We are a charity registered with The Charity Commission in England and Wales under registration number 1147771, and with the Office of the Scottish Charity Regulator (OSCR) in Scotland under SC048774. We are also a company limited by guarantee in England and Wales under registration number 7986971. Our registered office is at 17th Floor, Millbank Tower, 21-24 Millbank, SW1P 4QP.
We use personal data for many purposes. We need it to employ our staff, to run our programmes, and to raise money for our charitable activities.
You may give us your personal data directly, such as on an application or registration form or via our website, or we may collect it from another source such as a school, another partner organisation or an online fundraising website.
We will only use your personal data in accordance with this policy, and will comply with current data protection laws at all times.
Current laws guarantee the rights individuals have when it comes to their own personal data. The main laws that any organisation based in the UK that handles people’s personal data must comply with are the UK GDPR and the Data Protection Act 2018.
This Policy aims to provide more detail around how we use your personal data, including what rights you have as an individual.
We collect personal information about you in the following ways:
Certain categories of personal data are more sensitive than others. This information is known as ‘sensitive personal data’ or ‘special category personal data’. This includes things like health information, race, religious beliefs and political opinions.
We only collect special category personal data where it is necessary to achieve a certain purpose and we have a legal basis for doing so. For example, we collect information relating to the ethnicity and disability of our programme participants. We do so in order to manage and administer our equal opportunities reporting, as well as to ensure that, where applicable, applicants and participants are afforded any reasonable adjustments they may require.
We will always make it clear to you what special category personal data we are collecting and why, and where applicable, seek your consent.
The partner organisations we may share student ethnicity data with are: university partners, charities and research grant funding bodies that support The Brilliant Club, Higher Education Funding Councils, UniConnect Partners, Department for Education (DfE), Higher Education Statistics Agency (HESA), University and Colleges Admissions Service (UCAS), Office for Students, the National Data Service (SFA), and the Higher Education Access Tracker (HEAT). You can find out more about how HEAT will use the data here.
We will always have a legal basis in order to process your personal data and sensitive personal data. This will be one of the following:
In some instances, we will ask for your consent to use your personal information. This could be when we want to send you marketing emails or where we would like to share your personal information with one of our partners in scenarios where you were not informed of this at the outset (for example, with a university that is tracking the impact of one of our programmes in scenarios where we didn’t tell you about this when you joined the programme).
We will not use consent as our legal basis where you have no choice about giving us your information.
Please note that if you withdraw your consent to further processing, that does not affect any processing done prior to the withdrawal of that consent, or which is done according to another legal basis.
This is where we have a legitimate reason to process your data provided it is reasonable and does not go against your rights as an individual.
Where we rely on a legitimate interest to process your personal data our legitimate interests are as follows:
In some instances, we need to process your data in order to comply with certain legal requirements. For example, we do this where we follow laws regarding taxes, pensions, employment, immigration, or requirements that we must follow as a company and a charity.
In some cases, we may need to process your personal data where we have entered into a contract with you for the provision of certain services.
We are passionate about providing a high-quality and engaging experience to all of our supporters and to raising vital funds to support our work. In order to ensure our communications are relevant and tailored to your interests, we may supplement what we know about you with information about you from publicly-available sources.
When we have gathered information in this way, we will let you know as soon as is feasible by sharing our privacy policy with you. You can proactively opt out of your data being used in this way, or ask to see the data we hold, by contacting data@thebrilliantclub.org.
In accordance with our legal and regulatory obligations and our internal policies and procedures, we may also supplement what we know about you with publicly available information to carry out due diligence on potential or actual donors. If you opt out of analysis of your data for due diligence purposes, we may not be able to accept donations from you.
If you choose to donate to us via a third party, such as a money raising platform, your data will be processed by that third party as data processor for us, and will then be shared with us.
If you use your credit or debit card to donate to us, buy something or pay for a registration online or over the phone, we will ensure that this is done securely and in accordance with the Payment Card Industry Data Security Standard (PCI DSS), whether we do this through a third party or by ourselves. Find out more information about PCI DSS here.
We do not store your credit or debit card details at all following the completion of your transaction. All card details and validation codes are securely destroyed once the payment or donation has been processed. Only staff authorised and trained to process payments will be able to see your card details.
Most of the data we process is stored in the UK. However, we may transfer some of the information you provide to us to organisations outside of the UK and the European Economic Area (‘EEA’). For example, this happens when we work with organisations that provide us with software or an application that we use to administer our Programmes.
When we do this, we always ensure that the recipient organisation provides the same protections for your data that are available in the UK and EEA.
We will retain your personal data only for as long as is necessary for achieving the purpose for which we collected it.
Different laws may also require us to keep different data for different periods of time. For example, we must keep payroll records, holiday pay, sick pay and pensions auto-enrolment records for as long as is legally required by HM Revenue and Customs.
Where we have obtained your consent to process your personal data, we will do so in line with our retention policy. Upon expiry of that period we will either delete/anonymise your data or seek further consent from you to keep it for longer. Where you do not agree to this, we will stop using your data and ensure it is anonymised so that you can no longer be identified.
You have the following data protection rights:
If you wish to exercise any of your rights, please contact our Data Protection Officer via email at dpo@thebrilliantclub.org.
If you wish to complain about this privacy notice or any of the procedures set out within it, please contact our Data Protection Officer at dpo@thebrilliantclub.org.
If you believe that your data protection rights have not been adhered to, you also have the right to raise concerns with the Information Commissioner’s Office on 0303 123 1113 or at https://ico.org.uk/make-a-complaint/.
We take the security of your data seriously and take every precaution to protect it. Our internal policies and controls ensure that your data is not lost, accidentally destroyed, misused or disclosed, and is not accessed except by our employees in the performance of their duties or other authorised parties. We protect your data with the help of the following measures:
Where we instruct third parties to process personal data on our behalf, we always do so with a written contract in place and ensure that they are under a duty of confidentiality and that they implement the appropriate measures to ensure the security of the personal data.
Our virtual learning environment (VLE) is hosted using Amazon Web Services. You can read about how we maintain your privacy on this platform here.
We will be fair and proportionate when considering the actions to be taken to inform affected parties regarding breaches of personal data.
Where a breach is known to have occurred which is likely to result in a risk to the rights and freedoms of individuals, we will inform the relevant supervisory authority within 72 hours.
We will update this privacy statement from time to time. If we make any material changes, we will notify you.