Ensuring that information about individuals is managed in a secure and sensitive way is rightly an important consideration for any organisation. We work with both adults and young people and the nature of our work means that we have a need to request and use a number of personal details.

This policy explains the principles by which we do this and the measures we take to ensure your data is used in a safe and responsible manner. Guidance about key data protection legislation (including GDPR) is given at the bottom of the page. If you have any concerns or questions about how your data is used, or how our approach could be strengthened please do not hesitate to contact us.

1. On any occasion where we request information from individuals, we will take all reasonable efforts to outline how the data is to be used.
2. We ask anyone providing us with personal details to give their consent for us to use the information.
3. Any individual will have the right to withhold their consent for us to use their personal information. However, withholding consent may make it impossible for them to participate in our projects. This will always be true in cases where we feel we require personal information to properly discharge our duty of care towards others.
4. An individual has the right to withdraw their consent for us to use their personal details. Unless otherwise advised, this should be done via email to [email protected]. As above, this may limit their ability to continue participating in our work.
5. Our duty of care towards individuals will always override agreements on data use. This means that if we believe, in good faith, that it is necessary to pass on personal information in ways other than those agreed with individuals in order to ensure their safety and wellbeing or the safety and wellbeing of others, we will do so.

• In all projects involving those under the age of 18, we will endeavour to establish a clear and open relationship with their parents or another adult who has been nominated to take responsbility for their welfare during a particular project (e.g. a teacher from a partner school).
• When requesting information directly from any person under the age of 16 we will ensure that consent for us to use this information is given by the individual’s parent (or where applicable another nominated adult).
• When requesting information from any individual aged 16 or 17 we will request contact details for a parent (or representative) and will ordinarily contact the parent, giving them an opportunity to withhold their consent for us to use the information. However, the young person in question has the right to refuse consent for us to contact their parents and we will abide by their wishes unless we feel that doing so would compromise our ability to uphold our duty of care.

The publication of identifiable images of individuals collected by or directly on behalf of Hobstone is managed as follows. This shall include images and videos published in physical form or online, including Social Media:

• Images of those under the age of 16 will always require the consent of their parent (or nominated representative) in advance of publication. Those aged 16 or 17 shall have the authority to give their own consent.
• Any individual will have the right to withdraw their consent for the use of identifiable images at any time before or after publication. Following any such request we will take all reasonable action to remove their image from circulation. It shall be accepted that complete removal may not always be possible.
• Images of individuals that do not readily identify them may be used without consent. This shall include images of those who are unknown to us. For example, those in wide-angle shots taken in public places, or places readily accessible to the public.
• In addition to images obtained by or on behalf of Hobstone, we reserve the right to use images provided by others individuals or organisations. We will expect that anyone giving us permission to use an image has the authority to do so and has obtained any consent necessary to satisfy their own data protection requirements.

Data in our possession may be stored physically of electronically. We will take the following measures to ensure it is secure.

• Physical data will be kept under lock and key or on the person of an authorised Hobstone representative. Any transfer of physical data between locations shall be the exception rather than the rule, but if necessary will usually be done using Royal Mail services and as a Recorded Delivery in cases of sensitive or important information
• Electronic data will be stored in password protected, cloud-based locations and secured email servers. Typically these services shall be provided by Microsoft and Google.
• Any electronic device on which data is stored or accessed will be password or pin protected.
• USB and other portable storage devices shall be used as an exception and shall be treated in the same manner as physical data.
• If we become aware of any data breach, we will inform those individuals involved as quickly as possible thereafter, taking all reasonable action necessary to limit the risk to them.

For a variety of reasons it is often necessary for us to pass personal details on to other individuals or organisations. Examples of this include: passing information to Homestay hosts about students (and vice-versa); giving information to hotels to confirm bookings or passing information to organisations such as the police or other authorities where the law requires us to do so. We agree to manage this as follows:

• Where possible, we will make it clear at the point of data collection which organisation or individuals we will need to pass the information to. If this is not possible, we will inform individuals of the need to pass on their information in advance of doing so, giving them an opportunity to withhold consent.
• We will take reasonable measures to ensure that third party organisations take responsibility for ensuring they manage the data we give to them in a secure and responsible manner.
• We will never sell information to other organisations nor pass in order for them to market their services without your consent.

• UK Government Information on Data Protection
• GDPR – General Data Protection Regulation – European Union Guidance
• How to request information about you from organisations

Data Protection Policy Version 4.01 – Published March 2023 – Review Date, 2th February 2024.