Privacy Policy

About Us

The Brilliant Club is a charity registered with The Charity Commission in England and Wales under registration number 1147771, and with the Office of the Scottish Charity Regulator (OSCR) in Scotland under SC048774. The Brilliant Club is a company limited by guarantee in England and Wales under registration number 7986971. The registered office address is 17th Floor, Millbank Tower, 21-24 Millbank, SW1P 4QP.

The Brilliant Club must process personal data (including special categories of data / sensitive personal data) so that it can provide its services and deliver its programmes of work – in doing so, the charity acts as a data controller.

You may give your personal details to The Brilliant Club directly, such as on an application or registration form or via our website, or we may collect them from another source such as directly from a school, another partner organisation or an online fundraising platform.

Our virtual learning environment (VLE) is hosted by Titus Learning using Amazon Web Services. You can read about how we maintain your privacy on this platform here.

The Brilliant Club must have a legal basis for processing your personal data. For the purposes of administering all aspects of The Brilliant Club’s work, and for monitoring, evaluating, and researching the effectiveness of its programmes, the charity will only use your personal data in accordance with this privacy statement. At all times we will comply with current data protection laws.

If you have any queries about our Privacy Statement, please contact the charity’s Data Protection Officer, Siobhan Haire, at data@thebrilliantclub.org.

The GDPR

The EU General Data Protection Regulation (GDPR) is the most significant piece of European privacy legislation in recent history, replacing the 1995 EU Data Protection Directive (European Directive 95/46/EC). It aims to support the rights individuals have over data about themselves that is collected and stored. It also aims to detect, identify and mitigate data breaches or leaks for all companies in the EU, as well as enforcing reporting on these issues. Any business that deals with EU nationals must comply with the legislation.

In line with the changes to European Union data protection law, The Brilliant Club updated its privacy policy. These changes include explaining to you in more detail how we use your information, including your choices, rights, and controls.

The Brilliant Club also uses Third Party suppliers and software to process, control and manage data. These systems have been audited in line with GDPR commitments. In the context of this statement, ‘data subject’ refers to the person or entity submitting data and can include employees, pupils, tutors, programme participants, and other individuals or organisations that The Brilliant Club works with.

Data Collection and Processing

The Brilliant Club collects information in the following ways:

  • Information you give us. For example, when you apply to work on or participate in one of our programmes, express an interest in taking up one of our programmes or services, make a donation to us, register for an event, engage with us via email or social media or message boards, or otherwise provide us with your personal information. You may also provide us with information such as your name and contact information after speculatively inquiring about one of our programmes or supporting the charity. The Brilliant Club stores this information on its stakeholder database unless you indicate that you do not wish for us to store your data from the outset or subsequently following a request for deletion or suppression of your information.
  • Information we get from your use of our website and services, including portals. We collect information about the services you use and how you use them – please refer to our Cookies Policy below.
  • Information from third parties. Like all organisations we are able to see what browser you are using, your IP address and what computer operating systems you are using. We may use this information to improve the services we offer.
  • Information available publicly. To inform our communications with current and potential supporters, as well as to carry out due diligence, we may supplement information you give us with publicly available information, such as biographical information and information about your interests and other charities you support.
  • Data protection law recognises that certain categories of personal information are more sensitive than others. This is known as ‘sensitive personal data’ or ‘special categories of data’ and includes health information, race, religious beliefs and political opinions (please note that this is a non-exhaustive list). We only collect sensitive personal data about people engaged with us where we have a legal basis for doing so. For example, when a tutor applies to work for The Scholars Programme, we need to understand what, if any, reasonable adjustments need to be made to our assessment processes. We may also collect this information for monitoring purposes.

We may also collect sensitive personal data if you make the information public or if you tell us about your experiences on one of our programmes. In any such instances, we will always make it clear to you when we collect this information what sensitive personal data we are collecting and why, and where applicable, seek your consent for us to do this.

We must have a legal basis to process your personal data and sensitive personal data. The legal bases we rely upon to offer our programmes and services to you are:

  • Your consent, where required;
  • Where we have a legitimate interest;
  • To comply with a legal obligation that we have;
  • To fulfil a contractual obligation that we have with you or a partner organisation.

Consent

In some instances, we will rely on obtaining your consent for use of your personal information. This legal basis is most commonly used to send marketing information to you (for example, where we seek to obtain your consent to receive emails about our events) or where we would like to share your personal information with a partner (a ‘third party’) for their own purposes (for example, a university that is tracking the impact of one of our programmes where we didn’t tell you about this when you joined the programme). We will not use consent as our legal basis where you have no choice about giving us your information.

Legitimate Interest

This is where The Brilliant Club has a legitimate reason to process your data, provided it is reasonable and does not go against what you would reasonably expect from us. Where the charity has relied on a legitimate interest to process your personal data, our legitimate interests are as follows:

  • Registering and maintaining records of pupils / tutors / programme participants / supporters / potential supporters and other individuals or organisations that The Brilliant Club works with to administer all aspects of the charity’s work;
  • Some fundraising activity, including communications with current and potential supporters;
  • For monitoring, evaluating, and researching the effectiveness of its programmes;
  • Contacting you to seek your consent where we need it;
  • Giving you information about similar products or services that you have used from us recently.

The Brilliant Club is required by law to treat certain categories of personal information with even more care. These are called sensitive or special categories of personal information and different lawful bases apply to processing them. The Brilliant Club collects sensitive personal information relating to the ethnicity and disability information of its programme participants. It does so, so that it may manage and administer its equal opportunities reporting, as well as ensure that where applicable, applicants and participants are afforded any reasonable adjustments they may require.

Statutory / Contractual Requirement

The Brilliant Club has certain legal and contractual requirements to collect personal data (e.g. to comply with immigration and tax legislation, safeguarding requirements, processing charitable donations). Our partner organisations may also require this personal data, and/or we may need your data to enter into a contract with you. If you do not give us the personal data we need to collect, we may not be able to continue to provide our services to you or be able to effectively administer our core programmes of work.

Fundraising

We are passionate about providing a high-quality and engaging experience to all of our supporters and to raising vital funds to support our work. In order to ensure our communications are relevant and tailored to your interests, we may supplement what we know about you with information about you from publicly-available sources.

When we have gathered information in this way, we will let you know as soon as is feasible by sharing our privacy policy with you. You can proactively opt out of your data being used in this way, or ask to see the data we hold, by contacting data@thebrilliantclub.org.

In accordance with our legal and regulatory obligations and our internal policies and procedures, we may also supplement what we know about you with publicly available information to carry out due diligence on potential or actual donors. If you opt out of analysis of your data for due diligence purposes, we may not be able to accept donations from you.

If you choose to donate to us via a third party, such as Virgin Money Giving, your data will be processed by that third party as data processor for us, and will then be shared with us.

Your debit and credit card information

If you use your credit or debit card to donate to us, buy something or pay for a registration online or over the phone, we will ensure that this is done securely and in accordance with the Payment Card Industry Data Security Standard (PCI DSS), whether we do this through a third party or by ourselves. Find out more information about PCI DSS here.

We do not store your credit or debit card details at all, following the completion of your transaction. All card details and validation codes are securely destroyed once the payment or donation has been processed. Only staff authorised and trained to process payments will be able to see your card details.

Overseas Transfers

The Brilliant Club may transfer the information you provide to us to countries outside the European Economic Area (‘EEA’) for the purposes of administering, monitoring, evaluating, and researching the effectiveness of its programmes. We will take steps to ensure adequate protections are in place to ensure the security of your information and where applicable, seek your express consent to do so. The EEA comprises the EU member states plus Norway, Iceland and Liechtenstein.

Data Retention

The Brilliant Club will retain your personal data only for as long as is necessary for the purpose we collect it and never longer than seven years. Different laws may also require us to keep different data for different periods of time. For example, we must keep payroll records, holiday pay, sick pay and pensions auto-enrolment records for as long as is legally required by HMRC and associated national minimum wage, social security and tax legislation.

Where The Brilliant Club has obtained your consent to process your personal/sensitive personal data, we will do so in line with our retention policy. Upon expiry of that period the charity will seek further consent from you. Where consent is not granted, The Brilliant Club will cease to process your personal data/sensitive personal data and/or anonymise it in full.

Your Rights / Rights of the Data Subject

You as the data subject have the following data protection rights:

  • The right to be informed about the personal data The Brilliant Club processes on you;
  • The right of access to the personal data the charity processes on you;
  • The right to rectification of your personal data;
  • The right to erasure of your personal data in certain circumstances;
  • The right to restrict processing of your personal data;
  • The right to data portability in certain circumstances;
  • The right to object to the processing of your personal data that was based on a public or legitimate interest;
  • The right not to be subjected to automated decision making and profiling; and
  • The right to withdraw consent at any time.

Where you have consented to The Brilliant Club processing your personal / special categories of data you have the right to withdraw that consent at any time by contacting the charity’s Data Protection Officer, Siobhan Haire, via email to data@thebrilliantclub.org. Please note that if you withdraw your consent to further processing that does not affect any processing done prior to the withdrawal of that consent, or which is done according to another legal basis.

There may be circumstances where The Brilliant Club will still need to process your data for legal or official reasons. Where this is the case, we will tell you and we will restrict the data to only what is necessary for those specific reasons.

If you believe that any of your data that the charity processes is incorrect or incomplete, please contact us using the details above and we will take reasonable steps to check its accuracy and correct it where necessary. You can also contact us using the above details if you want us to restrict the type or amount of data we process for you, access your personal data or exercise any of the other rights listed above.

Complaints or Queries

If you wish to complain about this privacy notice or any of the procedures set out within it please contact the charity’s Data Protection Officer, Siobhan Haire, at data@thebrilliantclub.org.

You also have the right to raise concerns with the Information Commissioner’s Office on 0303 123 1113 or at https://ico.org.uk/concerns/, or any other relevant supervisory authority should your personal data be processed outside of the UK, if you believe that your data protection rights have not been adhered to.

Data Security

The charity takes the security of your data seriously and takes every precaution to protect our users’ information. The Brilliant Club has internal policies and controls in place to ensure that your data is not lost, accidentally destroyed, misused or disclosed, and is not accessed except by its employees in the performance of their duties. Measures applied include:

  • Access control throughout its buildings;
  • CCTV Cameras;
  • Intrusion alarms;
  • Regularly tested fire detection;
  • All staff are DBS checked;
  • Comprehensive network security;
  • Remote wipe and location tracking on devices;
  • System administrative restrictions and controls;
  • Full disk encryption in place; and
  • Regularly reviewed disaster recovery plan.

Where the charity engages third parties to process personal data on its behalf, they do so on the basis of written instructions, are under a duty of confidentiality and are obliged to implement appropriate technical and organisational measures to ensure the security of data as outlined within the GDPR.

Reporting Data Breaches

It is The Brilliant Club’s policy to be fair and proportionate when considering the actions to be taken to inform affected parties regarding breaches of personal data. In line with the GDPR, where a breach is known to have occurred which is likely to result in a risk to the rights and freedoms of individuals, the relevant supervisory authority will be informed within 72 hours.

Changes to this Privacy Statement

We will update this privacy statement from time to time. We will post any changes on the statement with revision dates. If we make any material changes, we will notify you.