We need to hold personal information about people that interact with Merton CIL to provide quality services, deliver needed work and keep our community informed.

We hold all personal information in line with General Data Protection Regulations (GDPR) and all other UK data protection laws. We will ask for consent before we keep your personal information, and we will keep your information safe and private.

We will usually only share your personal information if you give us permission. However, we may have a legal duty to share your personal information if we think someone is at risk or if a crime has been committed.

We may update this privacy notice at any time.

Some of the information on this page may be difficult to understand. Please get in touch if you would like something explained to you.

 

Download our privacy policy

Easy Read Privacy Notice - 2026

PDF Privacy Notice 

BSL Privacy Notice

Enable the recite me button at the top of the page to translate the information below. 

 

The personal information that we collect

We collect, store and use the following information:

  • Contact information – we keep contact information like home addresses, phone numbers and email addresses.
  • Demographic information – if you chose to share, we keep information about things such as your ethnicity, religion and more.
  • Information about your impairment or health condition.
  • Casework information – when we provide Advice or speaking up support, we keep a record of our work together, the problems you are facing, details of your support needs, impairments or health condition.
  • Information about your interests, goals or work.
  • Financial or employment information – sometimes we may store bank details or NI numbers for advice purposes or to pay volunteer expenses.
  • Technical information – when you use our website cookies collect information about your domain name, location, IP address, content you view on our website and how long you stayed on a page.
  • Any feedback, compliments or complaints shared.

 

Why we need the information and what we use it for

We hold your personal information because it is necessary for our legitimate interests. These are a few ways that we may use your personal information:

  • To provide you with a quality service and keep in contact whilst we work together.
  • To keep records about the work that we do for contracts, agreements with funders and legal purposes. We report back to funders about the services we deliver and to whom.
  • To work with third party service providers that audit and evaluate the quality of our work to help make our services more accessible and effective.
  • To let you know about Merton CIL’s work and ways that you can get involved if you want to join our push for change.

 

How we get the information

You will give us the information yourself. You may do this when you use our advice service, join our community of members, volunteer, come to an event or more. Your information may have been given to us by another organisation if they have referred you for support.

 

Consent

We will ask you to consent to us keeping and using your personal information. This may happen by:

  • Verbally - If you contact us by telephone, email or dropping in to Vestry Hall, we will take basic information and ask you verbally if you are happy with your details being stored on our database.
  • If you register as a member of our community, you will be asked to sign form giving us consent to sign you up and store your information.
  • If you are using one of our services, you will be asked to sign a number of consent forms.
  • If we need to share your information with another organisation you will be asked to sign a sharing information agreement or referral form to give consent.
  • We will ask you for consent to create anonymous case studies and use your case during audits of our work.

 

There are some situations where we can share your information without your permission

  • If you are at risk of harm or you present a risk to others.
  • If we need to share information as part of a criminal investigation or believe a crime may or has been committed.
  • We share anonymised demographic information with funders.

 

How we store your information

  • We hold digital personal information in secure systems and databases with servers in the UK. Our systems and data bases are password protected, cloud based and we use multi factor authentication.
  • We aim to digitise the personal information that we hold but if we do have paper information, this is stored in our office at Vestry Hall in locked and secure cabinets. Information is shredded once it has been digitised.

 

How long we keep information for

If you use our services or you join our community of members, we will keep your information for 6 years after the date of your last contact with us. This is a legal requirement.

We keep personal information if job applicants for 6 months. We keep financial information for 6 years.

 

Your rights

Under GDPR you have the right to:

  • The right to be informed
  • The right of access – you can ask for copies of your personal information. This is called a ‘subject access request’.
  • The right to rectification – you can ask us to make corrections if you think we hold inaccurate personal information.
  • The right to erasure – you can ask us to delete date unless we have a legal obligation to keep it.
  • The right to restrict processing – you can ask us to restrict how we use your personal information unless we have a legal obligation to keep it.
  • The right to data portability – you can ask us to transfer your personal information to another organisation.
  • The right to object
  • Rights in relation to automated decision making and profiling.

 

We may be entitled to refuse requests if the conflict with our legal obligations.

 

How to make a subject access request

You should follow the process below to make a request to access the personal information that we hold on you:

  • Tell us in writing or verbally that you would like access to your personal information.
  • We will write to you to confirm or decline your request.
  • If we confirm, we will provide information without delay and at least within 28 days of receiving your request.
  • We can extend this by a further two months for complex or numerous requests. In this case we will provide a written explanation.
  • We will provide your information in a format that is most accessible to you for free.
  • We can charge a ‘reasonable fee’ when a request is excessive, repeated or unfounded. This does not mean that we can charge for all subsequent access requests.

If we refuse to enforce a right, eg the right of erasure, we will inform you within 28 days of the request. We will provide a written explanation of the reasons we are not taking action and share details of the ICO and your ability to seek to enforce this right through a judicial remedy.

 

Questions, concerns or complaints

If you have any questions or concerns about how we process your personal data, or you wish to exercise any of the rights set out above, you should contact out Data Protection Officer, David Jenkins.

  • Email – info@mertoncil.org.uk
  • Telephone – 0203 397 3119
  • SMS - 0779 671 2502
  • Social media - @MertonCIL
  • Post – Vestry Hall, 336 London Road, Mitcham, CR43UD

 

You can find out more about your rights on the ICO website. If you are not satisfied with how we are processing your personal data, you can raise also raise a concern with the ICO too.