We’re Khulisa (which means ‘to nurture’ in Zulu), a national youth and rehabilitation charity dedicated to helping young people and adults with complex needs to live healthier, crime-free lives. Khulisa is a registered charity (no. 1120562) and company limited by guarantee (no. 6210432). We deliver emotional and social wellbeing programmes, therapeutic support and mentoring to young people and adults with complex needs in schools, prisons and the community. We also deliver training on the effects of trauma to professionals working with these young people and adults, such as teachers, prison officers and social workers.
At Khulisa, we frequently work with external organisations in the course of our work. We partner with multiple organisations, such as schools and prisons, to deliver our services. We refer to these organisations as our Delivery Partners. We also partner with organisations which provide us with funding or other support, and communicate with other organisations for the purposes of policy influencing, networking or other partnership working. We are committed to protecting and respecting the privacy of all of the people we work with.
- when and why we collect personal data and other information about you;
- how we use that information;
- the conditions under which we may disclose this to others;
- how we keep the information secure; and
- the rights you have over the personal data we collect.
This privacy notice is made under Articles 13 and/or 14 of the General Data Protection Regulation (GDPR).
Your letter should be addressed to our registered office address:
The Data Protection Officer
32 Cubitt Street
Why and how do we collect information about you?
As an employee of an external organisation, Khulisa may collect and process information about you for the purpose of communicating with you. This could be about delivery of our services, funding our services or other partnership working. We collect information about you for the purposes of making contact with you, or continuing to maintain contact. We either collect this information directly from you when you interact with us, or we may also receive information about you from third parties. For example, where a Delivery Partner recommends a new organisation to us as a prospective Delivery Partner.
What information do we collect?
We collect the following personal data about employees of external organisations:
- Your name, job title and organisation you work for; and
- Your business contact details, including office address, telephone numbers and email addresses.
Where we have consulted you for your views, the information may include your opinions.
The data is collected by us and stored in our secure data processing system as explained below.
How do we use the information we collect?
We may use the information collected about you to:
- Contact you about partnering with Khulisa; and
- Communicate about delivery of our services.
We will always treat your data confidentially and will only share your details where it is necessary to do so to ensure an effective partnership. For example, where we invite visitors from prospective Delivery Partners to observe a programme at a school, we would need to share details of these visitors with the school to ensure access. Third parties providing a service to Khulisa may also be able to access the information we collect about you under certain circumstances, detailed below.
We take steps to ensure that all personal information we collect is treated securely. Access to our email, document management and storage services is limited to members of Khulisa’s staff, secured either via two-step verification or encrypted and password protected databases.
Who has access to the information we collect?
Third parties providing a service to Khulisa may be able to access the information we collect about you e.g. the company we use to provide our secure data processing system, Salesforce. This includes our suppliers, subcontractors, agents and other associated organisations we use to complete tasks and provide services to you on our behalf. However, no information will be shared unless there is a contract in place that requires the third party to keep the information secure and prevents use for any other purpose than delivering the service. We only disclose the personal information that is necessary to deliver the service.
We will not sell or rent the information about you to third parties, nor will we share this information with third parties for marketing purposes.
Please be reassured that we will not share your information with third parties beyond this network, unless:
- it is necessary to organise the training or other services, such as to arrange access to an external training venue;
- you have requested us to do so;
- we are required to do so to protect the rights, property or safety of our supporters and customers; or
- we are required to do so by law, for example, by a court order or for the purposes of prevention of fraud or other crime.
In the event of a sale, business restructure or reorganisation of some or all of our business and assets to any third party, we will take steps with the aim of ensuring that your privacy rights continue to be protected.
How long will we keep the information?
We review our retention periods for personal information on a regular basis. We will hold your personal information on our systems for as long as is necessary for the relevant activity, and if you leave your role, the information will be updated and/or deleted. This review process should take place at least once a year.
Some of the personal information we collect may be transferred and stored securely outside of the UK and European Union by the suppliers of our online surveys and email, document management and storage services. Where that is the case, safeguards are in place to ensure legal protection under the GDPR. This includes supplier certification under the Privacy Shield Scheme if based in the United States of America, or reliance on Model Contract Clauses.
Legal basis of processing
Under the GDPR, we process your personal data under the legal basis that this falls within our legitimate interests as an organisation to contact and communicate with external organisations we can partner with.
You have the right to ask for a copy of the information Khulisa hold about you. To do this, please make a request in writing (via our contact form on our website, by email or by post) to the Data Protection Officer and we will provide a response within 30 days. Your rights under the GDPR also include the following:
- Right to rectification: This means you may ask us to rectify any of the personal data we hold about you.
- Right to object: You have the right to object to us processing the data we hold for you. In this event, we will stop processing any more information unless we can show legitimate grounds for the processing of this information.
- Right to restrict processing: You have the right in certain circumstances (for example, where accuracy is contested) to request that the processing of the personal data we hold about you is restricted.
- Right to erasure (sometimes known as the right to be forgotten): If you object to us processing the data we hold for you, and Khulisa cannot show legitimate grounds for processing this data, you have the right to request us to delete the personal data we hold for you.
If you consider that the personal data we hold for you has been misused or mishandled, you may make a complaint to the Information Commissioner, who is an independent regulator.
Any complaint to the Information Commissioner is without prejudice to your right to seek redress through the courts.
The Information Commissioner can be contacted at:
By email: email@example.com
By phone: 0303 123 1113
By post: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow. Cheshire. SK9 5AF