Section two contains a template policy, which you need to tailor to your specific circumstances, but which sets out all the categories of information that you are required to give. There are sections in the template policy included in square brackets where you will need to complete details as appropriate. In some cases we have also given examples of the details you might include. However, all provisions of the template should be reviewed against your own practices and completed or revised as necessary.
Given the new emphasis on accountability, one of the key requirements is the ability for you to prove that individuals have been given the information contained within this policy. If online, you may be able to do this by asking individuals to tick a box to say that they have read and understood the policy. If in paper format, you may want to consider asking individuals to sign to say that they have received it.
How you do this will depend upon how you collect the information, the individuals about whom you are collecting information, and your reasons for doing so, but remember that it is not enough to have the notice on your website – you have to demonstrate that individuals have been given the opportunity to read and understand it at the relevant point of collection/dissemination.
Further official guidance in relation to the introduction of the General Data Protection Regulation may also affect matters in the Policy and may necessitate changes.
Information you have collected from the data subject
At the point at which you collect the information, you are required to provide the following information:
- The identity and contact details of the Data Controller (usually CFD), and details of any representative (usually the job title of the person within CFD who deals with data protection);
- Contact details for the Data Protection Officer (if applicable);
- The purposes for which you have collected the information – if possible by isolating each use, and the data to which it relates, but in any event so that it is clear to the individual why you are collecting their data;
- The legal basis for each use of the information (i.e. consent, entering into a contract at the individual’s request, etc.). If you are relying on the use being necessary for your legitimate interests, or the legitimate interests of a third party, you need to state what those interests are, and this must be provided for each use or purpose for which you have collected the information. The legal basis should be made clear when personal data is collected, for example on your membership or donation forms;
- Any recipients of the information or the categories of recipients;
- If information will be transferred to a country outside of the EEA where there is no EU Adequacy decision, then you need to set out what safeguards are in place, and how the individual can obtain a copy of those safeguards, or details of where they can be accessed;
- The period for which the information will be stored, or if not known, the criteria used to determine how long information is stored;
- The existence of the rights for access to information, rectification, erasure, to restrict or object to processing, and data portability;
- If you are relying on consent for processing, the existence of the right to withdraw that consent at any time, including a statement making it clear that withdrawal does not render any processing carried out before the withdrawal unlawful;
- The right to complain to the Information Commissioner’s Office (the “ICO”);
- If provision of the information is a statutory requirement, or is required to enter into a contract, this must be stated, and it must be clear whether or not the individual is obliged to provide this information, and the consequences of not doing so. (This may be better indicated in the form requesting the information, rather than listing in this notice, and so this is not included in the template below);
- If automated decision making is being used, what the logic is, and the significance and consequences for the individual.
The only exception to the provision of this information is where the individual already has it.
Where, at a later date, you intend to further process information for a purpose not provided to the individual, you have to provide all relevant information from the list above. In practice, this means you must provide everything relating to why the proposed new processing is lawful, but you do not have to provide information again that has not changed as the individual will already have this.
Information you hold which is not provided to you by the data subject
If information has been provided to you by a third party, you are still required to give the individual the information set out above. The information has to be provided within a reasonable period from the date on which it is given to you, and in any event within one month of that date. If the individual is to be contacted, then you should provide this information at the time of the first contact, or if disclosure to another recipient is the purpose, the information must be provided at least when the information is disclosed, but in any event, the earlier the better. As above, you need to consider carefully how you will prove that the individual has received this information.
The requirements are the same as for the information that you collect yourself, with the addition of details of the categories of information obtained and of where the information was obtained, and whether this is a publicly available source.
There are exemptions to the requirement to provide information where the individual already has the information and also where the provision of the information would prove impossible or would involve a disproportionate effort – particularly in cases where the information is being used for purposes that are in the public interest (e.g. medical), for scientific or historical research purposes or statistical purposes. There is also an exemption if the receipt of this information relates to a legal obligation which provides adequate measures to protect the individual’s interests, or where there is a legal requirement for confidentiality or secrecy. You will need to be prepared to defend this if questioned, so you must understand which exemption applies, and if it is a legal one, to what law you are referring.
GDPR and fundraising/direct marketing
Direct marketing covers promotion of your aims and activities, not just appeals for funds or sales of products and services.
Whilst the ICO regulates data protection in the UK, the Fundraising Regulator (FR) is the body responsible for fundraising. The FR also runs the Fundraising Preference Service (FPS), which allows anyone to stop contact by email, telephone call, addressed post and/or texts from selected charities. Notifications of FPS requests are sent to you through your FPS portal. If you do not have significant fundraising expenditure you will not already have a portal, but the FPS will contact you on receipt of your first FPS request. Individuals may also register with the Telephone Preference Service (TPS) and the Mailing Preference Service (MPS). You must not call any number on the TPS unless the subscriber concerned has specifically told you they do not object to the calls. In practice, therefore, the list of telephone numbers you intend to call should be screened against the TPS register. The MPS works in a similar way to the TPS.
In many cases direct marketing requires consent, and under the GDPR the standard of consent is enhanced so it must be clear, specific and freely given (and you must retain records). Consent is always necessary for direct marketing by email, SMS, automated telephone calls or to anyone on the TPS.
Under GDPR you may be able to rely on your actions being necessary to promote or further a “legitimate interest” to send marketing by post or to make live calls to people who have not objected (opted out) or registered with TPS. Your legitimate interests can however be overridden by the rights and freedoms of the individuals concerned and you must therefore carefully assess the circumstances.
Both ICO and FR have said that consent is the safest basis to rely on for direct marketing. The FR also recommends that you should only rely on legitimate interest as the legal basis for your processing if you can prove the data was obtained fairly and lawfully and you publish your reasoning to show you are not harming the rights and freedoms of individuals.
Where you are relying on consent, it is important that it meets GDPR requirements, which is where “opt-in” comes into play. The ICO draft guidance states that consent requests must be separate from, or ‘unbundled’ from, other terms and conditions and that they must be prominent, concise, easy to understand and require a positive action to opt in. You cannot rely on non-objection or pre-ticked boxes.
This is a thumbnail sketch of a complicated topic – so for more detail do look at the ICO and FR websites:
CFD is committed to protecting and respecting your privacy. For the purposes of the General Data Protection Regulation (GDPR) and any subsequent UK legislation covering data protection, the Data Controller is CFD.
This Policy sets out why we collect personal information about individuals and how we use that information. It explains the legal basis for this and the rights you have over the way your information is used.
This Policy covers CFD in relation to the collection and use of the information you give us. We may change this Policy from time to time. If we make any significant changes we will advertise this on the website or contact you directly with the information. Please check this page occasionally to make sure you are happy with any changes.
If you have any questions about this Policy or concerning your personal information, please contact the Data Protection Officer.
What type of personal information we collect
The type and amount of information we collect depends on why you are providing it.
The information we collect when you make an enquiry includes your name, date of birth, email address, postal address and phone number etc. [list as applicable].
If you are a supporter, for example making a donation, volunteering, registering to fundraise or signing up for an event, in addition to asking for your name and contact details (your full address, email address and your phone number) we may also ask you for further personal information during the sign-up process to become a member; this may include your ethnicity, disabilities, age, sexual orientation etc.
How we collect information
We may collect information from you whenever you contact us or have any involvement with us for example when you:
- visit our website (see our Cookies policy)
- donate to us or fundraise for us
- enquire about our activities or services
- sign up to receive news about our activities
- create or update a profile
- post content onto our website/social media sites
- volunteer for us
- attend a meeting with us and provide us with information
- take part in our events
- contact us in any way including online, email, phone, SMS, social media or post
Where we collect information from
We collect information:
(1) From you when you give it to us directly: You may provide your details when you ask us for information or make a donation, volunteer, attend our events or contact us for any other reason.
(2) When you have given other organisations permission to share it: Your information may be provided to us by other organisations if you have given them your permission. This might for example be a BW working with us, or might be when you buy a product or service from a third party organisation. The information we receive from other organisations depends on your settings or the option responses you have given them.
(3) When it is available on social media: Depending on your settings or the privacy policies applying to the social media and messaging services you use, like Facebook, Instagram or Twitter, you might give us permission to access information from those accounts or services.
Note: We have not included public sources used in data matching and teleappending on which further advice should be sought.
How we use your information
We will use your personal information in a number of ways which reflect the legal basis applying to processing of your data. These may include:
- providing you with the information or services you have asked for
- processing donations you make, including processing for Gift Aid purposes
- organising volunteering activity you have told us you want to be involved in, or fundraising for us in which you are involved
- sending you communications with your consent that may be of interest including marketing information about our services and activities, campaigns and appeals asking for donations and other fundraising activities and promotions for which we seek support
- when necessary for carrying out obligations under any contract between us
- seeking your views on the services or activities we carry on so that we can make improvements
- maintaining our organisational records and ensuring we know how you prefer to be contacted
- analysing the operation of our website and analysing your website behaviour to improve the website and its usefulness
- processing grant or job applications
Our legal basis for processing your information
The use of your information for the purposes set out above is lawful because one or more of the following applies:
- Where you have provided information to us for the purposes of requesting information or requesting that we carry out a service for you, we will proceed on the basis that you have given consent to us using the information for that purpose, based on the way that you provided the information to us. You may withdraw consent at any time by emailing us at firstname.lastname@example.org. This will not affect the lawfulness of processing of your information prior to your withdrawal of consent being received and actioned.
- It is necessary for us to hold and use your information so that we can carry out our obligations under a contract entered into with you or to take steps you ask us to prior to entering into a contract.
- Where the purpose of our processing is the provision of information or services to you, we may also rely on the fact that it is necessary for your legitimate interests that we provide the information or service requested, and given that you have made the request, would presume that there is no prejudice to you in our fulfilling your request.
- There may be other uses to which you put information where you are reliant on the legitimate interests condition – such as the provision of information to a third party to enable them to fulfil part of a request for assistance. You must specify that you are relying on the legitimate interests condition, and specify what those interests are.
- Other possible options include processing necessary to protect the vital interests of the individual concerned or other individuals and processing necessary for a task carried out in the public interest or in the exercise of official authority vested in the CFD.
If you want to contact us about your marketing preferences, please contact our Office Manager on 07783996918.
How we keep your information safe
We understand the importance of security of your personal information and take appropriate steps to safeguard it.
We always ensure only authorised persons have access to your information, which means only our staff, volunteers and contractors, and that everyone who has access is appropriately trained to manage your information.
No data transmission over the internet can however be guaranteed to be 100% secure. So while we strive to safeguard your information, we cannot guarantee the security of any information you provide online and you do this at your own risk.
Who has access to your information?
- Third parties who provide services for us, for example funded providers. We select our third party service providers with care. We provide these third parties with the information that is necessary to provide the service and we will have an agreement in place that requires them to operate with the same care over data protection as we do.
- Third parties if we run an event in conjunction with them. We will let you know how your data is used when you register for any event.
- Analytics and search engine providers that help us to improve our website and its use.
- Third parties in connection with restructuring or reorganisation of our operations, for example if we merge with another BW. In such event we will take steps to ensure your privacy rights will be protected by the third party.
Owing to matters such as financial or technical considerations, the information you provide to us may be transferred to countries outside the European Economic Area (EEA), which are not subject to the same data protection regulations as apply in the UK. [Explain why you may do this, e.g. because it is stored on servers outside the EEA or you use suppliers based outside the EEA]. We meet our obligations under GDPR by ensuring that the information has equivalent protection as if it were being held within the EEA. We do this by ensuring that any third parties processing your data outside the EEA either benefit from an adequacy determination for GDPR purposes or, where appropriate, have entered into a Data Processing Agreement with us which contains the model EU clauses.
We may also disclose your personal information if we are required to do so under any legal obligation and may use external data for the purposes of fraud prevention and credit risk reduction, or where doing so would not infringe your rights, but is necessary and in the public interest.
Other than this, we will not share your information with other organisations without your consent.
Keeping your information up to date
We really appreciate it if you let us know if your contact details change. You can do so by contacting us at email@example.com.
Our use of “cookies”
“Cookies” are small pieces of information sent by a web server to a web browser, which enable the server to collect information from the browser. They are stored on your hard drive to allow our website to recognise you when you visit. Please read our Cookies policy [insert link].
We appreciate that our supporters are of all ages. Where appropriate we will ask for consent from a parent or guardian to collect information about children (under 16s).
How long we keep your information for
We will hold your personal information for as long as it is necessary for the relevant activity. By way of example, we hold records of donations you make for at least six years so we can fulfil our statutory obligations for tax purposes.
Where we rely on your consent to contact you for direct marketing purposes, we will treat your consent as lasting only for as long as it is reasonable to do so. This will usually be for two years. We may periodically ask you to renew your consent.
If you ask us to stop contacting you with marketing or fundraising materials, we will keep a record of your contact details and limited information needed to ensure we comply with your request.
You have the right to request details of the processing activities that we carry out with your personal information by making a Subject Access Request. Such requests have to be made in writing, and no charge may be made under GDPR except in very limited circumstances, which will be explained to you if relevant. More details about how to make a request, and the procedure to be followed, can be found in our Data Protection Policy. To make a request, contact us at firstname.lastname@example.org.
You also have the following rights:
- the right to request rectification of information that is inaccurate or out of date;
- the right to erasure of your information (known as the “right to be forgotten”);
- the right to restrict the way in which we are dealing with and using your information;
- the right to request that your information be provided to you in a format that is secure and suitable for re-use (known as the “right to portability”); and
- rights in relation to automated decision making and profiling including profiling for marketing purposes.
All of these rights are subject to certain safeguards and limits or exemptions, further details of which can be found in our Data Protection Policy. To exercise any of these rights, you should contact the Office Manager at the above address.
If you are not happy with the way in which we have processed or dealt with your information, you can complain to the Information Commissioner’s Office. Further details about how to complain can be found here.
This Policy may be changed from time to time. If we make any significant changes we will advertise this on our website or contact you directly with the information.
Do please check this Policy each time you consider giving your personal information to us.