and social security and social protection law”. This allows us to make reasonable adjustments where the law requires us to.
5. Protecting and sharing your personal data
How we protect your personal data.
We ensure there are reasonable and appropriate technical and organisational controls in place to protect your personal data against unauthorised or unlawful processing and against accidental loss, corruption, destruction or damage. If we believe it is likely that processing will pose a risk of harm to individuals we will complete a risk assessment process known as a DPIA to identify and minimise these risks. For example, our IT architecture is actively protected and routinely monitored. We have policies and procedures in place which staff and volunteers are expected to comply with and for which they receive training. A data back-up and recovery process to prevent permanent loss of data in the event of corruption, damage or accidental loss, is in place across our IT network.
- Password security. Where we have given you (or where you have chosen) a password which enables you to access certain parts of our website, you are responsible for keeping the password confidential. You agree not to share that password with anyone else. You will never be asked to provide it by any of our IT or support staff. If you are asked, decline and report the request.
You should be aware that the use of the Internet is not entirely secure and although we will do our best to protect your personal data we cannot guarantee the security or integrity of any personal information which is transferred from you or to you via the Internet. Any transmission is at your own risk.
Managing access and sharing of your personal data
We undertake reviews of who has access to the personal data we hold to ensure that your data is accessible only by necessary and appropriately trained staff and trusted third parties. We require all third parties that process personal data on our behalf to have appropriate technical and organisational measures in place to protect your data at the same standard that we apply ourselves. If we share your data with a third party or require you to directly share your personal data with a third party your data will be secure to the best of our knowledge.
We may on occasions be compelled by law or agree to disclose your personal data to third parties. Examples include law enforcement agencies, Solicitors acting in our interest, the UK courts, government bodies or national regulators. Where we are required to share personal data with non-governmental organisations or sector regulators such as The Charity Commission, the Information Commissioner’s Office, the Health and Safety Executive or the Care Quality Commission, we have limited control over how it is processed by these parties. We therefore recommend that you consult their own privacy policies.
Examples of when we will consider sharing your personal data voluntarily, without your consent but within the law include, where we believe a crime has been committed, to assist with the apprehension of an offender, to respond to an individual Right of Access Request (known as DSAR).
We may in certain circumstances share your personal data without your consent for the purpose of fulfilling our safeguarding responsibilities. This doesn’t happen often, but we may share your personal data:
- If we believe there is a serious risk to the public, our beneficiaries, our domestic or commercial tenants, our staff or to other professionals,
- To protect a vulnerable person, (child or adult) who we believe may be at risk, for example if they are frail, confused or cannot understand what is happening to them,
- We will share your personal and health data in an emergency situation which is vital to your health or well-being or where you are incapable or unable to provide consent.
Occasions, other than by law, when we may share your data include:
- If you have agreed that we may do so.
- When we use external service providers to collect or process personal data on our behalf, (a list of processors is included at the end of this policy).
- As a regulated care provider for our beneficiaries, to provide you with personal care services it will be necessary on some occasions for us to share your personal and health data with health care professionals for the purposes of ensuring your health and wellbeing. As this is special category data we will ask for your consent to do this. This may include your name, updated details of your general health, updates on any permanent conditions, food intolerance, allergies and medical photography. The sharing of this data is limited to parties that have a specific need for your health and medical data, such as NHS institutions, other Health Services, your GP practice, other social care and trusted partner organisations which process personal data on our behalf.
- As a landlord operating nationally, we will make use of local specialist service providers. If we share your personal data with a 3rd party provider, we will inform you during our engagement. The following examples identify when this applies. We use external service providers on our behalf to provide property maintenance services; property and contractor agencies and advisors, such as local surveyors and solicitors; the processing/ mailing of product orders; answering questions about our products or services; sending mail and emails; when using auditors/advisors, when processing credit/debit card payments or using online tracking and analysis software.
- If you sign a domestic or commercial tenancy agreement, we will share your personal data with the local authority for the purposes of calculating your obligations to pay Council Tax on the property and/or business rates for the duration of your tenancy.
- With our subsidiaries within the Blind Veterans UK Group, where relevant and appropriate.
- If a data sharing agreement process has been completed between Blind Veterans UK and another controller. Such a document allows two organisations to have a collaborative relationship while being separate legal entities.
- If we receive a complaint about any inappropriate content you have posted or transmitted to or from one of our sites, forums, social media pages or apps we may share your personal data with your internet provider or law enforcement agencies.
- We may disclose aggregate statistics about our beneficiaries and tenants to describe our services and operations to prospective supporters, partners, advertisers and other reputable third parties and for other lawful purposes, but these statistics won’t include any personally identifying information without your explicit consent.
- If we run an event in partnership with other named organisations your details may need to be shared. We will be very clear what will happen to your data when you register.
- If we merge with, or diversify, forming a separate/new organisation with its own legal identity, information including your personal data may be transferred to the new entity subject to a data protection risk assessment (DPIA).
We will never rent or sell your personal data. We will not share or swap it with other organisations for their own purposes or to make money out of your data without your consent.
Where we store your information
The personal data you provide to us whether in paper or electronic format will be stored securely meeting the requirements of this policy. Where we store your information may differ depending on the purpose for which we are processing it, as indicated above. Your personal data may be held within our Microsoft 365 Cloud Environment or within a number of bespoke databases or specialist applications. Your data may also be stored within a number of systems of trusted third-party processors who process your personal data on our behalf. (Details of these can be found in the third-party processors list at the end of this document.)
Cross Border Transfers of Personal Data
We may need to use the services or provide access and processing to service providers and other organisations located outside of the UK. If this is required we will conduct an appropriate risk assessment and put into place appropriate “additional measures” to safeguard your personal data and your data rights. Examples of such measures include the use of Standard Contractual Clauses (SCC). Note, if the transfer is a one-off or infrequent we may ask for your explicit consent to conduct the transfer.
The UK has recognised some countries and all of the EEA states as possessing data protection “adequacy” for the purposes of data transfers to these countries. The UK Government has decided no additional safeguards are needed to conduct data transfers to the EEA as these states have equivalent standards of data protection as the UK-GDPR 2020.
The EU has recognised the UK as possessing data protection “adequacy” for the purposes of personal data transfers of EU subjects’ personal data into the UK. No additional safeguards are needed as the UK has an equivalent level of protection to that guaranteed under EU law (EU-GDPR 2016).
In cases when we use or link to external websites provided by other organisations such as Twitter or Facebook, then we would ask you to consult their privacy policies to determine how your personal data will be processed by these controllers.
6. Retaining and sharing your personal data
The law requires we hold your personal data for only as long as is necessary. This is to fulfil the purposes for which the data was collected and our legitimate interests or in order to comply with legal or regulatory rules and requirements.
At the Blind Veterans UK Group we manage the retention of personal data with the use of a Retention and Disposal Policy. The policy uses a 2-step process to determine how long we retain documents which may contain personal data. The criteria we use for this process is to identify the “Business Function” the document was used for, then to apply a “Purpose of Retention” (from the list below). Identifying the business function allows us to group similar documents together and assign corporate ownership to proactively manage data retention. Applying a retention purpose ensures we only retain personal data for a transparent period of time necessary to meet statutory, contractual or best practice requirements.
- Retained as Live data only: No retention
- Record(s) of Activity and/or a Process: 3 years
- Evidence or Compliance: 6 years
- Governance Purposes: 7 years
- Legal (Pensions, Property, Safeguarding): 12 years
- Permanent retention (subject to review): Life of charity
If you decide to end your relationship as a beneficiary of the charity or terminate your tenancy agreement with the Blind Veterans UK Group and/or Four Seasons NWMC Housing Limited or request that we have no further contact with you, we will need to retain some basic personal information to comply with our legal and regulatory obligations and to maintain a suppression list to ensure we can comply with your request to receive no further contact from us. Suppression as opposed to deletion of data to prevent further contact once an individual has opted out is the accepted methodology of the UK data protection regulator the ICO.
7. Your details on the internet and website
Like most organisations, our website and apps use “cookies” and other tracking software to help us make our site and the way you use it better and more relevant to you. We will not be able to personally identify you from the data gathered but it may help us improve our online services.
- Cookies mean that a website will remember you. They’re small text files that are transferred to your computer (or phone or tablet). They make interacting with a website faster and easier, for example by automatically filling your name and address in text fields. Please read our cookies policy for more information. You can change your cookie preferences whenever you wish.
- When visiting our website or apps we may collect information about the type of device you’re using to access them and the settings on that device. This might also include the IP address and your operating system and certain device settings as well as diagnostic information.
8. What are your rights?
UK data protection legislation includes the UK General Data Protection Regulations 2020 (UK-GDPR) and the Data Protection Act 2018. These two authorities are to be jointly considered as the authority of UK data protection law. This legislation gives everyone a number of very important rights. In abbreviated form these are:
- The right of access. Request confirmation of processing and to be provided with copies of personal data we hold about you.
- The right of rectification. Update or amend the information we hold about you if it is incomplete or inaccurate.
- The right to erase or ‘right to be forgotten’. Ask us to remove your personal data from our records where there is no compelling reason for its continued processing, subject to a number of conditions.
- The right to restrict processing. Ask us to suppress the processing of your data, subject to a number of conditions.
- The right to data portability. Obtain and reuse your personal data for your own purposes, subject to a number of conditions.
- The right to object. Object to the processing of your data for certain purposes (such as marketing, research, statistics or our legitimate interests).
- Rights in relation to automated decision making and profiling.
If you would like to know more about your rights under the data protection law see the Information Commissioner’s Office (ICO) website.
Remember, you can exercise your rights in relation to your personal information at any time by contacting your community worker (beneficiaries) or estate team representative (tenants) or through the contact details set out in the ‘How to contact us’ section of this policy.
If you are not satisfied with our response or believe we are not processing your personal data in accordance with the law and your rights, you can complain directly to the Information Commissioner’s Office.
9. How to contact us
If you are a Beneficiary of the charity:
Write to us
C/O Member Services
Blind Veterans UK
3 Queen Square
Please call your own community worker
Please email your own community worker
If you are a Domestic or Commercial tenant:
Write to us
C/O Estates Department
Blind Veterans UK
3 Queen Square
020 7723 5021 (Main switchboard, please ask for the Estates Team)
email@example.com (please add ‘For Estates Team’ in subject header)
If you wish to enquire further about how your personal data is processed, wish to make an individual rights request, ask for information to be provided, or to raise a data protection related complaint, please contact our Data Protection Officer.
Write to us
C/O Data Protection Officer
Blind Veterans UK
3 Queen Square
020 4534 1127 (direct dial)
Appendix: List of data processors
Care Inspectorate | Scottish Care regulator | Privacy notice: Care inspectorate (Scotland)
Public Health Wales | Care Sector Requirement | Privacy Notice: Public Health Wales
Social Care Conwy | Care Sector Requirement | Privacy notice: Social Care Wales
Consortio Security | Site CCTV | Data Protection Policy: Consortio Security
Assa Abloy | Security door system | Privacy Notice - ASSA ABLOY Opening Solutions
Site Doctor | Care of beneficiaries | Woodingdean Medical Centre
Site Doctor | Care of beneficiaries | Saltdean and Rottingdean Medical Practice
Site Dentist | Care of beneficiaries | N/A
NHS - Covid | Mandatory reporting requirement | Privacy notice: GOV.UK