Sheffield Young Carers Privacy Notice
Policy statement: Sheffield Young Carers Project (SYC) is an independent charity which has existed in Sheffield since 1997. We are dedicated to supporting young carers across the city. When doing this, we process personal data about people who: access our support services; help by supporting young carers within their own settings, e.g. education or health services; or provide us with support through campaigns, donations, booking onto training courses or volunteering.
We regard the protection of individuals’ personal and sensitive data to be of the greatest importance and will comply with the requirements of the current data protection legislation at all times. We are registered with the Information Commissioner’s Office as a data controller (registration no. Z2467860) and our named Data Protection Officer is our CEO.
Definition of terms
Within this policy:
‘data controller’ refers to Sheffield Young Carers
‘data processor’ refers to Sheffield Young Carers (or any third party we instruct to process data on our behalf)
‘data subject’ refers to any individual, e.g. young person, staff member, or financial supporter, whose data we process.
Throughout this policy, the words ‘you’ and ‘yours’ refer to the data subject and the words ‘we’ and ‘us’ refer to Sheffield Young Carers.
The purpose of this notice: This notice outlines what data we collect, how we may use it, how we protect your data and your rights. This policy should be read in conjunction with SYC’s Data Protection and Confidentiality Policies, to which it is closely related.
This notice includes any data we collect from you during your relationship with Sheffield Young Carers (SYC). This may be via:
any paper forms you fill out
verbal data collection
forms via our website, or online surveys
communication via social media
photographs, video or audio recordings.
We regularly check this notice to ensure that we are providing you with the most up-to-date information regarding our data processing activities. We strongly advise you to read this page from time to time to ensure you are happy with any changes that might be made.
If you have any questions, please telephone us on 0114 258 4595 or contact us here.
Why we collect your data: At Sheffield Young Carers, we communicate with a wide range of individuals and organisations in order to carry out our work, including service users and their families, partner organisations including referrers, and staff and volunteers.
We only collect personal details needed to fulfil the service you expect from Sheffield Young Carers. Depending on your relationship with us and the service you receive, the information we gather and record may differ.
Your rights: Under data protection laws in the UK and EU, you have certain rights over the personal information that we hold about you. If you would like to exercise your rights, please get in contact with any of the details listed below. Here is a summary of the rights we think apply:
a. Right to be Informed: You have the right to be informed as to how we use your data and under what lawful basis we carry out any processing. This Privacy Notice sets this information out however if you would like further information, please get in touch.
b. Right of Erasure – also known as the right to be forgotten: You may ask us to delete some or all of your information we hold about you. Sometimes where we have a legal obligation we cannot erase your personal data.
c. Right to Object: You have the right to object to processing where we are using your personal information such as where it is based on legitimate interests or for direct marketing.
d. Inaccurate personal information corrected: Inaccurate or incomplete information we hold about you can be corrected. The accuracy of your information is important to us. If any of your information is out of date or if you are unsure of this, please get in touch using the contact details below.
e. Right of restriction: You have a right to restrict the processing of some or all of your personal information if there is a disagreement about its accuracy, or we are not lawfully allowed to use it.
f. Right to Access your information: You have a right to request access to a copy of your personal information that we hold about you, along with the information on what personal information we use, why we use it, who we share it with, how long we keep it for and whenever it has been used for automated decision making. You can make a request for access free of charge and proof of identity is required.
g. Automated decision making: Automated decision-making takes place when an electronic system uses personal information to make a decision without human intervention. You have the right to question the outcome of automated decisions that may create legal effects or create a similar significant impact on you.
h. Portability: You can ask us to provide you or a third party with some of the personal information that we hold about you.
i. Right to withdraw consent: Where you have provided consent to our use of your data, you also have the right to withdraw that consent at any time. This means that we will stop processing your data
j. Transferring your information outside of the United Kingdom: Where personal data is stored outside of the UK and the EEA, safeguards to protect personal data may include but are not limited to the UK Addendum used in conjunction with the EU Standard Contractual Clauses (SCCs), or UK International Data Transfer Agreement (IDTAs). Such safeguards will be subject to Transfer Risk Assessments (TRAs).
If you would like to exercise any of these rights or would like any further information, please contact us on the details below:
By telephone: 0114 258 4595
By email: information@sheffieldyoungcarers.org.uk
By post: Data Protection Officer, Sheffield Young Carers, Unit R7b, Sheaf Bank Business Park, 20 Prospect Road, Sheffield S2 3EN
Storing and managing your personal data: If you are receiving support from us, we will need to process your data because of your specific relationship with us.
We will keep all of your personal information – including notes, letters and information given to us about you – in a confidential online record that is specific to you. For service users and agencies that we work with, we also use a customer relationship management system (CRM) called Simply Connect to help us do this accurately and securely. It allows us to keep the information you provide us with so we are able to see the history and relevant details of our work with you. This ensures that we provide appropriate and accurate advice or support. We take information security very seriously. No one is allowed access to our system or files unless they need this in order to provide the service to you or one of the other purposes discussed in this notice.
In order to make sure that our services meet a high standard of quality, service user files are sometimes checked by management staff for quality assurance purposes. Files may also be checked by external auditors if the work we do is funded by another organisation, such as the local authority or the Big Lottery Fund. All auditors are bound by confidentiality policies.
We may use your data for statistical reports. These statistics will not include any information that could be used to identify any individual.
We will only process your data for the following purposes, with your consent:
informing you about services provided by SYC
informing you about any changes to our services
communications about our charitable purpose, campaigns and fundraising
marketing purposes
SYC service or research questionnaires.
Retention of your data: Whatever your relationship with us, we will only store your information for a specific amount of time in line with our retention schedule. This may depend on the law or regulations that the information falls under such as financial regulations, Limitations Act, Health and Safety regulation etc., or any contractual obligation we might have – such as with government contracts or if we have a business case, such as with research data. For business case data, we will anonymize the data so no individual is identifiable. Once the retention period has expired, the information will be confidentially disposed of or permanently deleted.
Disclosure of your personal data: We will not, without your consent, supply any of your personal data to any third party – except where:
The transfer is to a secure data processor, which carries out data processing operations on our behalf.
We are required to do so by law enforcement or regulatory bodies where this is required or allowed under the relevant legislation.
If there is a situation where we are asked to share your data with other support services, funders or third-party survey providers, we will make sure you are informed and we will obtain your consent to share your data at the time of data collection. We will make sure your details are safe, secure and only used for the limited purpose you have provided them to u.
We will never share or sell your personal data to a third-party organisation for marketing, fundraising or campaigning purposes.
Security of your personal data: We use appropriate technical and organisational precautions to protect your personal data against any unauthorised or unlawful processing or any accidental loss, destruction or damage.
Personal data collected, how and why we collect it, and on what lawful basis
For more detailed information, please read the relevant appendices below.
Appendix 2 - Human Resources
Appendix 3 – Fundraising and Marketing
Appendix 4 – Website Visitors and Cookies
In the event of a data breach: We will notify the Information Commissioner without unnecessary delay and, where possible, within 72 hours of the data breach. Where the data breach is likely to lead to risks for rights and freedoms of our data subjects (not just in the scope of the UK GDPR but beyond) we will notify the data subjects as soon as practicably possible.
Making a complaint to SYC: When we receive a complaint from a person we make up a file containing the details of the complaint. This normally contains the identity of the complainant and any other individuals involved in the complaint.
We will only use the personal information we collect to process the complaint and to check on the level of service we provide. We may compile and publish statistics showing information like the number of complaints we receive, but not in a form which identifies anyone.
We usually have to disclose the complainant’s identity to whoever the complaint is about. This is inevitable where, for example, the accuracy of a person’s record is in dispute. If a complainant doesn’t want information identifying him or her to be disclosed, we will try to respect that. However, it may not be possible to handle a complaint on an anonymous basis.
We will keep personal information contained in complaint files in line with our retention policy. This means that information relating to a complaint will be retained for two years from closure. It will be retained in a secure environment and access to it will be restricted according to the ‘need to know’ principle.
Similarly, where enquiries are submitted to us we will only use the information supplied to us to deal with the enquiry and any subsequent issues and to check on the level of service we provide.
When we take enforcement action against someone, we may publish the identity of the defendant in our Annual Report or elsewhere. Usually we do not identify any complainants unless the details have already been made public.
If you are unhappy with the way we process your data, please get in touch by using one of the contact methods above. You can also make a complaint to the Information Commissioner’s Office (ICO) which regulates the use of information in the UK. They can be contacted by at 0303 123 1113 or you can write to them at Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.
Transferring your information outside of the United Kingdom: Where personal data is stored outside of the UK and the EEA, safeguards to protect personal data may include but are not limited to the UK Addendum used in conjunction with the EU Standard Contractual Clauses (SCCs), or UK International Data Transfer Agreement (IDTAs). Such safeguards will be subject to Transfer Risk Assessments (TRAs).
Changes to this privacy notice: We keep our privacy notice under regular review. If we make any significant changes to the way in which we process your information, we will let you know by either contacting you or posting a banner on our website.
How to contact us: If you want to request information about our privacy notice, email information@sheffieldyoungcarers.org.uk or write to us at:
Data Protection Officer, Sheffield Young Carers, Unit R7b, Sheaf Bank Business Park, 20 Prospect Road, Sheffield, S2 3EN
APPENDIX 1 – Service Users
1. How do we collect information about you?
We may collect the following information about you when you join SYC to allow SYC to provide you with advice and support, or to refer you on to other services that you have requested or been recommended:
Contact information, employment and financial details, family, lifestyle and social circumstances, health information and safeguarding information. This information is provided to us by you directly or via a referral, through completion of our forms. We may also collect criminal records information, and information through case studies.
Personal details shared during conversations with our support workers.
Personal details shared when participating in surveys and research (although this is voluntary).
Information shared to help improve SYC’s services and service users’ experiences.
If you are a training delegate:
Personal details needed for the administration of your booked training course.
Data needed to record and contact you regarding any payments you make to SYC, where applicable.
2. How is your information used? We may use your personal information toCarry out a thorough assessment of your needs;
Provide an appropriate service which best meets your needs;
Provide progress reports to funders;
Monitor and manage risk;
Protect yourself and the general public;
Meet our safeguarding duties;
Evaluation purposes;
Collate anonymised or pseudonymised statistical information for funders, the charity and delivery partners
3. Lawful basis for processing
We mainly rely on legitimate interest as our lawful basis for processing your personal data for the main activities we provide. When we process special category data and criminal records, the lawful basis is substantial public interest read with conditions from the Data Protection Legislation.
For case studies, we rely on your consent. For evaluation purposes, we rely on our legitimate interest.
Where our lawful basis for processing personal data is 6(1)(a) Consent of the data subject, we will ensure that consent is ‘freely given, specific, informed and unambiguous’ and, using our consent mechanisms, (e.g. referral form, e-newsletter sign-up form on our website) data subjects will be required to take some form of clear affirmative action, or ‘positive opt-in’. We will ensure that consent is separate from other terms and conditions and we will maintain accurate records pertaining to consent in order to remain transparent and accountable.
4. How long do we keep your data for?
We retain the personal data of all service users for a period of time in line with our retention periods. If you would like to know more about this, please contact us using the contact details on this page.
5. Confidentiality, data sharing and safeguarding
We may share or store your data with Sheffield City Council, your school/college, your GP, or other services involved in providing support. These organisations act as data processors, and process such data on our behalf.
When sharing information with funders, we will provide information anonymously.
When sharing information regarding attendance of support/training sessions, we will rely on legitimate interest.
To comply with our duty of care and safeguarding, we may need to pass some information raising safeguarding concerns with the authorities. In such circumstances, we apply vital interest and legitimate interest as our lawful basis. Data subjects’ rights and other UK GDPR provisions may be restricted when concerning personal data processed in these circumstances. Exceptions and exemptions are applied on a case-by-case basis.
APPENDIX 2 – Human Resources: Job applicants, current and former employees, trustees, volunteers, freelancers/consultants
When you apply for a job with SYC, your personal data will be collated in order to monitor the progression of your application, and monitor the effectiveness of the recruitment process through the statistics collected. Where we need to share your data – such as gathering references or obtaining a Disclosure and Barring Services – you will be informed beforehand, unless the disclosure is required by law. These checks are only done after a position has been offered and only to the successful candidate. On the application form, you are asked to complete the referee details and can tick permission to contact referee. If you tick yes, once offered a role we will automatically send out reference requests. If you tick no, we will contact the successful candidate for permission first.
Personal data about unsuccessful applicants is held for 12 months after the recruitment exercise is complete for that particular vacancy. Applicants can ask us to remove their data before this time if you do not want us to hold it. If we feel there is another suitable vacancy available, we will contact the applicant prior to sharing your application details with the relevant manager.
Once you have taken up employment with SYC, we will compile a file relating to your employment. The information contained in this will be kept secure and will only be used for purposes directly relevant to your employment, for example:
Bank details – to process salary payments
Emergency contact details – so we know who to contact in case you have an emergency at work
Pension provider details – to process pension payments
Once your employment with SYC has ended, we will retain the file in accordance with the requirements of our retention schedule and then delete it from our files
1. How and when do we collect information about you?
You provide several pieces of data to us directly during the recruitment period and subsequently upon the start of your employment/engagement. In some cases, we will collect data about you from third parties, such as employment agencies or former employers when gathering references.
2. What types of information is collected about you and who provides it?
We keep several categories of personal data on our employees, job applicants, trustees, volunteers, and consultants/freelancers in order to carry out effective and efficient processes. Specifically, depending on your type of engagement with SYC, we may process the following types of data:
personal details such as name, address, phone numbers
name and contact details of your next of kin
footage of the organisation events where you may appear
information of any disability or other medical information you have disclosed
right to work documentation
information gathered via the recruitment process such as that included in a CV, cover letter or application form, references from former employers, details on your education and employment history etc
National Insurance number, bank account details and tax codes
information relating to your employment with us (e.g job title, job description, salary, terms and condition of the contract, annual leave records, appraisal and performance indication, formal and informal proceedings involving you such as letters of concern and disciplinary, disciplinary and grievance proceedings.
internal and external training modules undertaken
information on time off from work including sickness absence, family related leave etc
IT equipment use including telephones and internet access
your biography and photograph of you for the website (if applicable).
We may also process special category data which include health information, sexual orientation, race, ethnic origin, political opinion, religion, trade union membership, and genetic data. We also process criminal records information if the role involves a DBS check.
3. How is the information used? We are required to use your personal data for various legal and practical purposes for the administration of your contract of employment or your volunteer/trustee agreement, without which we would be unable to employ you or have you volunteer with us. Holding your personal data enables us to meet various administrative tasks, legal obligation or contractual/agreement obligation. We process information in relation to the DBS for our safe recruitment practices.
4. Lawful basis for processing: We mainly use ‘contractual obligation’ as a lawful basis for processing personal data for employees, job applicants and freelancers. We mainly use ‘legitimate interest’ for trustees. We may also have a legal obligation to process and share your data, for example, where we need to share salary information to HMRC or use some of your data to enrol a new employee on a pension scheme.
We may rely on our legitimate interest for processing activities such as keeping supervision and appraisal records; using your image, bio and videos/pictures of the organisations’ events where you may appear on our website or marketing/fundraising materials to promote the charity.
Some special categories of personal data, such as information about health or medical conditions is processed in order to carry out employment law obligations (such as those in relation to colleagues with disabilities and for health and safety purposes). We may also process other special categories of personal data, such as information about ethnic origin, sexual orientation, health or religion or belief for the purposes of equal opportunities monitoring.
When processing criminal records (for example, in order to perform DBS checks), the organisation relies on the lawful basis of legitimate interest. When processing special category data and criminal records, we rely on additional conditions of the UK GDPR and DPA 2018.
5. How long do we keep your data? We only keep your data for as long as we need it, which will be for a duration of 6 years after your employment/engagement with us has ended. If you’ve applied for a vacancy but your application hasn’t been successful, we will keep your data only for 12 months.
Some data retention periods are set by the law. Retention periods can vary depending on why we need your data. Please get in touch by contacting us using the details above if you want to know more about retention periods.
Data is destroyed or deleted in a secure manner as soon as the retention date has passed.
6. Confidentiality - who do we share your data with? Personal Data in relation to your salary is shared with HMRC as part of our legal obligation. Personal Data may be shared with third parties for the following reasons: for the administration of payroll, pension, HR functions (for example, administering other employee benefits such as the Childcare Voucher Scheme). When sharing information with third parties, we have data sharing, processor agreements or contracts in place to ensure data is not compromised. Third parties must implement appropriate technical and organisational measures to ensure the security of your data.
APPENDIX 3 – Fundraising and Marketing
If you are a supporter, the information we collect is through the following ways:
When you make a donation
Information is provided by you via a donation form on our website or via third party donation platforms (e.g Stripe, GoCardless, JustGiving, Give As You Live Donate, CAF, PayPal Giving) . The information gathered may be: name, email address, Gift Aid sign up, company name if donation is made by an organisation, donation details, reasons to engage, postal address.
This information allows us to process your donation, and deal with any potential enquiry. We rely on our legitimate interest to process this data. If you agree that we can claim Gift Aid on your donations we are legally required to keep a record of the claim and your Gift Aid declaration. If you are donating using a third party, please also refer to the privacy notice published on their websites.
When you sign up to our fundraising events
Information is mainly provided by you via our website forms, via third party platforms (e.g Eventbrite) or in person during the events by paper forms. The information gathered may be: name, email address, company name if applicable, donation/payment details, reasons to engage, postal address, email address contact preference.
This information allows us to administer your sign up, process payments, and deal with any potential enquiry. We rely on the basis of legitimate interest to process this data.
During these types of events, we may also take photographs and video recording of people attending where you may be included. This information allows us to showcase our work and have an effective external communication. We rely on our legitimate interest to process this data. If you are signing up to an event using a third party, please also refer to the privacy notice published on their websites.
When you show interest in supporting us (e.g through a gift in your will or a pledge) and you decide to contact us
Information is provided mainly by yourself, via online forms or phone/email conversations with us. The information gathered may be: occupation, title, details of any correspondence had with ourselves, date of birth, fundraising appeals responses, event participations with us, details of your reasons to engage with us. This information allows us deal with your enquiry and show you how to get engaged. We rely on our legitimate interest to process this data.
Marketing Communications:
Your contact details may be used to provide you with information about our services or our fundraising opportunities via email, text or other electronic message. We will only send you fundraising and marketing communications by email, text or other electronic message if you have provided your consent, or if you have been involved in a commercial transaction with us. You may opt-out of our fundraising and marketing communications at any time by clicking the unsubscribe link at the end of our e-marketing communication. Alternatively, you can let us know by using any of the contact details listed in this notice.
In all cases, we will do our best to ensure that your personal data is accurate and, where necessary, kept up to date. We will ensure that our records are adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
Appendix 4: Website visitors and cookies
Website: The platform used to build our website is www.squarespace.com. When someone visits www.sheffieldyoungcarers.org.uk we use Squarespace Analytics to collect standard internet log information and details of visitor behaviour patterns. We do this to find out things such as the number of visitors to the various parts of the site. This information is only processed in a way which does not identify anyone. We do not make any attempt to find out the identities of those visiting our website. If we do want to collect personally identifiable information through our website, we will be up front about this. We will make it clear when we collect personal information and will explain what we intend to do with it.
Please note that our website may contain links to other websites of interest. Once you have used these links to leave our site, you should note that we do not have any control over that other website. Therefore, we cannot be responsible for the protection and privacy of any information which you provide whilst visiting such sites and such sites are not governed by this privacy policy. You should exercise caution and look at the privacy policy applicable to the website in question.
Cookies: A cookie is a small data file that is downloaded from a website to your computer, to make the site easier to use in a number of ways. For example, it may store details that you submit on the site, such as your personal settings, your location, or what you have in a shopping cart etc., so you don’t need to enter information more than once.
Using cookies does not allow us to identify users personally; we will only store information that you've specifically given us permission for.
Our website uses a small number of cookies to give us a better overall picture of how people interact with the site, and how we can improve our services to our service users and supporters. The information we gather through this process is completely anonymous, and visitors to the site cannot be identified.
We use some tools on our pages from social networks, such as Twitter and Facebook. Any information used via these tools is not shown to us, and we don't store any information from them. Please refer to each site's own privacy policies for more information.
Controlling and deleting cookies on your computer: All browsers allow you to manage which cookies you accept, reject and delete. You can usually find these controls under the ‘Preferences’ or ‘Tools’ menu. You can find more detail about individual browser settings at http://www.aboutcookies.org. Please note that, if you choose not to accept cookies from our website, some sections may not work properly.
E-newsletter: We use a third-party provider, Mailchimp, to deliver our quarterly e-newsletters. We gather statistics around email opening and clicks using industry standard technologies including clear gifs to help us monitor and improve our e-newsletter. For more information, please see MailChimp’s privacy policy.
Online surveys and our e-referral form: We collect information volunteered by members of the public about our services and referrals to our project using third party online survey tools such as Typeform and Microsoft Forms. These companies are data processors for SYC and only process personal information in line with our instructions. For more information, please see Typeform’s policies and Microsoft Form’s privacy information.
People who contact us via social media: We use a third-party provider, Hootsuite, to manage our social media interactions. If you send us a private or direct message via social media the message will be stored by Hootsuite for three months. It will not be shared with any other organisations.
People who email us: We encrypt and protect email traffic in line with government guidance. We also monitor any emails sent to us, including file attachments, for viruses or malicious software. Please be aware that you have a responsibility to ensure that any email you send is within the bounds of the law.
This privacy notice was last updated August 2025.