Oxfordshire Breastfeeding Support Privacy Policy

Introduction

The purpose of this policy is to provide information about what OBS will do with personal data collected, to ensure that records are fit for purpose and securely maintained.

OBS aims to ensure that all personal data collected about trustees, contractors, volunteers, and service users is collected, stored and processed in accordance with the General Data Protection Regulation (GDPR) and the provisions of the Data Protection Act 2018 (DPA 2018).

Data collection

We request the following personal information from families who use our drop-in sessions:

  • Mother’s name, age, ethnicity, religion, sexual orientation, disability
  • Baby’s name and date of birth/age (or due date, if still pregnant)
  • Gestational age of baby at birth and whether they spent time in the neonatal unit
  • Postal address (house number, postcode)
  • Phone number
  • Email address
  • GP practice
  • How the mother was referred to us
  • Brief description of the feeding problem or issue, including recent baby weights where relevant

On subsequent contacts, the following information is collected:

  • Mother’s name and address
  • Baby’s name and age
  • GP practice
  • Brief description of feeding problem or issue, including recent baby weights where relevant

We recognise that this includes sensitive information, and will do all we can to ensure that the information provided by families is accurate, stored securely in line with GDPR and Data Protection Act requirements, accessible only to those who need to see it, and is used only for the purpose for which it was collected.
The purposes for which data is used, and information about security, storage and processing, will be stated clearly at the point of data collection.

Legal basis for data collection 

The personal information that we collect is necessary to enable us to perform our core task of supporting families with breastfeeding, and to meet our legal obligations (safeguarding). We have a legitimate interest in collecting statistical information that enables us to audit, fundraise for and develop our service. Information specifically for the purpose of fundraising is collected on the basis of informed consent.

The purposes for which data is used, and information about security, storage and processing, will be stated clearly in writing at the point of data collection


Data processing

The information collected is used by OBS in the following ways:

  1. So that we can provide a service to the family.

  2. To provide statistics, for ourselves and funders, on who uses our service, referrals to and from the service, and the kinds of breastfeeding issues we work with. For example we ask about ethnic origin and disability to understand whether we are serving the whole community appropriately or whether certain groups face more barriers to accessing our services. This data is pseudonymised before analysis and fully anonymised before reporting in the public domain and to funders. Pseudonymisation means that we use users’ postcodes and house number to create a User ID. This means that we can identify how many individuals access OBS services, rather than simply how many visits there are, and allows us to understand any patterns in service use - for example whether users attending antenatal sessions come back after their baby is born. Once each year’s data has been analysed using the User ID, it is destroyed and the remaining data is totally anonymous.

  3. All personal information is confidential and will not be shared beyond the OBS team and trustees without user permission. However in the rare circumstance that we feel that users or another person are at risk of harm we have a statutory duty to disclose this to relevant agencies.

  4. The mother’s email contact information is collected for marketing and communication purposes via our “Friends of OBS” mailing list. This is optional and relies on explicit, opt-in consent at the point of data collection. Email contact information from families who have given consent is stored on the MailChimp platform and will not be shared outside OBS. Consent can be withdrawn and the record deleted at any time, by the service user directly, or at their request.

Data security and storage limitation

All personal data collected will be stored securely. To protect users’ privacy, OBS have security systems to prevent unauthorised access, use, or disclosure, and loss, destruction or damage to personal data.

OBS will investigate and take any actions needed to prevent breaches of data security. Personal data will not be kept for longer than is necessary for its purpose (in line with legislation and data retention guidance). OBS destroys personal data collected after a maximum of 18 months where possible, with the exception of data held on MailChimp. Users have the right to request that personal data is erased at any time and can make this request either verbally or in writing.

The exception to this is if a safeguarding issue is raised. In this event, we will create a separate record, which will be retained in secure electronic format for up to 6 years, or as otherwise directed by Oxfordshire Safeguarding Children Board. This may be shared with other agencies, in accordance with our statutory obligations.


OBS on Facebook

OBS’s main Facebook platform is a private Facebook group for pregnant and lactating people in Oxfordshire, or whose babies were born in Oxfordshire, or who receive primary care from Oxford Health. All requests to join must be approved by an Administrator, who will be an OBS facilitator or a trained volunteer. We restrict the group membership to pregnant or lactating people only because of the sensitive nature of some of the breastfeeding issues discussed.

Local health and allied professionals and students, who support OBS but may not meet the personal criteria, may be added at the discretion of the Facebook Admins.

OBS has a second, public Facebook group which is open to all, and is primarily used for fundraising and service announcements. Anyone who posts requests for breastfeeding support there will be signposted to the private group.

We also have a public Facebook page, which is used primarily to post information about the service or of relevance to service users.
Facilitators will respond privately to messages via the page requesting breastfeeding information/support but we are not able to provide substantive feeding support via messaging.

Users of OBS Facebook groups should be aware that, if they make any posts or comments, their Facebook profile names and profile photo will be subsequently displayed to other members of the group. Furthermore, posted comments will remain visible even after leaving the group unless specifically deleted by the user. Facebook now offers the option to post anonymously and we enable this within our private group. OBS Facebook groups can be left by a user at any time. OBS do not request, use or store any user personal information or data from Facebook.

OBS do not accept any advertising or recommendations of commercial products or services in our Facebook groups. Posts will be removed and repeat posters banned from the group.


Information held by OBS about our volunteers & facilitators

The application form for volunteers includes personal disclosures, references, DBS details, attendance at supervision, records of training undertaken and emergency contact details.

All information on volunteers, contractors and trustees will be stored securely in electronic format. Volunteer information will be accessible only to contractors. All information on contractors and trustees will be accessible to contractors and trustees.

All personal information will be deleted/destroyed when the volunteer, contractor or trustee ceases volunteering or providing a service for OBS unless they notify OBS that they intend to return and request retention of their data.


Data controller

The OBS staff member responsible for data control is This email address is being protected from spambots. You need JavaScript enabled to view it..

Data Breaches

OBS has procedures in place that should ensure a data breach does not occur. However where there has been a failure, OBS will manage a data breach by following GDPR guidance and requirements to report to the Information Commissioner's Office.

This policy is available to download as a pdf.


Date of policy: June 2019
Revised: February 2021
Due for revision: February 2024