To download a copy of the 4YP privacy notice, please click here.
A more extensive version for volunteers and staff is available if you click here.
Suffolk Young People's Health Project (also referred to as ‘4YP’) believes confidentiality should be taken seriously and is committed to the security of your data and protecting your privacy.
The Role of SYPHP
SYPHP is a Data Controller. This means SYPHP is responsible for determining how we gather and store data of individuals (or Data Subjects), and the purposes for and manner in which that personal data is processed.
We define personal information as any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data) such as collated statistics from survey responses.
Our Promise to You
Any personal information we hold about you will be:
What Data We Collect
SYPHP may collect, store, and use the following categories of personal information:
We may also collect, store and use the following "special categories" of more sensitive personal data which require a higher level of protection:
How We Collect Personal Information
You may provide personal data to SYPHP when you:
To fulfill our obligation to funders, we may need to obtain data via observations.
We may also collect data, including the ‘special categories’, with your written consent.
Sometimes we collect data because of our obligation to do so by law, for an individual’s safety (to protect your vital interests), or for our role as an employer.
Where appropriate, we will seek consent of the holder of parental responsibility for any young person below the age of 16 years old. However, if deemed necessary (e.g. for sake of safeguarding) we may not as per paragraph 38 of the regulation, which states it may “not be necessary in the context of preventive or counselling services offered directly to a child.”
How Suffolk Young People’s Health Project Uses Data About You
We will only use your personal information for the purposes that we collect it for.
SYPHP uses data to carry out our objective to provide young people with an appropriate and supportive service or to help them access one.
Your personal information may be disclosed to any SYPHP employee or volunteer as reasonably necessary for the purposes identified in this policy.
SYPHP also uses data to:
On rare occasions, we may need to use your data for other reasons. In this case, we will notify you, explain why we are doing this, and tell you the legal basis which allows us to do so. We may need to use your data to:
Please note that we may process your personal information without your knowledge or consent, in compliance with the above rules, GDPR, and where this is required and permitted by law.
We may anonymise some personal data, for example survey results. In this case, it can no longer be associated with, or used to identify, an individual.
SYPHP uses some third-party services to assist in our operations.
SYPHP will act as a Data Controller for the personal data third-party services share with us.
These third-party services include:
SYPHP may on occasion need to share your data with third parties, including trusted service providers with whom we work. This will only be done where necessary, and you will be notified.
As with SYPHP, third parties are required to respect the security of your data. We only permit them to process your data for specified purposes and treat it in accordance with GDPR, the law, and SYPHP policies.
Examples of third parties 4YP works with in partnership or hold contracts with:
SYPHP may share statistical data with third parties, but no information from which individuals can be identified.
We will not, without your consent, supply your personal information to third parties for the purpose of direct marketing.
SYPHP uses a range of measures to protect the security of your information and prevent unauthorised access, loss, misuse or inappropriate alteration of your data.
We have put in place reasonable physical, electronic and managerial procedures to safeguard and secure personal information. For example, we use:
SYPHP limits access to your personal information to only the necessary employees and volunteers who need to know.
We have procedures to deal with a suspected data security breach, which may include notifying you and the Information Commissioner’s Office where we are legally required to do so.
We will retain your personal information (including printed and electronic documents) for only as long as necessary to fulfil the purposes for which we collected it, and to fulfill legal, accounting, employment, and reporting requirements.
Different types of data may be retained for different periods, as outlined in the SYPHP Retention Policy.
Your personal data stored by SYPHP will be destroyed or deleted at the point retention expires.
SYPHP has a duty to keep all the information we hold about you up-to-date in line with any amendments you tell us of.
As such, please keep us informed of any changes to your personal information by contacting us in one of the ways described under Your Rights, below.
The GDPR gives you greater control over your data held by a Data Processor like SYPHP.
You may express your rights, in writing or verbally, by addressing your request to the Data Protection Officer, by:
Providing an additional, appropriate security measure, we may need identification or other information to confirm who you are. This will clarify your right to access the data and exercise your rights and avoid incorrect disclosures.
Valid forms of identification may include a passport, driving licence or birth certificate.
SYPHP will respond to your request within one calendar month. Normally, no fee will be charged unless the request is excessive.
If we are unable to fulfill your request (for example, a legal obligation), or need to take longer to process your request, we will explain why.
SYPHP will always inform you about the collection and use of your personal information, outlining the purpose for which we obtain and use your data, the retention periods and who it will be shared with.
You have the right to request access to your personal information. If you do this, SYPHP will provide you with a copy of the personal information we hold about you to check that:
If you consider the personal information we hold about you to be inaccurate or incomplete, you can request for us to correct it.
If you have any concerns about the way SYPHP may be using your data, you may request for us to suspend its use while these are investigated. This is known as ‘restriction’. Concerns you may have could include:
You should note that restricted data remains stored (but not erased) and may be restricted only for a limited time period.
You have the right to prevent SYPHP using your personal data where your particular situation means you object to it being processed. In this case, we may require specific reasons.
We cannot request reasons for your objection to direct marketing. This includes contacting you about fundraising.
This data may still be stored, and not erased.
As part of your ‘right to be forgotten’, you may ask SYPHP to delete or remove your personal information where:
This right allows you to request us to move, copy, or transfer your personal data easily from the SYPHP IT network to yourself or another network, service, business, etc. We will do so without compromising security or the data usability.
This excludes information stored on paper-based files.
Right to Withdraw Consent
Occasionally, we may obtain your consent to collect and process your personal data for a specific purpose.
You have the right to withdraw your consent at any time by contacting the Data Protection Officer (see Changes to the Notice, below).
After SYPHP receives notification that you have withdrawn consent, we will no longer process your information for the stated purpose(s). There may be exceptions where we have another legitimate, lawful basis for doing so, which we will inform you of.
Report a Concern
If you have a concern about the way your personal information has been handled, complaints can be reported directly to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues, at:
Further information, including live chat help, is available online at https://ico.org.uk/concerns
Changes to this Notice
Suffolk Young People’s Health Project reserves the right to update and amend this privacy notice at any time.
The correct version will be accessible on the 4YP website at any time. Copies may also be requested from the Data Protection Officer at: