A. HIWCF Data Privacy Notice Introduction
Hampshire and Isle of Wight Community Foundation (HIWCF) promises to respect any personal data that you share with us, or that we receive from other organisations, and keep it safe. We aim to be clear when we collect your data and not do anything you wouldn’t reasonably expect.
In the UK the Information Commissioners Office (ICO) is an independent authority which upholds the UK legislation relating to Data Protection and other public information rights. HIWCF is registered as a data controller with the ICO, registration number Z3328875. Our registered Data Protection Officer is the HIWCF Chief Executive Officer.
The General Data Protection Regulation (GDPR) came into effect from 25th May 2018. The intention behind the regulation is to give individuals more say over how companies use and process their personal data. GDPR is relevant to every organisation, no matter how large or small, who collect ‘personal data’ about UK and EU citizens. GDPR defines personal data as a person’s name, address, email addresses, date of birth, ID numbers, web data such as location, IP address or cookie tags.
From May 2018, HIWCF moved to an ‘opt-in’ communication policy. This means that we will only send marketing communications to those that have explicitly stated that they are happy for us to do so via their preferred channels of email, post, mobile phone or landline. We also use ‘Legitimate Interest’ for communications relating to grant-making, donations, our partnerships and fundraising.
Our marketing communications include information and updates about HIWCF, our grant-making, funds, events, insights and strategic programmes. If you would like to receive such communications but have not opted in, please contact us on 01962 798700 or email us at email@example.com.
B. How we collect information about you
We collect information in the following ways:
1. When you give it to us directly
HIWCF is known as the ‘controller’ of the personal data you provide to us. We will usually collect personal data about you like your name, title, organisation, postal address, e-mail address and telephone number if you are supporting or partnering with us. You may give us your information in order to make a donation, set up a fund, sign up for one of our events, or to communicate with us or through working in partnership with us.
Your activities and involvement with HIWCF will result in personal data being created. We may also collect details of your interests and preferences (such as the ways you support us or the types of causes you care about supporting).
We only collect data that is relevant and reasonable to the requirements of our business and most of the information we collect is from organisations applying for grant funding for the projects, resources and services they wish to fund. If you have applied for a grant from HIWCF, we collect the data given on your online grant application form. Not all information relating to a grant is personal data, however, a limited amount of personal data is collected to allow us to communicate with the primary contact at grantee organisations and to monitor the delivery of projects.
We do not normally collect or store sensitive data (such as information relating to health, beliefs or political affiliation) about supporters or grant recipients. However, there are some situations where this will occur including, but not exclusively, if:
- An accident or incident occurs on our property, at one of our events or involving one of our staff (including volunteers)
- You are attending one of our events and have disclosed specific access or dietary needs
- Data around an individual’s health is directly relevant to the awarding of a grant.
- You are in receipt of a grant award to support further education, and your place of education may be recorded
If this does occur we will be clear with you that we wish to collect such information, our reason for collecting such information, and that we will only do so with your specific consent and permission. We will also take care to ensure your privacy rights are protected.
2. When you give it to us indirectly
3. When it is available publicly
We may combine information you provide to us with information available from external sources in order to gain a better understanding of our supporters to improve our services and any fundraising activities. We may conduct research and analysis on the information we hold, which can in turn generate personal data. For example, by analysing your interests and involvement with our work, we may be able to build a profile that helps us decide which of our communications are likely to interest you. This may include information found in places such as Companies House and information that has been published.
From time to time, we may engage specialist agencies to gather information from publicly available sources to identify individuals who may have an affinity to our cause but with whom we are not already in touch. For example, Companies House, the Electoral Register, company websites, ‘rich lists’, social networks such as Linkedin, political and property registers and news archives.
You will always have the right to opt out of this processing.
This research helps us to understand more about you as an individual so we can focus conversations we have with you about fundraising in the most effective way, and ensure that we provide you with an experience as a donor or potential donor which is appropriate for you.
4. Social media
Depending on your settings or the privacy policies for social media and direct messaging services like Facebook, Twitter or Linked In, you might give us permission to access information from those accounts or services, such as your location or engagement with posts online.
5. Using the HIWCF and IWCF websites
In addition, the type of device you’re using to access our websites or apps and the settings on that device may provide us with information about your device, including what type of device it is, what specific device you have, what operating system you’re using, what your device settings are, and why a crash has happened. Your device manufacturer or operating system provider will have more details about what information your device makes available to us. HIWCF uses Google Analytics to track visits to our websites (e.g. which pages are the most or least popular), and this information is only processed in a way which does not identify any individuals.
Our websites may contain links to other websites of interest. However, once you have used these links to leave our site, you should note that we do not have any control over that other website. Therefore, we cannot be responsible for the protection and privacy of any information that you provide whilst visiting such sites, and such sites are not governed by this Data Privacy Notice.
6. Specific to ESF ‘Solent Supporting Employment’ Programme: As a grant recipient, HIWCF will ensure its own organisation and grantees are compliant at all times with the Data Protection Legislation and shall not perform its obligations under the Funding Agreement in such a way as to cause the Secretary of State to breach any of its applicable obligations under the Data Protection Legislation.
C. What personal data we collect and how we use it
The type and quantity of information we collect and how we use it depends on why you are providing it.
If you support us, for example by making a donation, becoming a fundholder, volunteering, or signing up for an event, we will usually collect:
- Your name
- Your contact details
- Your date of birth
- Any relevant organisations to which you are connected
- Information about how you found out about us, or people in our network with whom you are connected
We will mainly use your data to:
- Provide you with the services, products or information you asked for
- Administer your fund or donation, or support your fundraising, reclaiming any Gift Aid
- Keep a record of your relationship with us
- Ensure we know how you prefer to be contacted
- Understand how we can improve our services, products or information.
If you enter your details onto one of our online forms, and you don’t ‘send’ or ‘submit’ the form, we may contact you to see if we can help with any problems you may be experiencing with the form or our websites.
We may also use your personal information to detect and reduce fraud and credit risk in order to ensure due diligence around processing donations to ensure the source is genuine e.g. sale of shares and to protect against money laundering.
2. Grant Applicants
We may use personal information to discuss a grant application where you are an authorised named contact in the following ways:
- contact or inform you about the progress of an application where you are either the primary or secondary contact,
- contact you about an enquiry you have made
- to send you information you have requested
- monitor the delivery of projects
3. Direct marketing
With your consent, we will contact you to let you know about the progress we are making, to ask for donations or other support, and to publicise funding opportunities. Occasionally, we may include information from partner organisations or organisations that support us in these communications. We make it easy for you to tell us how you want us to communicate, in a way that suits you. Our forms have clear marketing preference questions and we include information on how to opt out when we send you marketing. If you don’t want to hear from HIWCF, that’s fine. Just let us know when you provide your data, or contact us on 01962 798700 or email us at firstname.lastname@example.org.
If we run an event in partnership with another named organisation, your details may need to be shared. We will be very clear what will happen to your data when you register.
4. Sharing your story
Some people choose to tell us about their experiences as donors or grant recipients to help further our work. They may take on a role as a patron or volunteer, attend our events or sit on our committees. This may include sharing sensitive information related to their personal life, in addition to their biographical and contact information.
If we have the explicit and informed consent of the individuals, or their parent or guardian if they are under 18, this information may be made public by us at events, in materials promoting our work, or in documents such as our annual report.
We may collect and retain your information if you send feedback about our services or make a complaint.
D. How we keep your data safe and who accesses it
1. Built-in security
We ensure that there are appropriate technical controls in place to protect your personal details. Personal data and online grant application forms are managed through the reputable Salesforce CRM system and stored on secure servers and encrypted during transmission using industry standard Transport Layer Security. Data may also be stored in documents such as email, letters and other correspondence, which is stored on our secure network.
2. Viewing your data
We undertake regular reviews of who has access to information that we hold to ensure that your information is only accessible by appropriately trained staff, trustees and volunteers.
3. Supplier compliance
Some of our suppliers run their operations outside the European Economic Area (EEA). Although they may not be subject to the same data protection laws as companies based in the UK, we will take steps to make sure they provide an adequate level of protection in accordance with UK data protection law. We will only use reputable suppliers e.g. Salesforce who can provide assurances of the security of data. By submitting your personal information to HIWCF you agree to this transfer, storing or processing at a location outside the EEA.
4. Sharing your data
We may need to disclose your details if required to the police, regulatory bodies or legal advisors. We will only ever share your data in other circumstances if we have your explicit and informed consent. Your details will never be sold, leased or rented to third parties, or shared with third parties for marketing purposes. Your data will not be passed to anyone other than those working on behalf of HIWCF.
We keep your information only for as long as it is needed to complete the task for which it was collected and only if there is a legitimate reason for us to continue contacting you. Relationships between our fundholders, donors, supporters, grantees and HIWCF are often long-term, and so we expect to keep your data for as long as that relationship exists, or until we no longer need it.
6. No further contact
If you decide not to support HIWCF any longer, or you wish to stop using our services, or request that we have no further contact with you, we will keep some basic information in order to avoid sending you unwanted materials in the future and to ensure that we don’t accidentally duplicate information.
7. Payment security
If you wish to make donations to HIWCF, we never request your bank details directly. BACS payments can be made directly to our business bank account (details of which are available upon request), or via our secure online donation pages provided by VirginMoney Giving. Of course, we cannot guarantee the security of your personal computer or the internet.
8. Legitimate Interest
Under the General Data Protection Regulation there are a number of lawful reasons that we can use (or ‘process’) your personal information. One of these lawful reasons is known as ‘Legitimate Interest’.
Broadly speaking, Legitimate Interest means that we can process your personal information if we have a genuine and legitimate reason and we are not harming any of your rights and interests. We believe that Legitimate Interest can be applied to our staff, trustees, volunteers, patrons, ambassadors, grant applicants, fundholders, donors, community partners and for prospect research. We will review this regularly.
We will not use your personal data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law).
Remember you can change the way you hear from us or withdraw your permission for us to process your personal details at any time by emailing us at email@example.com.
9. Keeping your information up to date
We would really appreciate it if you can let us know if your contact details change.
E. A summary of your data rights
The table below gives a guide to your personal data rights and shows how HIWCF will ensure these rights are protected:
|Individual Right||How HIWCF Applies This Right|
|The right to be informed||This data privacy notice sets out how we collect and use your personal data.|
|The right of access (also known as subject access requests)||You have the right to request a copy of the information that we hold about you and a small fee may be payable to cover the administration costs involved. If you’d like a copy of the personal data we hold, please email or write to us by post to Hampshire and Isle of Wight Community Foundation, Westgate Chambers, Staple Gardens, Winchester, Hampshire, SO23 8SR. Please send a description of the information that you want to see and include proof of your identity. To ensure data security we do not accept these requests by email so that we can ensure that we only provide personal data to the right person. We will endeavour to provide the information as soon as possible and never more than one month after receipt of your request.|
|The right to rectification||Where you tell us that the information we hold on our records about you is incorrect, we will update the data as quickly as possible, and no longer than one month after you have let us know.|
|The right to erasure (also known as the right to be forgotten)||The GDPR introduces the right to have your personal data erased. The right is not absolute and only applies in certain circumstances. HIWCF’s lawful basis for processing personal data is ‘legitimate interest’ we will only comply if there is no longer a legitimate interest which overrides the interests, rights and freedoms of you, as an individual or whether our interests can be satisfied through other means.|
|The right to restrict processing||You have the right to request that we restrict the processing of your personal data in certain circumstances, for example, if you no longer wish to be a primary or secondary contact for an organisation.|
|The right to data portability||You have the right to request organisations provide you with a copy of your personal data to allow you to move, copy or transfer it from one IT environment to another. This right only applies when the lawful basis for processing personal data is consent or for the performance of a contract. As our lawful basis is legitimate interest, this right does not apply.|
|The right to object||You have the right to object to processing your personal data for legitimate interests. In this instance we will consider whether there is still a legitimate interest which overrides the interests, rights and freedoms of you as an individual or whether our interests can be satisfied through other means.|
|The right to automated decision making including profiling||The right to automated decision making including profiling We do not undertake any automated decision making or profiling activities in relation to personal data.|
|The right to lodge a complaint with a supervisory authority||You can register a complaint about our handling of your personal data with the ICO, who are the UK’s supervisory authority for GDPR. You can find information on how to report a complaint here: https://ico.org.uk/concerns/|
F. Changes to this policy
We may change this Data Privacy Notice from time to time. If we make any significant changes in the way we treat your personal information, we will make this clear on our website or by contacting you directly.
If you have any questions, comments or suggestions, please let us know by contacting: Hampshire and Isle of Wight Community Foundation, Westgate Chambers, Staple Gardens, Winchester, Hampshire, SO23 8SR, telephone 01962 798700 or email us at firstname.lastname@example.org.
G. More information
For more information on the GDPR and how it governs your personal data you can access all of the detail, definitions and guidance from the ICO at the following link: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/