Data protection policy


To carry out its statutory and administrative functions The Association of NMH Providers collect, hold and process personal information of our members (data subjects). We recognise the right to confidentiality and security of personal information and therefore take all reasonable steps to comply with the principles of the Data Protection Act 1998, General Data Protection Regulation (GDPR) 2018 and Human Rights Act 1998 (article 8).


Data protection principles

Personal data is processed lawfully

We obtain personal data from a variety of sources. In some cases, data is obtained directly

from an individual. In other cases, we obtain it from a third party. In each case, we ensure

that we have established a lawful basis for processing personal data.

Personal data is processed for limited purposes

We only process personal data for the purposes for which it was collected. In most cases,

this will be for sharing information and collecting membership fees.

Our privacy notices set out what data we collect, on what basis we process it and why. If we want to process the personal data for other reasons, we ask permission.

Personal data is processed in a transparent manner

When we collect personal data, we notify the individual of what data we collect, on what

basis we are processing it and why.

Personal data is adequate, relevant and limited to what is necessary

We limit the collection of personal data to that which is necessary for our purposes.

Personal data is accurate and, where necessary, kept up to date

We make regular contact with individuals to ensure we have up to date information.

Personal data is kept no longer than necessary

We have established retention periods for personal data following the expiry of which

personal data is destroyed unless we have legal obligation to retain it for longer or the

individual requests that we retain it.

Personal data is handled securely and confidentially

All board members in have had data protection training.

Information is stored on a cloud-based system that meets security measures in line with the GDPR.

Personal data is only transferred to third parties if required by law or otherwise permitted

Transfers of personal data to third parties are made in limited circumstances with a

preference that individuals provide their data directly to third parties where this necessary.

In almost all cases, transfers to third parties are done to facilitate continuation of the association

or for compliance with a legal obligation such as tax authority reporting.