Privacy Notice

In this Privacy Policy, “The Forward Trust”, “Forward”, “we”, or “our” means:

• The Forward Trust (Registered Company (2560474) and Registered charity in England and Wales (1001701)
• Vision Housing
• Blue Sky Services
• The Bridges
• More Than My Past

In this notice “Forward”, “the charity”, “we” and “our” means The Forward Trust.

Our head office is located at:

Forward Trust
Edinburgh House, unit 106
170 Kennington Lane
London
SE11 5DP

You may know us by another name such as Vision Housing, Blue Sky Services, The Bridges, Clouds House, The Brink, More Than My Past, or our social enterprise Amenity Landscaping. Sometimes a reference number is the easiest way to find us, below are some of the places we are registered, and the number to find us there:

Charity Commission & Fundraising Regulator 1001701

Companies House 2560474

Information Commissioner’s Office (ICO) Z7310452

Care Quality Commission 1-126776256

Office for Standards in Education, Children’s Services and Skills (Ofsted) 2674166

Depending on your interactions with us we collect information from a variety of sources such as:

• When you use our services
• When you visit our websites
• When you provide information to us directly such as through a contact form or when making a donation
• When you provide it to us indirectly via a third party – such as via professional referrals, where you’ve given them permission to share the information they hold about you with us
• Other sources (such as social media or information available in the public domain)
• When you choose to complete surveys
• When you apply for a job with us, or for volunteering role

Part of our work is commissioned by other organisations, in such cases our charity will perform tasks on behalf of a local authority, NHS Trust or other public authority. In those cases, Forward will usually be a ‘processor’ on behalf of a ‘controller’. In plain English, Forward will only have access to the data for specific reasons, and only for as long as the organisation who is primarily responsible permits this.

The Forward Trust has implemented all appropriate technical and organisational measures to keep your data confidential and secure – and as cyber risks and standards evolve, we continuously evolve too. Don’t just take our word for it, the Forward Trust’s Information Management was audited against these standards which you can verify using the links below:

NHS Data Security and Protection Toolkit “Standards Exceeded”
Cyber Essentials
Cyber Essentials Plus
ISO/IEC 27001:2013 Information Security Management Systems

The Forward Trust has a strong and experienced IT team, which ensures that our systems are secured in line with best practice. Forward has a highly qualified Data Protection and Information Governance team, which ensures data is processed lawfully; while ensuring appropriate standards on for instance robust access controls, data retention, staff training and awareness. Additionally, two of Forward’s Directors were appointed as ‘Caldicott Guardians’, who oversee the confidentiality of people’s health and care information, so it is protected, and confidential information is used ethically.

Let’s first clarify ‘processing’ since it can mean a lot of different things; processing includes storing, collecting, retrieving, using, combining, erasing and destroying personal data – both automatically and manually.

The law says we may only process personal data if we have an appropriate ‘lawful basis’. The relevant legal bases are set out in the UK General Data Protection Regulation and the Data Protection Act 2018. The lawful bases that apply will affect what specific rights you have in relation to your data. The Information Commissioner’s Office (ICO) provides useful information. We list these six lawful bases below together with some of the most common situations, but please contact dataprotection@forwardtrust.org.uk if you would like to know how this works in your specific situation.

Consent

You have given clear consent to Forward for us to process specific personal data for a specific purpose. You have the right to withhold your consent, or to withdraw your consent at any time.

• Consent is the only lawful basis for marketing by e-mail and SMS.
• Consent is used whenever we like to use or pass on the health data of our clients for secondary purposes, such as health research and statistical analysis. For example, most of our clients are asked to consent to us passing their pseudonymized data for the National Statistics about Drug and Alcohol Misuse Treatment (NDTMS). We feel the NDTMS is invaluable at improving addiction support across the UK, but the support clients would receive from Forward would never be affected by their decision to consent, or withhold consent, to NDTMS purposes.
• Consent is in most cases (but not always!) the basis we use for referrals (e.g. to provide you with additional support) and for your general care.

Contract

The processing is necessary for a contract you have with us, or because you have asked us to take specific steps before entering into a contract.

• ‘Contract’ together with ‘Legal Obligation’ are the primary lawful bases on which we process staff information.
• We keep your details based on ‘Contract’ if you are funded by us to perform specific research, or if you have applied to us for research funding.
• In some situations, clients may also have a contract between Forward and themselves.

Legal Obligation

The processing is necessary for us to comply with the law.

The Forward Trust is legally required to process certain personal data, for example:

• Payroll data for HMRC
• The name and address of donors who opted to Gift Aid also needs to be kept for HMRC
• The Care Quality Commission requires us to keep certain data of our clients so that the quality of our services can be audited
• Under section 19 of Terrorism Act 2000 it is an offence for a person not to disclose their belief or suspicion that another person has committed a terrorist offence.
• A court may require us to keep, or share, specific information.

Vital Interests

The processing is necessary to protect your life or that of somebody else.

• Safeguarding reasons, for instance if the Forward team believes you may be at risk of self-harm or risk of harm to any person, especially children. This relates to harm that is serious, foreseeable, and imminent.
• Your information needs to be shared for urgent medical reasons, and you are not able to provide/withhold consent.

Public Task

The processing is necessary for Forward to perform a task in the public interest, and the task or function has a clear basis in law.

• The Forward Trust is commissioned by Councils, the NHS and others to provide certain services on their behalf. In those situations, Forward may process your personal data on a Public Task basis, for instance based on the Homelessness Act 2002.

Legitimate Interest

The processing is necessary for Forward’s legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.

Legitimate Interest is generally seen as the most flexible lawful basis, but is only used by Forward following a documented assessment of the following questions:

• Purpose test – is there a legitimate interest behind the processing?
• Necessity test – is the processing necessary for that purpose?
• Balancing test – is the legitimate interest overridden by the individual’s interests, rights or freedoms?

We use Legitimate Interest for processing surveillance video “CCTV”, and for our internal data analysis for the purpose of service improvement.

• Some of our sites use security cameras to protect our clients, staff and property; while proportionate, non-intrusive, use of video surveillance is clearly legitimate, it’s easy to understand why none of the other lawful bases would be suitable for this purpose.
• Legitimate Interest may be appropriate in situations where Consent would not be practical or appropriate, for instance if service users lack the ability to consent, for instance when they are unconscious or intoxicated.
• Legitimate Interests may be used to contact clients by email or SMS; e.g. to confirm an appointment, or to request a client to contact Forward. (Forward never uses Legitimate Interest for marketing emails)
• Legitimate interest is also often used by Forward in situations where individuals may not feel free to withhold consent and it would thus be unfair to ask for their consent, in such situations it’s more transparent to put the full responsibility for the decision on Forward.
• We rely on legitimate interest when we do analysis and profiling of our supporters using personal information we already hold.
• We rely on legitimate interest to hold the emergency ‘next of kin’ contact details of our clients.

UK GDPR specifically prohibits the processing of certain types of personal data which are considered more sensitive under human rights law, this includes health data, criminal offence data, ethnic origin, information related to religious beliefs and sexual preferences.

Clearly, such information is often vital for Forward to provide our clients with tailored care and support, and therefore organisations like the Forward Trust are allowed to process such data when -besides the above-mentioned lawful bases- additional conditions are met.

Please contact dataprotection@forwardtrust.org.uk if you like to know this information for specific information that is processed by our charity, but the following may apply:

• Article 9(2)(a) where the data subject has given explicit consent; for instance, for the purpose of equality and diversity and inclusion monitoring.
• Article 9(2)(b) which relates to carrying out our obligations and exercising our rights in employment and the safeguarding of your fundamental rights; for instance, so that we can provide reasonable adjustments to staff with disabilities.
• Article 9(2)(c) to protect your vital interests or those of another person where you are incapable of giving your consent; for instance, in cases of confidential safeguarding referrals.
• Article 9(2)(f) for the establishment, exercise or defense of legal claims.
• Article 9(2)(g) processing is necessary for reasons of public interest in the area of public health or ensuring high standards of quality and safety of health care; this will for instance allow us to keep records of the care and support we have provided so that these can be audited by regulatory bodies.
• Article 9(2)(h) for the purposes of preventative or occupational medicine and assessing your working capacity as an employee.

You have rights under data protection laws, though none of these rights are absolute. We may for instance need to redact some of the data we have about you when this data also identifies another person, and disclosure would harm the rights of this other individual, or we may be legally required to retain some of your personal data. However, as a charity with a strong human rights ethos we value these rights, and the data protection team will help you with your request without undue delay. We only charge for this in very specific and unusual situations, and we would inform you of this before you incur any costs.

Below are the most important individual rights under UK GDPR.

The right of access
You have the right to ask us for copies of your personal data which for instance allows you to verify that the information we have about you is correct and proportionate. This is known as a Data Subject Access Request, ‘DSAR’ or ‘SAR’.

If the data we hold about you is processed by Forward on behalf of another organisation, such as a Council or NHS Trust, we will pass on your request or assist you in contacting the right person.

Click here for more detailed information on this right.

The right to rectification
You have the right to ask us to rectify personal data you think is inaccurate. You also have the right to ask us to complete information you think is incomplete. We hate to get things wrong so please use this right if you feel that the information we have about you is incorrect or incomplete!

The right to erasure
You have the right to ask us to erase your personal data, this right is often referred to as the right to be forgotten. This right can usually only apply to data we process on the basis of your consent, or where processing is inappropriate.

The right to restriction of processing
You have the right to ask us to restrict the processing of your personal data. For instance, if you withdraw your consent to our fundraising emails, we will stop sending such emails to you as you have restricted that form of processing, but we may still process your email address for other reasons, e.g. to allow you to access our digital platforms.

The right to object to processing
You have the right to object to the processing of your personal data.

The right to data portability
You have the right to ask that we transfer the personal data you gave us to another organisation, or to you. This may usually only apply to information you have provided us with yourself and that is in digital form.

We will never ever sell your personal data, but in some circumstances, and depending on the purpose for which we process your personal data, we may share information with third parties such as:

• HMRC
• Your GP
• Employee benefit schemes
• Health and benefit suppliers
• External auditors including the Care Quality Commission (CQC) and Ofsted
• The Nursing and Midwifery Council

Like any organisation, we also use ‘data processors’, which are third party organisations that process personal data, or have potential access to personal data, while The Forward Trust remains primarily responsible. Examples include Microsoft (which host Forward Trust data on its UK servers), other charities that have been subcontracted to perform tasks on Forward’s behalf, a provider of IT support services. Crucially, any ‘data processor’ is legally and contractually required to implement all reasonable technical and organisational measures to keep the data secure, and to return the data to Forward if instructed to do so. And your rights under UK GDPR are not affected by the use of data processors.

Forward will often also refer clients to other support providers; when a client has additional support, such as a specific medical condition, needs that don’t fully align with Forward’s expertise. Or for instance when a client is based in an area where Forward doesn’t provide recovery support or support to find housing or employment. Only in very rare and specific circumstances are such referrals made without the client’s consent, and only if another appropriate lawful basis has been identified.

Most of Forward’s clients will also be asked for their consent in order for Forward to share some pseudonymous details with the National Drug and Alcohol Treatment Monitoring System (NDTMS) which collects person level, patient identifiable data from drug and alcohol treatment providers at a national level for the purpose of:

• monitoring the effectiveness of drug and alcohol treatment services.
• supporting the improvement of outcomes for service users.
• planning and developing services that best meet local needs.

No such data will be shared with the NDTMS or for other research purposes without your informed consent for this purpose.

Finally, in some situations Forward may need to share personal data without consent, for instance if the Forward team believes you may be at risk of self-harm or risk of harm to any person, especially children. This relates to harm that is serious, foreseeable, and imminent. Or when we are legally required to provide information, for instance based on a Court Order. Even in the latter case we carefully assess whether it would be fair and lawful to provide the requested information.

For client data it is Forward’s policy to only use servers based in the United Kingdom, and there are very few exceptions to this rule. Where data is kept in the European Economic Area, or elsewhere, this will only be for optional services, and clients will be informed where this would be the case.

Most staff data is kept within the UK or EEA, though some systems process basic staff details (name, position, email address) in the United States. If the latter applies this will be done under the UK Extension to the EU-US Data Privacy Framework” (UK Extension) under Article 45 of the UK General Data Protection Regulation (GDPR) or the international data transfer agreement (IDTA), the international data transfer addendum to the European Commission’s standard contractual clauses

The Forward Trust does not use automated decision-making.

One of the principles of UK data protection legislation is that personal data should not be kept longer than needed, so how long do we keep personal data? It depends…

Whenever the Forward Trust processes information on behalf of another organisation, for instance a Council or the NHS, this other organisation, the ‘controller’, will decide how long Forward will need to retain this information, this means that different retention periods may exist across different Forward teams.

Where Forward determine the purposes and means by which personal data is processed things are a little more straightforward, but it’s still not an easy answer. Data that relates to taxes will usually, by law, have to be kept for a minimum of ‘six years plus current’, so seven years. Information related to Forward’s governance as a registered charity and private limited company will normally have to be kept for ten years. For most information, the law does not mandate or even suggest a specific retention period. The Forward Trust has a detailed minimum retention schedule based on legal considerations, such as the Limitations Act 1980, best practice such as the NHS Records Management Code of Practice, the likeliness that our records may still potentially benefit our former clients and our practical operational considerations. When data has reached the end of its retention period, it will be deleted or permanently anonymized. In the latter case, for example by aggregation with other data, it becomes non-identifiable.

Forward’s retention schedule is regularly reviewed. Below are some of the main retention periods, but please contact dataprotection@forwardtrust.org.uk if you have any questions or concerns about how long we intend to keep your personal data.

Retention schedule (extract)

We hope this Privacy Notice has been helpful in setting out the way we handle your personal data and your rights to control it.

If you have any questions that haven’t been covered, please contact our Data Protection team, we will be pleased to help you, please email us at dataprotection@forwardtrust.org.uk or write to us at:

Data Protection Officer
Governance and Quality Assurance Department
The Forward Trust
Unit 106 Edinburgh House
170 Kennington Lane London
SE11 5DP

You also have the right to lodge a complaint about any use of your information with the Information Commissioner’s Office (ICO)

The ICO’s address:

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Helpline number: 0303 123 1113

Website: https://www.ico.org.uk/make-a-complaint

We may change this Privacy Notice from time to time. If we make any significant changes in the way we treat your personal information we will make this clear to you.

Change log

• July 2024 Notice revised and published
• September 2022 Notice Updated
• 6 April 2021 Notice updated
• 11 May 2020 Notice updated
• 19 November 2019 Notice updated
• 13 November 2019 Notice updated
• 20 March 2019 Notice updated
• 14 September Notice published