Data privacy – Policy statement
1. This statement explains the policy, organisation and arrangements for how the charity will collect, use, share and protect personal data, and ensure data security. If we update this policy, we will post any changes on our website.
2. The charity’s policy is to comply with the General Data Protection Regulation, Regulation (EU) 2016/679 of the European Parliament and Council.
3. The charity’s and its officers’ responsibilities will be discharged by:
a. Trustees – collectively acting as Data Controller (determining the purposes and means of processing personal data), and individually as Data Processors (processing personal data on behalf of the controller)
b. Secretary – acting as a Data Processor
Using personal data
4. We will use personal data, as defined below, about data subjects, for the purposes of our charitable objects, i.e. supporting the education of children and young people with special needs:
a. To store it securely
b. To communicate with data subjects as – current, prospective or past – one of:
(1) Beneficiary organisation
(2) Supplier, contractor or service provider
(3) Investment manager or banker
(4) Former student or staff member of our predecessor Downlands College
(5) Official body e.g. Charity Commission, Companies House, HM Revenue & Customs, Information Commissioner’s Office
(8) Representative of any of the above
c. In so doing, we may process data subjects’ data in the course of:
(1) Considering and awarding grants
(2) Keeping data subjects informed about our policies, arrangements, activities and achievements
(3) Carrying out research and analysis on how awardees use our grants
(4) Furthering public awareness of our work
(5) Preventing and detecting fraud and misuse of funds
(6) Arranging supplies, contracts or services
(7) Making payments
(8) Responding to any questions data subjects may have concerning the above
5. “Personal data” above means any data by which a data subject could be identified, directly or indirectly, in particular by reference to an identifier such as a name, location data or email address. “Data subject” means an identified or identifiable living natural person.
6. The data we collect about data subjects will depend on the nature of their relationship to us. It may include, but may not be limited to:
a. Name, address, phone number and email address; these may be “work” or “home”, depending on the nature of our relationship
b. Bank account details, if necessary for payment to a data subject
c. Data subjects’ contacts with us, such as notes of calls, emails or letters
7. Data may be held on computer files, in emails, on paper or in a file storage facility (currently Dropbox).
8. Our legal bases for processing personal data are that processing is necessary for:
a. Performing a task carried out in the public interest, by virtue of the fact that this charity exists and operates for public benefit as laid down in the Charities Act 2011
b. Performing a task carried out in the legitimate interests of this charity
9. We will store personal data for as long as we have to by law. If there is no legal requirement, we will store it for as long as we need it, including for a reasonable period after any arrangement or contract with us has finished in case either party considers renewal.
Collecting personal data
10. We can obtain personal data when data subjects or the organisations they represent:
a. Become a trustee/director or employee, and subsequently during any service
b. Apply for grants
c. Provide goods or services
d. Act as investment manager or banker
e. Contact us regarding our predecessor Downlands College
f. Deal with us on behalf of an official body
g. Request data concerning the charity
h. Engage with us in anticipation of or connection with any of the above
11. Data subjects can request that their data shall not be used for any of these purposes at any time by contacting us at firstname.lastname@example.org or otherwise as displayed on our website.
12. We will maintain data subjects’ privacy and protect their data by:
a. Keeping files secure on password-protected personal computers, paper files kept secure in, normally, domestic premises, or in a password-protected online file storage facility (currently Dropbox).
b. From time to time reviewing our measures to protect personal data from unauthorised access, accidental loss, disclosure or destruction
c. Not knowingly transmitting data outside the EU or UK.
d. Not knowingly sharing personal data with any other organisation or person without data subjects’ consent, except:
(1) If required to by an official body (see 4b(5) above)
(2) In connection with the independent examination of our annual accounts (the examiner being entitled to access all documents relevant to our accounts; some such documents may contain personal data, e.g. email addresses, bank details)
(3) During maintenance of our website and domain (through which email traffic incoming to our main address email@example.com is routed)
13. Data subjects can contact us at any time for a copy of the personal data we hold about them. If any believe we hold inaccurate information about them, they are requested to contact us.