Time and Talents takes your privacy seriously. We are committed to protecting your personal information. New data protection legislation, known as GDPR (General Data Protection Regulations) come into effect in May 2018. T&T already takes great care with your data and ensures that all your personal information is held securely, fairly, and only ever used for the purposes for which you have given it to us.
However, we are taking steps to ensure that we ‘go the extra mile’ in line with the new legislation, which is designed to make sure that your data is used in a clear, transparent, and fair way. This policy sets out how T&T uses the information that you provide us with in order to help further our work in building community and supporting vulnerable people.
This policy forms a key part of how we work with people’s personal information at Time and Talents. We also have a more practical set of guidelines and internal processes for staff and volunteers, and regular training to ensure that staff understand.
2. Who we are
Time and Talents is a company limited by guarantee and registered in England no. 4009766. Registered charity no. 1084545
For the purposes of legislation, our Trustees are the data processor. To contact the trustees, contact The Chair, c/o firstname.lastname@example.org
For day to day queries, our lead data protection officer is our Services and Operational Manager, Alyson Moore, who can also be contacted at the above email, or on our main telephone number.
3. Handling Information: Our Principles
· We will not unduly prioritise our interests as a charity over your interests as an individual - we will always balance our interests (needs) with your rights
· We will only use personal information in a way, and for a purpose, that you would reasonably expect in accordance with this Policy
· We will always act with fairness, transparency, equity and in good faith
· We will always recognise the trust you have put in us by sharing any of your personal data – and that even accidental misuse or mishandling of your data could have serious effects on individuals
4. About GDPR
What the Law says about protection of personal information
The Law on Data Protection is derived from various pieces of legislation (which can be found in a number of places). These include the Data Protection Act and the General Data Protection Regulation (the ‘GDPR’) which became enforceable from May 2018. The GDPR states that personal data (information relating to a person that can be individually identified) can only be processed if there is a legal ground to do so. Activities like collecting, storing and using personal information would fall into the GDPR’s definition of processing. The GDPR provides six legal grounds (reasons) under which personal information can be processed (used) in a way that is lawful. For the processing to be permitted by law (lawful), at least one of the legal grounds must apply.
The six legal grounds relevant to Time and Talents’ use of your personal information are:
• Vital Interests
• Public Task
• Legitimate Interest
• Legal Obligation
5. How the law applies to Time and Talents’ use of personal information
We will only process (use) your personal information when we have:
• asked you and have a record of your express and recent consent for us to do so;
• a ‘Legitimate Interest’ to do so in order to support our charitable mission, or to provide you with help or support you have requested
• a contract with you that we can only fulfil by using your personal information - this would include your making applications to volunteer or work with us, or supply of a service
• a legal obligation to use or disclose information about you, e.g. we are required by law to keep records of gifts that are given to us with Gift Aid for 4 years, and we are compelled to disclose information relating to safeguarding incidents
• there is a vital interest in doing so - your life or someone else’s is in danger. This could also apply in the case of safeguarding issues
• On occasion, to undertake a public task
There are times when it is not practical to obtain and record consent – if we asked for your consent every single time you spoke to us, this would be impractical for you and us! At those times, we will only process personal information if that processing would meet another legal ground e.g. Legitimate Interests, in which case we would only process in accordance with the law’s strict rules on legitimate interest processing.
Below we have set out some ways we use your data in accordance with the above, so you can see clearly what we do, and why.
6. Your Information – what we collect and how we use it
T&T collects information from the public in a number of different ways. To help you understand this, we have set out the most common uses.
6.1 Attendees at our open activities and events
Example: recording your name and postcode when you come to our mindfulness group or a children’s activity.
T&T runs a range of fun activities events, support groups, and activities for all ages. We collect limited information on current and past users of our services, activities, and events. We will use this to understand who uses our activities, to prove that people are using our services to funders, and to keep in touch with you about similar events and activities.
T&T’s primary charitable purpose is to support the local community, and bring people together for fun and friendship. We therefore have a legitimate interest in making sure people are aware of our activities, where they have shown interest or attended previously. Therefore, we may use your data to keep you up to date with activities that are happening at T&T where we think there is a reasonable expectation that you may be interested in participating in other community activities.
If you attend our activities or events, we may often ask you for your name, gender, age range, and postcode so that we can accurately count and report to our funders and regulators on the number of, and what kind of, people use our services.
Sharing this information
When we share that information, it will always be provided as an aggregate (X people from Y postcode, Z people between 20 and 50 years of age, and so on). Individual information on who has attended will not be shared. We will never give anyone information on the individuals who attended an activity or event without the individual’s express consent (unless required to do so by law).
How it’s stored
Mostly, this kind of generic information is kept digitally via our mailing list and database. However, as we use sign-up sheets and similar, there are also hard copies made, which have signatures. These are kept secure, in locked filing cabinets when they are not in use.
You can always unsubscribe from emails or other types of contact, or ask us to remove all of your data from our systems.
How long we will keep your information
3 years or until you ask us to stop
6.2 Users of our services and support
Example: recording and storing information that you give us when we do an assessment for our older people’s programme, or when we make a befriending match.
Some of our other services are much more personal and individual in nature. This includes groups which support people with health conditions (such as our ‘Stroke Club’), or where referrals are made from health and social care professionals. It also includes individual and one to one support we might give, via assessments, advocacy, case management, or counselling.
In such cases, with your consent, we will securely and confidentially store more detailed information. This will often include information such as your name, date of birth and contact information, and in the case of our support services, will often include personal information on your needs, health, and welfare.
This information is required to be able to provide you with a service or support. For example, we will need your address to send you letters, or your phone number to let you know when we are visiting. We will need to know about food allergies or specific health conditions in some of our groups, or your next of kin in some situations. We will ask you questions, and store your answers, about your personal circumstances so we can give you the right help.
Guarding such highly personal data is of the utmost importance to us, and we recognise the level of trust that you are putting in us if you give us this information. We will only ever use this information:
· To help provide ongoing care and support to individuals where it has been requested
· To help us understand who is using our services, and identify emerging or existing needs in our community
· Ensuring we are reaching the right people, identifying for example where participants come from, what age ranges they fall into, and so on
· As an aggregate, to help us demonstrate to funders and others to whom we are accountable the work that we do and impact we have
· To create aggregated, non-identifiable case studies which may be shared with funders to help them understand the impact of our work.
We only ever capture data that is necessary to help provide a service. If you ever feel the information we request is excessive or intrusive, you do not need to provide it, and we welcome feedback good or bad. We will always endeavor to still work with you if you don’t want to give us information which is not absolutely essential to the delivery of the support.
Sharing this information
In the case of our support work, we will share your information with others who can help you (‘make a referral’) if you consent to us doing this. This could be, for example, phoning your doctor if you ask us to, or linking you with a specialist support worker. With your consent, giving your contact details and some agreed personal information to your befriender is a key part of our befriending service.
We will only ever do the above with others who are either signed up to our data protection policies (eg in the case of our volunteer befrienders) or who have the same rigorous data protection policies that we do, and only:
· If you have consented, or asked us to do so
· To allow you to get the help and support you need, and in your interests alone
· To those whom we are sure share our standards of information use, our values and charitable goals
· In very rare cases where there is a ‘vital interest’ – we are worried that you or someone else could be in serious danger. This would include where we had a concern about safeguarding
· In any case where we provide a public task – for example, if we deliver a service on behalf of the NHS or similar.
How it’s stored
This information is stored digitally via our database. Additionally, we may keep hard-copy case notes. These are kept secure, in locked filing cabinets, when they are not in use. They are only accessible to staff responsible for our support work. We may keep this information in note books used by peripatetic staff (for example when we are travelling to and from assessments), but it will be kept in notational form and full names not used, as an extra precaution.
How long we will keep this information:
For as long as you receive support from us, plus 3 years, or until you withdraw your consent
6.3 Statistical analysis and social research
Example: finding out the number of people over 65 with diabetes who attend our groups, or how many people live in a certain postcode and use our play clubs who are from an ethnic minority.
In order to ensure we understand the needs in our community and what we can best offer to help people, we may analyse your data in combination with that of others. We will do this, for example, to aid the development of services and activities, to demonstrate need for our services, or to show effectiveness of certain interventions. We may also look for common themes and qualitative information across our data, which will be anonymized, or used only with the consent of any individuals who are identifiable.
6.4 Volunteers or applicants to volunteer
Example: processing somebody’s application to volunteer, including taking up references and an enhanced DBS check.
Every year up to 150 people give their time and talents to help their local community. When you do this, we follow a recruitment process. This includes you completing an application form, usually via our website, which we receive and then process. With your consent, we will take up two references, usually by telephone. We keep paper copies of these references for the length of time you volunteer and a reasonable period afterwards.
For volunteers as well as staff, we need to undertake an enhanced DBS (Disclosure and Barring Service) check. We ask you to manage this process yourself online. We do not keep copies of your personal documents which need to be provided for proof of identity.
When your DBS certificate returns, we don’t keep a copy, and only record whether there was any issue.
We use your data to:
· check whether you are suitable for a volunteering role
· find you the right volunteering placement
· know what skills we have available to us in our volunteer pool
· make befriending matches and placements
· record your volunteering activity
How we store it
We keep your volunteering and personal details in our database, and hard copies in our locked filing cabinets. Only relevant staff will have access to these details.
How long we will keep this information:
We will store your application form and information for as long as you continue to volunteer with us, plus 3 years, unless you tell us otherwise.
6.5 Staff information
Information on use of employee data can be found in our employee handbook.
6.6 Still and Moving Images
Example: Taking a picture of people dancing at our summer party and putting it on Facebook, a portrait of 2 members of our stroke club wearing a funny hat.
We often take photographs and video at events and activities and will ask for your permission before we record your image, wherever you are featured prominently.
You may withdraw your consent for us to use your image in the future. We will ask about specific types of use for your images. We will pay particular attention to any images which feature children.
In the case of large group shots or edited films, and images which have been shared widely, it may not be practically possible to remove your individual image. For example, we would be unlikely to be able to remove a brief shot of you from a substantial edited video with many participants, in the event that you later choose to withdraw permission.
In such a case, we may have a legitimate interest to continue using that image or film. We would always balance this legitimate charitable interest with the impact on the needs and rights of any individual concerned. GDPR takes into account the level of investment, and legitimate interests of an organization when considering the approach which must be taken to images.
It is not always practical to seek written permission for use of photographs of large groups at public events - for example, images of a large outdoor party with 300 attendees.
In such cases, we will make all attendees aware that group photographs are being taken, and offer them the option to be excluded from images, or not to attend.
We will use images for publicizing our work, reporting to funders, and for historical archiving. We may use the images on social media, our website, or for print media. We will ask separately whether you are happy for us to use your image for specific purposes, especially where it may be in the context of any commercial or fundraising request.
How will we store it?
We will store videos and images in digital format, in cloud storage, and on hard media such as DVDs and Blu-Rays.
How long will we keep your information?
For individual images, 3 years; for material featuring multiple subjects and edited films, 5 years.
6.7 Fundraising and donor information
Example: making a donation to T&T via the ‘make a donation’ link on the website
Time and Talents receives a limited number of donations from individuals and does not currently have an extensive individual fundraising programme, or lists of individual donors.
When you make a donation, unless you make it anonymously, we will ask for information that enables us to administer your donation. This will normally include information such as your name, contact details, and your payment details. We will not retain payment information beyond the immediate use. If you use our third party payment services, you can choose whether or not your financial information is stored for future use.
Sharing your information
We will never share your information with any other parties, unless it is
· in order to process the donation, payment or gift aid
· in order to comply with a legal requirement
· in any other case, with your express consent
How will we store it?
We will store this information in our secure accounting software, and on paper financial records in a locked filing cabinet.
How long we will keep your information?
7 years, to comply with HMRC regulations, and 4 years to comply with Gift Aid regulations
6.8 Historical Connections
Example: Sending a Christmas card or newsletter to one of the oldest members of T&T from the 1930s.
Although we are no longer an official membership organisation, Time and Talents has been a society of friends and supporters for 131 years. Our long relationships, deep roots, history, and transgenerational links are among our greatest strengths.
Some of our existing/ remaining personal connections predate any kind of data protection legislation, were based on personal trust in the Settlement, and were never entered into on the expectation that they would need to give signed consent etc. This includes many people who are now very elderly, and would not necessarily be able to re-sign up for consent via email, or send back letters telling us to continue contacting them. Some may be very lonely, and their sense of continued connection to their past is very important. We therefore have a legitimate charitable interest in maintaining those links and holding that information.
In those particular cases of lifetime friends of T&T, we will continue to hold those details for the rest of that person’s lifetime. Of course, any further correspondence or contact will maintain the option to remove their data from our systems.
6.9 Historical Archives
Example: Keeping the minutes from a meeting about redevelopment in the 1990s, or sharing an archive image online, featuring the first children’s computing classes in the 1980s.
Time & Talents has an historical archive held at the London Metropolitan Archive. It also has an archive from the 1980s onwards which we currently hold in our own secure storage. Our goal is to find funding to catalogue and log the more recent archive fully in the near future, with a view to storing this also with the LMA.
This material is of historical significance and therefore subject to certain exemptions under GDPR for libraries and historical archives which may contain personal information.
Sharing this information
There are many potential purposes that historical information can be put to – we may wish to create historical materials and museum exhibits, or to post blog posts on the website. We will share any archive historical materials with caution, especially where it may have any forseeable impact on people who are still living, while keeping it safely for future or present study.
How we store your information and data
Most of our archive material is stored in paper copy in our secure storage room. Some material is digitized, although most of this is in the London Metropolitan Archive.
7. Online and digital privacy
We know that online and digital privacy is something that people take increasingly seriously, and we welcome people taking more care with how their data is shared online. Although we are very small charity, we have some digital services we use which store and process information from the public, and you can find out more about these below.
Our website is hosted by a US company, Siteground, a trusted and high-quality web hosting company. We pay them to store and look after our website rather than having to have it on a machine here at T&T, which would be a lot harder to keep going. That means that when you submit a form via our website – for example, applying to be a volunteer – that information goes via another computer in the US.
You can find information on how Siteground is preparing for GDPR here. https://www.siteground.com/blog/gdpr-siteground-getting-ready/
As of writing, they are preparing their final terms of service for 25th May 2018. Their current terms can be found here: ww.siteground.com/terms.htm
Cookies are little bits of information stored in your browser (Chrome, Firefox, Edge, etc) to make browsing between pages in a site work better, or to make sure a site remembers you when you come back. Most websites use them – without cookies, pages tend to be quite limited in what they can do.
We use two specific types of cookies on our website:
We will use the session cookies to keep the continuity of your session while you navigate the website (eg. so that if you click an action on one page, the next page knows what action has been taken). We will use the persistent cookies to enable our website to recognise you when you return to the site.
We use Google Analytics to analyse the use of this website. Google Analytics generates statistical and other information about website use by means of cookies, which are stored on users’ computers. The information generated related to our website is used to create reports about the use of the website. Google will store this information. Find out more about Google's position on privacy as regards its analytics service.
Most browsers allow you to reject all cookies. For example in Internet explorer you can refuse all cookies by clicking “Tools”, “Internet Options”, “Privacy” and selecting “Block all cookies” using the sliding selector. As with all websites, locking all cookies will make the website much less easy to use.
Third Party Cookies are cookies set on your machine by external websites whose services are used on this site. Cookies of this type are the sharing buttons across the site which allow visitors to share content onto social networks such as Twitter and Facebook. In order to implement these buttons, and connect them to the relevant social networks and external sites, there are scripts (little snippets of programmes) from domains outside of our website. We include these links because most other sites do, and it makes it easier for you to share our content with your friends online, if you wish to.
You should check the respective policies of each of these sites to see how exactly they use your information and to find out how to opt out, or delete, such information.
7.3 Office systems
Our email, calendar, and general office IT uses Microsoft Office 365 technology, which meets GDPR requirements. They have extensive privacy terms which you can find here http://www.microsoftvolumelicensing.com/DocumentSearch.aspx?Mode=3&DocumentTypeId=31 Our cloud servers store data in the UK/ EU, and are fully GDPR compliant.
7.4 Keeping in touch via email
We regularly send out emails like newsletters or announcements. Some emails that we send you have no tracking in at all e.g. service emails with invoices attached. Other emails we send we can track whether the user has opened and clicked on the email. We don’t use this information at a personal level -we just use it to understand open and click rates on our emails to try and improve them. If nobody opens an email, we go back to the drawing board on what to include in future. If you want to be sure that none of your email activity is tracked then you should opt out of our emails which you can do via the unsubscribe link at the bottom of every email we send.
We use an industry standard email tool, MailChimp, to send bulk emails. Mailchimp’s servers are in the US, so you need to be aware that in principle, when you sign up to a newsletter, your information is being stored in the US. Again, this is in common with many other websites across the world.
Mailchimp have rigorous privacy and data protection policies, have readied themselves for GDPR, and are signed up to the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework.
You can see their data protection policy here:
7.5 Online Donations and Payments
Financial transactions made online to Time and Talents using the Virgin Money website link are secured by Virgin Money. No one can access your credit card details via the internet.
We will never, ever, contact you by email asking you for payments, passwords or credit card details. If anyone ever claims to be from T&T, please end the call and call us back at the office to notify and check with us.
Our user database is stored ‘in the cloud’ (that means it isn’t stored on our own computers, but with a larger company in a secure internet ‘data warehouse’). This is generally much safer for small companies, helping us avoid hacking, viruses, and so on. The database is run by Lamplight, and a summary of the protections for this very sensitive database and the information it holds can be found here. https://www.lamplightdb.co.uk/the-system/gdpr/system-security/ They too are making preparations for GDPR and will be ready for the May deadline.
8. Making Changes
You can request changes to, or ask to remove, to the data we hold, and how we use it.
Should you wish to change your contact preferences, or to remove yourself from our records, you can do this by writing to us at email@example.com, or by telephone to our main office number.
You can request to see your personal data. We will always comply wherever we can, where the request is proportionate, realistic, and reasonable. We can refuse to comply with a request for erasure if it is manifestly unfounded or excessive, taking into account whether the request is repetitive in nature.
You can also request erasure from our records.
9. Legal requirements
Like all organisations, we comply with requests for the disclosure of personal information where this is required or permitted by law. This could include requests from law enforcement or tax agencies. In these circumstances, the request must be submitted in writing and in accordance with the relevant legal requirements.
And finally, if you believe your privacy rights have been violated, you may file a complaint with us or with the Information Commissioner’s office https://ico.org.uk/. We would always prefer you talk to us first, however, as usually it is very easy to fix any errors or problems.