1. Policy Statement

 Lighthouse Therapy Group will:

  • comply with both the law and good practice in relation to Data Protection

  • respect individuals’ rights

  • be open and honest with individuals whose data is held

  • provide training and support for staff and volunteers who handle personal data, so that they can act confidently and consistently

 Lighthouse Therapy Group recognisesthat its first priority under the Data Protection Act is to avoid causing harm to individuals. Information about staff, volunteers and clients will be used fairly, securely and not disclosed to any person unlawfully.

 Secondly, the Act aims to ensure that the legitimate concerns of individuals about the ways in which their data may be used are taken into account. In addition to being open and transparent, Lighthouse Therapy Group willseek to give individuals as much choice as is possible and reasonable over what data is held and how it is used.

 Lighthouse Therapy Group isthe Data Controller and is registered under the Data Protection Act 1998. All processing of personal data will be undertaken in accordance with the data protection principles.

 2.   Brief introduction to Data Protection Act

The Data Protection Act gives individuals the right to know what information is held about themand their child/children. It provides a framework to ensure that personal information is handled properly.

 The Act works in two ways. Firstly, it states that anyone who processes personal information must comply with eight principles, which make sure that personal information is:

  • Fairly and lawfully processed

  • Processed for limited purposes

  • Adequate, relevant and not excessive

  • Accurate and up to date

  • Not kept for longer than is necessary

  • Processed in line with the rights of Data Subjects

  • Secure

  • Not transferred to other countries without adequate protection

 The second area covered by the Act provides individuals with important rights, including the right to find out what personal information is held on computer and most paper records.

 Lighthouse Therapy Group will:

  • comply with both the law and good practice

  • respect individuals’ rights

  • be open and honest with individuals whose data is held

  • provide training and support for staff and volunteers who handle personal data, so that they can act confidently and consistently

3. Definitions

 The Data Subject is the individual whose personal data is being processed. Examples include:

• Employees– current and past

• Volunteers

• Jobapplicants

• Service users

• Suppliers.


Processing means the use made of personal data including:

• obtaining and retrieving

• Holdingand storing

• making available within or outside the organisation

• Printing, sorting, matching, comparing, destroying.


The Data Controller is the legal ‘person’, or organisation, that decides why and how personal data is to be processed. The data controller is responsible for complying with the Data Protection Act.

The Data Processor - the data controller may get another organisation to be their data processor, in other words to process the data on their behalf. Data processors are not subject to the Data Protection Act. The responsibility of what is processed and how remains with the data controller. There should be a written contract with the data processor who must have appropriate security.

 The Data Protection Officer is the name given to the person in organisations who is the central point of contact for all data compliance issues.

4. Responsibilities

Lighthouse Therapy Grouprecognises its overall responsibility for ensuring that they complywith its legal obligations.

The Data Protection Officer is currently Mark Walsh who has the following responsibilities:

  • Briefing the board on Data Protection responsibilities

  • Reviewing Data Protection and related policies

  • Advising other staff on Data Protection issues

  • Ensuring that Data Protection induction and training takes place

  • Handling subject access requests

  • Approving unusual or controversial disclosures of personal data

  • Ensuring contracts with Data Processors have appropriate data protection clauses

  • Electronic security

  • Approving data protection-related statements on publicity materials and letters

Each member of staff and volunteer at Lighthouse Therapy Group whohandles personal data will comply with the organisation’s operational procedures for handling personal data (including induction and training) to ensure that good Data Protection practice is established and followed.

All staff and volunteers are required to read, understand and accept any policies and procedures that relate to the personal data they may handle in the course of their work. Significant breaches of this policy will be handled under the organisations disciplinary procedures.

5. Confidentiality

Because confidentiality applies to a much wider range of information than Data Protection, Lighthouse Therapy Group hasa separate Confidentiality / privacy Policy. This Data Protection Policy shouldbe read in conjunction with theOrganisation’s Confidentiality Policy.

Lighthouse Therapy Group hasa privacy statement for clients, setting out how their information will be used. This is available on request, and a version of this statement will also be used on the Organisation web site. (See Annex below)

Staff, volunteers and sessional workers are required to sign a short statement indicating that they have been made aware of their confidentiality responsibilities.

In order to provide some services, Lighthouse Therapy Group willneed to share client’s personal data with other agencies (Third Parties). Verbal or written agreement will always be sought from the client before data is shared.

Where anyone within Lighthouse Therapy Group feelsthat it would be appropriate to disclose information in a way contrary to the confidentiality policy, or where an official disclosure request is received, this will only be done after discussions with a manager or the Data Protection Officer. All such disclosures will be documented.

6. Security

This section of the policy only addresses security issues relating to personal data. It does not cover security of the building, business continuity or any other aspect of security.

Any recorded information on clients, volunteers and staff will be:

    • Kept in locked cabinets

    • Protected by the use of passwords if kept on computer

    • Destroyed confidentially if it is no longer needed

Access to information on the main database is controlled by a password and only those needing access are given the password. Staff and volunteers should be careful about information that is displayed on their computer screen and make efforts to ensure that no unauthorised person can view the data when it is on display. Notes regarding personal data of clients should be shredded or destroyed.

Data Recording and storage

Lighthouse Therapy Group hasa database holding basic information about all clients and volunteers. The back-up discs of data are kept:

 Please insert location Room 116 in lockable unit.

Lighthouse Therapy Group will regularly review its procedures for ensuring that its records remain accurate and consistent and, in particular:

  • The database system is reviewed and re-designed, where necessary, to encourage and facilitate the entry of accurate data.

  • Data on any individual will be held in as few places as necessary, and all staff and volunteers will be discouraged from establishing unnecessary additional data sets.

  • Effective procedures are in place so that all relevant systems are updated when information about any individual changes.

  • Staff and volunteers who keep more detailed information about individuals will be given additional guidance on accuracy in record keeping.

  • Data will be corrected if shown to be inaccurate


Lighthouse Therapy Group storesarchived paper records of clients and volunteers securely in the office.

7. Access to data

All clients and customers have the right to request access to all information stored about them.

Parents will have ready access to the records of their own child/children, but will not have access to information about any other child.

If any information is required we act within the UK’s Freedom of Information act 2000guidelines.

Access requests will be handled by the Data Protection Officer within the required time limitof 20workingdays.

Access requests must be in writing(The letter can be emailed).

There is an administration charge of £20.00 

You will be required to include the following;

  • your name (not needed if requesting environmental information)

  • a contact addressand telephone no

  • a detailed description of the information you want - for example, you might want all information held on a subject, or just a summary

  • Proof of parental responsibility if information is concerning a child.The request will be notified to any other parent who has parental responsibility.

All staff and volunteers are required to pass on anything which might be a subject access request to the Data Protection Officer without delay. All those making a subject access request will be asked to identify any other individuals who may also hold information about them, so that this data can be retrieved.

Where the individual making a subject access request is not personally known to the Data Protection Officer their identity will be verified before handing over any information. The required information will be provided in permanent form unless the applicant makes a specific request to be given supervised access in person.

Lighthouse Therapy Group willprovide details of information to service users who request it unless the information may cause harm to another person.

Staff have the right to access their file to ensure that information is being used fairly. If information held is inaccurate, the individual must notify the Director so that this can be recorded on file.

8. Transparency

Lighthouse Therapy Group is committed to ensuring that in principle Data Subjects are aware that their data is being processed and 

  • for what purpose it is being processed;

  • what types of disclosure are likely; and

  •  Howto exercise their rights in relation to the data.

Data Subjects will generally be informed in the following ways:

  • Staff: in the staff terms and conditions

  • Volunteers: in the volunteer welcome/support pack

  • Clients: when they request (on paper, on line or by phone) services

Standard statements will be provided to staff for use on forms where data is collected. Whenever data is collected, the number of mandatory fields will be kept to a minimum and Data Subjects will be informed which fields are mandatory and why.

9. Consent

Consent will normally not be sought for most processing of information about staff. Although staff details will only be disclosed for purposes unrelated to their work for Lighthouse Therapy Group (e.g. financial references) with their consent.

Information about volunteerswill be made public according to their role, and consent will be sought for (a) the means of contact they prefer to be made public, and (b) any publication of information which is not essential for their role.

Information about clientswill only be made public with their consent (This includes photographs). Consent should be given in writing. In all cases it will be documented on the database that consent has been given.

All Data Subjects will be given the opportunity to opt out of their data being used in particular ways, such as the right to opt out of direct marketing(see below). Lighthouse Therapy Group acknowledgesthat, once given, consent can be withdrawn, but not retrospectively. There may be occasions where Lighthouse Therapy Group hasno choice but to retain data for a certain length of time, even though consent for using it has been withdrawn.

 10. Direct marketing

Lighthouse Therapy Group willtreat the following unsolicited direct communication with individuals as marketing:

  • seeking donations and other financial support;

  • promoting any services;

  • promoting events;

  • promoting membership to supporters;

  • promoting sponsored events and other fundraising exercises;

  • marketing products of the organisation

  • marketing on behalf of any other external company or voluntary organisation.


Whenever data is first collected which might be used for any marketing purpose, this purpose will be made clear, and the Data Subject will be given a clear opt out. If it is not possible to give a range of options, any opt-out, which is exercised,will apply to all Lighthouse Therapy Group marketing. Lighthouse Therapy Group doesnot have a policy of sharing lists, obtaining external lists or carrying out joint or reciprocal mailings.

Whenever e-mail addresses are collected, any future use for marketing will be identified, and the provision of the address made optional.

11. Staff training and acceptance of responsibilities

All staff that hasaccess to any kind of personal data will be given copies of all relevant policies and procedures during their induction process, including the Data Protection policy, Confidentiality policy and the operational procedures for handling personal data. All staff will be expected to adhere to all these policies and procedures. Lighthouse Therapy Group willprovide opportunities for staff to explore Data Protection issues through team meetings, and supervisions.


Lighthouse Therapy Group Privacy Policy

This privacy policy sets out how Lighthouse Therapy Group uses and protects any information that you give Lighthouse Therapy Group when you use this website.

Lighthouse Therapy Group is committed to ensuring that your privacy is protected. Should we ask you to provide certain information by which you can be identified when using this website, then you can be assured that it will only be used in accordance with this privacy statement.

Lighthouse Therapy Group may change this policy from time to time by updating this page. You should check this page from time to time to ensure that you are happy with any changes. This policy is effective from 1st June 2014.

What we collect

We may collect the following information:

  • name and job title

  • contact information including email address

  • demographic information such as postcode, preferences and interests

  • other information relevant to customer surveys and/or offers

What we do with the information we gather

We require this information to understand your needs and provide you with a better service, and in particular for the following reasons:

Internal record keeping

We may use the information to improve our products and services. We may periodically send promotional emails about new products, special offers or other information which we think you may find interesting using the email address which you have provided.

From time to time, we may also use your information to contact you for market research purposes. We may contact you by email, phone, fax or mail. We may use the information to customisethe website according to your interests.


We are committed to ensuring that your information is secure. In order to prevent unauthorisedaccess or disclosure we have put in place suitable physical, electronic and managerial procedures to safeguard and secure the information we collect online.

How we use cookies

A cookie is a small file which asks permission to be placed on your computer's hard drive. Once you agree, the file is added and the cookie helps analyseweb traffic or lets you know when you visit a particular site. Cookies allow web applications to respond to you as an individual. The web application can tailor its operations to your needs, likes and dislikes by gathering and remembering information about your preferences.

We use traffic log cookies to identify which pages are being used. This helps us analysedata about webpage traffic and improve our website in order to tailor it to customer needs. We only use this information for statistical analysis purposes and then the data is removed from the system.

Overall, cookies help us provide you with a better website, by enabling us to monitor which pages you find useful and which you do not. A cookie in no way gives us access to your computer or any information about you, other than the data you choose to share with us.

You can choose to accept or decline cookies. Most web browsers automatically accept cookies, but you can usually modify your browser setting to decline cookies if you prefer. This may prevent you from taking full advantage of the website.

Links to other websites

Our website may contain links to other websites of interest. However, once you have used these links to leave our site, you should note that we do not have any control over that other website. Therefore, we cannot be responsible for the protection and privacy of any information which you provide whilst visiting such sites and such sites are not governed by this privacy statement. You should exercise caution and look at the privacy statement applicable to the website in question.

Controlling your personal information

You may choose to restrict the collection or use of your personal information in the following ways:

  • whenever you are asked to fill in a form on the website, look for the box that you can click to

  • indicate that you do not want the information to be used by anybody for direct marketing purposes

  • if you have previously agreed to us using your personal information for direct marketing purposes, you may change your mind at any time by writing to or emailing us at [email address]

We will not sell, distribute or lease your personal information to third parties unless we have your permission or are required by law to do so. We may use your personal information to send you promotional information about third parties which we think you may find interesting if you tell us that you wish this to happen.

You may request details of personal information which we hold about you under the Data Protection Act 1998. If you believe that any information we are holding on you is incorrect or incomplete, please write to or email us as soon as possible, at the above address. We will promptly correct any information found to be incorrect.