GRASAC are committed to protecting and respecting the privacy of all individuals who use and support our organisation and recognises the importance that correct and lawful treatment of this data has in maintaining confidence in the organisation.
Everyone has rights regarding the way in which their personal information is handled. During the course of our activities we will collect, store and process personal information about our service users, funders, suppliers and other third parties.
This policy sets out the basis on which any personal information we collect from you, or that you provide to us, will be processed by us. Please read the following carefully to understand our views and practices regarding your personal information and how we will treat it.
For the purpose of UK data protection laws, the data controller is Rape and Sexual Abuse Centre Gloucestershire of PO Box 16, Gloucester GL4 0RU.
- Personal data: any information that could directly or indirectly identify an individual (data subject).
- Sensitive data/ special category data: relating to an individual’s racial or ethnic origin, politics, religious beliefs, physical or mental health, sexual orientation, criminal record, trade union affiliation, finance.
- Data controller: the organisation which collects and determines the use of personal data.
- Processing: any operation performed on personal data such as collection, storage, retrieval, transfer or transmission, dissemination, deletion/destruction, or adaption and alteration.
- Consent: freely-given, specific, informed and unambiguous indication by statement or clear affirmative action, signifying agreement to the processing of personal data.
• Data breach: a breach of security leading to the accidental; or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data.
3. DATA PROTECTION PRINCIPLES
When processing your information, we comply with the six enforceable principles of good practice. These state that your personal information must be:
• processed lawfully, fairly and in a transparent manner,
• processed for specified, explicit and legitimate purposes,
• adequate, relevant and limited to what is necessary,
• accurate and kept up-to-date,
• kept for no longer than is necessary, and
• processed in a manner than ensures appropriate security.
4. INFORMATION YOU GIVE TO US
We may collect, use, store and transfer different kinds of personal information about you, including:
• Identity Data, such as your name, profile id or similar identifier, marital status, title, date of birth, gender,
• Contact Data, such as your residential address, billing address, email address and telephone numbers,
• Financial Data, such as bank account and payment details if you have provided a service to us, attended a paid event hosted by GRASAC or donated to our organisation,
• Technical Data, including IP addresses, your log-in data, browser type and version, time-zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access our website,
• Profile Data, such as your username, password, purchases or orders made by you, your interests, preferences, feedback and survey responses,
• Usage Data, including information about how you use our website, products and services,
5. ‘SPECIAL CATEGORY’ DATA
Information relating to your racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, criminal convictions, sex life or sexual orientation, or certain types of genetic or biometric data is known as ‘special category’ data.
Depending on your interaction with us, we may collect, use, store and transfer special category data.
6. HOW WE COLLECT YOUR PERSONAL INFORMATION
We may obtain personal information by directly interacting with you or a third party whom you have given consent to contact us on your behalf, such as:
• Through external referrals made either electronically, face to face or by phone, either directly from yourself or via third parties
• Contacting us via private messaging or other social media functions on our website or social media platforms,
• Accessing and using our services, including email support, helpline, groups, ISVA service and our specialist support service,
• Through fundraising and awareness raising activities, such as making donations, attending a fundraising event or taking part in fundraising/ awareness raising activities,
• Completing a survey organised by us, or otherwise providing us with feedback,
• subscribing to our services or publications, or otherwise requesting marketing material or service information to be sent to you, or
• corresponding with us by phone, email, letters, electronic applications or otherwise.
• We may obtain personal information via automated technology when you interact with our website by using cookies, server logs and other similar technologies.
We may also collect personal information about you from third parties or publicly-available sources, such as:
• analytics providers (such as Google and WordPress),
• advertising networks,
• search information providers
• providers of technical, payment and delivery services,
• This could be if you provide a donation through a third party such as Virgin Money Giving or one of the other third parties that we work with and provide your consent for your personal information to be shared with us.
• When you interact with us through partners or suppliers working on our behalf.
7. HOW WE USE YOUR PERSONAL INFORMATION
We will only use your personal information when the law allows us to. Most commonly, we will use your personal information in the following circumstances:
• you have given us consent,
• we need to perform a contract we are about to enter, or have entered into, with you,
• to report to funders and other regulatory bodies,
• to monitor and evaluate our services, including monitoring for equal opportunities purposes
• where it is necessary for our or a third party’s legitimate interests, and your interests and rights do not override those interests, or
• where we need to comply with a legal or regulatory obligation.
We will only use ‘special category’ information:
• provided we have your explicit consent to use it,
• where we believe that we need to use that data to protect your vital interests and where you are not able to provide us with your explicit consent,
• where it will be necessary to protect the vital interests of others,
• where it is necessary for reasons of substantial public interest,
• where it is necessary for the purposes of preventive or occupational medicine, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional,
• where it is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.
• where you have previously made that data public knowledge, or
• if we need to use that data to establish, exercise or defence legal claims or processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity;
8. PURPOSES FOR WHICH WE WILL USE YOUR PERSONAL INFORMATION
We may use your personal information for a number of different purposes. For each purpose, we are required to confirm the ‘legal basis’ that allows us to use your information, as follows:
Purposes for which we will use the information you give to us Legal basis
Where you are accessing, or are making enquiries into accessing one of our specialist support services or groups It will be necessary for the performance of the contract between you and us.
It will be necessary for the purposes of preventative or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional.
Where you are applying for a volunteering or staff position within GRASAC It will be necessary for the performance of the contract between you and us.
It will be necessary for our legitimate business interests, namely, to ensure that we give you the most relevant and correct information and resolve any enquiries you may have as well as to monitor and evaluate our service activities as well as performing services.
It will be necessary for us to comply with legal obligations to which we are subject under UK employment law, UK Safeguarding laws and UK laws regulating and governing volunteers and voluntary workers.
In the event of a safeguarding concern It will be necessary for the purpose of protecting your vital interests.
It will be necessary for protecting the vital interests of another individual
It will be necessary for us to comply with legal obligations to which we are subject under UK Safeguarding laws.
Where you are making enquiries regarding our organisation and its activities It will be necessary for our legitimate business interests, namely, to ensure that we give you the most relevant and correct information and resolve any enquiries you may have as well as to monitor and evaluate our service activities
Where you are acting as a representative of a company or organisation, then to register that company or organisation It will be necessary for our legitimate business interests, namely with a view to performing services
To invite you to events, such as, workshops, fundraising and awareness raising events, and thereafter to manage your attendance at the event in questions to include managing information on your dietary preferences if the event is catered It will be necessary for our legitimate business interests to ensure you are aware of the latest legal developments in relation to the legal services we have provided to you, or are providing to you, or otherwise to develop our relationship with you outside of the working environment
Where you would not normally have a reasonable expectation of receiving such invites from us, we will only send you invites if you agree
Where the information collected relates to any dietary preference which may be considered to be ‘special category data’, for example by indicating a particular religious or philosophical view, or a medical issue or allergy, we will only process this information with your explicit consent
To obtain further information about you, any company or organisation you represent, and the matter that is the subject of the services we have agreed to provide It will be necessary for our legitimate business interests to ensure we are fully aware of all issues relating to the matter that is the subject of the services we have agreed to provide
To process personal information to help us with our work and activities It will be necessary for our legitimate business interests for the purposes of service analysis and to help us with our activities and provide you with relevant information and, where you have consented to us doing so, for direct marketing or service feedback.
To make our marketing and awareness campaigns more targeted and relevant to potential donors and service users. It will be necessary for our legitimate business interests
To process your donations or other payments, to claim Gift Aid on your donations and verify any financial transactions To comply with the Charities Act 2016 and follow the recommendations of the official regulator of charities, the Charity Commission, which require us to identify and verify the identity of supporters who make major gifts so we can assess any risks associated with accepting their donations.
It is also a requirement of HMRC.
We will only use your personal information for the purpose(s) for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal information for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.
Please note that we may process your personal information without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.
GRASAC treats your information with respect. We do not sell your details to any third parties and we do not share personal information outside of our organisation unless we have your consent or the following applies;
• the sharing is strictly for the performance of GRASAC’s operational functions (e.g. outsourcing of business functions)
• the sharing is a legal requirement or is otherwise legitimate without consent as set down in the GDPR, for example where it is necessary for protecting the vital interests of yourself or another individual.
If the above applies, we will discuss the situation with you before we share any information. If you would like more information regarding the above, please contact firstname.lastname@example.org for our confidentiality policy.
A cookie is a small file which asks permission to be placed onto your device. The benefits of enabling cookies are that they enable websites to recognise your devices and respond to you as an individual, so that sites can work more effectively.
Cookies also gather information about how you use the site. We use traffic log cookies to identify which pages are being used. This helps us analyse data about webpage traffic and improve our website in order to tailor it to our user’s needs. We only use this information for statistical analysis purposes and a cookie by itself cannot be used to identify you.
Overall, cookies help us provide you with a better website by enabling us to monitor which pages our user’s find useful and which they do not. A cookie in no way gives us access to your computer or any information about you, other than the data you choose to share with us.You can choose to accept or decline cookies. Most web browsers automatically accept cookies, but you can usually modify your browser setting to decline cookies if you prefer.
Our website, https://www.glosrasac.org, uses Google Analytics, provided by Google Inc. through WordPress plugins Google Analytics Dashboard and Jetpack to analyse traffic to our website.
10. DISCLOSURE OF YOUR INFORMATION
We may share your personal information with the parties set out below:
• providers of IT and system administration services to our organisation, including; GCC IT Solutions, Lamplight Database Systems, Egress Software Technologies Ltd. Montpellier Integrated, XCS Group, Agility Secure and Microsoft Office 365,
• providers of professional services to our organisation including; Susan Urch Freelance Finance Officer,
• organisations with whom we are affiliated, such as Rape Crisis England and Wales
• our professional advisers (including solicitors, bankers, auditors and insurers),
• HM Revenue & Customs, the Information Commissioner’s Office, Charity Commission, regulators and other authorities who require reporting of processing activities in certain circumstances,
• analytics and search engine providers that assist us in the improvement and optimisation of our website, and
• third parties to whom we may choose to sell, transfer, or merge parts of our business or our assets. Alternatively, we may seek to acquire other businesses or merge with them. If a change happens to our business, then the new owners may use your personal information in the same way as set out in this policy.
We require all third parties to respect the security of your personal information and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal information for their own purposes and only permit them to process your personal information for specified purposes and in accordance with our instructions.
11. WHERE WE STORE YOUR PERSONAL INFORMATION
All information you provide to us is stored on our secure servers located in the United Kingdom.
We will take all steps reasonably necessary to ensure that your data is treated securely, including taking the following safeguards:
• Building entry controls. Locked door at all times with pin entry control both externally and internally.
• Secure lockable desks and cupboards. Desks and cupboards are kept locked when not in use if they hold confidential information of any kind.
• Methods of disposal. Paper documents are disposed of by shredding in a manner that ensures confidentiality.
• PC Security and Anti-Virus – Through GCC IT Support all GRASAC PCs have Microsoft Anti-Virus protection and remote monitoring to maintain PC maintenance and compliance.
• Specific IT software – Electronic data is held securely with access available only to trained staff members.
• Secure Email –Egress is used to electronically transfer sensitive and personal information both within and outside of our organisation.
• Overseas transfers. Whenever we transfer your personal information outside the United Kingdom, we ensure a similar degree of protection is afforded to it by ensuring that we apply appropriate safeguards (either by transferring data only to recipients in the European Union, to recipients in countries approved by the European Commission, to recipients that are party to the EU-US Privacy Shield, or by using specific contracts approved by the European Commission).
If you are concerned about the levels of data security in any of those countries, please let us know and we will endeavour to advise what steps will be taken to protect your data when stored overseas.
Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal information, we cannot guarantee the security of your data transmitted to our website; any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access.
12. HOW LONG WE WILL STORE YOUR PERSONAL INFORMATION
The length of time that we will store your data will depend on the ‘legal basis’ for why we are using that data, as follows:
Legal basis Length of time
Where we use/store your data because it is necessary for the performance of the contract between you and us We will use/store your data for as long as it is necessary for the performance of the contract between you and us
Where we use/store your data because it is necessary for us to comply with a legal obligation to which we are subject We will use/store your data for as long as it is necessary for us to comply with our legal obligations
Where we use/store your data because it is necessary for our legitimate business interests We will use/store your data until you ask us to stop. However, if we can demonstrate the reason why we are using/storing your data overrides your interests, rights and freedoms, then we will continue to use and store your data for as long as it is necessary for the performance of the contract between you and us (or, if earlier, we no longer have a legitimate interest in using/storing your data)
Where we use/store your data because you have given us your specific, informed and unambiguous consent We will use/store your data until you ask us to stop
To determine the appropriate retention period for personal information, we consider the amount, nature and sensitive of the personal information, the potential risk of harm from unauthorised use or disclosure of your personal information, the purposes for which we process your personal information and whether we can achieve those purposes through other means, and the applicable legal requirements.
13. YOUR RIGHTS
You have various legal rights in relation to the information you give us, or which we collect about you, as follows:
• You have a right to access the information we hold about you free-of-charge, together with various information about why and how we are using your information, to whom we may have disclosed that information, from where we originally obtained the information and for how long we will use your information.
• You have the right to ask us to rectify any information we hold about you that is inaccurate or incomplete.
• You have the right to ask us to erase the information we hold about you (the ‘right to be forgotten’). Please note that this right can only be exercised in certain circumstances and, if you ask us to erase your information and we are unable to do so, we will explain why not.
• You have the right to ask us to stop using your information where: (i) the information we hold about you is inaccurate; (ii) we are unlawfully using your information; (iii) we no longer need to use the information; or (iv) we do not have a legitimate reason to use the information. Please note that we may continue to store your information,or use your information for the purpose of legal proceedings or for protecting the rights of any other person.
• You have the right to ask us to transmit the information we hold about you to another person or company in a structured, commonly-used and machine-readable format. Please note that this right can only be exercised in certain circumstances and, if you ask us to transmit your information and we are unable to do so, we will explain why not.
• Where we use/store your information because it is necessary for our legitimate business interests, you have the right to object to us using/storing your information. We will stop using/storing your information unless we can demonstrate why we believe we have a legitimate business interest which overrides your interests, rights and freedoms.
• Where we use/store your data because you have given us your specific, informed and unambiguous consent, you have the right to withdraw your consent at any time.
• You have the right to object to us using/storing your information for direct marketing purposes.
If you wish to exercise any of your legal rights, please contact our Service Director by writing to the address at the top of this policy, or by emailing us at email@example.com.
You also have the right, at any time, to lodge a complaint with the Information Commissioner’s Office if you believe we are not complying with the laws and regulations relating to the use/storage of the information you give us, or that we collect about you.
OPTING OUT OF RECEIVING MARKETING COMMUNICATIONS
You can ask us to stop sending you marketing communications at any time by contacting our Service Director by writing to the address at the top of this policy, or by emailing us at firstname.lastname@example.org.
We do not use automated decision-making processes.
THIRD PARTY LINKS
Our website may include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. When you leave our website, we encourage you to read the privacy notice of every website you visit.
CHANGES TO OUR POLICY
Any changes we make to our policy in the future will be posted on our website and, where appropriate, notified to you by email. Please check our website frequently to see any updates or changes to our policy.
Questions, comments and requests regarding this policy are welcomed and should be addressed to our Service Director by writing to the address at the top of this policy, or by emailing us at email@example.com.