Data Privacy Policy
Data protection guidance and template policies and privacy notices.
This document has been automatically migrated from the Nightline Association’s policy library, and formatting has not yet been corrected. View the PDF version of this guidance and suggested privacy notice.
Data Privacy Policy
Background
Our practices are aligned with the General Data Protection Regulation UK (GDPR UK), which came into effect on the 31st December 2020, and the existing ePrivacy regulation, called the Privacy and Electronic Communications Regulation (PECR).
The GDPR requires that Data Controllers (defined as those who take ultimate responsibility for the data) provide certain information to people whose Personal Data they hold and use. A Privacy Notice (sometimes also referred to as a Fair Processing Notice) is one way of providing this information.
A Privacy Notice is required to satisfy the transparency and purpose limitation requirements mentioned above. Articles 13 and 14 of GDPR state the information that must be provided.
Information to be provided
Privacy Notices must include, as a minimum:
- the name and contact details of the organisation;
- the name and contact details of the representative and Data Protection Officer;
- the purposes of the Processing;
- the lawful basis for the Processing;
- the recipients of the Personal Data;
- the retention periods for the Personal Data;
- the rights available to individuals in terms of the data Processing;
- the right to withdraw consent; and
- the right to lodge a complaint.
The information must be clear, concise, transparent and easily accessible. It must be regularly reviewed and updated when necessary, with people informed about changes.
Example Policy (X Nightline)
What is personal data?
‘Personal data’ is information that is personally identifiable, i.e. you can use the data to find out who it is about.
This could be:
- A name
- Date of birth
- Location data
- Ethnicity
‘Special category data’ is more sensitive information, for example genetic information or records of previous criminal offences.
Your rights
We want to inform you of your rights when it comes to your data and we would like to help you to better understand them. These are:
Consenting to data processing
By disclosing personal data to X Nightline, you are consenting to the collection, storage and processing of data in the manner described in this policy, unless clearly stated otherwise.
The right to access a copy of the personal data we hold.
You, or an organisation with legal purpose, can request a copy of your personal data for legitimate purposes. This is known as a ‘Subject Access Request’. To request this, contact us using the contact details at the end of this policy. Please note that proof of identity and the reason for your request will be necessary for X Nightline to respond appropriately. We may ask for further details if needed.
The right to be “erased”.
This is where you can request that X Nightline delete the data that we hold on you. Please note that this will not apply if there is a lawful duty for us to continue to use the data we hold about you. To request this, contact us using the contact details at the end of this policy.
The right to rectify inaccurate data.
As detailed above you can make corrections to the data we hold about you. To request this, contact us using the contact details at the end of this policy.
Why we Collect your Data
At X Nightline, we would like to build long-lasting relationships with our volunteers, supporters and contacts based on trust, transparency and compassion; and we want to provide the best service possible.
‘Processing’ is the action that X Nightline takes when collecting, updating, storing or accessing an individual’s personal data to produce meaningful information which helps X Nightline to grow and develop.
Processing your data enables us to understand you better, communicate with you and others in the most appropriate way and adhere to best practices whereby your data and preferences are kept up to date.
In turn, this better equips us to fulfil our aims: to ensure that every student at an educational institution based in (X Nightline) is aware of, and has access to, confidential emotional peer support, which is non-advisory, non-judgemental, and open all night from 8pm-8am.
How we Process and Use your Data
At X Nightline, we only collect the data we need and we only share it on a need to know basis. We do not sell or share personal data externally except when we are required by law to do so.
We store most of our data on G Suite (i.e. Gmail, Google Drive). It is secured and supported by Google and has been security assessed by independent organisations (including the National Cyber Security Centre: https://www.ncsc.gov.uk/guidance/g-suite-security-review). We store some data on other systems when G Suite is not the best place. For every system we use, we check that it complies with privacy laws and that it has good privacy and security practices.
Our parent organisation, the Nightline Association, provides us with guidance on best practice in the secure use of G Suite and in data security.
Nightline Service Users
Some personal data (IP addresses, email addresses, etc.) and messages are stored in the databases of our anonymous instant messaging and email software, which is provided to X Nightline by our parent organisation, the Nightline Association. Volunteers at X Nightline cannot access any personal data, and the Nightline Association does not access the databases, except in exceptional circumstances where system administrators must undertake system maintenance.
Any service data about service users, which we pass onto the Nightline Association for statistical analysis, remains anonymous and is therefore not considered personal data under GDPR.
Volunteers and Potential Volunteers
At X Nightline we recruit annually in October. During this process, we collect some information from everyone who registers their interest in volunteering. This includes their email address and the institution where they study. In addition to this, we also ask the applicants general questions about themselves to assess their suitability for the role. Once the recruiting procedure is over, we retain the information for one year. The information is not shared with anyone outside of X Nightline before, during or after the recruitment drive.
We have an equal opportunities policy; therefore, we do not ask our applicants during any part of recruitment about their age, race, sex, religion, political association, ethnic origin, disability or sexual orientation.
If you wish to withdraw the information that you have shared with us or discuss this further, please email us at >…< and we will get back to you ASAP.
Website Visitors
When you visit the X Nightline website, we automatically collect certain information about your device, including information about your web browser, IP address, time zone, and some of the cookies that are installed on your device. Additionally, as you browse the website, we collect information about the individual web pages or products that you view, what websites or search terms referred you to the Site, and information about how you interact with the Site. We refer to this automatically-collected information as “Device Information”.
“Cookies” are data files that are placed on your device or computer and often include an anonymous unique identifier. Cookies are sent to your browser from a web site and stored on your computer’s hard drive.
X Nightline uses “cookies” to collect information. You can opt-out of cookies but you are required to do this proactively by changing the setting in your browser – unfortunately, we cannot control this on your behalf. For more information about cookies, and how to disable cookies, visit http://www.allaboutcookies.org.
Anonymised data from visitors to our website will be collected, including your interaction with our website and cookies to track which pages you visit. This helps us to analyse how our website is being used and how we can improve.
You can choose to opt-out of cookies by changing the setting of your browser.
Social Media and Third Party Advertisers
X Nightline may choose to use third-party advertising on their social media platforms. In this case, cookies enable the advertiser to offer customised suggestions to you and to understand the information we receive about you, including information about your use of other websites and apps, whether or not you are registered or logged in.
To show adverts that are relevant to you, the advertiser uses information about what you do on social media and on third-party sites and apps you use. For example, you might see ads based on the people you follow and things you like on Instagram, your information and interests on Facebook, and the websites and apps you visit.
To know more about the information collected by Facebook, for example, please check the following link: https://www.facebook.com/about/privacy.
For more information about how targeted advertising works, you can visit the Network Advertising Initiative’s (“NAI”) educational page at: http://www.networkadvertising.org/understanding-online-advertising/how-does-it-work.
You can opt out of targeted advertising by using the links below:
- Facebook: https://www.facebook.com/settings/?tab=ads
- Google: https://www.google.com/settings/ads/anonymous
- Bing: https://advertise.bingads.microsoft.com/en-us/resources/policies/personalized-ads
Additionally, you can opt out of some of these services by visiting the Digital Advertising Alliance’s opt-out portal at: http://optout.aboutads.info
Monitoring vulnerability
Children and Young People
X Nightline is not a service designed for use by those under the age of 18 (“Children”).
Nightlines are required to disclose personal information of children in these circumstances:
- We believe your life or someone else’s life is in danger
- A child is being hurt by someone in a position of trust such as a teacher, religious leader etc.
- You tell us that you’re seriously hurting another person
- You tell us about another child who’s being hurt and is not able to tell someone or understand what is happening to them
- We’re told we have to by law, for example for a court case.
Sharing Data
All data collected will be shared amongst the committee members on a need-to-know basis. This will be anonymised and non-identifiable.
On occasion, this data may also be shared with volunteers of the service if it is deemed helpful. When this occurs, the data will remain anonymous and non-identifiable as highlighted above.
There are only four specific situations when information collected from our callers will be shared with external organisations. These are:
- Terrorism: Any calls relating to a threat of, or information about, a terrorist act will be forwarded on to the police. More information can be found in our Disclosure to Third Parties policy.
- Safeguarding: Any calls where there is a threat to either a child or a vulnerable adult will be forwarded on to the police. More information can be found in our Disclosure to Third Parties policy.
- Suicide: Any calls where there is a serious risk of harm to the caller will be forwarded to the emergency services. More information can be found in our Suicide Policy.
- Court Order: Information may be disclosed to the police if requested under a court order by a judge.
If you have any questions about how data is processed within X Nightline please contact us at coordinator@Xnightline.co.uk
GDPR:
The UK GDPR is the retained EU law version of the General Data Protection Regulation ((EU) 2016/679) (EU GDPR). It forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 and as amended by Schedule 1 to the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (SI 2019/419).
It is defined in section 3(10) of the Data Protection Act 2018 (DPA 2018), supplemented by section 205(4).
Updated 11th May 2021
Model Privacy Notice
*The parts in red you should edit to reflect your Nightline’s policy and details*
[Insert Nightline Name] Privacy Notice
Date privacy notice was completed:
Our organisational details:
Name:
Phone Number:
Email:
Our governing body’s details [if your Nightline is not an independent body]:
Name: [this is the organisation/institution your Nightline is legally a part of, e.g. X Students’ Union]
Phone Number:
Email:
Useful Definitions
‘Personal data’ is information that is personally identifiable, i.e. you can use the data to find out who it is about. This could be a name, date of birth or location data.
‘Special category data’ is more sensitive information, for example, health or genetic information.
‘Processing’ is the action that X Nightline or a trusted third party takes when collecting, updating, storing, or sharing an individual’s personal data.
‘We’ or ‘Nightline’ refers to X Nightline.
Why we collect your data
We aim to minimise as much as possible the amount of personal data we process. We may process personal data where the law requires us to do so, in order to safeguard vulnerable individuals, to protect our volunteers’ wellbeing and to continuously improve and develop the services we provide.
All of our practices comply with UK GDPR. We have lawful bases for processing your personal data and special category data. The main lawful bases we rely upon are:
- We have a legal obligation
- Protecting vital interests
- Our legitimate interests as an organisation
How we protect your data
At Nightline, we only collect the data we need and we only share it on a need-to-know basis.
We do not share personal data externally with the exception of the circumstances outlined in this policy. In this situation, we will always make you aware of how your personal data might be affected and will always check that the organisation’s systems comply with privacy laws and have robust privacy and security practices.
[The below section is relevant should you use Google software for data storage. You will need to add information relating to any other system you use for data storage (such as Three Rings: https://www.threerings.org.uk/privacy-policy/).]
We store most of our data on Google Workspace (i.e. Gmail, Google Drive etc). It is secured and supported by Google and has been security assessed by independent organisations (including the National Cyber Security Centre: https://www.ncsc.gov.uk/guidance/g-suite-security-review). We store some personal data on other systems too. For every system we use, we check that it complies with privacy laws and has good privacy and security practices.
How we process your data
Nightline Service Users
As a general rule, Nightline does not store personal data of service users in call records. We keep call logs, but these are limited to primarily statistical information and no identifying information is recorded.
On some occasions, in order to detect and prevent abuse to Nightline services, we do collect data about calls we believe to be non-genuine, in order to prevent such calls taking place again in the future. This information includes details of the caller and the topics discussed on the call.
[The below section is relevant should you use Nightline Association software for email and/or IM. Otherwise you will need to add information relating to the system you use for these services.]
Some personal data (IP addresses, email addresses, etc.) and messages are stored in the databases of our anonymous instant messaging and email software, which is provided to Nightline by our umbrella organisation, the Nightline Association. Volunteers at Nightline cannot access any personal data, and the Nightline Association does not access the databases (unless requested by us as outlined below), except in exceptional circumstances where system administrators must undertake system maintenance.
In certain circumstances, Nightline may share personal data with a third party:
- Terrorism: Any information relating to an act or potential act of terrorism will be reported to the police in order to comply with our legal obligation under the Terrorism Act 2000.
- Safeguarding: Any calls where there is a threat to either a child or an adult at risk may require us to make a report to the police or to the local authority. This is done to meet our responsibilities to protect vulnerable individuals.
- Suicide: Where we receive a call where there is a serious risk of harm to the caller, we may pass personal data on to the emergency services in order to protect the vital interests of the caller.
- Court Order: Personal data may be disclosed to the police if requested under a court order. This is in order to meet our legal obligation to cooperate.
- Abuses of the Service: Where a caller acts in an abusive or threatening manner towards our volunteers, we may disclose personal data of that caller to appropriate third parties. These parties include the police, other Nightlines, the Nightline Association and other authorities with responsibility for the welfare of our volunteers such as X University and X Students’ Union/Guild. This is done in order to serve our legitimate interest to protect our volunteers from harm and to keep the service available for genuine users.
Volunteers and Potential Volunteers
During the process of recruiting new volunteers, we collect some information from everyone who registers their interest in volunteering. The data collected includes the following:
[Insert bulleted list of personal data you retain on volunteers which will usually include information such as name, email, phone number and address.]
Once the recruiting procedure is over, we retain the information of unsuccessful applicants for [retention period e.g. 1 month]. The information is not shared with anyone outside of Nightline before, during or after the recruitment drive.
For our volunteers, we store this data (along with other relevant information such as the number of shifts you complete and ongoing training sessions you attend) for as long as you are a volunteer and for [retention period] after you leave the Nightline.
We collect this information in order to administer the recruitment process and effectively run the service.
Website Visitors
When you visit the X Nightline website, we automatically collect certain information about your device, including information about your web browser, IP address, time zone, and some of the cookies that are installed on your device. Additionally, as you browse the website, we collect information about the individual web pages or products that you view, what websites or search terms referred you to the Site, and information about how you interact with the Site. We refer to this automatically-collected information as “Device Information”.
“Cookies” are data files that are placed on your device or computer and often include an anonymous unique identifier. Cookies are sent to your browser from a web site and stored on your computer’s hard drive.
X Nightline uses “cookies” to collect information. You can opt-out of cookies but you are required to do this proactively by changing the setting in your browser – unfortunately, we cannot control this on your behalf. For more information about cookies, and how to disable cookies, visit http://www.allaboutcookies.org.
Anonymised data from visitors to our website will be collected, including your interaction with our website and cookies to track which pages you visit. This helps us to analyse how our website is being used and how we can improve.
Social Media (if you use sponsored advertising)
X Nightline may choose to use sponsored advertising on our social media platforms. In this case cookies enable the advertiser to offer customised suggestions to you and to understand the information we receive about you, including information about your use of other websites and apps, whether or not you are registered or logged in.
To show adverts that are relevant to you, the advertiser uses information about what you do on social media and on third-party sites and apps you use. For example, you might see ads based on the people you follow and things you like on Instagram, your information and interests on Facebook, and the websites and apps you visit.
To know more about the information collected by Facebook, for example, please check the following link: https://www.facebook.com/about/privacy.
For more information about how targeted advertising works, you can visit the Network Advertising Initiative’s (“NAI”) educational page at: http://www.networkadvertising.org/understanding-online-advertising/how-does-it-work.
You can opt out of targeted advertising by using the links below:
Additionally, you can opt out of some of these services by visiting the Digital Advertising Alliance’s opt-out portal at: http://optout.aboutads.info
Data Retention Periods
We only keep your information for as long as is necessary for the relevant purpose. We use a number of criteria for determining the retention period, including obligations under law, our legitimate interests, and consideration of the original purpose we collected it for.
Your rights
The right to be informed
You have the right to be provided with clear, transparent and easily understandable information about how we use your information and rights. This is why we are providing you with the information in this policy. If you have any additional questions, you can contact us using the contact details at the end of this policy.
The right to object
You always have the right to object to certain types of processing, including the option to stop receiving information from us across all of our communication channels (which is known as processing for direct marketing). This is at your discretion and we will respect your choice. However, for us to enact this we encourage you to notify us. You can use unsubscribe links on emails or contact us using the contact details at the end of this policy.
The right to access a copy of the personal data we hold.
You, or an organisation with legal purpose, can request a copy of your personal data for legitimate purposes. This is known as a ‘Subject Access Request’. To request this, contact us using the contact details at the end of this policy. Please note that proof of identity may be required and providing the reason for your request will allow X Nightline to respond most appropriately. We may ask for further details if needed.
The right to erasure
This is where you can request that X Nightline delete the data that we hold on you. Please note that this will not apply if there is a lawful basis for us to continue to use the data we hold about you. To request this, contact us using the contact details at the end of this policy.
The right to rectify inaccurate data
As detailed above you can make corrections to the data we hold about you. To request this, contact us using the contact details at the end of this policy.
The right to restrict processing
You have rights to ‘block’ or suppress further use of your information. When processing is restricted, we can still store your information, but may not use it further. We keep lists of people who have asked for further use of their information to be ‘blocked’ to make sure the restriction is respected in future.
The right to data portability
You have rights to obtain and re-use your personal data for your own purposes across different services.
The right to lodge a complaint
You can lodge a complaint about the way we handle or process your personal data with us or your national data protection regulator.
Contact [insert your Nightline’s email/channels for submitting complaints]. We will respond to your complaint within 48 hours.
The national data protection regulator for the UK is the Information Commissioner’s Office (ICO) and they can be contacted here: https://ico.org.uk/global/contact-us/.