1.         Introduction

This document explains what personal data we collect; how and why we collect, hold and process it; and the control an individual has over what we hold and how we use it. It supports the key principles of the General Data Protection Regulations (GDPR) as set out in ‘Our Commitment to Privacy’ in section 3 of this document.

2.         Our Commitment to Privacy

3.1       We are committed to gathering and processing personal data with full regard for the General Data Protection Regulations (GDPR) and to the principles of personal choice and control, transparency, fairness and security in line with the key principles outlined in the GDPR, which state that personal data should be:

  • Processed lawfully, fairly and in a transparent manner (Lawfulness, Fairness and Transparency);
  • Collected only for specified, explicit and legitimate purposes (Purpose Limitation);
  • Adequate, relevant and limited to what is necessary in relation to the purposes for which data is processed (Data Minimisation);
  • Accurate and, where necessary, kept up to date (Accuracy);
  • Not kept in a form which permits identification of Data Subjects for longer than is necessary for the purposes for which it is processed (Storage Limitation);
  • Processed in a manner that ensures its security using appropriate technical and organisational measures to protect against unauthorised or unlawful processing and against accidental loss, destruction or damage (Security, Integrity and Confidentiality);
  • Not transferred to another country without appropriate safeguards being in place (Transfer Limitation);
  • Made available to Data Subjects and Data Subjects allowed to exercise certain rights in relation to their Personal Data (Data Subject’s Rights and Requests).

 

3.2       We respect an individual’s right to control their data. Under GDPR these rights include:

  • The right to be informed – to know how we capture, store and use an individual’s personal data.
  • The right of access – to get a record of the personal data we hold on an individual through a Subject Access Request.
  • The right to rectification – to have any inaccurate or incomplete personal data corrected or updated.
  • The right to erase – an individual can ask us to remove or randomise their personal details in our records.
  • The right to restrict processing – an individual can ask us to stop using their personal data.
  • The right to data portability – an individual can ask to obtain their personal data from us for their own purposes.
  • The right to object – an individual can ask to be excluded from marketing activity.
  • Rights in relation to automated decision making and profiling – we respect an individual’s rights not to be subject to a decision that is based on automated processing.

 

For more information on GDPR principles and individual rights, please see the Information Commissioner’s Office.

3.         Why do we collect and use personal data?

 

The Isles of Scilly Wildlife Trust holds and processes data, including personal data, so that we can deliver our charitable mission as defined by our charitable objectives. We hold and process personal data:

3.1       To build and maintain relationships: we are committed to building and sustaining strong relationships with our supporters, our partners, our funders and with other stakeholders. This involves understanding what drives and motivates them to support and work with us; tailoring our communications to better meet customer and stakeholder needs and expectations; providing a very high standard of customer care and building customer and supporter.

 

To build and maintain relationships

  • Administer general contact and membership records;
  • Provide regular information about/promote our work through a range of channels – including email and social media;
  • Encourage people to get involved with campaigns, volunteering, citizen science, fundraising appeals and other ways to help the Trust;
  • Gather insight into what motivates people to work for us, support us or why they leave – i.e. through staff, volunteer and membership surveys, focus groups and other audience/market research.
  • Record and analyse complaints and compliments to help us improve and to meet legal and compliance obligations.

 

3.2       To secure the resources we need to deliver our mission: as a responsible charity, we work hard to secure the resources we need to protect the Islands’ amazing natural environment and to manage our resources efficiently and effectively, with the highest regard for honesty, transparency and best fundraising practice. Fundraising activity includes recruiting new members and supporters; regular fundraising asks to our current supporter base and wider networks; regularly reviewing the financial and other impacts of our fundraising and marketing activity; ensuring that we target fundraising and commercial resources and effort to get best impact and return; integrating our fundraising approaches with our wider engagement and relationship building aims; and establishing long-term fundraising relationships with our supporters, grant funders, corporate donors and the general public.

To secure the resources we need to deliver our mission

  • Develop and promote fundraising asks to our members and our wider supporter networks – these include specific appeals, promoting gifts in Wills, selling merchandise and gift memberships, advertising fundraising events and visitor centre activities, promoting the services of our trading subsidiaries and promoting offers and other activities to recruit new members;
  • Understand the giving patterns of our current supporters so that we can develop and target fundraising asks based on known individual preferences and interests;
  • Analyse the success and impact of our fundraising activity over time;
  • Monitor the quality and impact of fundraising activity and respond to and report (for example, to the Fundraising Regulator or Charity Commission) any concerns or issues raised by our supporters or the general public.

 

3.3       To keep our staff, volunteers, supporters and service users safe from harm: we recognise that we have a duty of care to the wide range of individuals who are involved with and affected by our work, including our staff, our contractors, our volunteers, our supporters and members, our service users and the general public.

To keep our staff, volunteers, supporters and service users safe from harm

  • Screen our Trustees to ensure that they meet the legal requirements to fulfil their roles;
  • Screen our staff, contractors and volunteers to ensure that we adhere to best practice around safeguarding, which includes securing references and undertaking criminal records checks through the Data Barring Service where appropriate;
  • Respond to any health and safety concerns and issues and to liaise with our insurers as appropriate;
  • Maintain and monitor central logs relating to complaints and incidents of whistle blowing;
  • Ensure staff and volunteers are properly managed and supported.

 

3.4       To meet our legal and contractual obligations: we are a well-run charity, supported by a range of funders and accountable to a number of regulatory bodies, including the Charity Commission, the Fundraising Regulator, Companies House, and HMRC.

 To meet our legal and contractual obligations

  • Administer individual memberships;
  • Fulfil orders for goods and services;
  • Process and acknowledge gifts and donations;
  • Provide reports to funders and funding bodies;
  • Submit reports and required information to regulatory/compliance bodies;
  • Process employee and volunteer financial data;
  • Fulfil legal requirements around our finances – payroll, pensions, VAT and Gift Aid;
  • Administer gifts in Wills;
  • Process any insurance claims.

 

4.         Our lawful basis for processing data

 

Personal data must be processed lawfully, fairly and in a transparent manner and we will only ever collect, store and use personal data when we have a clear reason and lawful basis for doing so. The lawful bases for processing data are set out in Article 6 of the GDPR, some of which are set out below:

Consent: the person has given his or her clear consent for us to process their personal data for a specific purpose. Consent must be positive, specific and unambiguous. Consent can be withdrawn at any time.

Contractual: processing is necessary for the performance of a contract with an individual, or because they have asked us to take specific steps before entering into a contract;

Legal obligation: the processing is necessary for us to comply with the law;

Vital interests: the processing is necessary to protect someone’s vital interests.

Legitimate interests: the processing is necessary for us to pursue our legitimate interests so long as the fundamental rights and freedoms of the individual are not overridden. An individual has the right to opt-out of any kind of communications that we send them on a legitimate interest basis.

We will always make the lawful basis for processing data clear on our Privacy Notices when we collect personal data.

5.         Who do we hold personal data on?

 

We process personal information about:

  • Members, donors, supporters and their representatives
  • People who participate in and benefit from our projects and activities
  • Staff and job applicants
  • Volunteers and volunteer applicants
  • Trustees and Trustee applicants
  • Service users and customers
  • Complainants
  • Enquirers
  • Advisers and representatives of other organisations

 

6.         What kind of personal data we hold and process

 

6.1       We will only gather and hold information where it is lawful to do so, and which is relevant and for defined purposes. The type/classes of information we hold depends on the relationship an individual has with the Trust and falls into three categories:

  • General information
  • Special Categories of Data (Sensitive Data)
  • Information to help us get to know an individual better.

 

6.2       General information processed may include:

  • personal details (name, address, phone number, email address)
  • family details (numbers and names of children)
  • goods and services provided and received
  • financial details (eligibility for Gift Aid; bank details; payroll information etc.)
  • education and employment details.

 

6.3       Special Categories (or ‘sensitive’) Data

6.3.1     Where appropriate (e.g. to monitor our Inclusion and Diversity Policy, to undertake checks in line with our Safeguarding Policy, to protect the health and safety of staff, customers and volunteers, or to report to specific project funders), we also process sensitive classes of information that may include:

  • physical or mental health details
  • racial or ethnic origin
  • religious or other beliefs of a similar nature
  • criminal record checks

We only collect or store sensitive personal data when we absolutely need to and only with an individual’s permission. We will always be very clear about why we are collecting such information and never use it for any purpose other than that specified at the time we collect the data.

6.3.2     In line with data protection law, we will not collect, store or process personal details for anyone under 13 years of age, unless we have the express permission from a parent or guardian to do so.

6.3.3     Website and ‘Cookies’

Other ways in which we collect personal data to get to know an individual better include our website. Our website uses ‘cookies’ to help provide an individual with the best experience we can. Cookies are small text files that are placed on an individual’s computer or mobile phone when they browse websites. Our cookies help us:

  • Make our website work as an individual would expect
  • Remember a user’s settings during and between visits
  • Improve the speed/security of the site
  • Allow users to share pages with social networks like Facebook
  • Continuously improve our website

 

We are not responsible for the privacy practices or the content of any other websites linked to our website. If an individual has followed a link from our website to another website, they may be supplying information to a third party and we will make this clear in our Privacy Notices.

 

7.         How we collect data

 

Most of the time, we collect personal data from an individual directly and in person through a member of staff. Sometimes we collect data over the telephone, in writing or through an email. Occasionally we obtain information from external sources, but only where there is a contractual requirement to share this information with us and/or an individual has given permission for this information to be shared, and only governed by strict Data Processing and/or Data Sharing agreements. 

Occasionally we also obtain data from external sources. For example, we may check against Royal Mail’s National Change of Address database to ensure that the address we have listed for an individual is up to date. We know moving to a new house can be a busy time and appreciate that people don’t always have the chance to send us their new address. By undertaking this exercise, we can update an individual’s record without them needing to get in touch.

We may also collect demographic and consumption data generated through geodemographic tools as well as information related to an individual’s wealth. This may include information from public registers and other publicly available sources such as Companies House, newspapers and magazines.

Using Privacy Notices we will always make it clear for what purposes we are collecting personal information and, if processing is not based on Consent, make it easy for an individual to opt out of any processing activity.

8.         Who we share data with

 

8.1       We sometimes need to share the personal information we process. Where this is necessary we, and any third parties we share with, are required to comply with all aspects of the General Data Protection Regulations (GDPR). Sharing is always subject to a lawful basis for processing. We will never sell personal details to third parties.

8.2       Organisations that we share data with include:

  • Organisations who process data on our behalf – for example, membership recruitment providers, mail and print services, providers of other goods and services on our behalf (such as merchandise), consultants who help us to analyse and improve our performance;
  • Our partners on partnership projects – for example, for the purposes of project monitoring and delivery;
  • Our trading subsidiaries – to ensure that we are adhering to legal obligations and high levels of customer care throughout the charitable ‘group’ and to promote the work of the charity through subsidiary networks and vice versa;
  • Our funders – to demonstrate compliance to funding and service provision contracts;
  • Legal/compliance bodies where required – insurers, auditors, pension provider, HMRC, Fundraising Regulator, ICO;
  • Statutory bodies or agencies – for example, to respond to legal issues and risks;
  • Healthcare, social and welfare organisations – to manage and safeguard the wellbeing of our staff, volunteers and beneficiaries;
  • Educators and examining bodies – for example, where we are supporting trainees;
  • Current, past and prospective employers – for example, to provide references;
  • Family, associates or representatives of the person whose personal data we are processing – for example, where we are administering a legacy;
  • Survey or research organisations – for example, to verify species records.

8.3       When we work with other organisations or individuals in this way, we must always set up a written contract with them to protect personal data – Data Processing and/or Data Sharing Agreements. The third parties we work with at no point ‘own’ an individual’s data, must never contact the individual outside of their agreement with us and must always delete this data from their systems when they have completed the task in hand. We must always send data to partner organisations securely, to minimise the risk of it being intercepted by unknown individuals and/or organisations. See our Data Security Policy for more details around secure transfer of information.

8.4       Specific Privacy Notices detail what personal data is shared, why and with whom.

9.         How we manage data and keep personal data secure

 

We adhere to the highest standards of data security. Full details can be found in our Data Security Policy.

 

10.       Data retention

 

We will only use and store information for as long as it is required for the purposes it was collected for. We continually review what information we hold and delete what is no longer required.

Further information can be found in our Data Management and Retention Policy.

11.       How we let people know what we are doing with their data

 

11.1     We will let people know why we are collecting their data and how we are going to use it at the point where we collect the data. We are very clear about what we will use a person’s data for, the lawful basis for doing so etc. We use Privacy Statements, which will be included on all relevant communications. These are brief paragraphs that describe why the data is collected, for what purpose, who it will be shared with and signpost individuals to the relevant Privacy Notice.

 

11.2     The GDPR requires that Privacy Notices must be:

 

  • concise, transparent, intelligible and easily accessible;
  • written in clear and plain language, particularly if addressed to a child;
  • and free of charge.

 

And must include:

 

  • Identity and contact details of the Data Processor and, where appropriate, the Data Protection Officer
  • Purpose of the processing and the lawful basis for processing
  • Our or third party legitimate interests where applicable
  • Any recipients/categories of recipients of personal data
  • Details of transfers to third parties and safeguards
  • Retention period or criteria used to determine the retention period
  • The existence of each of the data subject’s rights
  • The right to withdraw consent at any time, where relevant
  • The right to lodge a complaint with a supervisory authority
  • The source the personal data originates from and whether it came from publicly accessible sources
  • Whether the provision of personal data is part of a statutory or contractual requirement or obligation and possible consequences of failing to provide the personal data
  • The existence of automated decision making, including profiling and information about how decisions are made, the significance and the consequences.

 

12.       How people can access the data we hold on them

 

12.1     Individuals have the right to access their personal data and supplementary information through a Subject Access Request (SAR). SARs are most often used by individuals who want to see a copy of the information an organisation holds about them. However, the right of access goes further than this, and an individual who makes a written request is entitled to be: told whether any personal data is being processed; given a description of the personal data, the reasons it is being processed, and whether it will be given to any other organisations or people; given a copy of the information comprising the data; and given details of the source of the data (where this is available).

12.2     Information will be provided without delay and, at the latest, within one month of receipt of the request. Where requests are complex or numerous, we may take a further two months to comply, but in these cases, we will keep the individual fully informed.

 

12.3     Information will be free of charge; however, we will charge a ‘reasonable fee’ based on the administrative cost of providing the information when a request is manifestly unfounded or excessive, particularly if it is repetitive, and where there are requests for further copies of the same information.

 

12.4     Where requests are manifestly unfounded or excessive, in particular because they are repetitive, we can also refuse to respond. Where we refuse to respond to a request, we will explain why to the individual, informing them of their right to complain to the supervisory authority and to a judicial remedy without undue delay and at the latest within one month.

 

12.5     We will use reasonable means to verify the identity of the person making the request and respond using the means of communication specified by the individual.

12.6     If an individual makes a subject access request, we will tell him/her:

  • whether or not his/her data is processed and if so why, the categories of personal data concerned and the source of the data if it is not collected from the individual;
  • to whom his/her data is or may be disclosed and the safeguards that apply to such transfers;
  • for how long his/her personal data is stored;
  • his/her rights to rectification or erasure of data, or to restrict or object to processing;
  • his/her right to complain to the Information Commissioner if he/she thinks the organisation has failed to comply with his/her data protection rights.

12.7     All SARs will be sent to the Chief Executive.

 

13.       Use of Images

 

13.1     Photos and Film

Images count as personal data and we need to have clear consent to use them. This is particularly important when it comes to images of children where the rules in our Safeguarding Policy must be strictly adhered to. In summary though we will:

  • Get explicit and written consent to use photo and film images wherever possible. In the case of children or of people who are defined as ‘vulnerable’ – i.e. at risk of neglect or abuse – we will need the consent of their parent, carer and/or other responsible person.
  • If we are collecting images at an event where this might not be practicable, make sure that there is a clear notice that we will be filming/taking photographs, what the images will be used for and that people who don’t wish to be filmed or photographed are given a sticker that clearly identifies them.
  • Be clear about how and why we are going to use the images and for how long we are going to hold them when we are asking for consent.
  • Store them securely and in folders with names that reflect a) how they can be used and b) for how long we can use them.

 

14.       Accountability and Responsibilities

 

We keep clear records of the data we process, why, and the lawful basis for doing so.

Our Chief Executive is responsible for all aspects of data processing and management.

15.       Reporting concerns

 

15.1     Where a Member, supporter, partner, volunteer or member of the general public wishes to make a complaint about any aspect of the way we have managed their data, they should follow our Complaints Policy, which is easily accessible on our website.

We take complaints very seriously and we treat them as an opportunity to improve our practice and build our relationships with people.

 

15.2     Members of our staff team, contractors or Trustees should refer to and follow our Whistleblowing Policy where they have any concerns about serious wrongdoing on behalf of the organisation in relation to Data Protection.

 

15.3     If an individual requires further assistance with complaints regarding their data, they can contact the Information Commissioner’s Office, whose remit covers the UK.

 

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
SK9 5AF


Telephone: 0303 123 1113
Email: [email protected]

 

Your data may also be available to our website provider to enable us and them to deliver their service to us, carry out analysis and research on demographics, interests and behavior of our users and supporters to help us gain a better understanding of them to enable us to improve our services. This may include connecting data we receive from you on the website to data available from other sources. Your personally identifiable data will only be used where it is necessary for the analysis required, and where your interests for privacy are not deemed to outweigh their legitimate interests in developing new services for us. In the case of this activity the following will apply:

  1. Your data will be made available to our website provider.
  2. The data that may be available to them include any of the data we collect as described in this privacy policy.
  3. Our website provider will not transfer your data to any other third party, or transfer your data outside of the EEA.
  4. They will store your data for a maximum of 7 years.
  5. This processing does not affect your rights as detailed in this privacy policy.