Who we are
We are CMAGIC (Cheshire Merseyside Adult Gender Identity Collaborative) CIO.
Our website address is: https://www.cmagic.org.uk.
Please note this policy applies to CMAGIC CIO and services it provides only (including Cheshire & Wirral CMAGIC Counselling Services). This does not apply to the NHS England CMAGIC Gender Incongruence Pilot being delivered by MerseyCare NHS Foundation Trust, CMAGIC does not have access to any patient data for this service.
At CMAGIC, we’re committed to protecting and respecting your privacy when you engage with us online.
We obtain information about you when you use our website, for example, when you contact us about our services, to make a donation, apply to take part in our activities, or if you register to receive one of our newsletters on our mailing list.
This policy covers what this information is, how we use this information, the conditions under which we may disclose it to others, how we keep it secure and your rights to view, amend and/or request its deletion.
2. Policy Review Date
This policy is reviewed at least every 3 years, but it is anticipated that this will be done more frequently. The policy’s last review date was 7-12-2021.
CMAGIC reserves the right to amend this policy at any time, but where possible will aim to give at least 5 working days notice of changes to those affected.
Should the change be in response to an emergency/crisis management situation, or one where the changes are deemed to be significant to require the team member to re-sign the policy before continuing their duties, then CMAGIC also reserves the right to temporarily suspend user rights to any of its platforms.
3. Who is this policy for?
This policy applies to anyone that accesses our online resources. By using our website or any of our online resources, you’re agreeing to be bound by this Policy.
4. About the information we collect?
There are a number of ways that we collect your data through our online platforms:
|Where was it collected?||What Information?||What do we collect?||Life Cycle|
|When you make contact with us:||When you contact us through a general contact form, by email or social media we will often ask for:|
● Your name,
● Personal pronouns,
● Email address
|We collect this information to ensure that we can contact you and appropriately address you in response to your enquiry.||If via an online form, we will store this information for up to 2 years from the date of the submission.If as part of your submission you requested your details to be added to our mailing list, see the specific row below.|
|When you make a payment or donation to us:||When you make a payment or donation we will often ask for:|
● Your name
|We collect this information to allow us to process your payment in relation to the donation or the order you||We will keep information related to financial transactions for a period of 5 years in line with our financial record keeping and audit purposes.|
|● Email Address|
If you have purchased something for delivery, we will also ask for:
● Your delivery address
We use a third-party for our payment processing. You will make your payments through them. They will provide us with:
● The status of your payment
● An identifier for your payment method (such as provider and last four digits of your card)
We currently do not request information for the purposes of gift aid.
|have made and to fulfil the delivery of anything you have ordered, digitally or physically.|
|If you requested that you are added to our mailing list:||To subscribe to our mailing list we ask for the following information:|
● Email address
● Birth date
● Area you live
● If you are a partner of LCR Pride
|The information we collect when you sign up allows us to personalise your email experience as well as allows us to ensure we can conform to any requirements such as age or area restrictions we send.||Our mailing list is managed by Mailchimp.Information will be stored in Mailchimp until you tell us you would like to be removed from the system by clicking unsubscribe or emailing us, or the point in which Mailchimp removes it for inactivity.|
When you self-refer to the CMAGIC Counselling Service (Cheshire or Wirral) we store your information in a specific way to ensure that we comply with all requirements for your data and confidentiality.
We also handle the retention of this information differently, as outlined below.
|Data Collected||Why is it necessary?||Source||Where stored|
|First Name (Free Text)||To be able to refer to the client by their name and check against previous access to service.||Patient provided||Online Form Email System Patient Tracker|
|Pronouns (Free Text)||To be able to refer to the client with their personal pronouns.||Patient provided||Online Form Email System|
|Over 18? (Yes/No)||To verify if the client is eligible for the service||Patient provided||Online Form Email System|
|Does the person live within a funded area? (Yes/No)||To verify if the client is eligible to access the service (i.e. lives in one of the CCG’s funded areas)||Patient provided||Online Form Email System|
|Are they registered with a GP? Who? (Free Text) (Optional)||To give the counsellor some context into the patient’s journey to date and an additional safeguarding reference.||Patient provided||Online Form Email System|
|Within mental health care within 12 months?|
|To give the counsellor some context into the patient’s journey to date.||Patient provided||Online Form Email System|
|Currently receiving talking therapy elsewhere?||To give the counsellor some context into the patient’s journey to date.||Patient provided||Online Form Email System|
|Email Address||To allow the counsellor to make contact with the person and to be used as a unique identifier for the client.||Patient provided.||Online Form Email System Patient Tracker|
|Phone Number (Optional)||To allow the counsellor to make contact with the person. WIll only be used as a unique identifier if the client has not provided an email.*||Patient provided.||Online Form Email System Patient Tracker*|
|Contact preferences (Phone/Email)||To allow the client to specify their preferred method of contact.||Patient provided.||Online Form Email System|
|Preferable Times To Contact (Phone/Email)||To allow the client to specify their preferred method of contact.||Patient provided.||Online Form Email System|
5. How long do we keep the information?
Retention information for the general information we collect is in the table above. We review our retention periods for personal information on a regular basis. We are legally required to hold some types of information to fulfil our statutory obligations (for example the collection of Gift Aid). We will hold your personal information on our systems for any longer than it is necessary for the relevant activity, or as long as is set out in any relevant contract you hold with us.
Counselling Service Retention – We set different retention periods for data we hold about clients of our counselling services. Client data held both on the online form system and our appointment request inbox will be deleted within one month of the patient having been referred to their personal counsellor. This period allows enough time for a first session to be offered and taken up, and any queries to be raised by the personal counsellor before their details are removed. Client data for those who have not yet picked up will be stored in these systems until the time that a slot is available, or until the service is no longer operative. Once referred to a personal counsellor your data will be stored for the duration of the counselling services they provide you. Once complete, only your name and email will be retained as part of our patient tracker to ensure we have a record of users and can prevent abuse of the service.
6. Who has access to your information?
We will not sell or rent your information to third parties. This includes for marketing purposes.
General Information (not patient information) can be accessed by both authorised members of the CMAGIC team and LCR Pride Foundation teams.
Patient Information is accessed under different, contract-bound arrangements. None of the CMAGIC board/volunteers can access patient data and the closed-system means that usually this will only be visible to the applicable assigned counsellor. Nominated persons from LCR Pride Foundation can access patient information for the purposes of administering the service and emergencies. We do not share patient information with any third party, including the NHS.
Third Party Service Providers working on our, or LCR Pride Foundations, behalf: We may pass your information to our third party service providers, agents, sub-contractors, sub-processors and other associated organisations for the purposes of completing tasks and providing services to you on our behalf (for example to process donations and send you mailings). However, when we use third party service providers, we disclose only the personal information that is necessary to deliver the service and we have a contract(s) in place that requires them to keep your information secure and not to use it for any other purposes.
Please be reassured that we will not release your information to third parties beyond CMAGIC for them to use for their own direct marketing purposes, unless you have requested us to do so, or we are required to do so by law, for example, by a court order or for the purposes of prevention of fraud or other crime.
When you are using our secure online donation pages, payments or donations are processed by a third party payment processor, who specialises in the secure online capture and processing of credit/debit card transactions. If you have any questions regarding secure transactions, please contact us.
7. Control of your data
You have a choice about whether or not you wish to receive information from us.
If you do not want to receive direct marketing communications from us about the vital work we do and our exciting products and services, then you can select your choices by not ticking the relevant boxes situated on the form on which we collect your information.
We will not contact you for marketing purposes by email, phone or text message unless you have given your prior consent.
We will not contact you for marketing purposes by post if you have indicated that you do not wish to be contacted. You can change your marketing preferences at any time by clicking the ‘Update your details’ link at the bottom of our marketing emails or contacting us by email: email@example.com
8. Security precautions to protect your data
We and our suppliers have security precautions in place to protect the loss, misuse or alteration of your information. When you give us personal information, we take steps to ensure that it’s treated securely.
Any sensitive information (such as credit or debit card details) is encrypted and protected with the following software 128 Bit encryption on SSL. When you are on a secure page, a lock icon will appear on web browsers such as Microsoft Internet Explorer, Chrome and Safari.
Patient Information submitted through our online self-referral form (provided by LCR Pride Foundation’s contracted sub-processor) is done so through data in-transit (end-to-end encryption, including within the virtual private cloud at AWS) using secure TLS cryptographic protocols (TLS 1.2) and Advanced Encryption Standard (AES) is used with a 256-bit key to encrypt data at rest including the backups of the information.
Once we receive your information, we endeavour to ensure its security on our systems by employing only trusted, paid for systems from well known providers for whom we know their security arrangements.
9. Other areas of note
It is possible to switch off cookies by setting your browser preferences. For more information on how to switch off cookies on your computer, visit our full cookies policy. Turning cookies off may result in a loss of functionality when using our website.
In addition, if you link to our website from a third party site, we cannot be responsible for the privacy policies and practices of the owners and operators of that third party site and recommend that you check the policy of that third party site.
16 or under
We are concerned to protect the privacy of children aged 16 or under. If you are aged 16 or under‚ please get your parent/guardian’s permission beforehand whenever you provide us with personal information.
Any questions regarding this Policy and our privacy practices should be sent by email to firstname.lastname@example.org or by writing to LCR Pride Foundation, Avenue HQ, 17 Mann Island, Liverpool Waterfront, Liverpool, L3 1BP