General Data Protection Regulation (GDPR)

Client Privacy Notice

On 25th May 2018, one of the biggest changes to UK data privacy law comes into effect. The General Data Protection Regulation (or GDPR for short) is a really positive step towards people having more control over how their data is used and how they are contacted. The changes will also help to better protect your personal data. We have updated our privacy policy to reflect these changes. The Mental Health Advocacy Scheme (MHAS) is committed to data security and the fair and transparent processing of personal data. This Policy sets out how the MHAS treats personal data.

Please read this Policy carefully as it contains important information on who we are, how and why we collect and store your personal data, your rights in relation to your personal data, how to contact us, and how to contact the supervisory authorities in the event that you would like to report a concern about the way in which we process your personal data.

Who we are.

The MHAS provides an independent, confidential, free, equitable and accessible advocacy service to the people of Gwynedd and the Isle of Anglesey working to the Advocacy Charter and through the Advocacy Quality Mark Standard.

MHAS has charitable status: Registered Charity No 1054623 and is a Company Limited by Guarantee No 03170574 registered in England /Wales 2003

What personal data do we collect?

To allow the MHAS to provide the best possible service we need to collect some information about you.

Information such as your name and address, your date of birth, telephone numbers and any information relevant to your advocacy issue.

We will ensure that any personal data we process is accurate, adequate, relevant and not excessive, and used for the purpose for which it was obtained.

Community advocacy – how long will we keep your personal data?

In order to collect the anonymised statistics that are required by our funders, the records we hold will be retained for a period of 18 months following case closure. Information is stored securely on our computer system.

Statutory advocacy – how long will we keep your personal data?

The MHAS delivers statutory advocacy in accordance with the Mental Health Act and Mental Capacity Act. There is a legal framework surrounding these services for which client information cannot be deleted and must be retained for six years.

How is personal data protected?

MHAS protects your personal data and is aware of its information security obligations.

We operate an advocacy database to keep your electronic information securely. In addition, documents are kept in a locked filing cabinet. We limit access to your personal data to those who have a genuine need to know within the organisation and not shared with anyone else unless you ask us to or we are required to by the law.

We also have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.

The only exception to when we would breach someone’s information is fully explained in the MHAS Confidentiality Policy.

Your rights

Under the GDPR you have various rights with respect to our use of your personal data:

Right to Access

You have the right to request a copy of the personal data that we hold about you by contacting us by email, telephone or letter. Please include with your request information that will enable us to verify your identity. We will respond within 1 month of the request. Please note that there are exceptions to this right. We may be unable to make all the information available to you if for example:

the information available to you would reveal personal data about another person,

we are legally prevented from disclosing such information,

there is no basis for your request, or if it is excessive.

Right to rectification

We aim to keep your personal data accurate and complete. We encourage you to contact us using the contact details provided below to let us know if any of your personal data is not accurate or subject to change. This ensures that we can keep your personal data up-to-date.

Right to erasure

You have the right to request the deletion of your personal data where, for example, the personal data is no longer necessary for the purposes for which it was collected, where you withdraw your consent to processing, where there is no overriding legitimate interest for us to continue to process your personal data, or your personal data has been unlawfully processed. If you would like to request that your personal data is erased, please contact us using the contact details provided below.

Right to object

In certain circumstances you have the right to object to the processing of your personal data. If you would like to object to the processing of your personal data, please contact us using the contact details provided below.

Right to restrict processing

In certain circumstances you have the right to request that we restrict the further processing of your personal data. Please contact us for further details.

Right to data portability

In certain circumstances you have the right to request that some of your personal data is provided to you. This may be in a machine-readable format. This allows you to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without affecting its usability.

Please note that the GDPR sets out exceptions to these rights. If we are unable to comply with your request due to an exception, we will explain this to you in our response.


If you believe that your data protection rights may have been breached you may wish to consider lodging a complaint with the UK Information Commissioner’s Office.

Changes to this Policy

Any future changes to this policy will be communicated via our website:

Contact Us

If you have any queries about this Policy please contact us as follows:

Telephone: (01248) 670 450


Write to us at MHAS, Ground Floor, 12 Llys Castan, Ffordd Y Parc, Parc Menai, Bangor, Gwynedd. LL57 4FH.