Tackling malnutrition in older people living at home in Scotland

Privacy Policy

Food Train is required to collect, store and process certain personal data to carry out our day to day charitable activities, meet our aims and vision and comply with legal obligations.

Food Train is committed to ensuring your personal data is dealt with in line with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018). To comply with the law and your right to be informed, this policy outlines why we need your personal data, what we do with your data, how long we will retain the data for and how you can exercise your rights in relation to our handling of your data.

Data Protection Principles

Personal data must be processed in accordance with six 'Data Protection Principles'. It must:

  • be processed fairly, lawfully and transparently
  • be collected and processed only for specified, explicit and legitimate purposes
  • be adequate, relevant and limited to what is necessary for the purposes for which it is processed
  • be accurate and kept up to date. Any inaccurate data must be deleted or rectified without delay
  • not be kept for longer than is necessary for the purposes for which it is processed
  • be processed securely

We are accountable for these principles and must be able to show that we are compliant.

Who we collect personal data from

  • our members (service users)
  • our volunteers
  • our staff
  • prospective staff
  • our directors
  • our donors
  • referrers/emergency contact/member's identified contact
  • professionals/individuals involved in the support of older people
  • grant applicants
  • training participants
  • research participants

The personal data we collect

Members (service users)

If you are a Food Train member (service user), the data we will collect and hold includes your name, home address, telephone number, date of birth and emergency or identified contact. Our lawful basis for collecting and processing this information is to allow us to fulfil our contractual obligation in providing you with a service.

We will also ask for some basic information about your health, access and support needs to ensure the service we are providing you with is appropriate and tailored to your needs. Our lawful basis for collecting and processing this information is also to fulfil our contractual obligation. Processing is necessary to provide you with a social care service.

We may also ask your permission to take, store and use photographs of you taken during the course of service delivery for the purposes of service promotion or evaluation. Our lawful basis for collecting and processing this data is consent. At the time of providing your consent, we will ensure you are notified of how we plan to use the photographs and how long we plan to continue using them.

From time to time, we may ask you how our services have helped you. This is for the purpose of service evaluation and to allow us to improve our services. This information will only be gathered with your consent.

All member data is stored electronically on a membership database, accessed only by approved staff and volunteers and our IT support provider. Hard copy referral forms are stored in local offices in locked cabinets with restricted access to keys.

Your details will be removed immediately upon cessation of membership, unless appropriate and justifiable reason exists to retain for a limited period. An example of a justifiable reason may be the need to reconcile your account following the end of your service, this may take a number of weeks to complete.

Volunteers

If you are a Food Train volunteer, the data we will collect and hold includes your name, home address, telephone number, email address, date of birth, driving license details, PVG scheme record number and personal referee information. Our lawful basis for collecting and processing this information is to allow us to fulfil our contractual obligation of volunteer employment with you.

We will ask you for basic information about your health, access and support needs relevant to your volunteering role. This information allows us to assess the suitability of the role to you and to put in place any appropriate support that will help you to conduct your role. Our lawful basis for collecting and processing this information is also to fulfil our contractual obligation. Processing is necessary for assessing your work capacity.

We may also ask your permission to take, store and use photographs of you taken during the course of service delivery or while involved in other Food Train activities, such as training or volunteer meetings. Our lawful basis for collecting and processing this data is consent. At the time of providing your consent, we will ensure you are notified of how we plan to use the photographs and how long we plan to continue using them for promotional or service evaluation purposes.

From time to time, we may ask you how volunteering with Food Train has impacted on your life. This is for the purpose of service evaluation and to allow us to improve our services. This information will only be gathered with your consent.

All volunteer data is stored electronically on a membership database, accessed only by approved staff and volunteers and our IT support provider. Hard copy referral forms are stored in local offices in locked cabinets with restricted access to keys.

Protecting Vulnerable Groups Scheme records are kept in accordance with the law and destroyed securely within the timeframe set out by Disclosure Scotland.

If you are a volunteer within our branch-based services, your details will be removed immediately upon cessation of volunteering, unless appropriate and justifiable reason exists to retain for a limited period. An example of a justifiable reason might be your expressed uncertainty around the possibility of returning to your volunteer role after a short break.

If you are a volunteer within our platform-based services (i.e. Meal Makers or Connects), your details will similarly be removed immediately if you advise us you wish to stop volunteering or no longer be available as a volunteer. If you have signed up as a volunteer but not fully completed the vetting process and/or failed to be in contact with us for more than one year, we will email you to advise of our intention to soon delete your volunteer profile. We will send a reminder two weeks later and delete your profile after a further two weeks, unless you advise us otherwise.

Staff

If you are a Food Train employee, we will hold your name, home address, telephone number, date of birth, national insurance number, emergency contact details, bank details, PVG scheme record details, employment contract copy, holiday data, appraisal data, salary data, pension data and employment management information. Our lawful basis for collecting and processing this information is to allow us to fulfil our contractual obligation of employment with you.

We will ask you for basic information about your health, access and support needs and record sickness data. This information allows us to put appropriate support in place during your employment where necessary and to manage our company sickness levels. Our lawful basis for collecting and processing this information is also to fulfil our contractual obligation of employment with you. Processing is necessary for carrying out our obligations under employment law.

All staff data is stored securely in locked files in Food Train Head Office and only accessed by those authorised by the Chief Executive.

Staff data is held for 7 years (after an employee leaves the organisation) in accordance with company law, after which it is securely destroyed.

Prospective staff

If you apply for a job at Food Train, we will request certain personal data from you to process your application and assess your suitability for the role. Data collected during the recruitment process includes name, contact details, educational achievements, employment history, referee contact details, and shortlisting and interview records. Our lawful basis for collecting and processing this information is the necessity to undertake this step to enter into a contract of employment.

We will ask you for basic information about your access and support needs. This information allows us to put appropriate support in place during the interview stage of recruitment. Our lawful basis for collecting and processing this information is also the necessity to undertake this step to enter into a contract of employment. Processing is necessary for carrying out our obligations under employment law.

Recruitment files for non-appointed applicants are stored for 6 months in accordance with best practice, then securely destroyed.

Directors

If you are a Food Train Director, the data we hold about you includes your name, home address, telephone number, email address, date of birth, current directorships, employment status, a short biography and board meeting attendance. Our lawful basis for collecting and processing this information is to comply with our legal obligations in relation to charity law.

All director data is stored electronically within a director register, accessed only by approved staff and volunteers. Hard copy application forms are stored at Head Office in locked cabinets with restricted access to keys.

Director data is held for 7 years (after retirement) in accordance with company law, after which it is securely destroyed.

Donors

If you are a Food Train donor, the data we hold about you includes your name, home address, donation method, donation amounts, Gift Aid eligibility and your reasons for donating. Our lawful basis for collecting and processing this information is consent.

All donor data is stored electronically on a donor database, accessed only by approved staff and volunteers.

Hard copy records for Gift Aid purposes are stored securely in Head Office and destroyed following the time lapse in accordance with Company Law.

Referrers/ Emergency contact/ Member's identified contact.

If you have referred an older person to Food Train or been identified as a next of kin or relevant contact person, we may hold your personal contact details, including name, job role, organisation, postal address, email address and telephone number. This data is used to keep you informed of progress with the referral and the referred individual's support where applicable. Our lawful basis for collecting and processing this data is consent.

All referrer/next of kin/identified contact data is stored electronically on a membership database, accessed only by approved staff and volunteers and our IT support provider. Hard copy referral forms are stored in local offices in locked cabinets with restricted access to keys.

Your details may be stored for the duration of the related individual's membership of Food Train, however you have the right to request the deletion of your details at any time. When the related individual's membership ceases, your details will be automatically deleted along with theirs, unless you have indicated you would like to remain informed of the work of Food Train. In which case, your details may still be retained in our database of 'Professionals/ individuals involved in the support of older people' and processed as per the next section below.

Professionals/ individuals involved in the support of older people

If you are a professional/individual involved in the support of older people and have an interest in hearing about the work of Food Train for the further benefit of the older people you support, the data we hold about you might include your name, job title, postal address, email address, and telephone number. This data is used purely for sharing relevant information, news, developments and opportunities in relation to supporting older people at home. Our lawful basis for collecting and processing this information is usually consent but on occasion, we may also rely on your legitimate interest to further support the individuals you work with and our legitimate interest to further support our existing members (service users).

All contact details are stored electronically within a contacts database, accessed only by approved staff and volunteers. Hard copy consent forms are stored in locked cabinets with restricted access to keys.

Your data will be held for as long as we require it for the purpose listed above. You have the right to request a stop to any further communication from us at any time and the deletion of your contact details. Any electronic newsletters sent by Food Train will contain an unsubscribe button/link within the email.

We may also ask your permission to take, store and use photographs of you taken during the course of our professional involvement with you or whilst attending a Food Train event. This would be for the purposes of service/ project promotion, information sharing or evaluation. Our lawful basis for collecting and processing this data is consent. At the time of providing your consent, we will ensure you are notified of how we plan to use the photographs and how long we plan to continue using them.

Grant applicants/ holders

If you have applied for an Eat Well Age Well grant, the personal data we hold about you will include your name, preferred name, position in organisation (if relevant), postal address, email address, telephone number and names of any social media accounts or websites owned by you. If you are successful in securing a grant (and have applied as an individual rather than as a representative of an organisation), we may also ask you for your bank details to allow for the transfer of funds, as well as two forms of personal identification with address details. This data is only held for the purpose of administering your grant application/award. Our lawful basis for collecting and processing this information is to allow us to fulfil our contractual obligation as a grants administrator.

Your data is stored electronically on the Eat Well Age Well website and on our grants administration database, accessed only by approved staff. Hard copy files in relation to each grant holder are stored within locked filing cabinets, with key access restricted to authorised staff.

Your data will be held for the duration of our relationship with you during the funding period and for 7 years beyond in accordance with company law.

For the purpose of grant scheme evaluation and assessing the impact of our grant awards in achieving our Eat Well Age Well objectives, we will ask you to report on the outcomes of your funded activity. We will encourage you where possible to anonymise any personal data in relation to your project beneficiaries and if this is not possible, to confirm that you have sought the consent of your beneficiaries to share their data with us. Data we collect may be shared with our project funder, shared on our website or social media pages or used in publicly available reports/leaflets to demonstrate our impact.

Any personal data gathered about your beneficiaries for the purposes of impact assessment will be stored electronically within our Team Site and within hard copy grant holder files, as above. This data will be held for the duration of your relationship with us and for 7 years beyond, as above.

Training participants

If you are an individual who has applied to or attended an Eat Well Age Well training session, the personal data we hold about you might include your name and personal contact details, including your job role and organisation (if applicable), postal address, telephone number and email address. This data is held for the purposes of communicating with you about training sessions and keeping you informed about the Eat Well Age Well project. Our lawful basis for collecting and processing this information is consent.

Your data is stored electronically on our Eat Well Age Well administration database, accessed only by approved staff and our IT provider. Hard copy files are stored within locked filing cabinets, with key access restricted to authorised staff.

Your data will be held for the duration of the Eat Well Age Well project. You have the right to request a stop to any further communication from us at any time and the deletion of your contact details. Any electronic newsletters sent by Food Train will contain an unsubscribe button/link within the email.

We may also ask your permission to take, store and use photographs of you taken during the course of our professional involvement with you or whilst attending a Food Train event. This would be for the purposes of service/ project promotion, information sharing or evaluation. Our lawful basis for collecting and processing this data is consent. At the time of providing your consent, we will ensure you are notified of how we plan to use the photographs and how long we plan to continue using them.

Research participants

If you are an individual involved in our Eat Well Age Well research activity, the personal data we hold about you might include your name and personal contact details, including your job role and organisation (if applicable), postal address, telephone number and email address. This data is held for the purposes of communicating with you about your research participation and Eat Well Age Well project involvement. Our lawful basis for collecting and processing this information is consent.

If you are an older person with lived experience of malnutrition, we also ask for your date of birth or age and some health and social information that gives us a picture of health and social factors that are relevant to your diet and/or experience of malnutrition. Our lawful basis for collecting and processing this information is also consent. Processing of this information is necessary to allow us to achieve the objectives of our research.

For all participants taking part in our research, we ask your permission to take/record, store and use audio files, video files, text transcripts and photographs relating to your personal or professional experience of malnutrition. Our lawful basis for collecting and processing this data is consent. At the time of providing your consent, we will ensure you are notified of how we plan to use the files and only use your data in accordance with your instructions.

The information gathered from you is used to produce publicly available reports and case studies and may be used for our websites, social media, podcasts, training, campaigning and in press articles. You have the option to choose which of your identifiable information is used within our publications and can opt for this to be fully anonymised.

The information we collect from you during our research is kept securely in an online document storage system, is password protected and only accessed by approved staff and our IT provider. Your basic contact data is stored separately to your personal data about your experiences.

Your data will be held for the duration of our research project, then securely deleted. You have the right to withdraw your consent for Food Train to collect and process your personal information, or change the consent level agreed to, at any time up until the publication of our research findings.

How we collect data

Data is collected in a number of ways at Food Train, including face-to-face (e.g. volunteer interviews), telephone (e.g. customer sign-ups), email (e.g. job applications), and via our websites (e.g. donations, enquiries, referrals, volunteer sign-ups). At every data collection point, we will make you aware, prior to you providing any personal data, why we are asking for your data, how your data will be used and how long we will keep it for. A copy of our full up-to-date privacy policy will also be provided.

Food Train hosts 4 websites:

Our websites use cookies and Google analytics to allow us to provide an improved experience for the user. Please see our full Cookies Policy for further information.

How we keep your data secure

The security of your data is of paramount importance to us. Every category of data held at Food Train is given individual consideration and appropriate security measures are in place to ensure we are keeping it as secure as possible. In general, across the organisation, we take the following steps to ensure all personal data is kept secure at all times against unauthorised or unlawful loss or disclosure:

  • All electronic data is cloud hosted on a secure Team Site only accessible to approved Food Train employees and volunteers through approved passwords, and to our IT provider
  • All electronic data is backed up and stored by our IT provider
  • Restrictions and guidance on using the Team Site from mobile devices and home computers is in place for all staff and volunteers - any breach of this by paid staff is viewed and treated as misconduct and may be subject to disciplinary action
  • All hard copy files are stored in lockable cupboards with restricted access to keys
  • Personal data is not moved off site (paper copies and memory sticks) for any other purpose other than for daily service delivery purposes or when being taken to Head Office for storage
  • Hard copy service delivery documents are created, utilised, stored and/or destroyed upholding the principles of GDPR, the responsibility for ensuring the security of such paper records lies with all Food Train employees and volunteers
  • A clear desk policy applies to all Food Train employees, ensuring all confidential information is stored and/or filed securely and other paperwork on desks is kept to an appropriate and reasonable minimum

Sharing your data

Sometimes Food Train contractors or partner agencies may have access to your personal data while assisting us to conduct our business or provide a service to you. Such a contractor is our IT support provider. We require any contracted companies to keep your personal data confidential and secure and to protect it in accordance with the law and our policies. They are only permitted to process your data for the lawful purpose for which it has been shared and in accordance with our instructions.


We might share your personal data with partners, contractors and agents to carry out our obligations under our contract with you or to meet our legal obligations. Contractors and agents include:

  • Health and social care professionals (to further support our members)
  • Disclosure Scotland (staff and volunteers for criminal record checks)
  • HMRC (staff and donors for tax purposes)
  • Our pension provider (staff only)
  • Our legal advisers

Food Train does not send any personal data outside the European Economic Area where data protection legislation differs.

We also use third party service providers to allow us to carry out our work and communications with you more efficiently. In these circumstances, it may be necessary for us to share your data with these providers. Third party service provider applications used by Food Train include:

  • GoCardless - to process and administer direct debit payments
  • Google Analytics - to analyse our website traffic and usage
  • Google Maps - to map the locations of our customers and volunteers to allow for matching
  • Joomla - to deliver our websites
  • Mail Chimp - to send electronic newsletters and organisational updates to our stakeholders
  • MailGun - for email processing and monitoring
  • Microsoft Azure DevOps - for digital development and cloud-hosting
  • Microsoft Office 365 - to manage and store documents and share and communicate work effectively
  • PayPal - to process and administer credit and debit card payments
  • SendGrid - for automatic email processing and monitoring
  • SurveyMonkey - to undertake surveys to help us understand our impact and quality of service
  • Zoom - to participate in and deliver video meetings and online events

In using some third-party service providers, it may be necessary for some personal data to be transferred outside the UK where our service providers host, process, or store data in these countries. Where this is the case, we will always ensure contractual arrangements or safeguards are in place to protect this personal data. These include:

  • The country to which the data will be transferred has been deemed by the UK to provide an adequate level of protection for personal data
  • Using specific contract clauses approved by the European Commission which give personal data the same protection it has in the UK
  • Ensuring that providers we transfer data to in the US are part of the Privacy Shield framework, requiring similar levels of data protection as in the UK

Your rights

Unless subject to an exemption [under the GDPR], you have the following rights with respect to your personal data:

  • The right to request a copy of your personal data (a subject access request (SAR)) which Food Train holds about you
  • The right to request that Food Train corrects any personal data if it is found to be inaccurate or out of date
  • The right to request your personal data is erased where it is no longer necessary for Food Train to retain such data or you feel we are not entitled under the law to process it
  • The right to withdraw your consent to the processing at any time [where we rely on consent as the lawful basis for processing]
  • The right, where there is a dispute in relation to the accuracy or processing of your personal data, or whilst we are dealing with an application from you to correct or erase your data, to request a restriction is placed on further processing
  • The right to object to the processing of your personal data (where we rely on legitimate interest for processing, or process the data for direct marketing, research or statistical purposes

Contacting us

If you are a Food Train member (service user) or identified contact, volunteer, referrer or donor to a local branch and wish to simply correct or update the information we hold about you, you may do so via the local office/ Regional Manager/ Project Manager.

For all other contact in relation to exercising your rights, enquiries/suggestions about Food Train's data protection practices, requests to access the data we hold about you (a Subject Access Request) or to complain about how your data has been handled, please contact our Data Protection Officer - email dpo@thefoodtrain.co.uk, or telephone 01387 270800.

Complaints

If you have any concerns about how Food Train has used your personal data, our Data Protection Officer would like to hear about this. Please contact using the details above.

Should you have continued reason to be unhappy about how Food Train has collected or handled your personal information, you have the right to complain to the UK's Information Commissioner. You can do this by contacting the Information Commissioner's Office directly.

The Information Commissioner's Office can be contacted on 0303 123 1113. The www.ico.org.uk website has further information on your rights and our obligations.

Data breaches

Food Train has robust measures in place to minimise and prevent data breaches taking place. In the event that any personal data becomes lost or shared inappropriately by Food Train, we have a data breach management procedure in place to ensure any associated risk is minimised as soon as possible. If a significant breach occurs that is likely to risk the rights and freedoms of individuals, we will notify the Information Commissioner's Office within 72 hours of the breach being discovered.

Changes to this policy

We may update our privacy policy occasionally. Our up to date policy will always be available on our websites. If we make any significant changes to the way in which we treat your personal data, this will be highlighted on our website and you will be notified directly.