Your personal data – what is it?

Personal data relates to a living individual who can be identified from that data. Identification can be by the information alone or in conjunction with any other information in the data controller’s possession or likely to come into such possession. The processing of personal data is governed by the General Data Protection Regulation (the “GDPR”).

Who are we?

Leeds Autism Services is the data controller (contact details below). This means it decides how your personal data is processed and for what purposes.

How do we process your personal data?

Leeds Autism Services complies with its obligations under the “GDPR” by keeping personal data up to date; by storing and destroying it securely; by not collecting or retaining excessive amounts of data; by protecting personal data from loss, misuse, unauthorised access and disclosure and by ensuring that appropriate technical measures are in place to protect personal data.

We use your personal data for the following purposes:

  • To enable us to provide an adult social care service for the benefit of adults with autism in the Leeds area
  • To administer service user records
  • To fundraise and promote the interests of the charity
  • To manage our employees and volunteers
  • To maintain our own accounts and records (including the processing of gift aid applications)
  • To inform you of news, events and activities associated with Leeds Autism Services

What is the legal basis for processing your personal data?

  • Explicit consent of the data subject so that we can keep you informed about events and activities associated with Leeds Autism Services
  • Maintaining up-to-date records of service users and significant others in order to undertake our legal obligations as a care provider
  • Processing is necessary for carrying out legal obligations in relation to Gift Aid or under employment, social security or social protection law, or a collective agreement

Sharing your personal data

Personal data will be treated as strictly confidential and will only be shared within LAS to carry out our legal obligations as a care provider. We will not share your data with third parties outside of LAS without your consent.

How long do we keep your personal data?

We keep data in accordance with the guidance and retention periods set out in the GDPR policy, which is available from the LAS website.

Specifically, we keep mailing list information, gift aid declarations and associated paperwork for 6 years after the calendar year to which they relate.

Your rights and your personal data

Unless subject to an exemption under the GDPR, you have the following rights with respect to your personal data:

  • The right to request a copy of your personal data which Leeds Autism Services holds about you;
  • The right to request that Leeds Autism Services corrects any personal data if it is found to be inaccurate or out of date;
  • The right to request that your personal data is erased where it is no longer necessary for Leeds Autism Services to retain such data;
  • The right to withdraw your consent to the processing at any time;
  • The right to request that the data controller provide the data subject with his/her personal data and where possible, to transmit that data directly to another data controller, (known as the right to data portability), (where applicable) [Only applies where the processing is based on consent or is necessary for the performance of a contract with the data subject and in either case the data controller processes the data by automated means].
  • The right, where there is a dispute in relation to the accuracy or processing of your personal data, to request that a restriction is placed on further processing;
  • The right to object to the processing of personal data, (where applicable) [Only applies where processing is based on legitimate interests (or the performance of a task in the public interest/exercise of official authority); direct marketing and processing for the purposes of scientific/historical research and statistics];
  • The right to lodge a complaint with the Information Commissioner’s Office.

Further processing

If we wish to use your personal data for a new purpose, not covered by this Data Protection Notice, then we will provide you with a new notice explaining this new use prior to commencing the processing and setting out the relevant purposes and processing conditions. Where and whenever necessary, we will seek your prior consent to the new processing.

Website Provider

Your data may also be available to our website provider to enable us and them to deliver their service to us, carry out analysis and research on demographics, interests and behavior of our users and supporters to help us gain a better understanding of them to enable us to improve our services. This may include connecting data we receive from you on the website to data available from other sources. Your personally identifiable data will only be used where it is necessary for the analysis required, and where your interests for privacy are not deemed to outweigh their legitimate interests in developing new services for us. In the case of this activity the following will apply:

  1. Your data will be made available to our website provider
  2. The data that may be available to them include any of the data we collect as described in this privacy policy.
  3. Our website provider will not transfer your data to any other third party, or transfer your data outside of the EEA.
  4. They will store your data for a maximum of 7 years.
  5. This processing does not affect your rights as detailed in this privacy policy.

General Data Protection Regulation Policy (GDPR)

Policy Statement

This policy sets out how LAS seeks to protect personal data and ensure that staff understand the rules governing their use of personal data to which they have access in the course of their work. This policy requires staff to ensure that the Data Protection Controller (DPC) be consulted before any significant new data processing activity is initiated to ensure that relevant compliance steps are addressed.

The GDPR applies to LAS as it falls into two broad definitions: ‘controllers’ and ‘processors’. The definitions are similar to those defined in the Data Protection Act 1998 (DPA) in that controllers say how and why personal data is processed, and processors act on the controller’s behalf. If you are a processor, the GDPR will place specific legal obligations and liabilities on you; for example, you will be required to maintain records of personal data and processing activities. If you are a controller, you are not relieved of your obligations where a processor is involved. The GDPR places further obligations on you to ensure your contracts with processors comply with the GDPR.


“data controller” means a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed.

“data processor”, in relation to personal data, means any person (other than an employee of the data controller) who processes the data on behalf of the data controller.

“processing”, in relation to information or data means obtaining, recording or holding the information or data or carrying out any operation or set of operations on the information or data, including: organisation, adaptation or alteration of the information or data; retrieval, consultation or use of the information or data; disclosure of the information or data by transmission, dissemination or otherwise making available; alignment, combination, blocking, erasure or destruction of the information or data.


The purposes for which personal data may be used by LAS: Personnel, administrative, financial, regulatory, payroll and business purposes.

Business purposes include the following:

  • Compliance with our legal, regulatory and corporate governance obligations and good practice
  • Gathering information as part of investigations by regulatory bodies or in connection with legal proceedings or requests
  • Ensuring business policies are adhered to (such as policies covering email and internet use)
  • Operational reasons, such as recording transactions, training and quality control, ensuring the confidentiality of commercially sensitive information, security vetting, credit scoring and checking
  • Investigating complaints
  • Checking references, ensuring safe working practices, monitoring and managing staff access to systems and facilities and staff absences, administration and assessments
  • Monitoring staff conduct, disciplinary matters
  • Marketing our business
  • Improving services

Personal Data

Personal data is information relating to identifiable individuals, such as job applicants, current and former employees, agency, contract and other staff, clients, suppliers and marketing contacts. Personal data we gather may include: individuals’ contact details, educational background, political opinions, financial and pay details, details of certificates and diplomas, education and skills, marital status, nationality, job title, and CV.

Sensitive personal data

Sensitive data is personal data about an individual’s racial or ethnic origin, religious or similar beliefs, trade union membership (or non-membership), physical or mental health or condition, criminal offences, or related proceedings. Any use of sensitive personal data should be strictly controlled in accordance with this policy. We will document the additional justification for the processing of sensitive data, and will ensure any biometric and genetic data is considered sensitive.

Scope of this policy

This policy supplements our other policies relating to internet and email use, recording and disclosure policy. LAS have appointed the HR Manager as the Data Protection Controller (DPC). The DPC has overall responsibility for the day-to-day implementation of this policy.

Fair and lawful processing

LAS must process personal data fairly and lawfully in accordance with individuals’ rights. This generally means that we should not process personal data unless the individual whose details we are processing has consented to this happening or we are required to do this by law (e.g. to comply with legal obligations to ensure health and safety at work). Consent must not be assumed.

Responsibilities of the IT service
LAS have outsourced their IT management to:
Man-sys UK Ltd
Hope Park Business Centre
Trevor Foster Way

It is their responsibility to:

  • Check and scan security hardware and software regularly to ensure it is functioning properly
  • Ensure all systems, services, software and equipment meet acceptable security standards
  • Research third-party services, such as cloud services the company is considering using to store or process data

Responsibilities of the Partnership and Development Officer

  • Approving data protection statements attached to emails and other marketing copy with the DPC
  • Addressing data protection queries from clients, target audiences or media outlets
  • Coordinating with the DPC to ensure all marketing initiatives adhere to data protection laws and LAS General Data Protection Regulation Policy

The processing of all data must be:

  • Necessary to deliver our services
  • In our legitimate interests and not unduly prejudice the individual’s privacy

In most cases this provision will apply to routine business data processing activities in accordance with the individual’s rights:

  • The right to be informed
  • The right of access
  • The right to rectification
  • The right to erasure
  • The right to restrict processing
  • The right to data portability
  • The right to object
  • The right not to be subject to automated decision-making including profiling

Privacy Notice - transparency of data protection

LAS Terms of Business contains a Privacy Notice on data protection. Being transparent and providing accessible information to individuals about how we will use their personal data is important for our organisation.

Retention period

Personal data will not be retained for longer than is necessary. What is necessary will depend on the circumstances of each case, taking into account the reasons that the personal data was obtained, but should be determined in a manner consistent with our data retention guidelines:

  • Statutory and Employment Records during term of employment then 6 years subsequently
  • All gift aid information to be retained for 6 years from date of last donation as evidence required by HMRC
  • Accounts and financial transactions to be held for 6 years
  • Service user records (including incident reports and daily records) should be kept for 20 years after the last entry in the record or 8 years after the service user’s death if service user died whilst in the care of the organisation (Department of Health guidelines – record management 2009)
  • Health and Safety / Accident records to be kept for the length of employment plus 3 years
  • Employee training records for the length of employment plus five years

Accuracy and relevance

LAS will ensure that any personal data that is processed is accurate, adequate, relevant and not excessive, given the purpose for which it was obtained. LAS will not process personal data obtained for one purpose for any unconnected reason unless the individual concerned has agreed to this or would otherwise reasonably expect this.

Individuals may ask that we correct inaccurate personal data relating to them. If you believe that information is inaccurate you should record the fact that the accuracy of the information is disputed and inform the DPO.

Your personal data

You must take reasonable steps to ensure that personal data we hold about you is accurate and updated as required. For example, if your personal circumstances change, inform HR so that they can update your records.

Data security

LAS must keep personal data secure against loss or misuse. Where other organisations process personal data as a service on our behalf, the DPC will establish what, if any, additional specific data security arrangements need to be implemented in contracts with those third party organisations.

Storing data securely

In cases when data is stored on printed paper, it should be kept in a secure place where unauthorised personnel cannot access it. Printed data should be shredded when it is no longer needed. Email or other social media accounts should be protected by strong passwords that are changed regularly. Personal data must not be stored on local hard drives or portable data storage devices such as CDs, memory sticks, mobile phones / tablets or portable hard drives. All personal data must be stored exclusively on the authorised cloud server. The CEO must approve any cloud used to store data. Our servers are located at Node4 DC, Pope Street, Normanton, Wakefield, WF6 2TA.

Data is encrypted and backed up to the second location on a daily basis using VSS and application aware back-ups, and stored using a 30 day retention period as standard. Data is protected by anti-virus software, internal and external firewalls and intrusion detection software which is monitored and scanned by the IT support provider. Account holders should empty recycle bins on the remote desktop on a monthly basis. Data should never be saved directly to mobile devices such as laptops, tablets or smartphones. All servers containing sensitive data must be approved by the CEO and protected by security software, and strong internal and external firewalls.

Transferring data internationally

There are restrictions on international transfers of personal data. You must not transfer personal data anywhere outside the UK without first consulting the Data Protection Controller. Specific consent from the individual must be obtained prior to transferring their data outside the EEA.

Data portability

Upon request, an individual (namely employees) has the right to receive a copy of their data in a structured format. These requests should be processed within one month, provided there is no undue burden and it does not compromise the privacy of other individuals. They may also request that their data is transferred directly to another system. This must be done for free. This request must be referred to the HR Manager immediately. In the event of a request being manifestly unfounded or excessive, LAS have the right to charge for the request. If a request is refused, the individual concerned will be informed of the reason(s) and that they have the right to complain to the supervisory authority. This complaint must be done without undue delay and at the latest, within one month.

Please contact the HR Manager if you would like to correct or request information that we hold about you. There are also restrictions on the information to which you are entitled under applicable law.

Subject Access Requests (SARS)

We will ensure that the named Data Controller will have responsibility for dealing with all SARS requests and will ensure compliance of any given request within 30 calendar days of receipt. However, if we feel that the request is complicated or is a large request, we reserve the right to extend the response time by a further two months. There are also certain exceptions whereby we may charge a nominal fee if we feel the request is manifestly unfounded or excessive.

Conditions for processing

We will ensure any use of personal data is justified using at least one of the conditions for processing, and this will be specifically documented. All staff who are responsible for processing personal data will be aware of the conditions for processing. The conditions for processing will be available to individuals in the form of a privacy notice.


The data that we collect is subject to active consent by the individual. This consent can be revoked at any time.

Disclosure and Barring Service (DBS)

Any DBS checks are justified by law. DBS checks cannot be undertaken based solely on the consent of the subject.

Right to be forgotten

An individual may request that any information held on them is deleted or removed, and any third parties who process or use that data must also comply with the request. An erasure request can only be refused if an exemption applies. 

Reporting breaches

All members of staff have an obligation to report actual or potential data protection compliance failures. This allows us to:

  • Investigate the failure and take remedial steps if necessary
  • Maintain a register of compliance failures
  • Notify the Supervisory Authority (SA) of any compliance failures that are material either in their own right, or as part of a pattern of failures


Everyone must observe this policy. The CEO has overall responsibility for this policy. Data audits will be conducted regularly to make sure policy is being adhered to.

Consequences of failing to comply

We take compliance with this policy very seriously. Failure to comply puts both you and the organisation at risk. The importance of this policy means that failure to comply with any requirement may lead to disciplinary action under our procedures which could result in dismissal. If you have any questions or concerns about anything in this policy, do not hesitate to contact the DPC.


All staff will receive training on this policy. New staff will receive training as part of the induction process. Further training will be provided at least every three years, or whenever there is a substantial change in the law or to our policy and procedure.

Training will cover:

  • The law relating to data protection
  • Our data protection and related policies and procedures

Completion of training is compulsory.