Terms & conditions
Terms and Conditions of website usage
The content of the pages of this website is for your general information and use only. It is subject to change without notice. Neither we nor any third parties provide any warranty or guarantee as to the accuracy, timeliness, performance, completeness or suitability of the information and materials found or offered on this website for any particular purpose. You acknowledge that such information and materials may contain inaccuracies or errors and we expressly exclude liability for any such inaccuracies or errors to the fullest extent permitted by law. Your use of any information or materials on this website is entirely at your own risk, for which we shall not be liable. It shall be your own responsibility to ensure that any products, services or information available through this website meet your specific requirements.
This website contains material which is owned by or licensed to us. This material includes, but is not limited to, the design, layout, look, appearance and graphics. Reproduction is prohibited other than in accordance with the copyright notice, which forms part of these terms and conditions. All trademarks reproduced in this website, which are not the property of, or licensed to the operator, are acknowledged on the website. Unauthorised use of this website may give rise to a claim for damages and/or be a criminal offence.
From time to time this website may also include links to other websites. These links are provided for your convenience to provide further information. They do not signify that we endorse the website(s). We have no responsibility for the content of the linked website(s).
You may not create a link to this website from another website or document without Leeds Autism Services’ prior written consent.
Your use of this website and any dispute arising out of such use of the website is subject to the laws of England and Wales.
Data Privacy Notice
Your personal data – what is it?
Personal data relates to a living individual who can be identified from that data. Identification can be by the information alone or in conjunction with any other information in the data controller’s possession or likely to come into such possession. The processing of personal data is governed by the General Data Protection Regulation (the “GDPR”).
Who are we?
Leeds Autism Services is the data controller (contact details below). This means it decides how your personal data is processed and for what purposes.
How do we process your personal data?
Leeds Autism Services complies with its obligations under the “GDPR” by keeping personal data up to date; by storing and destroying it securely; by not collecting or retaining excessive amounts of data; by protecting personal data from loss, misuse, unauthorised access and disclosure and by ensuring that appropriate technical measures are in place to protect personal data.
We use your personal data for the following purposes: -
- To enable us to provide an adult social care service for the benefit of adults with autism in the Leeds area
- To administer service user records
- To fundraise and promote the interests of the charity
- To manage our employees and volunteers
- To maintain our own accounts and records (including the processing of gift aid applications)
- To inform you of news, events and activities associated with Leeds Autism Services
What is the legal basis for processing your personal data?
- Explicit consent of the data subject so that we can keep you informed about events and activities associated with Leeds Autism Services
- Maintaining up-to-date records of service users and significant others in order to undertake our legal obligations as a care provider
- Processing is necessary for carrying out legal obligations in relation to Gift Aid or under employment, social security or social protection law, or a collective agreement;
Sharing your personal data
Personal data will be treated as strictly confidential and will only be shared within LAS to carry out our legal obligations as a care provider. We will not share your data with third parties outside of LAS without your consent.
How long do we keep your personal data?
We keep data in accordance with the guidance and retention periods set out in the GDPR policy, which is available from the LAS website.
Specifically, we keep mailing list information, gift aid declarations and associated paperwork for 6 years after the calendar year to which they relate.
Your rights and your personal data
Unless subject to an exemption under the GDPR, you have the following rights with respect to your personal data: -
- The right to request a copy of your personal data which Leeds Autism Services holds about you;
- The right to request that Leeds Autism Services corrects any personal data if it is found to be inaccurate or out of date;
- The right to request your personal data is erased where it is no longer necessary for Leeds Autism Services to retain such data;
- The right to withdraw your consent to the processing at any time;
- The right to request that the data controller provide the data subject with his/her personal data and where possible, to transmit that data directly to another data controller, (known as the right to data portability), (where applicable) [Only applies where the processing is based on consent or is necessary for the performance of a contract with the data subject and in either case the data controller processes the data by automated means].
- The right, where there is a dispute in relation to the accuracy or processing of your personal data, to request that a restriction is placed on further processing;
- The right to object to the processing of personal data, (where applicable) [Only applies where processing is based on legitimate interests (or the performance of a task in the public interest/exercise of official authority); direct marketing and processing for the purposes of scientific/historical research and statistics]
- The right to lodge a complaint with the Information Commissioner’s Office.
If we wish to use your personal data for a new purpose, not covered by this Data Protection Notice, then we will provide you with a new notice explaining this new use prior to commencing the processing and setting out the relevant purposes and processing conditions. Where and whenever necessary, we will seek your prior consent to the new processing.
A cookie is a small file of letters and numbers that we store on your browser or the hard drive of your computer if you agree. Cookies contain information that is transferred to your computer’s hard drive, and will not harm your computer.
We use the following cookies:
Strictly necessary cookies: These are cookies that are required for the operation of our website. They include, for example, cookies that enable you to log into secure areas of our website, use a shopping cart or make use of e-billing services.
Analytical/performance cookies: They allow us to recognise and count the number of visitors and to see how visitors move around our website when they are using it. This helps us to improve the way our website works, for example, by ensuring that users are finding what they are looking for easily.
Functionality cookies: These are used to recognise you when you return to our website. This enables us to personalise our content for you, greet you by name and remember your preferences (for example, your choice of language or region).
Targeting cookies: These cookies record your visit to our website, the pages you have visited and the links you have followed. We will use this information to make our website more relevant to your interests.
You can find more information about the individual cookies we use and the purposes for which we use them in the table below:
|Cookie|Purpose|Sessional or persistent|
|---|---|---|
|_ga|Used by Google to distinguish users. The cookies collect information in an anonymous form.|2 years|
|__utma|Used by Google to distinguish users and sessions. The cookie is updated every time data is sent to Google Analytics. The cookies collect information in an anonymous form.|2 years from set/update|
|__utmb|Used by Google to determine new sessions/visits. The cookie is updated every time data is sent to Google Analytics. The cookies collect information in an anonymous form.|30 mins from set/update|
You can block cookies by activating the setting on your browser that allows you to refuse the setting of all or some cookies. However, if you use your browser settings to block all cookies (including essential cookies) you may not be able to access all or parts of our site.
We do not use IP addresses to analyse trends, administer this website, track web users’ involvement or gather any other forms of demographic information.
You may find sponsored links on our site to other companies who are our latest sponsors, supporters and/or event partners. LAS are not responsible for the privacy practices of these third parties; therefore we encourage you to read their privacy statements, as they may differ from ours.
LAS cannot guarantee or verify the contents of any externally linked website and therefore cannot be held liable for any damages or implications caused by visiting any external links mentioned.
Notification of Changes
To exercise all relevant rights, or for queries or complaints, please in the first instance contact the HR Manager at: Leeds Autism Services, 28 Grape Street, Hunslet, Leeds, LS10 1BX or email firstname.lastname@example.org
You can contact the Information Commissioner’s Office on 0303 123 1113 or via email https://ico.org.uk/global/contact-us/email/ or at the Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.
General Data Protection Regulation Policy (GDPR)
This policy sets out how LAS seeks to protect personal data and ensure that staff understand the rules governing their use of personal data to which they have access in the course of their work. This policy requires staff to ensure that the Data Protection Controller (DPC) be consulted before any significant new data processing activity is initiated to ensure that relevant compliance steps are addressed.
The GDPR applies to LAS as it falls into two broad definitions: ‘controllers’ and ‘processors’. The definitions are similar to those defined in the Data Protection Act 1998 (DPA) in that controllers say how and why personal data is processed, and processors act on the controller’s behalf. If you are a processor, the GDPR will place specific legal obligations and liabilities on you; for example, you will be required to maintain records of personal data and processing activities. If you are a controller, you are not relieved of your obligations where a processor is involved. The GDPR places further obligations on you to ensure your contracts with processors comply with the GDPR.
“data controller” means a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed.
“data processor”, in relation to personal data, means any person (other than an employee of the data controller) who processes the data on behalf of the data controller.
“processing”, in relation to information or data, means obtaining, recording or holding the information or data or carrying out any operation or set of operations on the information or data, including: organisation, adaptation or alteration of the information or data; retrieval, consultation or use of the information or data; disclosure of the information or data by transmission, dissemination or otherwise making available; alignment, combination, blocking, erasure or destruction of the information or data.
The purposes for which personal data may be used by LAS: Personnel, administrative, financial, regulatory, payroll and business purposes.
Business purposes include the following:
- Compliance with our legal, regulatory and corporate governance obligations and good practice
- Gathering information as part of investigations by regulatory bodies or in connection with legal proceedings or requests
- Ensuring business policies are adhered to (such as policies covering email and internet use)
- Operational reasons, such as recording transactions, training and quality control, ensuring the confidentiality of commercially sensitive information, security vetting, credit scoring and checking
- Investigating complaints
- Checking references, ensuring safe working practices, monitoring and managing staff access to systems and facilities and staff absences, administration and assessments
- Monitoring staff conduct, disciplinary matters
- Marketing our business
- Improving services
Personal data is information relating to identifiable individuals, such as job applicants, current and former employees, agency, contract and other staff, clients, suppliers and marketing contacts. Personal data we gather may include: individuals’ contact details, educational background, political opinions, financial and pay details, details of certificates and diplomas, education and skills, marital status, nationality, job title, and CV.
Sensitive personal data
Sensitive data is personal data about an individual’s racial or ethnic origin, religious or similar beliefs, trade union membership (or non-membership), physical or mental health or condition, criminal offences, or related proceedings. Any use of sensitive personal data should be strictly controlled in accordance with this policy. We will document the additional justification for the processing of sensitive data, and will ensure any biometric and genetic data is considered sensitive.
Scope of this policy
This policy supplements our other policies relating to internet and email use, recording and disclosure policy. LAS have appointed the HR Manager as the Data Protection Controller (DPC). The DPC has overall responsibility for the day-to-day implementation of this policy.
Fair and lawful processing
LAS must process personal data fairly and lawfully in accordance with individuals’ rights. This generally means that we should not process personal data unless the individual whose details we are processing has consented to this happening or we are required to do this by law (e.g. to comply with legal obligations to ensure health and safety at work). Consent must not be assumed.
Responsibilities of the IT service
LAS have outsourced their IT management to:
Man-sys UK Ltd
Hope Park Business Centre
Trevor Foster Way
It is their responsibility to:
- Check and scan security hardware and software regularly to ensure it is functioning properly
- Ensure all systems, services, software and equipment meet acceptable security standards
- Research third-party services, such as cloud services the company is considering using to store or process data
Responsibilities of the Partnership and Development Officer
- Approving data protection statements attached to emails and other marketing copy with the DPC
- Addressing data protection queries from clients, target audiences or media outlets
- Coordinating with the DPC to ensure all marketing initiatives adhere to data protection laws and LAS General Data Protection Regulation Policy
The processing of all data must be:
- Necessary to deliver our services
- In our legitimate interests and not unduly prejudice the individual’s privacy
In most cases this provision will apply to routine business data processing activities in accordance with the individual’s rights:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- The right not to be subject to automated decision-making including profiling
Privacy Notice - transparency of data protection
LAS Terms of Business contains a Privacy Notice on data protection. Being transparent and providing accessible information to individuals about how we will use their personal data is important for our organisation.
Personal data will not be retained for longer than is necessary. What is necessary will depend on the circumstances of each case, taking into account the reasons that the personal data was obtained, but should be determined in a manner consistent with our data retention guidelines:
- Statutory and Employment Records during term of employment then 6 years subsequently
- All gift aid information to be retained for 6 years from date of last donation as evidence required by HMRC
- Accounts and financial transactions to be held for 6 years
- Service user records (including incident reports and daily records) should be kept for 20 years after the last entry in the record or 8 years after the service user’s death if service user died whilst in the care of the organisation (Department of Health guidelines – record management 2009)
- Health and Safety / Accident records to be kept for the length of employment plus 3 years
- Employee training records for the length of employment plus five years
Accuracy and relevance
LAS will ensure that any personal data that is processed is accurate, adequate, relevant and not excessive, given the purpose for which it was obtained. LAS will not process personal data obtained for one purpose for any unconnected reason unless the individual concerned has agreed to this or would otherwise reasonably expect this.
Individuals may ask that we correct inaccurate personal data relating to them. If you believe that information is inaccurate you should record the fact that the accuracy of the information is disputed and inform the DPO.
Your personal data
You must take reasonable steps to ensure that personal data we hold about you is accurate and updated as required. For example, if your personal circumstances change, inform HR so that they can update your records.
LAS must keep personal data secure against loss or misuse. Where other organisations process personal data as a service on our behalf, the DPC will establish what, if any, additional specific data security arrangements need to be implemented in contracts with those third party organisations.
Storing data securely
In cases when data is stored on printed paper, it should be kept in a secure place where unauthorised personnel cannot access it. Printed data should be shredded when it is no longer needed. Email or other social media accounts should be protected by strong passwords that are changed regularly. Personal data must not be stored on local hard drives or portable data storage devices such as CDs, memory sticks, mobile phones / tablets or portable hard drives. All personal data must be stored exclusively on the authorised cloud server. The CEO must approve any cloud used to store data. Our servers are located at Node4 DC, Pope Street, Normanton, Wakefield, WF6 2TA.
Data is encrypted and backed up to the second location on a daily basis using VSS and application aware back-ups, and stored using a 30 day retention period as standard. Data is protected by anti-virus software, internal and external firewalls and intrusion detection software which is monitored and scanned by the IT support provider. Account holders should empty recycle bins on the remote desktop on a monthly basis. Data should never be saved directly to mobile devices such as laptops, tablets or smartphones. All servers containing sensitive data must be approved by the CEO and protected by security software, and strong internal and external firewalls.
Transferring data internationally
There are restrictions on international transfers of personal data. You must not transfer personal data anywhere outside the UK without first consulting the Data Protection Controller. Specific consent from the individual must be obtained prior to transferring their data outside the EEA.
Upon request, an individual (namely employees) has the right to receive a copy of their data in a structured format. These requests should be processed within one month, provided there is no undue burden and it does not compromise the privacy of other individuals. They may also request that their data is transferred directly to another system. This must be done for free. This request must be referred to the HR Manager immediately. In the event of a request being manifestly unfounded or excessive, LAS have the right to charge for the request. If a request is refused, the individual concerned will be informed of the reason(s) and that they have the right to complain to the supervisory authority. This complaint must be done without undue delay and at the latest, within one month.
Please contact the HR Manager if you would like to correct or request information that we hold about you. There are also restrictions on the information to which you are entitled under applicable law.
Subject Access Requests (SARS)
We will ensure that the named Data Controller will have responsibility for dealing with all SARS requests and will ensure compliance of any given request within 30 calendar days of receipt. However, if we feel that the request is complicated or is a large request, we reserve the right to extend the response time by a further two months. There are also certain exceptions whereby we may charge a nominal fee if we feel the request is manifestly unfounded or excessive.
Conditions for processing
We will ensure any use of personal data is justified using at least one of the conditions for processing, and this will be specifically documented. All staff who are responsible for processing personal data will be aware of the conditions for processing. The conditions for processing will be available to individuals in the form of a privacy notice.
The data that we collect is subject to active consent by the individual. This consent can be revoked at any time.
Disclosure and Barring Service (DBS)
Any DBS checks are justified by law. DBS checks cannot be undertaken based solely on the consent of the subject.
Right to be forgotten
An individual may request that any information held on them is deleted or removed, and any third parties who process or use that data must also comply with the request. An erasure request can only be refused if an exemption applies.
All members of staff have an obligation to report actual or potential data protection compliance failures. This allows us to:
- Investigate the failure and take remedial steps if necessary
- Maintain a register of compliance failures
- Notify the Supervisory Authority (SA) of any compliance failures that are material either in their own right, or as part of a pattern of failures
Everyone must observe this policy. The CEO has overall responsibility for this policy. Data audits will be conducted regularly to make sure policy is being adhered to.
Consequences of failing to comply
We take compliance with this policy very seriously. Failure to comply puts both you and the organisation at risk. The importance of this policy means that failure to comply with any requirement may lead to disciplinary action under our procedures which could result in dismissal. If you have any questions or concerns about anything in this policy, do not hesitate to contact the DPC.
All staff will receive training on this policy. New staff will receive training as part of the induction process. Further training will be provided at least every three years, or whenever there is a substantial change in the law or to our policy and procedure.
Training will cover:
- The law relating to data protection
- Our data protection and related policies and procedures
Completion of training is compulsory.