This policy describes how and why Active Prospects uses your personal information, how we protect your privacy when doing so, and your rights and choices regarding this information. We promise to respect any of your personal information which is under our control and to keep it safe. We aim to be clear when we collect your information about what we will do with it.
We are a growing charity with relationships with fundraisers, volunteers, supporters and researchers, so we use personal information on a day-to-day basis in order to operate. Our use of personal information allows us to make better decisions and fundraise more efficiently.
This policy is effective from 25th May 2018.
Personal data shall be:
- Processed lawfully, fairly and in a transparent manner
- Collected for a specified and legitimate purpose
- Adequate, relevant and limited
- Kept no longer than is necessary
- Processed in line with your rights
- Not transferred to countries outside the European Union
We are Active Prospects, a society registered under the Community Benefit Act 2014, registered society number 26618R, with exempt charitable status, and we are also a social enterprise. We enable people with learning disabilities, physical and mental health needs to live full and aspiring lives. We are registered at 1 Castlefield Court, Church Street, Reigate, RH2 0AH.
We collect information in the following ways:
Information you provide to us directly
You may give us your information in order to sign up for one of our events, make a donation, purchase our products or register as a volunteer.
In addition, in accordance with common website practice, we will receive information about the type of device you’re using to access our website or apps. The settings on that device may provide us with information about your device, including what type of device it is, what specific device you have, what operating system you’re using, what your device settings are, and why a crash has happened. Your device manufacturer or operating system provider will have more details about what information your device makes available to us.
Information you provide to us indirectly
Your information may be shared with us by third parties, for example:
- professional fundraising agencies;
- if you sign up as a volunteer for us;
We also may receive data about you from subcontractors acting on our behalf who provide us with technical, payment or delivery services, and from business partners, advertising networks and search/analytics providers used on our website.
Information from other sources
We also use information from the following sources:
Depending on your settings or the privacy policies for social media and messaging services like Facebook, WhatsApp or Twitter, you might give us permission to access information from those services, for example when you publicly tag us in an event photo.
Information available publicly
We supplement information on our supporters with information from publicly available sources such as charity websites and annual reviews, corporate websites, public social media accounts, the electoral register and Companies House in order to create a fuller understanding of someone’s interests and support of CRUK. For more information, please see our section on “Building profiles of supporters” below.
What personal information we collect:
We collect, store and use the following kinds of personal information.
In the normal course of human resources and business activities, we process the following categories of personal information:
- Personal identification information, such as your name, home address, date of birth, gender, work-related photographs, and home phone number;
- Government-issued identification numbers, such as national ID for payroll purposes;
- Immigration, right-to-work and residence status;
- Family and emergency contact details;
- Job-related information, such as years of service, work location, employment ID, work record, vacation absences, and contract data;
- Educational and training information, such as your educational awards, certificates and licenses, vocational records and in-house training attendance;
- Recruitment and performance-related data, such as objectives, ratings, comments, feedback results, career history, work equipment, career and succession planning, skills and competencies and other work-related qualifications;
- Information related to your usage of Johnson Control’s assets, in particular its computers and telecommunication systems, and traffic generated on Internet;
- Information needed for compliance and risk management, such as disciplinary records, background check reports and security data;
- Payroll and payment or benefits related information, such as salary and insurance information, dependents, government identifier or tax numbers, bank account details, and employment related benefits information, family and dependent information.
- Travel and passport information
In addition, we may process Special Categories of your Personal Information, for example:
- Health and sickness information, such as medical certificates;
- Trade union membership;
- Criminal convictions and prosecutions (in certain countries)
We may hold other information about you for specific purposes for services we provide. We try to ensure information is accurate, up to date and not kept for longer than necessary.
To assist with personal security and crime prevention we may capture your image on our CCTV systems if you visit an office, estate or communal area which is covered by this facility.
Information We Collect Automatically:
We also collect some information automatically:
- Log Information: Like most online service providers, we collect information that web browsers, mobile devices, and servers typically make available, such as the browser type, IP address, unique device identifiers, language preference, referring site, the date and time of access, operating system, and mobile network information. We collect log information when you use our Services in order to assess the performance of our systems.
- Usage Information: We collect information about your usage of our Services. For example, we collect information about the actions that administrators and users perform – in other words, who did what, when and to what thing on our system (e.g. with our hosting control panels) along with information about your device (e.g., mobile screen size, name of cellular network, and mobile device manufacturer). We use this information to, for example, provide our Services to you, as well as get insights on how people use our Services, so we can make our Services better.
- Location Information: We may determine the approximate location of your device from your IP address. We collect and use this information to, for example, calculate how many people visit our Services from certain geographic regions. We may also collect information about your precise location via our mobile apps if you allow us to do so through your mobile device operating system’s permissions.
- Information We Collect from Other Sources: We may also get information about you from other sources. For example, if you create or log into your account through another service (like Google) or if you connect your website or account to a social media service (like Twitter), we will receive information from that service (such as your username, basic profile information, and friends list) via the authorization procedures used by that service. The information we receive depends on which services you authorize and any options that are available.
We may also obtain information from third party services about individuals who are not yet our users (…but we hope will be!), which we may use, for example, for marketing and advertising purposes.
If You’re 16 Or Under
If you’re 16 or under, you must get your parent/guardian’s permission before you provide any personal information to us.
- Provide you with the services, products or information you asked for;
- Administer your donation or support your fundraising, including processing Gift Aid;
- Manage your tenancy, lease or other services you have engaged with
- Keep a record of your relationship with us;
- Respond to or fulfil any requests, complaints or queries you make to us;
- Understand how we can improve our services, products or information by conducting analysis and market research;
- Manage our events;
- Check for updated contact details against third party sources so that we can stay in touch if you move;
- Further our charitable objectives;
- Register, administer and personalise online accounts when you sign up to products we have developed;
- Send you correspondence and communicate with you;
- Process applications for funding and for administration of our role in the projects we fund;
- Administer our websites and to troubleshoot, perform data analysis, research, generate statistics and surveys related to our technical systems;
- Testing our technical systems to make sure they are working as expected;
- Contact you if you enter your details onto one of our online forms, and you don’t ‘send’ or ‘submit’ the form, to see if we can help with any problems you may be experiencing with the form or our websites;
- Display content to you in a way appropriate to the device you are using (for example if you are viewing content on a mobile device or a computer);
- Generate reports on our work, services and events;
- Safeguard our staff and volunteers;
- Conduct due diligence and ethical screening;
- Monitor website use to identify visitor location, guard against disruptive use, monitor website traffic and/or personalise information which is presented to you;
- Process your application for a job or volunteering position;
- Conduct training and quality control;
- Audit and administer our accounts;
- Meet our legal obligations, for instance to perform contracts between you and us, or our obligations to regulators, government and/or law enforcement bodies;
- Carry out fraud prevention and money laundering checks;
- Undertake credit risk reduction activities; and/or
- Establish, defend or enforce legal claims.
To understand how we are performing we undertake call recording in some of our service areas for training and quality monitoring purposes. We also hold records of any contact we have with you and any contact from third parties representing you.
The organisation does not use any system based automated decision process for any significant processes. You will always be able to query decisions with staff.
Information will be used across the organisation to ensure you are receiving all services you have requested.
Minimal information will be shared with authorised third party Contractors to provide Landlord services, for example repairs. Where we need to share personal data with our contractors the relationship is governed by a contract which will include strict data sharing and confidentiality protocols. We only share personal information that is necessary to deliver the service.
We will not provide your information to any unauthorised third parties or share information except where we are required to by law.
We do not sell our users’ private personal information.
We share your personal data in the limited circumstances spelled out below and with appropriate safeguards on your privacy:
- Our contractors to carry out landlord services i.e. repairs, maintenance etc
- Local authority teams such as social services, benefit agencies, council tax
- Utility companies
- Third party services acting on our behalf i.e. mailing company distributing Rent statements or a debt collection agency pursuing former tenant arrears
- Police and other relevant statutory agencies i.e. HM Revenue and Customs, Department of Work & Pensions
- To Protect Rights and Property: We may disclose information about you when we believe in good faith that disclosure is reasonably necessary to protect the property or rights of Active Prospects, third parties, or the public at large. For example, if we have a good faith belief that there is an imminent danger of death or serious physical injury, we may disclose information related to the emergency without delay.
We may also share information when required by law or to protect the legitimate interest of an individual.
With your consent or when considered a legitimate interest that does not negatively affect your rights and freedoms as an individual, we may also share your data with other third parties. These third parties and the reasons for sharing your data with them are listed below:
- Microsoft Corporation – Office 365 and Azure services
- 123-Reg Ltd. – Domain registration
- InfoSec Cloud Ltd. – Cyber security awareness training
- Class Networks – Telephony and data services
- Mobile Computer Services Ltd. – Support services
- Compucare Systems – Support Services
- Advanced – Healthcare software services
- Bitdefender – Endpoint security tools
- EE – Mobile telephony services
- Three – Mobile telephony services
- Egress Software Technologies – Encrypted data services
- Computer Security Technology Ltd. – Cyber defence and information protection
- RISC IT Solutions – Encrypted data storage services
Legal basis for processing
Data protection laws mean that each use we make of personal information must have a “legal basis”. The relevant legal bases are set out in the General Data Protection Regulation (EU Regulation 2016/679) and in current UK data protection legislation.
Consent is where we ask you if we can use your information in a certain way, and you agree to this (for example when we send you marketing material via post, phone, text or e-mail). Where we use your information for a purpose based on consent, you have the right to withdraw consent for any future use of your information for this purpose at any time.
We have a basis to use your personal information where we need to do so to comply with one of our legal or regulatory obligations. For example, in some cases we may need to share your information with our various regulators such as the Fundraising Regulator or Information Commissioner or to use information we collect about you for due diligence or ethical screening purposes.
Performance of a contract / take steps at your request to prepare for entry into a contract
We have a basis to use your personal information where we are entering into a contract with you or performing our obligations under that contract. Examples of this would be if you are buying something from us (for instance some branded merchandise or, in some cases, an event place), applying to work/volunteer with us, or being funded to undertake research.
We have a basis to use your personal information where it is necessary for us to protect life or health. For instance if there were to be an emergency impacting individuals at one of our events, or a safeguarding issue which required us to contact people unexpectedly or share their information with emergency services.
We have a basis to use your personal information if it is reasonably necessary for us (or others) to do so and in our/their “legitimate interests” (provided that what the information is used for is fair and does not unduly impact your rights).
We consider our legitimate interests to include all of the day-to-day activities Active Prospects carries out with personal information. Some examples not mentioned under the other bases above where we are relying on legitimate interests are:
- Analysis and profiling of our supporters using personal information we already hold;
- Updating your address using third party sources if you have moved house (please see the “Keeping your information up to date” section below for more on this).
- Use of personal information when we are monitoring use of our website or apps for technical purposes;
- Use of personal information to administer, review and keep an internal record of the people we work with, including supporters, volunteers and researchers;
- Sharing of personal information between relevant teams and committees within Active Prospects;
- We only rely on legitimate interests where we consider that any potential impact on you (positive and negative), how intrusive it is from a privacy perspective and your rights under data protection laws do not override our (or others’) interests in us using your information in this way.
- When we use sensitive personal information (please see the “What personal information we collect” section above), we require an additional legal basis to do so under data protection laws, so will either do so on the basis of your explicit consent or another route available to us at law for using this type of information (for example if you have made the information manifestly public, we need to process it for employment, social security or social protection law purposes, your vital interests, or, in some cases, if it is in the public interest for us to do so).
Your personal information is stored on our electronic filing system and our servers based in the UK, and is accessed by our employees for the purposes set out above. Where hard copies of documentation are retained in line with Active Prospects’ data retention schedule, these will be stored securely at Active Prospects Head Office (or secure offsite storage).
While no online service is 100% secure, we work very hard to protect information about you against unauthorized access, use, alteration, or destruction, and take reasonable measures to do so. To enhance the security of your account, we encourage you to observe good security best practices with your account information, such as choosing strong passwords when registering with our systems and keeping this information secret.
We employ a range of security controls throughout our organisation to ensure that we look after your personal data and protect it from loss, corruption or unauthorised access. Our Data and Information Security Policy, which outlines our commitment to protecting your data, is available on request.
- We will keep your personal information in respect of financial transactions for as long as the law requires us to for tax or accounting purposes (which may be up to six years after a particular transaction). http://activeprospects.org.uk/content/uploads/2018/05/GDPR-Retention.pdf
- If you request that we stop processing your personal information for the purpose of marketing we may in some instances need to add your details to a suppression file to enable us to comply with your request not to be contacted.
- In respect of other personal information, we will retain it for no longer than necessary for the purposes for which it was collected, taking into account guidance issued by the Information Commissioner’s Office.
Active Prospects is committed to upholding your rights in respect of your personal data
The law provides the following rights for individuals:
- Right to be informed
- The right of access
- The right to rectification
- The right to erase
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling
Further information can be found on the Information Commissioner’s Office website
Access to Personal Information:
You have the right to request access to personal information we may hold about you by making a Subject Access Request application. If you would like to do this you can complete the subject access request form or make a written request to our Data Protection Officer at the address provided above.
If you have any complaints about the way in which your personal data is being handled, then please contact us using the contact details below. Alternatively, you may also contact the national supervisory authority to register a complaint; their details can be found at https://ico.org.uk
To contact us about your personal data or with any data requests, you may contact us via firstname.lastname@example.org.
The data controller is Ian Temple, Director of Finance, 01737 924235, 1 Castlefield Court, Church Street, Reigate, RH2 0AH.
Our Privacy Notices
In order to be open and transparent about how we use your data, we have prepared a range of privacy notices, which explain why and how we use your data, who we might pass your data to and why, how long we will hold your data for, and your rights in relation to your data. Click on the links below to view the privacy notice relevant to you: