Privacy Policy

Introduction

The purpose of this policy is to explain what Oxfordshire Breastfeeding Support does with the personal data we collect, to ensure that data is used appropriately, and to ensure that records are securely maintained.

We aim to collect the minimum of personal data required to safeguard children and adults at risk, to safely and effectively deliver our services, to provide continuity of care, and to assess our performance against our mission and values, and project goals. Anonymised data is used where possible. When data is required for other purposes this will be stated clearly at the point of collection.

OBS aims to ensure that all personal data collected about service users, volunteers, trustees, contract workers and team members is collected, stored and processed in accordance with the General Data Protection Regulation (GDPR) and the provisions of the Data Protection Act 2018 (DPA 2018).

Data collection

We collect the following personal information from families every time they access our in-person and virtual services, not including our Facebook group:

  • The lactating parent’s name, age, email address
  • The baby’s name, date of birth or due date
  • The family’s house number or name, postcode and GP surgery
  • A brief description of the feeding issue or question, which may include baby weights if appropriate

On the first visit for each baby or pregnancy we also ask for:

  • The lactating parent’s ethnicity, gender identity, sexual orientation, disability, religion, number of weeks pregnant when they gave birth
  • Whether the baby spent time in a neonatal unit

We will at times ask families to share other types of personal information required to deliver our services more effectively and follow up on any concerns.

We recognise that this includes sensitive information, and will do all we can to ensure that the information provided by families is accurate, stored securely in line with GDPR and Data Protection Act requirements, accessible only to those who need to see it, and is used only for the purpose for which it was collected.

Legal basis for data collection 

The personal information that we collect is necessary to enable us to perform our core task of supporting families with infant feeding, and to safeguard children and adults at risk. We also have a legitimate interest in collecting statistical information that enables us to audit, fundraise for and develop our service. Information collected specifically for the purpose of fundraising is collected on the basis of informed consent.

Service user data processing

The information collected directly and through external platforms is used by OBS in the following ways:

  1. So that we can provide a service to the family in a way that responds to their individual needs.
  2. To provide statistics, for ourselves and funders, on who uses our service, referrals to and from the service, and the kinds of infant feeding issues we work with. For example we ask about ethnic origin and disability to understand whether we are providing appropriate support for the needs in the community or whether certain groups face more barriers to accessing our services. This data is pseudonymised before analysis and fully anonymised before reporting to funders, partners and in the public domain.
  3. Normally access to personal service user data is confined to the team and contract facilitators. In exceptional circumstances data may be shared with one or more trustees and/or outside agencies and partners in order to safeguard children and adults at risk from harm. In such cases we will obtain the service user’s permission to share their information where possible.
  4. When we collect personal information in order to deliver our services, service users can opt in to join our supporters’ mailing list. Outside of this mailing list, contact details will only be used to contact service users in connection with their use of our services.
  5. Our services use the following online platforms to process some sensitive service user information on our behalf. 
  • Cliniko: virtual appointment booking
  • Calendly: in-person and virtual appointment booking
  • Google: data collection form, pump registration form

When personal data about service users is collected on paper at in-person sessions, all necessary data will be transferred to OBS’s secure electronic records as soon as possible after the session, and the paper sheets will be destroyed.

OBS on Facebook

OBS is mainly active on Facebook on its private Facebook group for pregnant and lactating people in Oxfordshire, or whose babies were born in Oxfordshire, or who receive primary care from Oxford Health. All members must answer a set of joining questions and meet group membership requirements before being admitted by a moderator. We restrict the group membership to pregnant or lactating people only because of the sensitive nature of some of the infant feeding issues discussed.

Local health and allied professionals and students, who support OBS but may not meet the personal criteria, may be added at the discretion of the Facebook Administrator. 

OBS has a second, public Friends of OBS Facebook group that is open to all, and is primarily used for fundraising and service announcements. Anyone who posts requests for infant feeding support there will be signposted to the private group.

We also have a public Facebook page, which is used primarily to post information about the service or of relevance to service users. 

OBS does not provide support via private message on Facebook. Messages to our Facebook page are only visible to team members and an automatic response provides details of how to contact us for support.

Users of the OBS Facebook group should be aware that group membership is visible to all members and that, except if they post anonymously, other members will be able to see their Facebook profile name and photo. Posted comments will remain visible even after leaving the group unless specifically deleted by the user. OBS do not request any personal information on Facebook but the team has access to Facebook’s standard group membership and engagement information.

Information held by OBS about our volunteers, trustees & paid team members

Recruitment materials for volunteers, trustees, contract workers and team members ask for contact details, references, personal disclosures, references, DBS details and emergency contact details. Records are kept of training undertaken and attendance at supervision where applicable.

All information held about volunteers, trustees, contract workers and team members will be stored securely in electronic format inaccessible to the public.

We use the following online platforms to process information on our behalf about volunteers, trustees, contract workers and team members:

  • Google Workspace
  • SafeHR

Data security and storage limitation

All personal data collected will be stored securely. To protect users’ privacy, OBS have security systems to prevent unauthorised access, use, or disclosure, and loss, destruction or damage to personal data. OBS will investigate and take any actions needed to prevent breaches of data security. 

The amount of time we retain data depends on what it is used for. Service users have the right to request that personal data is erased at any time and can make this request either verbally or in writing. 

  1. Personal data about service users is deleted on a 2 yearly cycle. Users have the right to request that personal data is erased at any time and can make this request either verbally or in writing. 
  2. The exception to this is if a safeguarding issue is raised. In this event, we will create a separate record, which will be retained in a secure electronic format that is only accessible to relevant people, for up to 5 years, or as otherwise directed by Oxfordshire Safeguarding Children Partnership. This may be shared with other agencies, in accordance with our statutory obligations. 
  3. Information about volunteers will be kept for a maximum of 2 years after they stop volunteering with OBS.
  4. Information about trustees, contract workers and team members will be kept for a period of 6 years.

Data controller

The OBS staff member responsible for data control is Hannah Dingwall-Jones operations@oxbreastfeedingsupport.org.

Data Breaches

OBS has procedures in place that should ensure a data breach does not occur. However where there has been a failure, OBS will manage a data breach by following GDPR guidance and requirements to report to the Information Commissioner’s Office. 

This policy is available to download as a pdf.

Scroll to Top