Privacy Policy

Policy Updated September 2021

About Us 

We are a charity registered with The Charity Commission in England and Wales under registration number 1147771, and with the Office of the Scottish Charity Regulator (OSCR) in Scotland under SC048774. We are also a company limited by guarantee in England and Wales under registration number 7986971. Our registered office is at 17th Floor, Millbank Tower, 21-24 Millbank, SW1P 4QP. 

We use personal data for many purposes. We need it to employ our staff, to run our programmes, and to raise money for our charitable activities.  

You may give us your personal data directly, such as on an application or registration form or via our website, or we may collect it from another source such as a school, another partner organisation or an online fundraising website. 

We will only use your personal data in accordance with this policy, and will comply with current data protection laws at all times. 

Data Protection Laws 

Current laws guarantee the rights individuals have when it comes to their own personal data. The main laws that any organisation based in the UK that handles people’s personal data must comply with are the UK GDPR and the Data Protection Act 2018. 

This Policy aims to provide more detail around how we use your personal data, including what rights you have as an individual. 

Data Collection and Processing 

We collect personal information about you in the following ways: 

  • Information you give us. For example, when you apply to work for us, when you participate in one of our programmes, when you make a donation to us, register for an event, engage with us via email or social media or message boards, or otherwise provide us with your personal information. You may also provide us with information such as your name and contact information after speculatively inquiring about one of our programmes or supporting the charity.  
  • Information we get from your use of our website and services, including portals. We collect information about the services you use and how you use them. You will find more information about our use of cookies in our Cookies Policy. 
  • Information from third parties. Like all organisations we are able to see what browser you are using, your IP address and what computer operating systems you are using. We may use this information to improve the services we offer. 
  • Information available publicly. To inform our communications with current and potential supporters, as well as to carry out due diligence, we may supplement information you give us with publicly available information, such as biographical information and information about your interests and other charities you support. 

Special Category Personal Data 

Certain categories of personal data are more sensitive than others. This information is known as ‘sensitive personal data’ or ‘special category personal data’. This includes things like health information, race, religious beliefs and political opinions. 

We only collect special category personal data where it is necessary to achieve a certain purpose and we have a legal basis for doing so. For example, we collect information relating to the ethnicity and disability of our programme participants. We do so in order to manage and administer our equal opportunities reporting, as well as to ensure that, where applicable, applicants and participants are afforded any reasonable adjustments they may require.

We will always make it clear to you what special category personal data we are collecting and why, and where applicable, seek your consent.

The partner organisations we may share student ethnicity data with are: university partners, charities and research grant funding bodies that support The Brilliant Club, Higher Education Funding Councils, UniConnect Partners, Department for Education (DfE), Higher Education Statistics Agency (HESA), University and Colleges Admissions Service (UCAS), Office for Students, the National Data Service (SFA), and the Higher Education Access Tracker (HEAT). You can find out more about how HEAT will use the data here.

Legal bases for processing personal data 

We will always have a legal basis in order to process your personal data and sensitive personal data. This will be one of the following: 

  • Your consent, where required; 
  • Our legitimate interests; 
  • To comply with a legal obligation that we have; 
  • To fulfil a contractual obligation that we have with you. 

Consent 

In some instances, we will ask for your consent to use your personal information. This could be when we want to send you marketing emails or where we would like to share your personal information with one of our partners in scenarios where you were not informed of this at the outset (for example, with a university that is tracking the impact of one of our programmes in scenarios where we didn’t tell you about this when you joined the programme).   

We will not use consent as our legal basis where you have no choice about giving us your information.  

Please note that if you withdraw your consent to further processing, this does not affect any processing done prior to the withdrawal of that consent, or any processing which is done according to another legal basis.

Legitimate Interests 

This is where we have a legitimate reason to process your data provided it is reasonable and does not go against your rights as an individual.  

Where we rely on a legitimate interest to process your personal data our legitimate interests are as follows: 

  • Registering and maintaining records of pupils / tutors / programme participants / supporters / potential supporters and other individuals or organisations that The Brilliant Club works with to administer all aspects of our work 
  • Some fundraising activity, including communications with current and potential supporters and donors 
  • For monitoring, evaluating, and researching the effectiveness of our programmes 
  • Contacting you to seek your consent where we need it; 
  • Giving you information about similar products or services that you have used from us recently. 

Legal Obligations 

In some instances, we need to process your data in order to comply with certain legal requirements. For example, we do this where we follow laws regarding taxes, pensions, employment, immigration, or requirements that we must follow as a company and a charity. 

Contract 

In some cases, we may need to process your personal data where we have entered into a contract with you for the provision of certain services.  

Fundraising 

We are passionate about providing a high-quality and engaging experience to all of our supporters and to raising vital funds to support our work. In order to ensure our communications are relevant and tailored to your interests, we may supplement what we know about you with information about you from publicly-available sources. 

When we have gathered information in this way, we will let you know as soon as is feasible by sharing our privacy policy with you. You can proactively opt-out of your data being used in this way, or ask to see the data we hold, by contacting data@thebrilliantclub.org  

In accordance with our legal and regulatory obligations and our internal policies and procedures, we may also supplement what we know about you with publicly available information to carry out due diligence on potential or actual donors. If you opt out of analysis of your data for due diligence purposes, we may not be able to accept donations from you. 

If you choose to donate to us via a third party, such as a money raising platform, your data will be processed by that third party as data processor for us, and will then be shared with us. 

Your debit and credit card information 

If you use your credit or debit card to donate to us, buy something or pay for a registration online or over the phone, we will ensure that this is done securely and in accordance with the Payment Card Industry Data Security Standard (PCI DSS), whether we do this through a third party or by ourselves. Find out more information about PCI DSS here. 

We do not store your credit or debit card details at all following the completion of your transaction. All card details and validation codes are securely destroyed once the payment or donation has been processed. Only staff authorised and trained to process payments will be able to see your card details. 

Overseas Transfers 

Most of the data we process is stored in the UK. However, we may transfer some of the information you provide to us to organisations outside of the UK and the European Economic Area (‘EEA’). For example, this happens when we work with organisations that provide us with software or an application that we use to administer our Programmes.

When we do this, we always ensure that the recipient organisation provides the same protections for your data that are available in the UK and EEA.  

Data Retention 

We will retain your personal data only for as long as is necessary for achieving the purpose for which we collected it.  

Different laws may also require us to keep different data for different periods of time. For example, we must keep payroll records, holiday pay, sick pay and pensions auto-enrolment records for as long as is legally required by HM Revenue and Customs. 

Where we have obtained your consent to process your personal data, we will do so in line with our retention policy. Upon expiry of that period we will either delete/anonymise your data or seek further consent from you to keep it for longer. Where you do not agree to this, we will stop using your data and ensure it is anonymised so that you can no longer be identified. 

Your Rights 

You have the following data protection rights: 

  • The right to be informed about which of your personal data we process;
  • The right to receive a copy of your personal data;
  • The right to tell us to rectify your data where it is inaccurate or incomplete;
  • The right to have your personal data erased in certain circumstances;
  • The right to restrict processing of your personal data;
  • The right to obtain and reuse your personal data – this is also known as data portability;
  • The right to object to the processing of your personal data in certain circumstances;
  • The right not to be subjected to solely automated decision making and profiling.

If you wish to exercise any of your rights please contact our Data Protection Officer via email at dpo@thebrilliantclub.org

Complaints or Queries 

If you wish to complain about this privacy notice or any of the procedures set out within it please contact our Data Protection Officer at dpo@thebrilliantclub.org

If you believe that your data protection rights have not been adhered to, you also have the right to raise concerns with the Information Commissioner’s Office on 0303 123 1113 or at https://ico.org.uk/make-a-complaint/. 

Data Security 

We take the security of your data seriously and take every precaution to protect it. Our internal policies and controls ensure that your data is not lost, accidentally destroyed, misused or disclosed, and is not accessed except by our employees in the performance of their duties or other authorised parties. We protect your data with the help of the following measures: 

  • Controlling who can gain access to our offices 
  • CCTV Cameras 
  • Intrusion alarms 
  • Regularly tested fire detection; 
  • DBS checks for all staff who need them 
  • Keeping our networks secure 
  • The ability to remotely delete data on all of our devices and to track those devices at all times
  • Restricting access to our key systems to only our system administrators and setting appropriate access controls for all other staff  
  • Full disk encryption 
  • Regularly reviewing our disaster recovery plan 
  • Regularly providing data protection and information security training to all staff 

Where we instruct third parties to process personal data on our behalf, we always do so with a written contract in place and ensure that they are under a duty of confidentiality and that they implement the appropriate measures to ensure the security of the personal data. 

Our virtual learning environment (VLE) is hosted using Amazon Web Services.  You can read about how we maintain your privacy on this platform here. 

Reporting Data Breaches 

We will be fair and proportionate when considering the actions to be taken to inform affected parties regarding breaches of personal data.  

Where a breach is known to have occurred which is likely to result in a risk to the rights and freedoms of individuals, we will inform the relevant supervisory authority within 72 hours. 

Changes to this Privacy Policy 

We will update this privacy statement from time to time. If we make any material changes, we will notify you.