Privacy Policy
1. Introduction
Time and Talents takes your privacy seriously. We are committed
to protecting your personal information. New data protection legislation, known
as GDPR (General Data Protection Regulation), comes into effect in May 2018.
T&T already takes great care with your data and ensures that all your
personal information is held securely, fairly, and only ever used for the
purposes for which you have given it to us.
However, we are taking steps to ensure that we ‘go the extra
mile’ in line with the new legislation, which is designed to make sure that
your data is used in a clear, transparent, and fair way. This policy sets out
how T&T uses the information that you provide us with in order to help
further our work in building community and supporting vulnerable people.
This policy forms a key part of how we work with people’s
personal information at Time and Talents. We also have a more practical set of
guidelines and internal processes for staff and volunteers, and regular
training to ensure that staff understand.
2. Who we are
Time and Talents is a company limited by
guarantee and registered in England no. 4009766. Registered charity no. 1084545.
For the purposes of legislation, our Trustees are the data
processor. To contact the trustees, contact The Chair, c/o info@timeandtalents.org.uk
For day-to-day queries, our lead
data protection officer is our Services and Operational Manager, Alyson Moore,
who can also be contacted at the above email, or on our main telephone number.
3. Handling Information: Our Principles
This document sets out our privacy policy as a whole, focusing
on the specific and most common uses of data at T&T at present. As time
goes on, the information, and how we will use it will change, and the policy
will need to adapt. Therefore, we want to start by setting out our general
principles of data use and privacy:
· We will not unduly prioritise our interests as a charity over your
interests as an individual - we will always balance our interests (needs)
with your rights
· We will only use personal information in a way, and for a purpose, that
you would reasonably expect in accordance with this Policy
· We will always act with fairness, transparency, equity and in good faith
· We will always recognise the trust you have put in us by sharing any of
your personal data – and that even accidental misuse or mishandling of your
data could have serious effects on individuals
4. About GDPR
What the Law says about protection of personal information
The Law on Data Protection is derived from various pieces of
legislation (which can be found in a number of places). These include the Data
Protection Act and the General Data Protection Regulation (the ‘GDPR’) which
became enforceable from May 2018. The GDPR states that personal data
(information relating to a person that can be individually identified) can only
be processed if there is a legal ground to do so. Activities like collecting,
storing and using personal information would fall into the GDPR’s definition of
processing. The GDPR provides six legal grounds (reasons) under which personal
information can be processed (used) in a way that is lawful. For the processing
to be permitted by law (lawful), at least one of the legal grounds must apply.
The six legal grounds relevant to Time and Talents’ use of your
personal information are:
• Consent
• Vital Interests
• Public Task
• Legitimate Interest
• Contract
• Legal Obligation
5. How the law applies to Time and Talents’ use of personal information
We will only process (use) your personal information when we
have:
• asked you and have a record of your express and recent consent for
us to do so;
• a ‘Legitimate Interest’ to do so in order to support our charitable
mission, or to provide you with help or support you have requested
• a contract with you that we can only fulfil by using your
personal information - this would include your making applications to volunteer
or work with us, or supply of a service
• a legal obligation to use or disclose information about you,
e.g. we are required by law to keep records of gifts that are given to us with
Gift Aid for 4 years, and we are compelled to disclose information relating to
safeguarding incidents
• there is a vital interest in doing so - your life or someone else’s is in
danger. This could also apply in the case of safeguarding issues
• On occasion, to undertake a public task
There are times when it is not practical to obtain and record
consent – if we asked for your consent every single time you spoke to us, this
would be impractical for you and us! At those times, we will only process
personal information if that processing would meet another legal ground e.g.
Legitimate Interests, in which case we would only process in accordance with
the law’s strict rules on legitimate interest processing.
Below we have set out some ways we use your data in accordance
with the above, so you can see clearly what we do, and why.
6. Your Information – what we collect and how we use it
T&T collects information from the public in a number of
different ways. To help you understand this, we have set out the most
common uses.
6.1 Attendees at our open activities and events
Example: recording your name and
postcode when you come to our mindfulness group or a children’s activity.
T&T runs a range of fun activities, events, support groups,
and activities for all ages. We collect limited information on current and past
users of our services, activities, and events. We will use this to understand
who uses our activities, to prove to funders that people are using our services,
and to keep in touch with you about similar events and activities.
T&T’s primary charitable purpose is to support the local
community, and bring people together for fun and friendship. We therefore have
a legitimate interest in making sure people are aware of our activities, where
they have shown interest or attended previously. Therefore, we may use your
data to keep you up to date with activities that are happening at T&T where
we think there is a reasonable expectation that you may be interested in
participating in other community activities.
If you attend our activities or events, we may often ask you for
your name, gender, age range, and postcode so that we can accurately count and
report to our funders and regulators on the number of, and what kind of, people
use our services.
Sharing this information
When we share that information, it will always be provided as an
aggregate (X people from Y postcode, Z people between 20 and 50 years of age,
and so on). Individual information on who has attended will not be shared. We
will never give anyone information on the individuals who attended an activity
or event without the individual’s express consent (unless required to do so by
law).
How it’s stored
Mostly, this kind of generic information is kept digitally via
our mailing list and database. However, as we use sign-up sheets and similar,
there are also hard copies made, which have signatures. These are kept secure,
in locked filing cabinets when they are not in use.
You can always unsubscribe from emails or other types of contact,
or ask us to remove all of your data from our systems.
How long we will keep your information
3 years or until you ask us to stop
6.2 Users of our services and support
Example: recording and storing
information that you give us when we do an assessment for our older people’s
programme, or when we make a befriending match.
Some of our other services are much more personal and individual
in nature. This includes groups which support people with health conditions
(such as our ‘Stroke Club’), or where referrals are made from health and social
care professionals. It also includes individual and one to one support we might
give, via assessments, advocacy, case management, or counselling.
In such cases, with your consent, we will securely and
confidentially store more detailed information. This will often include
information such as your name, date of birth and contact information, and in
the case of our support services, will often include personal information on
your needs, health, and welfare.
This information is required to be able to provide you with a
service or support. For example, we will need your address to send you letters,
or your phone number to let you know when we are visiting. We will need to know
about food allergies or specific health conditions in some of our groups, or your
next of kin in some situations. We will ask you questions, and store your
answers, about your personal circumstances so we can give you the right help.
Guarding such highly personal data is of the utmost importance
to us, and we recognise the level of trust that you are putting in us if you
give us this information. We will only ever use this information:
· To help provide ongoing care and support to individuals where it has
been requested
· To help us understand who is using our services, and identify emerging
or existing needs in our community
· Ensuring we are reaching the right people, identifying for example where
participants come from, what age ranges they fall into, and so on
· As an aggregate, to help us demonstrate to funders and others to whom we
are accountable the work that we do and impact we have
· To create aggregated, non-identifiable case studies which may be shared
with funders to help them understand the impact of our work.
We only ever capture data that is necessary to help provide a
service. If you ever feel the information we request is excessive or intrusive,
you do not need to provide it, and we welcome feedback good or bad. We will
always endeavor to still work with you if you don’t want to give us information
which is not absolutely essential to the delivery of the support.
Sharing this information
In the case of our support work, we will share your information
with others who can help you (‘make a referral’) if you consent to us doing this.
This could be, for example, phoning your doctor if you ask us to, or linking
you with a specialist support worker. With your consent, giving your contact
details and some agreed personal information to your befriender is a key part
of our befriending service.
We will only ever do the above with others who are either signed
up to our data protection policies (e.g. in the case of our volunteer
befrienders) or who have the same rigorous data protection policies that we do,
and only:
· If you have consented, or asked us to do so
· To allow you to get the help and support you need, and in your interests
alone
· To those whom we are sure share our standards of information use, our
values and charitable goals
· In very rare cases where there is a ‘vital interest’ – we are worried
that you or someone else could be in serious danger. This would include where
we had a concern about safeguarding
· In any case where we provide a public task – for example, if we deliver
a service on behalf of the NHS or similar.
How it’s stored
This information is stored digitally via our database. Additionally,
we may keep hard-copy case notes. These are kept secure, in locked filing
cabinets, when they are not in use. They are only accessible to staff responsible
for our support work. We may keep this information in notebooks used by
peripatetic staff (for example when we are travelling to and from assessments),
but it will be kept in notational form and full names not used, as an extra
precaution.
How long we will keep this information:
For as long as you receive support from us, plus 3 years, or
until you withdraw your consent
6.3 Statistical analysis and social research
Example: finding out the number of
people over 65 with diabetes who attend our groups, or how many people live in
a certain postcode and use our play clubs who are from an ethnic minority.
In order to ensure we understand the needs in our community and
what we can best offer to help people, we may analyse your data in combination
with that of others. We will do this, for example, to aid the development of
services and activities, to demonstrate need for our services, or to show
effectiveness of certain interventions. We may also look for common themes and
qualitative information across our data, which will be anonymized, or used only
with the consent of any individuals who are identifiable.
6.4 Volunteers or applicants to volunteer
Example: processing somebody’s
application to volunteer, including taking up references and an enhanced DBS
check.
Every year up to 150 people give their time and talents to help
their local community. When you do this, we follow a recruitment process. This
includes you completing an application form, usually via our website, which we
receive and then process. With your consent, we will take up two references,
usually by telephone. We keep paper copies of these references for the length
of time you volunteer and a reasonable period afterwards.
For volunteers as well as staff, we need to undertake an
enhanced DBS (Disclosure and Barring Service) check. We ask you to manage this
process yourself online. We do not keep copies of your personal documents which
need to be provided for proof of identity.
When your DBS certificate returns, we don’t keep a copy, and
only record whether there was any issue.
We use your data to:
· check whether you are suitable for a volunteering role
· find you the right volunteering placement
· know what skills we have available to us in our volunteer pool
· make befriending matches and placements
· record your volunteering activity
How we store it
We keep your volunteering and personal details in our database, and
hard copies in our locked filing cabinets. Only relevant staff will have access
to these details.
How long we will keep this information:
We will store your application form and information for as long
as you continue to volunteer with us, plus 3 years, unless you tell us
otherwise.
6.5 Staff information
Information on use of employee data can be found in our employee
handbook.
6.6 Still and Moving Images
Example: Taking a picture of people
dancing at our summer party and putting it on Facebook, a portrait of 2 members
of our stroke club wearing a funny hat.
We often take photographs and video at events and activities and
will ask for your permission before we record your image, wherever you are
featured prominently.
You may withdraw your consent for us to use your image in the
future. We will ask about specific types of use for your images. We will pay
particular attention to any images which feature children.
In the case of large group shots or edited films, and images
which have been shared widely, it may not be practically possible to remove
your individual image. For example, we would be unlikely to be able to remove a
brief shot of you from a substantial edited video with many participants, in
the event that you later choose to withdraw permission.
In such a case, we may have a legitimate interest to continue
using that image or film. We would always balance this legitimate charitable
interest with the impact on the needs and rights of any individual concerned.
GDPR takes into account the level of investment, and legitimate interests of an
organization when considering the approach which must be taken to images.
It is not always practical to seek written permission for use of
photographs of large groups at public events - for example, images of a large
outdoor party with 300 attendees.
In such cases, we will make all attendees aware that group
photographs are being taken, and offer them the option to be excluded from
images, or not to attend.
Sharing images
We will use images for publicizing our work, reporting to
funders, and for historical archiving. We may use the images on social media,
our website, or for print media. We will ask separately whether you are happy
for us to use your image for specific purposes, especially where it may be in
the context of any commercial or fundraising request.
How will we store it?
We will store videos and images in digital format, in cloud
storage, and on hard media such as DVDs and Blu-Rays.
How long will we keep your information?
For individual images, 3 years; for material featuring multiple
subjects and edited films, 5 years.
6.7 Fundraising and donor information
Example: making a donation to T&T
via the ‘make a donation’ link on the website
Time and Talents receives a limited number of donations from
individuals and does not currently have an extensive individual fundraising
programme, or lists of individual donors.
When you make a donation, unless you make it anonymously, we
will ask for information that enables us to administer your donation. This
will normally include information such as your name, contact details, and your
payment details. We will not retain payment information beyond the immediate
use. If you use our third party payment services, you can choose whether or not
your financial information is stored for future use.
Sharing your information
We will never share your information with any other parties,
unless it is
· in order to process the donation, payment or gift aid
· in order to comply with a legal requirement
· in any other case, with your express consent
How will we store it?
We will store this information in our secure accounting
software, and on paper financial records in a locked filing cabinet.
How long we will keep your information?
7 years, to comply with HMRC regulations, and 4 years to comply
with Gift Aid regulations
6.8 Historical Connections
Example: Sending a Christmas card or
newsletter to one of the oldest members of T&T from the 1930s.
Although we are no longer an official membership organisation, Time
and Talents has been a society of friends and supporters for 131 years. Our
long relationships, deep roots, history, and transgenerational links are among
our greatest strengths.
Some of our existing/remaining personal connections predate any
kind of data protection legislation, were based on personal trust in the
Settlement, and were never entered into on the expectation that they would need
to give signed consent etc. This includes many people who are now very elderly,
and would not necessarily be able to re-sign up for consent via email, or send back
letters telling us to continue contacting them. Some may be very lonely, and
their sense of continued connection to their past is very important. We
therefore have a legitimate charitable interest in maintaining those links and
holding that information.
In those particular cases of lifetime friends of T&T, we
will continue to hold those details for the rest of that person’s lifetime. Of course,
any further correspondence or contact will maintain the option to remove their
data from our systems.
6.9 Historical Archives
Example: Keeping the minutes from a
meeting about redevelopment in the 1990s, or sharing an archive image online, featuring
the first children’s computing classes in the 1980s.
Time & Talents has an historical archive held at the London
Metropolitan Archive. It also has an archive from the 1980s onwards which we
currently hold in our own secure storage. Our goal is to find funding to
catalogue and log the more recent archive fully in the near future, with a view
to storing this also with the LMA.
This material is of historical significance and therefore
subject to certain exemptions under GDPR for libraries and historical archives
which may contain personal information.
Sharing this information
There are many potential purposes that historical information
can be put to – we may wish to create historical materials and museum exhibits,
or to post blog posts on the website. We will share any archive historical
materials with caution, especially where it may have any foreseeable impact on
people who are still living, while keeping it safely for future or present
study.
How we store your information and data
Most of our archive material is stored in paper copy in our
secure storage room. Some material is digitized, although most of this is in
the London Metropolitan Archive.
7. Online and digital privacy
We know that online and digital privacy is something that people
take increasingly seriously, and we welcome people taking more care with how
their data is shared online. Although we are a very small charity, we have some
digital services we use which store and process information from the public,
and you can find out more about these below.
7.1 Website
Our website is hosted by a US company, Siteground, a trusted and
high-quality web hosting company. We pay them to store and look after our
website rather than having to have it on a machine here at T&T, which would
be a lot harder to keep going. That means that when you submit a form via our
website – for example, applying to be a volunteer – that information goes via
another computer in the US.
You can find information on how Siteground is preparing for GDPR
here. https://www.siteground.com/blog/gdpr-siteground-getting-ready/
As of writing, they are preparing their final terms of service
for 25th May 2018. Their current terms can be found here: www.siteground.com/terms.htm
7.2 Cookies
Because cookies are such an integral
part of the internet, we assume you consent to cookies by using our site.
However, you can always choose to remove or refuse them.
Cookies are little bits of information
stored in your browser (Chrome, Firefox, Edge, etc) to make browsing between
pages in a site work better, or to make sure a site remembers you when you come
back. Most websites use them – without cookies, pages tend to be quite limited
in what they can do.
We use two specific types of cookies on our
website:
We will use the session cookies to keep the
continuity of your session while you navigate the website (e.g. so that if you
click an action on one page, the next page knows what action has been taken).
We will use the persistent cookies to enable our website to recognise you when
you return to the site.
We use Google Analytics to analyse the use of this
website. Google Analytics generates statistical and other information about
website use by means of cookies, which are stored on users’ computers. The
information generated related to our website is used to create reports about
the use of the website. Google will store this information. Find out more about Google's position on privacy as regards its analytics service.
Most browsers allow you to reject all
cookies. For example, in Internet Explorer you can refuse all cookies by
clicking “Tools”, “Internet Options”, “Privacy” and selecting “Block all
cookies” using the sliding selector. As with all websites, blocking all
cookies will make the website much less easy to use.
Third Party Cookies are cookies set on your machine by external websites whose services
are used on this site. Cookies of this type are the sharing buttons across the
site which allow visitors to share content onto social networks such as Twitter
and Facebook. In order to implement these buttons, and connect them to the
relevant social networks and external sites, there are scripts (little snippets
of programmes) from domains outside of our website. We include these links
because most other sites do, and it makes it easier for you to share our
content with your friends online, if you wish to.
You should check the respective policies of each of these sites
to see how exactly they use your information and to find out how to opt out, or
delete, such information.
7.3 Office systems
Our email, calendar, and general office IT uses Microsoft Office
365 technology, which meets GDPR requirements. They have extensive privacy terms
which you can find here:
http://www.microsoftvolumelicensing.com/DocumentSearch.aspx?Mode=3&DocumentTypeId=31
Our cloud servers store data in the UK/EU, and are fully GDPR
compliant.
7.4 Keeping in touch via email
We regularly send out emails like newsletters or announcements. Some
emails that we send you have no tracking in at all e.g. service emails with
invoices attached. For other emails we send, we can track whether the user has
opened and clicked on the email. We don’t use this information at a personal
level - we just use it to understand open and click rates on our emails to try
and improve them. If nobody opens an email, we go back to the drawing board on
what to include in future. If you want to be sure that none of your email
activity is tracked then you should opt out of our emails which you can do via
the unsubscribe link at the bottom of every email we send.
We use an industry standard email tool, MailChimp, to send bulk
emails. Mailchimp’s servers are in the US, so you need to be aware that in
principle, when you sign up to a newsletter, your information is being stored
in the US. Again, this is in common with many other websites across the world.
Mailchimp have rigorous privacy and data protection policies,
have readied themselves for GDPR, and are signed up to the EU-U.S. Privacy Shield Framework and the Swiss-U.S.
Privacy Shield Framework.
You can see their data protection policy here:
https://mailchimp.com/legal/privacy/?_ga=2.122759821.744864651.1524845882-548677225.1389091954
7.5 Online Donations and Payments
Our online donations, and marathon fundraising, are processed by
Virgin Money Giving. You can find their privacy policy here: https://uk.virginmoneygiving.com/giving/terms/privacy-policy.jsp
Financial transactions made online to Time and Talents using the
Virgin Money website link are secured by Virgin Money. No one can access your
credit card details via the internet.
Our online bookings system is managed by Kajima (Bookings plus).
Their privacy policy can be found here: https://www.bookingsplus.co.uk/privacy-policy/
Payments through the bookings system are through ‘Stripe’. Their
privacy policy is here: https://stripe.com/gb/privacy
We will never, ever, contact you by email asking you for
payments, passwords or credit card details. If anyone ever claims to be from
T&T, please end the call and call us back at the office to notify and check
with us.
7.6 Database
Our user database is stored ‘in the cloud’ (that means it isn’t
stored on our own computers, but with a larger company in a secure internet
‘data warehouse’). This is generally much safer for small companies, helping us
avoid hacking, viruses, and so on. The database is run by Lamplight, and a
summary of the protections for this very sensitive database and the information
it holds can be found here. https://www.lamplightdb.co.uk/the-system/gdpr/system-security/ They too are making
preparations for GDPR and will be ready for the May deadline.
8. Making Changes
You can request changes to, or ask to remove, the data we
hold, and how we use it.
Should you wish to change your contact preferences, or to remove
yourself from our records, you can do this by writing to us at info@timeandtalents.org.uk, or by telephone to our main office number.
You can request to see
your personal data. We will always comply wherever we can, where the request is
proportionate, realistic, and reasonable. We can refuse to comply with a request for
erasure if it is manifestly unfounded or excessive, taking into account whether
the request is repetitive in nature.
You can also request erasure from our records.
9. Legal requirements
Like all organisations, we comply with requests for the
disclosure of personal information where this is required or permitted by law. This
could include requests from law enforcement or tax agencies. In these
circumstances, the request must be submitted in writing and in accordance with
the relevant legal requirements.
10. Complaints
And finally, if you believe your privacy rights have been
violated, you may file a complaint with us or with the Information Commissioner’s
Office https://ico.org.uk/. We would
always prefer you talk to us first, however, as usually it is very easy to fix
any errors or problems.