George House Trust is committed to protecting the rights and privacy of service users, volunteers, staff, Trustees and other stakeholders, where personal data is held, in accordance with the General Data Protection Regulation (GDPR). The Regulation, effective from 25th May 2018, protects the rights and privacy of individuals and gives more control over how data is used and gathered, giving better protection overall of personal data.
In carrying out the work of George House Trust personal data is recorded and processed about people who receive advice or support services from us; about those who attend our training courses or activities and events; about visitors to our website; about those who work for us; and about those who support us through campaigning, giving donations, other fundraising activities or volunteering.
We are committed to protecting personal data and being transparent about what information we hold. This Policy has been developed to help set out how personal data will be treated where there is either online or in-person engagement.
It’s important that everyone we work with knows about, and has confidence and trust in, how we record and process their personal data. We are committed to ensuring that we use the information shared with us in accordance with all applicable laws concerning the protection of personal data.
WHO THIS POLICY COVERS
The Policy applies to staff, volunteers and Trustees and covers any person who has provided their personal data to George House Trust, be they staff, volunteers, service users, or third parties.
This Policy sets out:
- what information we may collect about individuals;
- where we collect personal data from;
- why we collect personal data;
- the legal basis for processing personal data;
- who we may share personal data with;
- how we keep personal data secure;
- how long we keep personal data;
- updating and accessing personal data
- data breaches and more information
By signing up to George House Trust’s campaigns, giving support as a donor or volunteer, using our services, accepting and signing a Contract of Employment, the respective Privacy Notice is deemed to be accepted and authorisation given to George House Trust to collect, store and process personal data in the ways set out. Data processing may include obtaining, recording, retaining, disclosing, destroying, or otherwise using data.
George House Trust is registered as a data controller with the Information Commissioner’s Office under the Data Protection Act 1998 under the registration number Z2788095.
The Finance Director is accountable for ensuring that all personal data is processed in compliance with this Policy.
2.0 WHAT INFORMATION DO WE COLLECT ABOUT INDIVIDUALS?
This type of information does not identify the individual, but it does help us to improve our services. When visitors look around our website, we record things like their IP (internet protocol) address – the unique number of the device being using to access our website, which pages are visited (on our website only), when they were visited, and the type of device being used. This information helps us create a better experience for everyone who uses our website. Examples of the type of information that can be collected using an IP address include the type and version of browser, and the location from which the site is being accessed. This helps us improve how our page templates appear and change content to make it relevant to our website visitors..
This means any information that may be used to identify individuals, such as:
- full name
- contact details including postal address, telephone number(s) and email address
- bank details if it is a donor or, for example, if we need to pay expenses to a volunteer
- records of correspondence and engagement with us and any membership held with us
- donation history and Gift Aid details
- information which may have been entered on the George House Trust website
- occupation or other biographical information
- other information shared with us
- details of advice or support received
We sometimes also collect sensitive information about individuals. This includes information about health (which may include HIV status), religion, sexuality, ethnicity and criminal records. We will normally only record this data where we have explicit consent, unless we are permitted to do so in other circumstances under data protection law. For example, we may make a record that a person is in a vulnerable circumstance to comply with legal requirements.
Children and young people
Protecting children's privacy is paramount. However to deliver a service we need to collect and manage personal data about children and young people and aim to manage it in a way which is appropriate to the age of the child.
Information is usually collected when we are working directly with children and young people. Consent from a parent or guardian, if the child is under 16, or consent from the young person, if they are aged 16 or over, is required before collecting personal data.
3.0 WHERE DO WE COLLECT DATA FROM?
We collect information in the following ways:
When it is given to us DIRECTLY
We collect personal information for many reasons, for example to provide a service, to enable employment, to communicate information and send information that’s has been requested, and to run campaigns and process donations. Depending on how individuals interact with us, we may process data when they:
- register on our website to receive updates from us;
- request a service from us such as an appointment with a Services Adviser;
- become a Member or Trustee;
- register for our training courses, events or activities;
- fundraise on our behalf;
- donate to us or allow us to claim Gift Aid on donations;
- campaign for us;
- apply for jobs or volunteer opportunities, or act as a freelancer for us;
- complete a survey or take part in research; or
- give personal data to us.
This information may be collected via any paper forms that are completed, telephone conversations, emails, face-to-face interactions, digital forms completed via our website, online surveys, third-party companies and websites such as JustGiving, publicly available sources, or communication via social media. Our donations and payment pages are provided by third-party secure payment processors.
When it is given to us INDIRECTLY
Information may be shared with us by independent event organisers, for example the London Marathon or fundraising sites like JustGiving or Virgin Money Giving. These independent third parties will only share personal data when the individual has indicated that they wish to support George House Trust and with their consent. We may also receive information from online services such as Facebook or Twitter if permission has been given to share this with us.
When permission is given to OTHER ORGANISATIONS to share personal data or it is available publicly.
We may combine information provided to us with information available from external sources in order to improve our services or fundraising approaches. This information could come from social media accounts, for example Twitter or Facebook and we may also access information available publicly, such as via Companies House or information that has been printed in newspapers.
When it is collected at the time of using our WEBSITE or SOCIAL MEDIA
4.0 WHY DO WE COLLECT PERSONAL DATA?
Service users and volunteers
Where anyone is receiving support from us, or volunteering with us, we will need to process their personal data because of the specific relationship with us. We use a Customer Relationship Management system (CRM) to support our work. This means that we can keep the information provided to see the history and relevant details of our work, and the interactions that have taken place.
When we work either face to face or by phone with service users or volunteers relevant notes may be taken of the information that is given to us and recorded on our database. Where communication is by email, these will be recorded on our database. This information is used to enable us to provide the most appropriate and relevant support. It is also used for quality assurance, complaint investigations, to support our policy work, to fulfil our obligations to our funders, and for anonymised statistical reporting. Individuals are informed of this before any data collection occurs.
We keep service users and volunteers up to date about our activities, including events, training, information sessions, volunteering opportunities, campaigns and fundraising events. We use a range of methods to keep in touch including our website, social media, email, telephone calls and occasionally by post. We will always gain consent to make contact and request contact preferences.
Individuals can withdraw consent, unsubscribe, or update their contact preferences at any point.
We often keep our supporters, including Members, donors or other stakeholders up to date about our activities, forthcoming events or meetings, campaigns and fundraising events. We will always gain consent to make contact and request contact preferences. We use a range of methods to contact our supporters, including our website, social media, email, telephone and occasionally by post.
Job or volunteer applicants
When applying for a job or volunteer opportunity with George House Trust, personal data will be collected to monitor the progress of the application. Where we need to share personal data, for example to gather references, individuals will be informed beforehand unless the disclosure is required by law. These checks are only done after an employment or volunteer opportunity has been offered to the successful candidate. Personal data about unsuccessful applicants is held for 6 months. Data can be removed before this if a request is made.
To enable George House Trust to meet it’s legal employment obligations to staff, collection and use of personal data is required. Staff have the same rights of access to their data as any other individual where personal data is held.
5.0 OUR LEGAL BASIS FOR COLLECTING PERSONAL DATA
We must have a lawful basis to collect and use personal data under data protection law. The law allows for six ways to process personal data. George House Trust processes data on the basis of:
- a person’s consent, for example, to send a newsletter by email;
- a contractual relationship, for example, to provide goods or services that have been purchased from us such as room hire
- processing that is necessary for compliance with a legal obligation, for example accounting data, information needed to process a Gift Aid declaration, or to carry out due diligence on large donations;
- George House Trust’s legitimate interests; personal data may be legally collected and used if it is necessary for a legitimate interest of the organisation using the data, if its use is fair and does not adversely impact the rights of the individual concerned. When we use personal information, we will always consider if it is fair and balanced to do so, and if it is within reasonable expectations. We will balance personal rights and our legitimate interests to ensure that we use personal information in ways that are not unduly intrusive or unfair. Our legitimate interests include:
- charity governance: including delivery of George House Trust’s charitable purposes, statutory and financial reporting and other regulatory compliance purposes;
- administration and operational management: including responding to solicited enquiries, providing information and services, research, events management, administrating recruitment processes for staff, volunteers and freelancers; and
- fundraising and campaigning: including administering campaigns and donations, sending thank you letters, analysis and developing communication strategies
6.0 WHO WE MAY SHARE PERSONAL DATA WITH
Personal data may be shared internally, with staff members for purposes including project administration, service delivery, HR, health and safety, insurance, events and fundraising activities.
Personal data will not be shared with a third party – except where:
- it is in connection with supporting the CRM system and IT network
- a professional adviser may be party to confidential discussions related to an individual
- we are required to do so by law, for example to law enforcement or regulatory bodies where this is required or allowed under the relevant legislation;
- it is necessary to protect the vital interests of an individual – i.e. to protect someone’s life, and in line with our Safeguarding Policy;
- we have obtained consent;
- external auditors, such as quality assurance auditors, need to check records for compliance purposes. All auditors are bound by our confidentiality policies.
We will never share or sell personal data to a third-party organisation for marketing, fundraising or campaigning purposes.
7.0 HOW WE KEEP PERSONAL DATA SECURE
George House Trust takes the security of personal data seriously. Internal policies and controls are in place to protect personal data and to prevent loss, accidental destruction, alteration, misuse, disclosure, or unauthorised access. Where necessary we implement appropriate network access controls, user permissions and encryption to protect data. For example, using trusted third-party suppliers to provide secure pages on the website for financial transactions such as making a donation or a clinic referral.
George House Trust recognises that sending information via the internet is not completely secure, and although we will do our best to protect personal data, we cannot guarantee the security of the data sent to our website on standard pages (any pages other than those when a donation or referral is being made). Once information has been received, procedures and security features are in place to try to prevent unauthorised access.
8.0 HOW LONG WE KEEP PERSONAL DATA
We will only retain personal information for as long as necessary to fulfil the purposes for which it was collected. The length of time personal data is kept, depends on the reasons for processing it, on the law or regulations that the information falls under, such as financial regulations, Limitations Act, Health and Safety regulations, or on any contractual obligation which may be in force, such as with government contracts. For business case data, the data will be anonymised so no individual is identifiable.
Data will be retained in line with the organisations Record Retention Policy. Once the retention period has expired, personal data will confidentially disposed of or permanently deleted.
9.0 UPDATING AND ACCESSING PERSONAL DATA
Where consent has been given for George House Trust to use personal data, there is always a right to withdraw consent at any time.
If changes are made to consent, records will be updated as soon as we possibly can. Email communications will be stopped immediately where unsubscribe is clicked or if communication preferences are updated online.
Requests for updates to contact preferences received by email, given by phone or in person may take up to 30 calendar days to process, including stopping any postal communications.
Individuals have a right to access their personal data and to have any inaccuracies corrected. There is no fee to pay for accessing personal data. However, if it is believed that the request is unfounded, or excessive, a reasonable charge may be made or a refusal to comply with the request given. Where an individual wishes to exercise these rights, they may need to prove their identity with two pieces of approved identification. Any request will receive a response within 30 calendar days.
Individuals also have the right to request that personal data is erased; to object to the processing of their personal data and for a restriction on processing their personal data. Any request will receive a response within 30 calendar days.
10.0 BREACHES OF THE POLICY AND FINDING OUT MORE
Any suspected breaches to this Policy will be reported in the first instance to the Finance Director, as the person accountable for ensuring compliance with this Policy.
Where an individual believes that George House Trust has not complied with their data protection rights, they can complain to the Information Commissioner's Office (ICO)
Policy Approved: 23rd May 2018
Policy Author: Neal Sharpe, Finance Director, George House Trust