Privacy Statement
Who are we?
The Windmill Trust provides specialist, creative therapy to children and young people in Cumbria requiring mental health support.
Our vision is a future where, regardless of economic background, children and young people have access to researched, effective therapeutic interventions to alleviate distress and ward against long-term mental health issues.
The mission of The Windmill Trust is to provide researched, effective therapeutic interventions to children, young people and families in West Cumbria, helping to reshape the impact of trauma, one child at a time.
The Windmill Trust is the controller for the personal information we process unless we state otherwise.
You can contact us about data privacy by email, post or phone via the Charity Manager, The Windmill Trust, 16 High Street, Wigton, Cumbria, CA7 9NJ, or email admin@thewindmilltrust.org or call us on 07708 650696.
Our Registered Charity number: 1195160
The Privacy Statement explains how and why we use your personal data, to ensure you remain informed and in control of your information.
What type of personal information do we collect?
We collect, process and store three main types of personal information:
-
Clinical records to ensure clients are provided with appropriate and supportive services.
-
Recruitment and HR records about our employees, contracted practitioners and volunteers in order to fulfil our record keeping obligations as employers and contractors.
-
Supporter records relating to our fundraising activities in order to comply with legal and financial obligations and to keep them informed.
How do we obtain your personal data?
Most of the personal data we process is provided to us directly by you when you:
-
Use our clinical services
-
Apply for a practitioner role
-
Apply for a job or volunteering role
-
Sign up to one of our training sessions
-
Request information about our activities and services
-
Make a donation to us
-
Fundraise on our behalf
-
Register for an event
-
Enter into a contract with us
-
Get in touch with us via phone, website or other method
​
The type of information we collect will vary according to how you are engaging with us and we always ensure we only collect the information necessary to fulfil this engagement.
Sometimes we collect your personal information indirectly from third-party fundraising organisations including Charities Aid Foundation (CAF) and JustGiving when you use their services to make a donation to us or sign up for school training. These third parties only share your information with us with your consent. You should check their Privacy Notices when you provide your information to understand fully how they will process your data.
You may also provide personal information to us when you visit The Windmill Trust’s pages on social media, e.g. Facebook, LinkedIn or Instagram, or when you visit our website. Our website uses cookies to support functionality, improve the security of the site and allow pages to be shared by social networks. For more information about cookies, please read our Cookies Notice.
How we Handle Clinical Records
We recognise that the information we collect to support our clinical work is likely to include sensitive personal data, so we handle our clinical records very carefully including but not limited to the following ways:
-
We obtain informed consent to process personal data.
-
For children, we obtain informed, parental, written consent and a child’s verbal or written consent to process personal data.
-
We keep brief and factual notes on children and families which are kept digitally on a password protected, cloud-based system, in a locked filing cabinet or in a portable, locked file box.
-
All information is kept securely and access is highly restricted to trained staff bound by confidentiality agreements.
-
Information may be used for monitoring and evaluation purposes in order to improve current and future delivery of services, and any personal data used for these purposes will be anonymised.
-
Information is anonymised when shared or used for evaluation and reporting.
-
If diversity information is collected, all reporting will be anonymised.
-
Data is only shared where The Windmill Trust has a legal obligation to do so or to protect the vital interests of an individual.
How we handle HR and recruitment records
We use personal data that you provide to:
-
Process an application for employment, volunteering, placement or practitioner role: we may process your data to ascertain suitability and for the performance of contract (or prior to entering into a contract).
-
Share appropriately with third party providers, including external payroll bureaus, pension providers and HM Revenue & Customs.
-
Maintain an employment relationship.
The above list is supplied for illustration and is not exhaustive.
How we Handle Fundraising Data
We use personal information to fundraise, process donations and stay in touch with our supporters to:
-
Thank them and keep them updated on what we have achieved with their support.
-
Let them know about any events or opportunities that may be of interest to them.
Our electronic marketing (email and telephone) is only undertaken with your prior consent and postal marketing is only undertaken where there are legitimate interests.
In order to do this effectively, we sometimes use third parties to store and process personal information linked to our fundraising activities:
-
To process your payments, including donations, to The Windmill Trust, some information may be passed to payment processors. Please refer to their privacy statements
-
When we share our data with these third-party providers, these “data processors” act only under our instructions and are not permitted to use your information for their own purposes
-
We will never sell your data to third parties, and you will not receive offers or communications from other companies or organisations as a result of giving your details to us.
​
Our Website
Our company is hosted on the wix.com platform. Wix.com provides us with the online platform that allows us to show our products and services to you. Your data may be stored through Wix.com’s data storage, databases and the general Wix.com applications. They store your data on secure servers behind a firewall.
All direct payment gateways offered by Wix.com and used by our company adhere to the standards set by PCI-DSS as managed by the PCI Security Standards Council, which is a joint effort of brands like Visa, MasterCard, American Express and Discover. PCI-DSS requirements help ensure the secure handling of credit card information by our organisation and its service providers.
How Long Will We Keep Your Information?
We will retain personal information for no longer than necessary for the purposes for which it was collected, taking into account guidance issued by NHS Digital’s Records Management Code of Practice, The Health and Care Professions Council (HCPC), ICO and are aligned with UK employment law, including the Limitation Act 1980 and the Employers’ Liability (Compulsory Insurance) Act 1969.
We will keep your personal information in respect of any financial transaction for as long as the law requires us to for tax or accounting purposes which may be for up to twenty-five years.
Child and Young Person clinical information is deleted/destroyed after twenty-five years.
Your Data Protection Rights
Under data protection law, you have rights we need to make you aware of. The rights available to you depend on our reason for processing your information.
Your Right of Access
You have the right to ask us for copies of your personal information. This right always applies. There are some exemptions, which means you may not always receive all the information we process. See ‘Data Sharing with Parents/Carers’ below.
Your Right to Rectification
You have the right to ask us to correct information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete. This right always applies.
Your Right to Erasure
You have the right to ask us to erase your personal information in certain circumstances.
Your Right to Restriction of Processing
You have the right to ask us to restrict the processing of your information in certain circumstances.
Your Right to Object to Processing
You have the right to object to processing if we are able to process your information in certain circumstances.
Your Right to Data Portability
This only applies to information you have given us. You have the right to ask that we transfer the information you gave us from one organisation to another or give it to you. The right only applies if we are processing information based on your consent or if the processing is automated under, or in talks about entering, a contract.
You are not required to pay any charge for exercising your rights. We have one month to respond to you. Please contact the Charity Manager, The Windmill Trust, 16 High Street, Wigton, Cumbria, CA7 9NJ, or email admin@thewindmilltrust.org or call 07708 650696 if you wish to make a request.
If you and/or your child are being supported within our clinical service, you may choose to speak to the therapist who will pass on your request.
If you are a Windmill Trust employee, contracted practitioner, or volunteer, you may choose to speak to your line manager or the staff member coordinating your role, who will pass on your request.
If you are not happy with the way we have handled your data and are unable to resolve the issue with us personally, you have the right to lodge a complaint with the Information Commissioner’s Office, the UK’s independent body set up to uphold information rights.
You can read more about your rights here: ICO
Data Sharing with Parents/Carers
While The Windmill Trust is committed to providing transparency to parents and carers, especially when it comes to the therapeutic journey of their children, we also uphold strict confidentiality standards to protect the privacy of our clients, including children and young people.
Sharing Updates
We provide parents and carers with relevant updates that reflect their child's journey in therapy, ensuring they are informed of therapeutic outcomes.
Confidentiality of Clinical Records
We do not share clinical records (such as session notes, audio/video recordings, or other sensitive materials) directly with parents or carers, as doing so may breach client confidentiality.
This is in line with our Therapy Consent and Data Consent Forms, which parents/carers sign before therapy commences. These forms outline our confidentiality policy and the circumstances under which information may be disclosed.
Client Confidentiality
The confidentiality of therapy sessions is crucial to the therapeutic process. Only in exceptional circumstances, such as safeguarding concerns or legal obligations, will information from clinical records be disclosed, and this will be done in accordance with our legal and ethical obligations.
ICO Registration
The Windmill Trust is registered with the Information Commissioner's Office (ICO) under registration number ZB335964. This registration signifies our commitment to protecting personal data and complying with applicable data protection laws.
Further Information
For more detailed information about how we handle personal data, please refer to our Data Protection and GDPR Policy, which is available upon request by contacting us at admin@thewindmilltrust.org
​
Updates to this Statement
We will update this Privacy Statement from time to time so you may wish to check it each time you submit personal information to The Windmill Trust.
This policy statement was last reviewed: October 2024
We are committed to reviewing our policy and good practice annually.
The next full review date for this policy is: October 2025
Signed: LRitchie
Name: Lesley Ritchie
Position: Chair of Governors
Date Signed: 9th October 2024