Data Protection and Information Security Policy
The General Data Protection Regulation is European-wide data protection legislation that requires organisations working with individuals based in the European Economic Area (EEA), or where the organisation is based in the EEA, to meet certain requirements regarding the collection, processing, security and destruction of personal information.
3. General Data Protection Regulation (GDPR)
4. Handling personal information, lawfully, fairly and transparently
5. Fair treatment
6. Minimum amount of personal data
7. Accurate and kept up-to-date
8. Special Category Information
9. Lawful Basis for Processing
10. E privacy and Marketing
11. Rights of Individuals
12. Subject Access Requests
13. Requests for information from law enforcement agencies
14. Data security
15. Managing and monitoring staff
18. Restrictions on transferring information to non-EEA countries
19. Data loss
20. Data retention
21. Secure disposal of records and computer equipment
22. Data Protection Impact Assessments (DPIA)
23. Data Protection Officer
24. Monitoring & Reporting
This policy sets out how Jami will seek to ensure compliance with the legislation.
This policy applies to Jami’s dealings with beneficiaries, contacts, volunteers, supporters and third parties that may be involved in processing personal information. It covers the way personal information should be obtained, used, shared, physically stored and destroyed.
General Data Protection Regulation (GDPR)
The General Data Protection Regulation (GDPR) in conjunction with the Data Protection Act 2018 governs the processing (i.e. obtaining, storing, organising, recording, retrieval, use, disclosure, transmission, combination and destruction) of personal and sensitive data (i.e. information relating to a living individual – the data subject) and sets out the rights of individuals whose information is processed in manual or electronic form or held in a structured filing system. There are six principles that describe the legal obligations of organisations that handle personal information about individuals. These Principles are:
- Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the individual.
The information we gather about an individual will be collected in a way where they are fully informed how we intend to use that information, for what purposes and how we will share it.
- Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes.
We will explain why we need the information we are collecting and will not use it other than for those purposes.
- Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
We will only collect the information we need to provide the services required.
- Personal data shall be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.
The information we collect will be accurate and where necessary kept up to date. Inaccurate information will be removed or rectified as we become aware of the changes. We will request that information is updated by the individual wherever possible.
- Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals.
We will not hold personal information for longer than is necessary.
- Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
We will make sure that the personal information we have is held securely to ensure that it does not become inadvertently available to other organisations or individuals.
In addition to the above principles relating to personal information, there is also a principle of accountability. This principle states that the organisation responsible for the personal information shall be able to demonstrate its compliance with data protection legislation. Jami demonstrates its compliance with data protection legislation by implementing appropriate policies and procedures to protect the personal and business information in its custody.
Handling personal information, lawfully, fairly and transparently
The first and second principles require Jami to acquire and process personal information lawfully, fairly and in a transparent way. Jami therefore is clear at the outset about the purpose for which information is obtained and processed. Jami aims to ensure that:
- the purpose or purposes for which the information is to be used is made clear to individuals and they have a choice as to whether to provide the information, wherever possible;
- individuals are provided with easy to read and understand privacy notices when information is collected;
- personal information is not used in ways that would have adverse effects on individuals;
- personal information is collected and used only when there are legitimate business reasons which are balanced against the interests of the individual concerned;
- on request, we can provide to the individual a copy of the personal information we hold about them;
- personal information will only be handled in ways that individuals would reasonably expect; and
- there are comprehensive marketing plans and operational procedures in place for initiating contact with prospects and generating sales in a manner that complies with the General Data Protection Regulation.
Appropriate records will be maintained to demonstrate compliance with the above-mentioned requirements.
Fair treatment
Fairness generally requires us to be transparent, i.e. clear at the outset and open with individuals about why the information is being collected and how it will be used. Assessing whether information is being processed fairly depends partly on how it is obtained. In particular, if anyone is deceived or misled when the information is obtained, then this is unlikely to be fair.
Jami aims to ensure that, in all cases, consent and privacy statements will:
- be clear, fair and not misleading;
- explain the consequences of not providing the required information;
- explain how long the information will be kept for;
- explain if the replies to questions are mandatory or voluntary;
- explain if the information will be transferred overseas;
- explain, if the information will be shared, who it will be shared with and how they will use it;
- explain how individuals may be contacted e.g. telephone, email, SMS, post;
- explain individuals’ rights – e.g. they can obtain a copy of their personal information;
- explain who to contact if they wish to know more information about how their information is held or to opt-out of receiving further information or if they need to complain; and
- explain an individual’s right to complain to the Information Commissioner’s Office.
Jami is responsible for ensuring that the following details are communicated to those it works with:
- our organisation name or other trading name as well as the name of any nominated representative where this is appropriate;
- the purpose(s) for which we intend to process the individual’s personal information and if the information is to be shared or disclosed to other organisations (so that the individual concerned can choose whether or not to enter into a relationship with the company sharing it);
- any additional information that will enable us to process the information fairly; and
- how individuals can access the information held about them (as this may help them to spot inaccuracies or omissions in their records – see section below on Rights of Individuals).
Minimum amount of personal data
Under the principles of GDPR, Jami identifies the minimum amount of personal data we need so as to properly fulfil our purpose. We ensure that we hold that much information, but nothing further. If we need to hold particular information about certain individuals, we only collect the information for those individuals and nothing more. Jami does not hold personal data on the off-chance that it might be useful in the future.
Accurate and kept up-to-date
- take reasonable steps to ensure the accuracy of any personal information they obtain;
- ensure that the source of any personal information is clear;
- establish if the individual has challenged the accuracy of the information, and ensure that this is evaluated and recorded carefully; and
- consider whether it is necessary to update the information, particularly if the purpose relies on the information being current.
Jami understands that an expression of an opinion about an individual is classed as their personal information. The record of an opinion (or of the context it is held in) will contain enough information to enable a reader to interpret it correctly. If an opinion is likely to be controversial or very sensitive, or if it will have a significant impact when used or disclosed, Jami understands that it is even more important to state the circumstances or the evidence it is based on. Any remarks made in emails or system notes would need to be disclosed if the individual makes a subject access request. Therefore, Jami ensures that records do not contain anything that might be considered derogatory or offensive, even though the record may only be for internal use.
Special Category Information
Special category data is more sensitive information, and so needs additional protection, both when collected and then when it is stored. Special Category data includes information about an individual’s:
- race or ethnic origin;
- political opinions;
- religious or philosophical beliefs;
- trade union membership;
- biometrics (where used for ID purposes);
- sex life or sexual orientation.
This type of data could create more significant risks to a person’s fundamental rights and freedoms, for example, by putting them at risk of unlawful discrimination.
In order to be able to process special category information, we shall have one of the following secondary conditions in place:
(a) the individual has given explicit consent to the processing of the personal data for the specified purposes. This usually means ticking a box or signing to acknowledge the information being gathered;
(b) processing is necessary for carrying out the obligations and exercising our specific rights relating to employment and social security;
(c) processing is necessary to protect the vital interests of the individual or of another natural person where they are physically or legally incapable of giving consent;
(d) processing is carried out in the course of our legitimate activities, with appropriate safeguards. This is applicable where the organisation is a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members, former members of the body or to persons who have regular contact with the organisation in connection with its purposes. The personal information shall not be disclosed outside the organisation without the consent of the individual;
(e) processing relates to personal data which is already made public by the individual;
(f) processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity;
(g) processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the individual;
(h) processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services;
(i) processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices;
(j) processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.
Before any special category information is processed, there needs to be in place one of the conditions outlined above.
Lawful Basis for Processing
One of the requirements of data protection legislation is that there is a lawful basis in place for processing personal information. There are six bases which may be used and the bases may vary for each activity we undertake.
The lawful bases are:
- Legal Obligation
- Vital interests
- Public interest
- Legitimate interests.
At Jami we generally use consent, contract, legal obligation, and legitimate interests.
Consent will be required for certain types of information usage, generally relating to mailing lists and marketing communications.
When consent is required, it must be freely given, specific for the reason that the information is being collected, informed by providing privacy information and unambiguous. Requests for consent should be separate from other terms, and be in clear and plain language. The individual’s consent to using their personal data must be as easy to withdraw as to give.
Consent must be “explicit” for sensitive data. Jami is required to be able to demonstrate that consent was given.
Contract can be used as the lawful basis when Jami is looking to enter into a contract or has a contract in place. This could be used for processing staff and contractor information.
The legal obligation must be laid down by UK or EU law but does not have to be an explicit statutory obligation. National Insurance and pension information would be processed using legal obligation as there is a requirement for these transactions. Your overall purpose must be to comply with a legal obligation which has a sufficiently clear basis in either common law or statute.
Legitimate interests is a flexible lawful basis for processing of personal information. It is used as a lawful basis where you are processing an individual’s information in a way they would reasonably expect it to be used and which has a minimal impact on their privacy.
There are three elements to using legitimate interests as a lawful basis for processing. These are:
- The need to identify the legitimate interest;
- Show that the processing is necessary to achieve it; and
- Then balance this against the individual’s interests, rights and freedoms.
Jami always balances its interests against those of the individuals whose information it is using to ensure that the individual could reasonably expect their information to be used in this way or the use would not cause them unjustified harm. Jami’s interests do not override the interests of the individual.
Jami may rely on legitimate interests for marketing activities, where the use of the individual’s data is proportionate, has a minimal privacy impact and the individual would not be surprised or likely to object to the processing.
E privacy and Marketing
Under the Privacy and Electronic Communication Regulations (PECR) there are specific requirements relating to unsolicited direct marketing communications. A solicited communication is one that is actively invited, either directly by the client or via a third party. An unsolicited communication is one that the client has not invited but they have indicated that they do not, for the time being, object to receiving it. If challenged, we would need to demonstrate that an individual has positively opted in to receiving further information from us.
Jami understands that it is unlawful to contact individuals or organisations that have informed us that they do not wish to receive unsolicited marketing material. Therefore, Jami is aware of and complies with the following:
Emails and text messages – Jami will not contact individuals by email or via text message without obtaining prior consent.
Jami maintains internal logs of individuals and organisations that have indicated that they do not wish to receive unsolicited marketing information.
Rights of Individuals
Data protection legislation creates specific rights of individuals. These include:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling.
Subject Access Requests
An individual has the right to see the information that Jami holds about them and can make a request to access this information. Requests may be made verbally or in writing. Requests must be responded to within a calendar month of receipt, unless the request is complex.
In line with the GDPR, Jami will request certain information before responding to a request:
- enough information to judge whether the person making the request is the individual to whom the personal information relates. This avoids personal information about one individual being sent to another, accidentally or as a result of deception.
- sufficient information that would reasonably be required to find the personal information amongst the records held by us and covered by the request.
In the event of an individual making a subject access request via a third party, Jami will obtain written consent from the individual to confirm that the third party can request and receive information on the individual’s behalf.
When we respond to a subject access request, we will provide the individual with the following information:
- whether any personal information is held and being used;
- a description of the personal information, the reasons it is being processed, and whether it will be shared with any other organisations or individuals;
- a copy of the information; and
- details of the source of the information (where this is available).
Requests for information from law enforcement agencies
The General Data Protection Regulation includes exemptions, which allow personal information to be disclosed to law enforcement agencies without the consent of the individual who is the subject of the information, and regardless of the purpose for which the information was originally gathered. Jami will release personal information to law enforcement agencies if required to do so.
Data security
Jami has implemented appropriate security measures to prevent personal information held being accidentally or deliberately compromised. In particular, Jami:
- have designed and organised security to fit the nature of the personal information held and the harm that may result from a security breach;
- are clear about everyone’s responsibility for ensuring information security;
- make sure that the correct physical and technical security is in place, backed up by robust processes and procedures and reliable, well-trained staff;
- provide regular training to employees so that they may understand their responsibilities; and
- are ready to respond to any breach of security swiftly and effectively.
Jami recognises that information security breaches may cause real harm and distress to individuals if their personal information is lost or abused (this is sometimes linked to identity fraud).
Managing and monitoring staff
Jami ensures that staff or those acting on their behalf are aware of, trained in and comply with regulatory requirements and company policies on data protection and information security matters.
There are controls in place to ensure that those people handling client or confidential business information are honest and trustworthy and do not disclose information about clients without checking the identity of callers and verifying that they are entitled to the information being requested.
There are controls in place to ensure that only authorised personnel can access, alter, disclose or destroy personal information and only act within the scope of their authority. All paper records containing personal information and commercially sensitive information are stored securely when not in use and desks are cleared at the end of the working day.
Jami has procedures in place when we use third parties to process information to ensure that we:
- only choose a data processor that provides sufficient guarantees about its security measures to protect the information and the processing it will carry out;
- take reasonable steps to check that those security measures are working effectively in practice; and
- put in place a written contract setting out what the data processor is allowed to do with the personal information or business information.
Jami requires third parties that it works with to ensure that there are adequate security measures in place to secure the information that is being held.
Much of the work that Jami undertakes is conducted by volunteers. We have robust processes in place when recruiting and vetting volunteers to work with us. All volunteers are subject to regular training and have access to policies and procedures to ensure good practice. All volunteers sign a confidentiality agreement on appointment which sets out Jami’s expectations.
Restrictions on transferring information to non-EEA countries
There are no restrictions on moving personal information within EEA countries. Jami uses various cloud services, some of which are based within the EEA, whilst other providers are not. We are open and transparent with individuals whose data we collect about where their information is processed and accessed.
Jami considers the following factors when deciding whether or not to transfer information overseas:
- the nature of the personal information being transferred;
- how the information will be used and for how long; and
- the laws and practices of the country where information is being transferred to.
We also consider additional factors such as:
- the extent to which the country has adopted data protection standards in its law;
- whether there is a way to make sure the standards are achieved in practice; and
- whether there is an effective procedure for individuals to enforce their rights or get compensation if things go wrong.
If we are unable to gain assurance for the security of the information that it is proposed to transfer, then the transfer will not take place.
Data loss
If personal information is accidentally lost, altered or destroyed, attempts to recover it will be made promptly to prevent any damage or distress to the individuals concerned. In this regard Jami considers the following:
- containment and recovery – the response to the incident includes a recovery plan and, where necessary, procedures for damage limitation.
- assessing the risks – assess any risks and adverse consequences associated with the incident, as these are likely to affect how the incident needs to be contained.
- notification of data breaches – informing the Information Commissioner’s Office or other relevant Supervising Authority as necessary (within 72 hours), law enforcement agencies and individuals (whose personal information is affected) about the security breach is an important part of managing the incident.
- evaluation and response – it is important to investigate the causes of the incident, as well as the effectiveness of controls to prevent future occurrence of similar incidents.
- Additionally, Jami would look to ensure that any weaknesses highlighted by the information incident are rectified as soon as possible to prevent a recurrence of the incident.
More details about how an incident will be handled are to be found in the Data Incident Policy.
Data retention
To comply with information retention best practice, Jami establishes standard retention periods for different categories of information, keeping in mind any professional rules or regulatory requirements that apply and ensuring that those retention periods are being applied in practice. Any personal information that is no longer required will either be archived or deleted in a secure manner.
Jami’s retention periods for different categories of personal information are based on individual business needs.
Jami understands the difference between permanently deleting a record and archiving it. If a record is archived or stored offline, it will reduce its availability and the risk of misuse or mistake. If it is appropriate to delete a record from a live system, Jami will also delete the record from any back-up of the information on that system, unless there are business reasons to retain back-ups or compensating controls in place.
Full details of our retention programme can be found in the Retention and Destruction Policy.
Secure disposal of records and computer equipment
Once the retention period expires or, if appropriate, the personal or business information is no longer required, records will be disposed of in a secure manner. All paper records containing client or business information are disposed of by shredding. This includes all archived records.
All used computers, fax machines, printers and any other electronic equipment that may contain or that will have stored personal or business information in electronic format will be disposed of in an appropriate manner after the information has been completely wiped. An external provider will be used to ensure that the memory on the devices is completely clean of information before the item is disposed of, and confirmation of cleansing or destruction will be obtained.
Data Protection Impact Assessments (DPIA)
What is a data protection impact assessment?
Data Protection Impact Assessments or DPIAs (previously known as privacy impact assessments or PIAs) are a process to help us identify the most effective way to comply with data protection obligations and meet individuals’ expectations of privacy. By undertaking a DPIA we should be able to identify and fix any data protection issues early.
When do we need to conduct a DPIA?
We must carry out a DPIA before we process personal information where that processing may result in a high risk to the rights and freedoms of individuals or uses innovative technology.
We will take into account the nature, scope, context and purposes of the processing when deciding whether or not it is likely to result in a high risk to individuals’ rights and freedoms.
What does a DPIA cover?
A DPIA must contain:
- at least a general description of the processing operations and the purposes;
- an assessment of the risks to the rights and freedoms of individuals;
- the measures envisaged to address those risks;
- the safeguards, security measures and mechanisms in place to ensure the protection of the personal information; and
- take into account the rights and legitimate interests of the individuals and any other people concerned.
Data Protection Officer
Under the GDPR, an organisation must appoint a DPO if:
- it is a public authority or body (except for courts acting in their judicial capacity);
- the core activities require large scale, regular and systematic monitoring of individuals (for example, online behaviour tracking); or
- the core activities consist of large scale processing of special categories of data or data relating to criminal convictions and offences.
As Jami does not currently meet these conditions we have not appointed a Data Protection Officer.
Monitoring & Reporting
The Operations Manager will monitor the adherence to this policy and report to the Trustees any issues or concerns regarding its compliance.
This policy will be reviewed periodically in light of changing business priorities and practices and to take into account any changes in legislation.
We take your privacy seriously and we will look after any personal data you share with us in accordance with the General Data Protection Regulation 2018 (GDPR).
When you contact Jami about services your details are stored in our secure, cloud-based contact management system. This enables us to record the work we do and provides anonymised data to our stakeholders. Access to the database is password protected and staff have access only to the information they require.
Your information will be shared with relevant Jami staff who are able to offer you the best possible service or signpost you to another organisation for support.
We will not share your information with anyone without your consent. Further details are available in the Consent to Share and Consent to Request Information forms which will be explained to you if and when you meet with a member of staff.
You have the right to withdraw your consent at any time. If you want to withdraw consent you can do so by emailing [email protected] or writing to The Data Controller at Jami, Martin B Cohen Centre, Gould Way, Deansbrook Road, Edgware, HA8 9GL or by telephoning Jami on 0208 458 2223.
You have the right to access the personal data we hold about you and you can ask us to rectify any data you consider inaccurate. Please see the Data Subject Access Request Process.
You have the right to complain using the Complaints Procedure which you will find at https://jamiuk.org.
You can choose whether you receive information from us or not. We will ask you whether you wish to be contacted by email, telephone, text or post. We will ask for your consent to contact you about Jami services and about our fundraising and marketing activities.
Cookies are small text files placed on your device which uniquely identify your device. Cookies cannot be used to run programs or deliver viruses to your device.
For more information about our use of these technologies please contact us by calling us on 020 8458 2223, emailing us on [email protected] or writing to us at The Data Controller, Jami, Martin B Cohen Centre, Gould Way, Deansbrook Road, Edgware HA8 9GL.
The Jewish Association for Mental Illness (Company No: 02618170) is the controller and responsible for your personal data (collectively referred to as “Jami”, “we”, “us” or “our” in this Policy).
We have appointed a data privacy manager who is responsible for overseeing questions in relation to this Privacy Policy. If you have any questions about this Policy, including any requests to exercise your legal rights, please contact the data privacy manager using the details set out below.
2. Contact details
If you have any questions about this Policy or our privacy practices, please contact our data privacy manager in the following ways:
- Full name of legal entity: The Jewish Association for Mental Illness (Company No: 02618170)
- Email address: [email protected]
- Postal address: The Data Controller, Jami, Martin B Cohen Centre, Gould Way, Deansbrook Road, Edgware HA8 9GL
- Telephone number: 020 8458 2223
You have the right to make a complaint at any time to the Information Commissioner’s Office (“ICO”), the UK supervisory authority for data protection issues (www.ico.org.uk). We would, however, appreciate the chance to deal with your concerns before you approach the ICO, so please contact us in the first instance.
3. How will you collect my information?
We may collect personal information (for example your name, postal address, email address, date of birth, telephone number, or billing, transaction and payment card information) from you when you:
(a) Make a donation (financial or goods) to Jami by post, telephone, in person or online.
(b) Apply for a job or a volunteering role within Jami, for the processing of your application.
(c) Attend a fundraising or educational event, training or seminar organised by Jami.
(d) From a third-party source such as Just Giving or VirginMoneyGiving or other event organisers such as community organisations or synagogues.
(e) Order materials, resources or training from us.
(f) Contact us or provide us with details at an event.
(g) Correspond with us by email, phone, by post or become involved with us in another way, for example with our governance or as an organisation or committee contact.
(h) Via our IT systems e.g. door entry systems and reception logs, automated monitoring of our website and other technical systems (such as our computer networks, CCTV, email and instant messaging systems).
4. Why do you need my details and how do you use them?
There are different reasons why we might need your personal details – the main ones are:
- To comply with our legal and regulatory obligations.
- For the performance of any contract with you or to take steps at your request before entering into a contract.
- Where you have given consent.
- To process and record your donation to us and other financial or gift in kind transactions.
- If you agree that we can claim Gift Aid on your donations, we are legally required to keep a record of the claim and your Gift Aid declaration.
- If you commit to future support to Jami, for example through a gift in your will or a pledge, we will keep a record.
- To record details of volunteering you have carried out with Jami or to inform you of future volunteering opportunities. If you apply to become a volunteer with Jami, we may, if appropriate, use your information to make further checks, including whether you have any criminal convictions, by seeing the results of a DBS check.
- We may also use your information to detect and reduce fraud and credit risk and help review our services.
- We may carry out prospect research using publicly available information to identify further fundraising and marketing opportunities and carry out market research.
- We may use it to process your application or payments for events and training attendance and to send you details and reminders about them.
- We will also use your information to:
  - keep you up to date about the work we’re doing and tell you about the difference your contribution is making by sending you information by post, email and phone.
  - ask for your financial support to help more people with mental illness.
If you are a new supporter, we will only do this if you tell us that you are happy for us to contact you (this is ‘opting-in’) by completing a contact form. These forms can be found on this website and anywhere where we ask for personal details.
- Processing of your personal data is necessary for the purposes of legitimate interests pursued by Jami, or those of a third party, where such interests have not ignored your rights or freedoms concerning your privacy. Processing is necessary to perform a public task in the public interest and comply with CC20 guidance from the Charity Commission.
5. Do you pass my details to any other organisations or individuals?
Please rest assured that we will never sell your details to any third party. When dealing with your personal information we comply with the General Data Protection Regulation and the Data Protection Act 2018, and any other applicable legislation.
In addition, if we ever need to send data to a third party for processing for the purposes of legitimate interests (for example checking against the Telephone Preference Service, updating our records and prospect researching from publicly available sources such as the electoral roll) we will make sure the company we use has signed a data processing agreement with us or other contractual obligations, so that they are bound to take care of your data in the same way we do. We may also share personal information with external auditors, e.g. the Charity Commission or for the audit of our accounts.
We may disclose and exchange information with law enforcement agencies and regulatory bodies to comply with our legal and regulatory obligations.
If you have made a Gift Aid declaration, we may disclose the information you have provided as part of the declaration to HMRC for the purpose of reclaiming gift aid on your donation(s). We may share or disclose your personal information if we are required to do so by any law, regulation or court order.
6. How do you keep my information secure?
We will take precautions to prevent the loss, misuse or unauthorised alteration of personal information you give us. For example, our website does not store your personal information when you enter it into one of our contact preference forms.
We also have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.
We may send communications to you by email. Email is not a fully secure means of communication, and whilst we do our utmost to keep our systems and communications protected, we cannot guarantee this.
We make no representations about any other websites, and when you access any other website through a link on our website (including social media sites) you should understand that it is independent from us and that we have no control over that website or the way your personal information is collected through those websites. Those websites may have their own privacy policies and we encourage you to look at those policies or contact the website operators directly to understand how your personal information is used.
7. Cookies and other similar technologies
Cookies are small text files placed on your device which uniquely identify your device. Cookies cannot be used to run programs or deliver viruses to your device. For more information about our use of these technologies please contact us by using the details set out above.
8. Your rights
You have the following rights, which you can access free of charge (subject to certain restrictions):
| Right | Description |
|---|---|
| Access | The right to be provided with a copy of your personal information (the right of access) |
| Rectification | The right to require us to correct any mistakes in your personal information |
| To be forgotten | The right to require us to delete your personal information, in certain situations |
| Restriction of processing | The right to require us to restrict processing of your personal information, in certain circumstances, e.g. if you contest the accuracy of the data |
| Data portability | The right to receive the personal information you provided to us, in a structured, commonly used and machine-readable format and/or transmit that data to a third party, in certain situations |
| To object | The right to object: · at any time to your personal information being processed for direct marketing (including profiling); · in certain other situations to our continued processing of your personal information, e.g. processing carried out for the purpose of our legitimate interests. |
| Not to be subject to automated individual decision making | The right not to be subject to a decision based solely on automated processing (including profiling) that produces legal effects concerning you or similarly significantly affects you |
For further information on each of those rights, including the circumstances in which they apply, please contact us.
If you would like to exercise any of those rights, please email us using the contact details set out above and: give us enough information to identify you (e.g. your full name and address); provide proof of your identity and address (a copy of your driving licence or passport and a recent utility or credit card bill); and let us know what right you want to exercise and the information to which your request relates.
9. Online advertising
We follow Facebook’s strict advertising policies when using that platform, and we only target based on ‘likes’ on our page or similar anonymised data using cookies. We do not ever upload our own supporters’ data to Facebook or other social media for advertising purposes. If you have any questions about this Policy, please contact us using the contact details set out above.
Privacy notice update July 2020