Privacy Policy, Data Processing and Retention, and Confidentiality Agreement


  1. Confidentiality

Ensuring confidentiality is a paramount for Richmond Foundation. Any information you disclose will not be shared with any third parties, except with those who are essential in processing your information (further information is provided below). In cases where data is gathered for statistical purposes, you shall remain anonymous and unidentifiable.

However, there are extraordinary circumstances where confidentiality might be overridden and information will be disclosed to the relevant professional bodies and / or authorities. This will occur if there appears to be a risk of harm to self or others, in cases of neglect or risk of abuse to minors or vulnerable persons.

This means that if you choose to disclose your location and your life or that of others is in immediate danger, Richmond Foundation will be obligated to pass on this information to emergency services (eg. Police/Fire/Ambulances) to assist you. This might also include sharing your mobile number or IP address of the device being used with the relevant authorities.

Your GPS location might also be shared if you choose to press the GPS function yourself.

In addition, confidentiality is also overridden in cases where the professional is asked to testify in court. If any disclosed information is required for legal reasons, this information may be passed to the relevant authorities for legal purposes. This data will also be retained as long as is deemed necessary by the courts or authorities.


  1. General Introduction to Personal Data Processing

Richmond Foundation is strongly committed to protecting personal data.  This privacy statement describes how and why we collect and use personal data and provides information about individuals’ rights in relation to personal data.  It applies to personal data provided to us, both by individuals themselves or by others.  We may use personal data provided to us for any of the purposes described in this privacy statement or as otherwise stated at the point of collection.

In this privacy statement, we refer to information about you or information that identifies you as “personal data” or “personal information”.  We also sometimes collectively refer to handling, collecting, protecting or storing your personal information as “processing” such personal information. Richmond Foundation processes personal data for numerous purposes.  Our policy is to be transparent about why and how we process personal data.


  1. Data Collection

3.1 Websites and applications

By using the Websites/Applications and providing personal information to us, you acknowledge you have read this privacy statement, and, to the extent your consent is necessary and valid under applicable law, you consent to the collection, use and disclosure of such personal information by Richmond Foundation and any third party recipients in accordance with this privacy statement.

When you use our Websites/Applications, we may collect information about you and your use of the relevant site/app, including through cookies and analytics tools.  We may collect personal information about you, such as your name, job title, company name, address and telephone number, either directly from you or by combining information we collect via the website with personal information we collect and maintain through other channels (such as client relationship management systems or identification and access management systems, including IP addresses) or as we may lawfully collect from social media or other third-party sites.

Below are examples of how you may provide personal information to us via Websites:

  • Searching and browsing for content;
  • Subscribing to or ordering newsletters and/or publications;
  • registering for events and conferences;
  • submitting resumes or work history information;
  • contacting us for further information
  • visiting our Websites while logged into a social media platform; and/or
  • providing us with business cards or other contact information

We also do not actively seek demographic information from visitors to the Websites.  However, you may choose to provide such information (including for example when becoming a Registered User, visiting our site from a social media site, submitting a resume, or responding to an online job application).  If you choose to provide demographic information to us, the act of doing so constitutes your explicit consent, where such consent is necessary and valid under applicable law, for us to collect and use that information in the ways descried in this section of the Privacy statement or as described at the point where you choose to disclose this information.


3.2 Third party links

The websites may link to third-party sites not controlled by Richmond Foundation and which do not operate under Richmond Foundation’s privacy practices.  When you link to third-party sites, Richmond Foundation’s privacy practices no longer apply.  We encourage you to review each third-party site’s privacy policy before disclosing any personally identifiable information.


3.3 People who get in touch with us

We collect personal data when an individual gets in touch with us with a question, complaint or feedback (such as name, contact details and contents of the communication).  In these cases, the individual is in control of the personal data shared with us.  We only use the data as necessary to respond to the communication or resolve the complaint.


3.4 Personal clients

Our policy is to collect only the personal data necessary for agreed purposes.  We ask our clients only to share personal data where it is strictly needed for those purposes.

Where we need to process personal data to provide our services, we ask our clients to provide us with the necessary information about other data subjects, such as family members or responsible carers.

Given the diversity of the services we provide to personal clients, we process different categories of personal data, as appropriate for the service/s being provided. These categories include:

  • Personal details (e.g. name, age/date of birth, gender, marital status);
  • Contact details (e.g. email address, contact number, postal address);
  • Job details (e.g. role, grade – if necessary for the service being provided)

For certain services, and when permitted by law or with an individual’s consent, we may also collect special categories of personal data.  Examples of special categories include race or ethnic origin; political opinions; religious or philosophical beliefs; trade union membership; physical or mental health; genetic data; biometric data; sexual life or sexual orientation; and, criminal records. Generally, we collect personal data from our clients or from a third party acting on the instructions of the client.


  1. Transfer of Personal Data

We will only share personal data with others when we are legally permitted to do so.  When we share data with others, we put contractual arrangements and security mechanisms in place to protect the data and to comply with our data protection, confidentiality and security standards.

Richmond Foundation may disclose personal information when explicitly requested by you and when required to deliver publications or reference materials requested by you.

Otherwise, personal data held by us may be disclosed with:

  • Third party organisations that provide applications/functionality, data processing or IT services to us; and, third party organisations that otherwise assist us in providing goods, services or information

We may transfer or disclose the personal data we collect to third party contractors, subcontractors, and/or their subsidiaries and affiliates. We use third parties to support us in providing our services and to help provide, run and manage our internal IT systems.  For example, providers of information technology, cloud based software as a service provider, identity management, website hosting and management, data analysis, data backup, security and storage services.  The servers powering and facilitating the cloud infrastructure are located in secure data centres around the world, and personal data may be stored in any one of them.

The third party providers may use their own third party subcontractors that have access to personal data (sub-processors).  It is our policy to use only third party providers that are bound to maintain appropriate levels of security and confidentiality, to process personal information only as instructed by Richmond Foundation, and to flow those same obligations down to their sub-processors.

  • Auditors and other professional advisors
  • Law enforcement or other government regulatory agencies or to other third parties as required by, and in accordance with, applicable law or regulation

Occasionally, we may receive request from third parties with authority to obtain disclosure of personal data, such as to check that we are complying with applicable law and regulation, to investigate and alleged crime, to establish, exercise or defend legal rights.  We will only fulfill requests for personal data where we are permitted to do so in accordance with applicable law or regulation. Richmond Foundation may also review and use your personal information to determine whether disclosure is required or permitted.


  1. General Introduction to Personal Data Processing

In its everyday business operations Richmond Foundation collects and stores records of many types and in a variety of different formats. The relative importance and sensitivity of these records varies and is subject to the organisation’s security classification scheme. It is important that these records are protected from loss, destruction, falsification, unauthorised access, and unauthorised release and a range of controls are used to ensure this, including backups, access control and encryption.

Richmond Foundation has a responsibility to ensure that it complies with all relevant legal, regulatory and contractual requirements in the collection, storage, retrieval and destruction of records. Of particular relevance is the European Union General Data Protection Regulation (GDPR) and its requirements concerning the storage and processing of personal data.

This control applies to all systems, people and processes that constitute the organisation’s information systems, including board members, directors, employees, suppliers and other third parties who have access to Richmond Foundation systems.

The following documents are relevant to this policy and can be provided on request:

  • Data Protection Policy
  • Data Protection Impact Assessment Process
  • Privacy Notice Procedure
  • Personal Data Analysis Procedure


5.1 Records retention and protection policy

The records retention and protection policy establishes the main principles that must be adopted when considering record retention and protection. It also sets out the types of records held by Richmond Foundation and their general requirements before discussing record protection, destruction and management.

There are a number of key general principles that must be adhered to when adopting the record retention and protection policy. These highlight that:

  • Records must be held in compliance with all applicable legal, regulatory and contractual requirements;
  • Records must not be held for a longer period of time than required;
  • The protection of records in terms of their confidentiality, integrity and availability must be in accordance with their security classification;
  • Records must remain retrievable in line with business requirements at all times; and,
  • Where appropriate, records containing personal data must be subject as soon as possible to techniques that prevent the identification of a living individual.

We will retain your personal information on our systems only for as long as we need it, given the purposes for which it was collected, or as required to do so by law.  We keep mailing list information until a user unsubscribes from our mailing list.  If you choose to unsubscribe from a mailing list, we may keep certain limited information about you so that we may honor your request.

We retain personal data processed by us for 3 years in the case of the Here To Hear client data, for the purpose for which it was collected.  Personal data may be held for longer periods where extended retention periods are required by law or regulation and in order to establish, exercise or defend our legal rights.


5.2 Record retention

In order to assist with the definition of guidelines for record retention and protection, records held by Richmond Foundation are grouped into the categories listed in the table hereunder.  For each of these categories, the required or recommended retention period, the allowable storage media, and the reason for the recommendation or requirement are provided.

In relation to data that comes through the Here To Hear App / Website:

Data received through official online portals


Data collected through the Richmond website, MHFA website, MHFA App, Here To Hear website, Here To Hear App 3 years after the date entered online or for a maximum of one week after the conclusion of administrative or legal proceedings, whichever comes last

Please note that these are general guidelines and may vary depending on specific circumstances. The keeping of records for a longer or shorter period of time is considered  on a case by case basis as part of the design of the information security elements of new or significantly changed processes and services.


5.3 Record protection and security

We take the security of all the data we hold very seriously.  We adhere to internationally recognized security standards and we operate an information security management system relating to internal and client confidential data that is periodically audited.  We have a framework of policies, procedures and training in place covering data protection, confidentiality and security and regularly review the appropriateness of the measures we have in place to keep the data we hold secure.

  • Use of Cryptography

Where appropriate to the classification of information and the storage medium, cryptographic techniques must be used to ensure the confidentiality and integrity of records. Care must also be taken to ensure that encryption keys used to encrypt records are securely stored for the life of the relevant records and comply with the organisation’s policy on cryptography, which can be provided on request.

  • Medium Selection

The choice of long term storage media must take into account the physical characteristics of the medium and the length of time it will be in use.

Where records are legally (or practically) required to be stored on paper, adequate precautions must be taken to ensure that environmental conditions remain suitable for the type of paper used. Where possible, backup copies of such records will be taken by methods such as scanning. Regular checks will be carried out to assess the  physical state of stored documents and action will be taken to preserve the records if required.

For records stored on electronic media such as tape, precautions will also be taken to ensure the longevity of the materials, including correct storage and transferring onto more advanced media when necessary. Reading the content of such electronic media (eg. tape) will be made possible by the provision of compatible devices by the Foundation. Should this not be possible, an external third party may be employed to convert the media onto an alternative format


54 Record retrieval

There is little point in retaining records if they are not able to be accessed in line with business or legal requirements. The choice and maintenance of record storage facilities must ensure that records can be retrieved in a usable format within an acceptable period of time. Richmond Foundation will do its utmost to find the appropriate balance between the cost of storage platform and the speed of retrieval so that the most likely circumstances are adequately catered for.


5.5 Record destruction

Once the required or recommended retention period is complete in accordance with the defined policy, records will be securely destroyed in a manner that ensures that they can no longer be comprehensible. The destruction procedure ensures that the details of disposal are recorded and retained as proof that the record was destroyed.


5.6 Ongoing review of record retention and storage processes

The retention and storage of records will be subject to a regular review process carried out under the guidance of management to ensure that:

  • The policy on records retention and protection remains valid;
  • Records are being retained according to the policy;
  • Records are being securely disposed of when no longer required;
  • Legal, regulatory and contractual requirements are being fulfilled; and,
  • Processes for record retrieval are meeting business requirements.

The results of such reviews are recorded to ensure that this process is carried out according to established policies and procedures.


  1. Purpose of Data Processing

Richmond Foundation processes personal data for a number of purposes. Our legal grounds for processing your personal data, rely on:

    • Our legitimate interests in the effective delivery of information and services to you and in the effective and lawful operation of our services and the legitimate interests of our clients in receiving professional services from us as part of running their organization (provided these do not interfere with your rights);
    • Our legitimate interest in developing and improving our, services and offerings and in developing new technologies and offerings (provided these do not interfere with your rights);
    • To satisfy any requirement of law, regulation or professional body of which we are a member;
    • To perform our obligations under a contractual agreement with you; or
    • Where no other processing condition is available, if you have agreed to use processing your personal information for the relevant purpose.


6.1 Providing professional services to clients

We provide a diverse range of professional services.  Some of our services require us to process personal data in order to provide advice, guidance and assistance.  For example, we need to use personal data to provide therapy. Where a supplier is helping us to deliver professional services to our clients, we process personal data about the individuals involved in providing the services in order to administer and manage our relationship with the supplier and the relevant individuals and to provide such services to our clients (for example, where our supplier is providing people to work with us as part of a Richmond Foundation team providing professional services to our clients).


6.2 Administering, managing, and developing our services

This includes:

  • Administering and managing IT systems, websites and applications;
  • Managing our relationship with personal and prospective clients;
  • Hosting or facilitating the hosting of events; and,
  • Developing our services (such as identifying client needs and improvements in service delivery).


6.3 Improving and developing our services

We are continually looking for ways to help our clients and improve our services.  Where agreed with our clients, we may use information that we receive in the course of providing professional services for other lawful purposes, including analysis to better understand a particular issue, industry sector, provide insights back to our clients, to improve our service delivery and offerings and to develop new Richmond Foundation technologies and offerings.  To extent that the information that we receive in the course of providing professional services contains personal data, we will de-identify the data prior to using the information for those purposes.


6.4 Complying with any requirement of law, regulation, or a professional body of which we are a member

As with any provider of professional services, we are subject to legal, regulatory and professional obligations.  We need to keep certain records to demonstrate that our services are provided in compliance with those obligations and those records may contain personal data.


6.5 Security, quality, and risk management activities

We have security measures in place to protect our and our clients’ information (including personal data), which involve detecting, investigating and resolving security threats.  Personal data may be processed as part of the security monitoring that we undertake; for example, automated scans to identify harmful emails.  We have policies and procedures in place to monitor the quality of our services provided to clients, which may involve processing personal data stored on the relevant client file. Policies and procedures are also in place to manage risks in relation to client engagements.  Richmond Foundation also collects and holds personal data as part of our supplier contracting procedures.  We monitor the services provided for quality purposes, which may involve processing personal data.


6.6 Providing information about us and our range of services

We use client and prospective client contact details to provide information that we think will be of interest about us and our services in accordance with permissions required by law.  This includes industry updates and insights, other services that may be relevant and invites to events.


  1. Individuals’ rights and how to exercise them

7.1 Access to personal data

You have a right of access to personal data held by us as a data controller.  This right may be exercised by emailing us at We may change for a request for access in accordance with applicable law.  We will aim to respond to any requests for information promptly, and in any event within the legally required time limits (currently one month which may be extended to two months).  We shall inform you of any such extension within one month of receipt of the request, together with the reasons for the delay.


7.2 Amendment of personal data

To update personal data submitted to us, you may email us at or by amending the personal details held on relevant applications with which you registered.  When practically possible, once we are informed that any personal data processed by us is no longer accurate, we will make corrections (where appropriate) based on your updated information.


7.3 Withdrawal of consent

Where we process personal data based on consent, individuals have a right to withdraw consent at any time.  To withdraw consent to our processing of your personal data please email us at


7.4 Other data subject rights

This privacy statement is intended to provide information about what personal data we collect about you and how it is used.  As well as rights of access and amendments referred to above, individuals may have other rights in relation to the personal data we hold, such as a right to erasure/deletion, to restrict or object to our processing of personal data and the right to data portability.


7.5 Complaints

We hope that you won’t ever need to, but if you do want to complain about our use of personal data, please send an email with the details of your complaint to  We will look into and respond to any complaints we receive. You also have the right to lodge a complaint with the Office of the Information and Data Protection Commissioner (the Malta data protection supervisory authority).