Welcome to the Imara Privacy Notice

Welcome to the Imara Privacy Notice.  

This privacy notice is to communicate what we do with personal data (this means any information that identifies or could identify you) either given directly by you or which is provided to us by third parties.  We want everyone who supports us, comes to us for support or works alongside us to feel confident and comfortable with how any personal information you share with us will be looked after.

Section 2 of this privacy notice is divided into sub sections, so that you can look at the sub section which is most relevant to the relationship you have with Imara.

Personal Data can be collected through a number of different channels namely:

  • this website,
  • when you use our support services,
  • by third party providers who are introducing you to our services namely East Midlands Children and Young People’s Sexual Assault Service (EMCYPSAS
  • when you attend our training courses
  • by being one of our Supporters,
  • applying to, or by being Employed, an Intern, a Trustee or Volunteering for Imara.

The Imara Privacy Notice may change so please remember to check back from time to time, this is version was last updated on the 16th March 2021. Where we have made any changes to this Privacy Policy, we will make this clear on our website.

1.Who we are:

IMARA CIO is a registered charity in England and Wales (charity number 1170331) and is the Data Controller, registered with the ICO reference number ZA472704

The registered office is 200/202 Mansfield Road Nottingham Nottinghamshire Postcode NG1 3HX 

Imara has a Data Protection Officer (DPO), who is responsible for answering any questions you have about this Privacy Notice. They may be contacted at the above address, or by email: report@imara.org.uk

You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK’s supervisory authority for data protection issues (www.ico.org.uk). We would, however, appreciate the chance to deal with any concerns you may have before you approach the ICO, so please feel free to contact us first

Please also keep us informed if your personal data changes during the duration of your relationship with us.

2.The personal data we collect from you, how we collect and how we use it.

To navigate this section please read the sub section which describes your relationship with Imara:

2a. People who use our support services

2b. People who support us

2c. Visitors to our website

2d. Job applicants – Paid, Volunteer, Intern and Trustee Roles

2e. Our current and former employees, volunteers, interns and trustees

2f. Delegates attending our training events

2a. People who use our support services

We hold a range of personal information about you, some of which you give us directly and some of which is passed to us by other organisations, such as the East Midlands Children and Young People’s Sexual Assault Service, Nottingham Police and Social Care. This information is passed to us on a need-to know basis and we do not keep any information we are given that we do not need.

What information do we collect?

  • Your name, age and contact details
  • The school you attend and the GP you are registered with
  • The names and details of your immediate family members who may also wish to receive support from us

In addition, if you go on to receive therapy or CHISVA support from us, we will start keeping data like:

  • Dates and times of your meetings and contact with us
  • Your scores and responses to questionnaires and measures you complete with us
  • Any outcomes of your legal case, if relevant
  • Content of your sessions or meetings with us. For therapy this is recorded just by key words and themes, and not in any detail. For the CHISVA service, this is recorded in more detail as we need to conduct an ongoing and thorough assessment of your risks and needs.

Also if we are assisting in your CICA claim : 

  • Proof of your identity e.g. birth certificate, marriage certificate, change of name documentation. 
  • Details of the incident and reporting of the incident e.g. date and location. Wherever possible we will get this information from the Police so usually you would not have to provide it.  
  • GP and dentist, and/or medical records confirming diagnoses, treatment and appointments. 

Please note that due to the nature of our services we do collect children’s personal data and sensitive personal data and have the relevant capture procedures in place to conform with regulations.

Why do we collect your information?

Under the UK General Data Protection Regulation (GDPR), and the Data Protection Act 2018, we must have a legal reason to keep your data and process it. When Imara provides you with a service (which can include contributing evidence to your legal case and safeguarding yourself and other young people.)  We will process your data under a number of legal bases including consent, legitimate interest, legal obligation or vital interests. 

In order to provide the best service we may use your personal data for the following reasons:

1.To monitor our own performance and report back to our funders and professional bodies

2.To contribute to and conduct our own research in order to improve the quality of services and support available for other people like you in the future.

However it is really important to note that for the above 2 reasons we anonymise some of the personal data and when case studies are used to illustrate the importance of our support services these are presented as composite case studies, which protects your identity.

Who do we share your information with?

We share your data within Imara with limited people who need to see it, in order to provide you with a service. We may also share it with the organisation that pays for your service or with external agencies that inspect our work (see the above section which mentions the processes we use) We may be required to share your data with other agencies for legal reasons, or with other organisations if we believe that you are at risk of harm. We may also anonymise or adapt your data, so you are no longer personally identifiable, in order to share information and statistics about the service with the wider public for the purposes of research, fundraising and raising awareness. This may include anonymised or composite case studies from which no individuals can be identified.

Who is responsible for your data?

The Data Controller is responsible for your data. This may be Imara or the organisation that originally referred you to Imara.

How long we keep your data for?

We keep your personal information for as long as required to operate the service in accordance with professional body and legal requirements. Where your information is no longer required, we will ensure it is destroyed in a secure manner, for more details we have a data retention policy which sets out the specific timescales.

2b. People who support us

Imara processes your personal data in order to keep you updated as a supporter and invite you to be involved in events and fundraising.

What information do we collect?

We may hold personal data about you when you have submitted your personal information to local platforms such as Just Giving and/or If you sign up to our mailing list, we will hold a range of personal information about you, all of which you give us:

  • your name
  • your email address

We do not usually collect special categories of data about our supporters unless there is a clear reason for doing so such as participation in a fundraising event or when we need to ensure we provide the appropriate facilities or support to enable you to participate in an event.

How do we use your data?

We hold your name and email address in order to send you our regular Newsletter with relevant updates such as:

• big changes to Imara
• upcoming fundraising events and campaigns
• successes and follow-up from previous fundraising campaigns and projects
• opportunities to volunteer or get involved
• invitations to Thank You events

We do this to foster the Imara community and to carry out efficient fundraising.The lawful basis for this is your consent, as demonstrated by signing up for our mailing list which involves opt-in tickboxes and verification of your email address.  You are able to remove your consent at any time, by unsubscribing to our emails or by emailing us at report@imara.org.uk

Keeping your personal information

We keep your personal information for as long as required to operate the service in accordance with legal requirements and tax and accounting rules. Where your information is no longer required, we will ensure it is destroyed in a secure manner.

2c. Visitors to our website

Our existing website does not use cookies to track website activity.

2d. Job applicants – Paid, Volunteer and Trustee Roles

As part of our recruitment process, Imara uses a third party provider to collect and process personal data relating to job applicants. If you apply for a role with Imara, we will only use the information you supply to us to process your application.

What information do we process?

We will process a range of information about you, including:

 • Your name, address and contact details, including email address and telephone number;

 • Details of your qualifications, skills, experience and employment history;

 • Information about your current salary;

  • Your professional/character references from previous employers/other referees
  • Your Disclosure and Barring Service (DBS) number if you are registered for the Update Service or the documentation required to apply for a DBS check, and the results.
  • Whether or not you have a disability for which we need to make reasonable adjustments during the recruitment process;
  • Information about your entitlement to work in the UK

 How do we collect your personal data?

We collect it in a variety of ways. For example, you may have filled in an application form, or submitted a CV or resume, you may have provided your passport details or other identification documents, or we may have collected it through interviews. We may also collect information about you from third parties, such as references supplied by former employers. Imara will only seek information about you from third parties once we’ve made you an offer.

Where will we keep your data?

Your personal information will be stored securely with our third party recruitment provider

Why do we need your personal data?

We need to process your data in order to enter into a working agreement with you. In some cases we need to process your data to ensure we are complying with our legal obligations, eg checking an individual’s right to work in the UK. We have a legitimate interest in processing your personal data during the recruitment process and for keeping records of the process. It allows us to manage that process, assess and confirm your suitability for the role and decide who to offer a role to. We process health information if we need to make a reasonable adjustment to the recruitment process for the candidates who have a disability. This is to carry out our obligations and exercise specific rights in relation to employment. For some roles Imara is obliged to seek information about criminal convictions and offences. This is necessary to carry out our obligations and exercise specific rights in relation to employment. Imara will not use your personal information for any purpose other than the recruitment exercise for which you have applied.

How long will we keep your data?

Personal data supplied by our Recruitment provider is not stored by Imara if you are not a successful applicant.

Who has access to your data?

Your information will be shared internally for the purposes of the recruitment exercise. This includes members of the HR third party provider and the Imara recruitment team, interviewers involved in the recruitment process, managers in the business area with a vacancy. As part of the recruitment process we may need to share your data with third parties in order to conduct any necessary background checks and vetting processes, such as contacting previous employers/referees to obtain a reference; and/or the Disclosure and Barring Service to conduct criminal l record checks. As part of the recruitment process, we will make clear to you which checks will be required and at what stage of the process.

What if you don’t provide personal data?

You are under no statutory or contractual obligation to provide data to us during the recruitment process. However, if you do not provide Imara with the information, we may not be able to process your application properly, or at all. You are under no obligation to provide information for equal opportunities monitoring purposes and there are no consequences for your application if you choose not to provide such information.

Automated decision making

Some of Imara’s recruitment process is solely based on automated decision-making. For example, when applicants are asked to confirm they have the right to work in the UK; or when applicants confirm that they are not barred from undertaking roles working within regulated activity; or whether the applicant has a clean and valid driving licence where driving is an essential requirement for the role. If an applicant is unable to fulfil the requirements they will not be able to progress any further with their application. Should an applicant wish to challenge any automated decision within the recruitment process they should contact the recruitment team.

2e. Our current and former employees, interns, volunteers and trustees

Imara collects and processes personal data relating to its staff and volunteers in order to manage the work relationship with you.

What information do we collect?

Imara collects and processes a range of information about you that is appropriate to the role you perform with us. This will vary depending on whether you are an employed member of staff, volunteer, contractor, and may include:

 • Your name, address and contact details, including email address and telephone number, date of birth and gender;

 • Details of your qualifications, skills, experience and employment history, including start and end dates with previous employers and with us;

• Information about your salary, including entitlement to benefits such as pensions;

 • Details of your bank account and national insurance number;

 • Information about your marital status, next of kin, dependents and emergency contacts;

 • Information about your nationality and entitlement to work in the UK;

• Information about your criminal record;

• Details of your schedule (days of work and working hours) and attendance at work;

• Details of periods of leave taken by you, including holiday, sickness absence, family leave and extended leave, and the reasons for the leave;

• Details of any disciplinary or grievance procedures in which you have been involved, including any warnings issued to you and related correspondence;

• Assessments of your performance, including appraisals, performance reviews and ratings, training you have participated in;

 • Information about medical or health conditions, including whether or not you have a disability for which the organisation needs to make reasonable adjustments.

How do we collect your personal data?

We collect your information in a variety of ways. For example, you may have filled in an application form, or submitted a CV or resume; you may have provided your passport details or other identity documents; from forms completed by you at the start or during your work with us; from correspondence with you; or through interviews. We may also collect information about you from third parties, such as recruitment agencies, references supplied by former employers, and information from criminal records checks as permitted by law.

Where will we keep your data?

Your personal information will be stored, securely with our outsourced HR Management provider.

Why do we need your personal data?

Imara needs to process your data to enter into a working relationship with you and to meet our contractual obligations under any agreement with you. For example, if you are an employee we need to process your data to provide you with an employment contract, to pay you in accordance with that contract and to administer any benefits. In some cases, Imara needs to process data to ensure that we are complying with our legal obligations. For example, it is required to check a worker’s right to work in the UK, to deduct tax, to comply with health and safety laws and to enable employees to take periods of leave to which they are entitled. For certain positions, it can be necessary to carry out criminal records checks to ensure that individuals are permitted to carry out their role. Processing staff data allows the organisation to:

 • Maintain accurate and up-to-date staff records and contact details (including details of who to contact in the event of an emergency), and records of contractual and statutory rights;

• Operate and keep a record of disciplinary and grievance processes, to ensure acceptable conduct within the workplace;

 • Operate and keep a record of employee performance and related processes and workforce management processes;

• Operate and keep a record of absence and absence management procedures, to ensure that employees are receiving the pay and other benefits to which they are entitled;

• Obtain occupational health advice, to ensure that it complies with legal obligations

 • Operate and keep a record of other types of leave (including maternity, paternity, adoption, parental and shared parental leave), to ensure that workers are receiving pay or other benefits to which they are entitled;

 • Ensure effective general HR administration;

• Provide references on request for current or former employees;

• Respond to and defend against legal claims;

• Comply with our statutory and regulatory obligations.

(Some special categories of personal data, such as information about health or medical conditions, are processed to carry out employment law obligations, such as those in relation to employees with disabilities and for health and safety purposes.

Who has access to the data?

Your information will be shared internally to the relevant people including the Finance Team, your line manager, managers and any other members of staff for whom access to the data is necessary for the performance of their roles. Imara shares your data with third parties in order to obtain pre-employment references from other employers and, if applicable to your role, to obtain necessary criminal records checks from the Disclosure and Barring Service. The services we provide to children and young people are subject to external regulation, so  your personal data will be shared with inspectors as necessary

Imara also shares your data with third parties that process data on our behalf, in connection with payroll, the provision of benefits, and the off-site storage of personal data relating to HR.

How long will we keep your data?

Imara will hold your personal data for the duration of your working relationship with us. After the end of your working relationship with us, due to the nature of the work that Imara carries out, and in order to meet our safeguarding commitments, we may hold some of your data until your 75th birthday depending on your role.

2f. Training delegates from current and past courses

When you have either attended a course with us and have enquired about a course through Eventbrite.

What information do we collect?

We collect your contact details:

Name

Email address

Phone number

How do we collect your personal data?

We collect your contact details through the third party provider Eventbrite. We take these details so that we can contact you about a current course or you may sign up to our mailing list so that we can contact you about any future courses which you may be interested in. We will use consent to do this, and you have control over your consent whenever we contact you so that it is easy for you to unsubscribe at any time.

Where will we keep your data?

Your personal information will be stored, securely, with our third party providers, Eventbrite & Mailchimp.

Who do we share your information with?

We share your data within Imara with limited people who need to see it, in order to provide you with a training service. 

How long will we keep your data?

After the course has been completed Imara have no requirement to keep this personal data and the personal data is stored as mentioned.  We will contact you if we feel there is a future course which you may be interested in.  However you are given the option to unsubscribe on any email we send to you in this respect.

3. Working with Third Parties

Imara will never sell your personal data, however we may share your information with third parties in order to provide services to you. Your data may be accessible to our IT support who manage our business critical systems, however, this is only for the purposes of supporting our IT systems and is strictly governed by our contractual arrangements with them. We require all third parties to respect the security of your personal information and to treat it in accordance with the law, which is why we have data sharing contracts in place, which means that our third-party service providers cannot use your personal information for their own purposes and can only process your personal information for specified purposes and in accordance with our instructions.

Some of our partners may run their operations outside of the EEA (European Economic Area) and this may include countries who have different Data Protection Laws. We will always take steps to make sure appropriate protections are in place (in accordance with UK Data Protection Law) and that information is safeguarded. Except for these specific cases listed below, we won’t share financial information with third parties without your specific consent unless required to do so by law.

By donating you are consenting to your financial and/or personal information being passed to our third party organisation Local Giving to process your transactions with Imara.  

Other third party service providers are: Charitylog, our Customer Relationship Management system;

Benefits providers and Criminal Records Check processors; Where we are under a duty to disclose or share your personal information in order to comply with any legal obligations, or in order to enforce or apply our Terms of Use and other agreements; or to protect the rights, property, or safety of Imara, our supporters or others.

For employees, payroll agencies, HMRC, pension, insurance companies.and statutory bodies, where regulated to do so by law

We will keep your personal information confidential, and where we provide it to other third parties we will only do so under contract, on conditions of confidentiality and security, and only for the purposes for which you have provided your information to us.

Third Party Websites

Our website may contain links to third party websites. This policy only applies to this site so if you follow a link to a third party site, please make sure you read the privacy policy on that site.

We do not accept any responsibility for third party sites.

4 How do we keep your data safe?

We take the security of your personal data very seriously. We have internal policies, controls and appropriate data collection, storage and processing practices and security measures in place to ensure that your data is not lost, accidentally destroyed, misused or disclosed, and is not accessed except by our employees in the proper performance of their duties. We work hard to make sure that our security procedures do the job they are designed to do and any communications between you and Imara are protected by secure email, and encryption procedures.

5 Where we store and process your information

The information that we collect from you may be transferred to, and stored in, a location outside of the United Kingdom, but only where we are satisfied that it has an adequate level of protection.  By submitting your personal information, you agree to this transfer, storing or processing. Imara will take all steps reasonably necessary to ensure that your information is treated securely and in accordance with this Privacy Notice.

6 Your legal rights

Under the UK General Data Protection Regulation (GDPR), you have the following rights:

a. the right to be informed

b. the right to access your personal information

c. the right to edit and update your personal information

d. the right to request to have your personal information deleted

e. the right to restrict processing of your personal information

f. the right to data portability

g. the right to object- including automated decision making and profiling

h. the right to lodge a complaint with a supervisory authority

 If you wish to exercise your rights, please contact us, providing as much information as possible about the nature of your contact with us to help us locate your records. Any changes you have requested may take 30 days before they take effect.

6a. The right to be informed.

You have the right to be informed about the data we hold and share about you. This will be described to you through our privacy notice above.

6b. The right to access your personal information

You have a right to access your personal data. By making a subject access request to Imara you can find out what personal data we hold about you, why we hold it and who we disclose it to. To make a subject access request please Email: report@imara.org.uk

Or write to: Data Protection Officer,Imara,200/202 Mansfield Road Nottingham Nottinghamshire Postcode NG1 3HX 

Once we have received your request, and verified your identity, we will respond within 30 days.

6c. The right to edit and update your personal information

The accuracy of your personal information is important to us. You can edit your personal information including your address and contact details at any time.

6d. The right to request to have your personal information deleted

You have the right to request the deletion of your personal information which we will review on a case-by-case basis.

6e. The right to restrict processing of your personal information

You have the right to ‘block’ or suppress processing of your personal data. However, we will continue to store your data but not further process it. We do this by retaining just enough of your personal information so we can ensure that the restriction is respected in the future. Please note, this is not an absolute right and only applies in certain circumstances.

6f. The right to data portability

You have the right to get your personal data from us in a way that is accessible and machine readable, for example as a csv file. You also have the right to ask us to transfer data you have provided us with to another organisation where technically feasible.

6g. The right to object

You have the right to object to your personal information being processed for marketing (including automated decision making and profiling) and for research purposes. From the very first communication from us and every marketing communication we send after you will have the right to object to marketing.

6h. Your right to lodge a complaint with a supervisory authority

We would hope that we can solve your complaint in the first instance by you emailing our Data Protection Officer  report@imara.org, but should you wish to lodge a complaint or seek advice from a supervisory authority please contact: The Office of the Information Commissioner, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF Tel: +44 (0) 01625 545 745 Website: www.ico.org.uk