WHY – Objective and Purpose
Why do we require this policy/procedure? What is its purpose, objectives and intent?
If Only … Charity (the Charity) have this Policy in order to notify survivors, donors, volunteers and other stakeholders how we:
- Protect their privacy
- Ensure compliance with Data Protection (GDPR) regulations
The Policy Statement is published externally including on the Charity’s website
WHAT – Scope and Exclusions
What is within the content scope and what is out of scope of this policy/procedure area?
This Policy Covers:
- Privacy of all stakeholders information – Survivors, Donors etc etc.
- Data Protection (GDPR) regulations for Personally Identifiable Information
This Policy Excludes:
- The Charity currently does NOT perform profiling of donors or other stakeholders and does NOT share contact information with any partner organisations.
NB: This is in contrast to standard policy provisions for many other organisations.
- Internal Data Protection & Privacy Procedures – See IOC231
- Other aspects of Safeguarding the wellbeing of stakeholders – See IOC310 & 311
- See also Change Management Policy and Procedures.
WHO – Stakeholders
Who owns this Policy? Who carries out this Process? Who is the internal customer?
Procedure Owner: The Charity’s Data Protection Compliance Officer (DPCO) – Who is responsible for implementation of this Policy and for assuring compliance with it. This responsibility includes the distribution to and acknowledgement by all Trustees, Volunteers, Employees, reminding them of their responsibilities under this Procedure.
The Role is initially held by Mark Johnson
Policy Applies to: All Trustees, Volunteers, Employees, Volunteers; Fundraisers, and Service providers.
WHEN – Review Period
In order to keep this policy/procedure up to date, accurate and effective it must be regularly reviewed.
Review Every: 1 year
This policy provides the Privacy and Data Protection Policy Statements for the Charity.
This is the master from which the Policy Statement will be published in identical form on the Website and other relevant places to ensure awareness to all who interact with the Charity of its policies and how to apply them.
If Only… Charity Privacy Notice
1. What data do we collect?
The Charity collects the following data:
While using our Service, we may ask you to provide us with certain personally identifiable information that can be used to contact or identify you (“Personal Data”). Personally identifiable information may include, but is not limited to:
- Email address
- First name and last name
- Phone number
- Address, Post Code, City, Area
- Any information that you share with us about your personal story
- Cookies and Usage Data
We may use your Personal Data to contact you with newsletters or other information that may be of interest to you. You may opt out of receiving any, or all, of these communications from us by emailing us at: firstname.lastname@example.org.
We may also collect information how the Service is accessed and used (“Usage Data”). This Usage Data may include information such as your computer’s Internet Protocol address (e.g. IP address), browser type, browser version, the pages of our Service that you visit, the time and date of your visit, the time spent on those pages, unique device identifiers and other diagnostic data.
We may use and store information about your location if you give us permission to do so (“Location Data”). We use this data to provide features of our Service, to improve and customise our Service.
You can enable or disable location services when you use our Service at any time, through your device settings.
2. How do we collect your data?
You directly provide the Charity with most of the data we collect. We collect data and process data as follows:
Information you give us directly
For example, we may obtain information about you when you take part in one of our events, make a donation, apply to volunteer for us, purchase products and services or when you contact us to receive information.
Information you give us indirectly
Your information may be shared with us by third parties, which might include:
- independent event organisers, and fundraising sites like Just Giving;
- professional fundraisers;
- service providers acting on our behalf such as those who provide us with technical, payment or delivery services, analytics providers and search information providers.
When you visit this website
We, like many organisations, automatically collect the following information:
- Technical information, including the type of device you’re using, the IP address, browser and operating system being used to connect your computer to the internet. This information may be used to improve the services we offer.
- Information about your visit to this website, for example we may collect information about pages you visit and how you navigate the website, e.g. length of visits to certain pages, products and services you viewed and searched for, referral sources (e.g. how you arrived at our website).
When you interact with us on social media platforms such as Facebook and Instagram we may obtain information about you (for example, when you publicly tag us in an event photo). The information we receive will depend on the privacy preferences you have set on those types of platforms and their privacy policies.
We may supplement information on our donors etc. with information from publicly available sources such as annual reviews, corporate websites, public social media accounts, the electoral register, Google and Companies House in order to create a fuller understanding of someone’s interests and support.
3. How will we use your data?
The Charity collects your data so that we can:
- provide and maintain our Service, including articles and discussion points and maintaining a community
- notify you about changes to our Service
- allow you to participate in interactive features of our Service when you choose to do so
- provide customer support
- gather analysis or information so that we can improve our Service
- monitor the usage of our Service
- detect, prevent and address technical issues
- provide you with news, offers and general information about other goods, services and events which we offer that are similar to those that you have already enquired about or purchased unless you have opted not to receive such information
- carrying out our obligations under any contracts entered into between you and us;
- keeping a record of your relationship with us;
- checking for updated contact details against third party sources so we can stay in touch if you move. We take reasonable steps to ensure your information is accurate and up to date. We really appreciate it if you let us know when your contact details change;
- seeking your views or comments on the services we provide;
- sending you communications which you have requested and that may be of interest to you. These may include information about activities, fundraising appeals and telling you about services and products; and
- checking donations for the purposes of prevention of prevention of fraud or other crime;
The Charity currently does NOT share your data with any partner organisations.
4. How do we store your data?
Keeping your information safe
When you give us personal information, we take steps to ensure that appropriate technical and organisational controls are in place to protect it.
Any sensitive information (such as credit or debit card details) is encrypted and protected. When you are on a secure page, a lock icon will appear on the bottom of web browsers such as Microsoft Internet Explorer, Google Chrome and Apple Safari.
Non-sensitive details (your email address etc.) are transmitted normally over the internet, and this can never be guaranteed to be 100% secure. As a result, while we strive to protect your personal information, we cannot guarantee the security of any information you transmit to us, and you do so at your own risk. Once we receive your information, we make our best effort to ensure its security on our systems. Where we have given (or where you have chosen) a password which enables you to access certain parts of our website, you are responsible for keeping this password confidential. We ask you not to share your password with anyone.
Retention of Data
We keep your information for no longer than is necessary for the purposes it was collected for. The length of time we retain your personal information for is determined by operational and legal considerations. For example, we are legally required to hold some types of information to fulfil our statutory and regulatory obligations (e.g. health/safety and tax/accounting purposes).
We review our retention periods on a regular basis.
5. Privacy of Children and Vulnerable Adults
18 or Under
Our website services do not address anyone under the age of 18 (“Children”) without parental consent.
We do not knowingly collect personally identifiable information from anyone under the age of 18 on our website. If you are a parent or guardian and you are aware that your child has provided us with Personal Data, please contact us. If we become aware that we have collected Personal Data from children without verification of parental consent, we take steps to remove that information from our servers.
We are committed to protecting vulnerable supporters, customers and volunteers, and appreciate that additional care may be needed when we use their personal information. In recognition of this, we observe good practice guidelines in our interactions with vulnerable people.
6. Legal basis for data processing
Data protection law requires us to rely on one or more lawful grounds to process your personal information. We consider the following grounds to be relevant:
Where you have provided specific consent to us using your personal information in a certain way, such as to send you social media, email, text and/or telephone information.
Performance of a contract
Where we are entering into a contract with you or performing our obligations under it, like when you buy the Charity’s products and services.
Where necessary so that we can comply with a legal or regulatory obligation to which we are subject, for example where we are ordered by a court or regulatory authority like the Charity Commission or Fundraising Regulator.
Where it is necessary to protect life or health (for example in the case of medical emergency suffered by an individual at one of our events) or a safeguarding issue which requires us to share your information with the emergency services.
Where it is reasonably necessary to achieve our or others’ legitimate interests (as long as what the information is used for is fair and does not duly impact your rights).
We consider our legitimate interests to be running the Charity as a charitable organisation in pursuit of our aims and ideals. For example to:
- send postal communications which we think will be of interest to you;
- conduct research to better understand our supporters and to improve the relevance of our fundraising;
- understand how people choose/use our services and products;
- determine the effectiveness of our services, products, events and promotional information;
- monitor who we deal with to protect the charity against fraud, money laundering and other risks;
- enhance, modify, personalise or otherwise improve our services /communications for the benefit of those to whom we provide services and products; and
- better understand how people interact with our website.
When we legitimately process your personal information in this way, we consider and balance any potential impact on you (both positive and negative), and your rights under data protection laws. We will not use your personal information where our interests are overridden by the impact on you, for example, where use would be excessively intrusive (unless, for instance, we are otherwise required or permitted to by law).
When we use sensitive personal information, we require an additional legal basis to do so under data protection laws, so will either do so on the basis of your explicit consent or another route available to us at law (for example, if we need to process it for employment, social security or social protection purposes, your vital interests, or, in some cases, if it is in the public interest for us to do so).
7. Service Providers, Marketing & Analytics
We may use your contact details to provide you with information about the vital work we do, our fundraising appeals and opportunities to support us, as well as the services you can use and the products you can buy, if we think it may be of interest to you.
Social media message/Email/Text/Phone
We will only send you marketing and fundraising communications by email, text and telephone if you have explicitly provided your prior consent. You may opt out of our marketing communications at any time by emailing email@example.com.
We may send you marketing and fundraising communications by post unless you have told us that you would prefer not to hear from us.
The Charity would like to send you information about our services and products that we think you might like, as well as those of our partner organisations from time to time.
If you have agreed to receive marketing, you may always opt out at a later date.
You have the right at any time to stop the Charity from contacting you for marketing purposes. If you no longer wish to be contacted for marketing purposes, please contact: firstname.lastname@example.org.
We may employ third party organisations and individuals to facilitate our Service (“Service Providers”), to provide the Service on our behalf, to perform Service-related services or to assist us in analysing how our Service is used.
Any third parties we may use have access to your Personal Data only to perform these tasks on our behalf and are obligated not to disclose or use it for any other purpose.
We may use third-party Service Providers to monitor and analyse the use of our Service.
Google Analytics is a web analytics service offered by Google that tracks and reports website traffic. Google uses the data collected to track and monitor the use of our Service. This data is shared with other Google services. Google may use the collected data to contextualise and personalise the ads of its own advertising network.
For more information on the privacy practices of Google, please visit the Google Privacy Terms web page: http://www.google.com/intl/en/policies/privacy/
Mailchimp is a customer management system in which we sometimes store customers’ contact details in order to send you marketing that we believe will be useful to you.
To opt out of any emails received from the Charity via Mailchimp, please click the link at the bottom of the email you receive.
For more information on the privacy practices of Mail Chimp, please visit their data policy: https://mailchimp.com/legal/privacy
8. What are your data protection rights?
The Charity would like to make sure you are fully aware of all of your data protection rights. Every user is entitled to the following:
The right to access – You have the right to request the Charity for copies of your personal data. We may charge you a small fee for this service.
The right to rectification – You have the right to request that the Charity correct any information you believe is inaccurate. You also have the right to request the Charity to complete the information you believe is incomplete.
The right to erasure – You have the right to request that the Charity erase your personal data, under certain conditions.
The right to restrict processing – You have the right to request that the Charity restrict the processing of your personal data, under certain conditions.
The right to object to processing – You have the right to object to the Charity’s processing of your personal data, under certain conditions.
The right to data portability – You have the right to request that the Charity transfer the data that we have collected to another organization, or directly to you, under certain conditions.
If you make a request, we have one month to respond to you. If you would like to exercise any of these rights, please contact us at: email@example.com
What are Cookies?
Cookies are text files placed on your computer to collect standard Internet log information and visitor behaviour information. When you visit our websites, we may collect information from you automatically through cookies or similar technology.
‘Cookies’ are small pieces of information sent by an organisation to your computer and stored on your hard drive to allow that website to recognise you when you visit. Cookies are sent to your browser from a website and stored on your device.
Other tracking technologies that may also be used are beacons, tags, and scripts to collect and track information and to improve and analyse our Service.
For further information, visit allaboutcookies.org.
Examples of Cookies we may use:
There are a number of different types of cookies. Our website may use:
Session Cookies – to operate our Service.
Preference Cookies – to remember your preferences and various settings.
Security Cookies – for security purposes.
How to manage cookies
You can set your browser not to accept cookies, and the above website tells you how to remove cookies from your browser. However, in a few cases, some of our website features may not function as a result.
10. Privacy policies of other websites
Our website may contain links to other websites run by other organisations. This policy applies only to our website‚ so we encourage you to read the privacy statements on the other websites you visit. We cannot be responsible for the privacy policies and practices of other websites even if you access those using links from our website.
If you access our Facebook, Instagram or other social media sites directly, or interact with posts or stories on those sites, then you are covered by the Privacy Policies of those social media platforms.
11. Transfer of data
Your information, including Personal Data, may be transferred to, and maintained on, computers located outside of your state, province, country or other governmental jurisdiction where the data protection laws may differ from those from your jurisdiction.
If you are located outside the United Kingdom and choose to provide information to us, please note that we transfer the data, including Personal Data, to the United Kingdom and process it there.
13. How to contact us
Email us at: firstname.lastname@example.org
14. How to contact the appropriate authority
Should you wish to report a complaint or if you feel that the Charity has not addressed your concern in a satisfactory manner, you may contact the Information Commissioner’s Office:
Phone: 0303 123 1113
Live Chat: https://ico.org.uk/global/contact-us/live-chat/