Wooden Spoon Personal and Sensitive Data Policy – Updated December 2022
Scope
This policy applies to all personal and sensitive data processed and accessed by employees and volunteers of Wooden Spoon.
Context
The General Data Protection Regulation (GDPR) is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU). It has been retained in UK law as the UK GDPR.
The GDPR requires holders of data to protect that data so that it cannot cause harm to living individuals, and to demonstrate respect for the people it concerns.
Principles
The GDPR is based around a set of data protection principles, with an emphasis on transparency and accountability, which should drive how we record and store data as follows:
- Lawfulness, fairness and transparency – Only record data that you would be happy for the individual to see: facts.
- Purpose limitation – Only use/process the data recorded for the purpose for which it was collected.
- Data minimisation – We ask for and record the minimum of personal data.
- Accuracy – We ensure that all data is recorded as accurately as possible and make any changes requested by individuals promptly.
- Storage limitation – Wooden Spoon has a policy of cleansing data in accordance with Gift Aid retention rules (currently seven years).
- Integrity and confidentiality (security) – Our database is encrypted and secure. Personal data is only to be recorded there, and paper records must be secured at the end of each day.
Lawfulness, fairness and transparency
Wooden Spoon will only process personal data where the charity has at least one of six ‘lawful bases’ (legal reasons) to do so under data protection law (UK GDPR Article 6):
Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
Contract: the processing is necessary for a contract you have with the individual, or because they have asked Wooden Spoon to take specific steps before entering into a contract.
Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
Vital interests: the processing is necessary to protect someone’s life.
Public task: the processing is necessary for Wooden Spoon to perform a task in the public interest or for the charity’s official functions, and the task or function has a clear basis in law.
Legitimate interests: the processing is necessary for the legitimate interests of Wooden Spoon or a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.
Whenever Wooden Spoon first collects personal data directly from individuals, the charity will provide them with the relevant information required by data protection law on how their data is processed through the use of the relevant privacy notice.
Good practice principles
- Wooden Spoon does not use information that identifies individuals unless it is absolutely necessary.
- We keep the use of such information to a minimum and only use for the stated purpose.
- We are always able to justify why we are using the information.
- We do not leave confidential files and correspondence where they can be read by unauthorised people.
- We password-protect confidential files and keep the passwords secure: they are changed regularly and never shared.
Purpose limitation, data minimisation and accuracy
Wooden Spoon will only collect personal data for specified, explicit and legitimate reasons.
The charity will explain these reasons to the individuals when first collecting their data by issuing them with the relevant privacy notice.
If the charity wants to use personal data for reasons other than those given when originally obtained, Wooden Spoon will inform the individuals concerned before proceeding, and give them the option to object.
Staff and volunteers must only process personal data where it is necessary in order to fulfil their role. When staff and volunteers no longer need the personal data they hold, they must ensure it is deleted or anonymised. This will be done as set out in Wooden Spoon’s privacy notices available on the charity website.
Data collection
We collect, store and use the following kinds of personal information:
- Full Name
- Contact details (including postal address, telephone number, e-mail address and/or social media identity);
- Date of birth;
- Gender;
- Bank or credit card details where these are provided to make a donation or payment;
- For volunteers and staff, information necessary for us to process their applications and assess their suitability (which may include things like employment status and previous experience, depending on the context, as well as any unspent criminal convictions or pending court cases they may have);
- Information about individuals’ activities on our website(s) or social media platforms when they interact with us, and about the device they use to access these, for instance their IP address and geographical location;
- Information about events and activities that may be of interest to supporters;
- Where an individual has left us a legacy, any information regarding next of kin or executors whose information they may have provided to administer their gift;
- Information as to whether an individual is a taxpayer and pays sufficient tax in order to enable us to claim Gift Aid;
- Age and ethnicity information for monitoring purposes; and any other personal information provided to us.
Certain types of personal information are in a special category under data protection laws, as they are considered to be more sensitive. Examples of this type of sensitive data (known as “special category data”) would be information about health, race, religious beliefs, political views, trade union membership, sex life or sexuality, or genetic/biometric information.
We only collect this type of information about our supporters or beneficiaries where there is a clear reason for us to do so, for example asking for information on the beneficiaries’ medical conditions for monitoring and reporting purposes and to ensure we are providing funds to charities that need the most support.
Wherever it is practical for us to do so, we will make clear why we are collecting this type of information and what it will be used for.
How we use personal information
We use personal information for the following purposes:
Charity Management
- To further our charitable objectives
- Administer our websites and to troubleshoot, perform data analysis, research, generate statistics and surveys related to our technical systems
- Test our technical systems to make sure they are working as expected
- Display content in a way appropriate to the device a supporter is using (for example if they are viewing content on a mobile device or a computer)
- Generate reports on our work, services and events
- Safeguard our staff and volunteers
- Meet our legal obligations, for instance to perform contracts or our obligations to regulators, government and/or law enforcement bodies
- Carry out fraud prevention and money laundering checks
- Undertake credit risk reduction activities and/or establish, defend or enforce legal claims
- Conduct training and quality control
Supporter Care
- Provide supporters with the services, products or information they have asked for
- Keep a record of our relationships with supporters
- Respond to or fulfil any requests, complaints or queries made to us
- Check for updated contact details against third party sources so that we can stay in touch if supporters move (see “Keeping your information up to date” below);
- To send our supporters correspondence and communicate with them, using traditional channels and via social media platforms
- Process applications for jobs or volunteering positions
Finance
- Administer donations or support fundraising, including processing Gift Aid
- Audit and administer our accounts
Fundraising
- Understand how we can improve our services, products or information by conducting analysis and market research
- Manage our events
- To send our supporters correspondence and communicate with them, using traditional channels and via social media platforms
- Identify potential supporters, donors, researchers or other partners
- Monitor website use to identify visitor location, guard against disruptive use, monitor website traffic, personalise information which is presented to supporters
Project Funding
- Process applications for funding and for the administration of our role in the projects we fund
- Monitor the appropriate use of grant funds
- Conduct due diligence and ethical screening
Consent
Data protection law (in the UK, the Privacy and Electronic Communications Regulations (PECR), which sit alongside the GDPR) states that there are some forms of communication, and some types of processing of data, that always require the individual’s consent.
You specifically need consent to send direct marketing by:
- Email to email addresses owned by individuals;
- SMS;
- making automated telephone calls; or
- making telephone calls to individuals who are on the Telephone Preference Service (TPS).
Obtaining consent
- We check that consent is the most appropriate lawful basis for processing.
- We make the request for consent prominent and separate from our terms and conditions.
- We ask people to positively opt in to email and SMS and opt out of postal mail and telephone.
- If people choose to opt out we offer them the options ‘No fundraising communications’, ‘No newsletter’, ‘No to legacy marketing’ or ‘No to any contact whatsoever’.
- We don’t use pre-ticked boxes or any other type of default consent unless the consent has been previously given.
- We use clear, plain language that is easy to understand.
- We specify why we want the data and what we’re going to do with it.
- We give separate, distinct (‘granular’) options to consent separately to different purposes and types of processing.
- We name our organisation and any third party controllers who will be relying on the consent.
- We tell individuals they can withdraw their consent.
- We ensure that individuals can refuse to consent without detriment.
- We avoid making consent a precondition of a service.
Recording consent
- We keep a record of when and how we got consent from the individual.
Managing consent
- We regularly review consents to check that the relationship, the processing and the purposes have not changed.
- We have processes in place to refresh consent at appropriate intervals, including any parental consents.
- We make it easy for individuals to withdraw their consent at any time and publicise how to do so.
- We act on withdrawals of consent as soon as we can.
- We don’t penalise individuals who wish to withdraw consent.
Legitimate Interest
We have a basis to use an individual’s personal information if it is reasonably necessary for us (or others) to do so and in our/their “legitimate interests” (provided that what the information is used for is fair and does not unduly impact their rights).
We consider our legitimate interests to include all of the day-to-day activities Wooden Spoon carries out with personal information. Some examples not mentioned under the other bases above where we are relying on legitimate interests are:
- Updating our supporters on fundraising activities that they have signed up to;
- Analysis and profiling of our supporters or potential supporters;
- Updating individuals’ addresses using third party sources if they have moved house;
- Use of personal information when we are monitoring use of our website or apps for technical purposes;
- Use of personal information to administer, review and keep an internal record of the people we work with, including supporters, volunteers and funders;
- Where an individual has signed up with us on a charity place for a third party event (for example a sponsored run not organised by Wooden Spoon), sharing personal information with the third party event organiser so they can administer the event;
- Wooden Spoon may contact an individual by telephone for marketing purposes only if it is a live (person to person) call and the person has not opted out of telephone marketing, either by contacting us directly or via the Telephone Preference Service;
- Legitimate interest is a lawful condition for sending direct marketing by post, for live calls to telephone numbers not on the TPS, or by email to email addresses owned by corporate bodies.
We only rely on legitimate interest where we consider that any potential impact on individuals (positive and negative), how intrusive it is from a privacy perspective and their rights under data protection laws do not override our (or others’) interests in using their information in this way.
Specialist research
As a fundraising organisation, we undertake specialist research and from time to time engage specialist agencies such as Prospecting for Gold to gather information from publicly available sources, for example Companies House, the Electoral Register, company websites, ‘rich lists’, social networks such as LinkedIn, political and property registers and news archives.
We may also carry out wealth screening to fast track the research using our trusted third party partners. Our supporters will always have the right to opt out of this processing. We may also carry out research using publicly available information to identify individuals who may have an affinity to our cause but with whom we are not already in touch. This may include people connected to key supporters and volunteers. We may also carry out due diligence on supporters in line with the charity’s gift acceptance policy and to meet money laundering regulations.
Sharing Data With Third Parties
Wooden Spoon does not sell data to any third parties. We only share personal data with third party suppliers and sub-contractors (referred to in the GDPR as processors) who process information on our behalf, for example to enable fulfilment of a mailing or the organisation of an event. We have contracts in place with all third party suppliers to ensure they are obligated to treat our supporters’ personal data in compliance with the UK GDPR and the Data Protection Act 2018.
Sensitive Data
The GDPR defines some types of personal data as “sensitive” (special category data), for example racial/ethnic classification, political opinions, religious beliefs, trade union membership, genetic data, biometric data, health, sex life and sexual orientation. Criminal records are treated separately under the GDPR (Article 10) but are handled by Wooden Spoon with the same safeguards.
Data Retention
All supporter personal data collected by Wooden Spoon is held on our secure and encrypted CRM, Salesforce. As a basic guideline, supporter/donation information is held on our CRM for seven years after the supporter’s last donation, fundraising activity or membership cessation. This baseline has been selected as it is in line with HMRC default standard retention periods.
Some supporter personal data is also held in additional secure and encrypted systems to enable Wooden Spoon to operate. For example, we use a financial provider to take credit card payments, however, all providers need to adhere to strict GDPR policies and data is only held for processing purposes.
All communications from Wooden Spoon offer supporters a clear option to opt out at any time.
Keeping information up to date
Wooden Spoon may use information from external sources such as the post office national change of address database and/or the public electoral roll to identify when we think supporters have changed address so that we can update our records and stay in touch. We only use sources where we are confident that the supporter has been informed of how their information may be shared and used.
We do this so we can continue to contact supporters where they have chosen to receive marketing messages from us, and contact them if we need to make them aware of changes to our terms or assist them with problems with donations.
This activity also prevents us from having duplicate records and out of date preferences, so that we don’t contact supporters when they have asked us not to.
We’re committed to putting our supporters in control of their data. We encourage them to contact us if they would like to opt out of activity.
Destruction of records
Private or confidential obsolete records must be permanently destroyed using one of the following:
- Shredding
- Outsourcing confidential disposal
- Physical destruction of hard disks
- Use of approved data erasure software
Media
- Where Wooden Spoon media (videos and photographs) are taken by Wooden Spoon or received from projects, volunteers or supporters, careful consideration should be given as to whether the use of such photographs or videos could render them as personal data within the GDPR.
- Photographs meet the definition of personal data where they can be related to an identifiable individual. Where a photograph is stored with other personal information about the subject, such as employment records, it will be personal data. In such cases, consent must be obtained from the individual at the time of taking the image.
- All photographs and video of individuals taken or used by Wooden Spoon in promotional material, PR or digital channels are treated as personal data and held by marketing and communications. The marketing and communications department records all consent in writing and records this on the Salesforce database.
- Should Wooden Spoon wish to use a photograph or video as part of a multi-channel campaign, marketing and communications will advise the individual in advance, the reason for its use and asks for written consent for publication.
- Marketing and communications hold its photographs and videos on a secured digital drive.
- Marketing and communications also hold ‘case study’ stories of individuals, staff and volunteers to raise awareness of its work. These stories are held and employed under the same guiding parameters as the photographs and videos above.
Subject access requests
Individuals have a right to make a ‘subject access request’ to gain access to personal information that Wooden Spoon holds about them. This includes:
- Confirmation that their personal data is being processed
- Access to a copy of the data
- The purposes of the data processing
- The categories of personal data concerned
- Who the data has been, or will be, shared with
- How long the data will be stored for, or if this isn’t possible, the criteria used to determine this period
- The source of the data, if not the individual
- Whether any automated decision-making is being applied to their data, and what the significance and consequences of this might be for the individual
Subject access requests should be submitted in writing, either by letter or email to Wooden Spoon. They should include:
- Name of individual
- Correspondence address
- Contact number and email address
- Details of the information requested
If any staff receive a subject access request they must immediately forward it to the Data Protection Officer.
Responding to subject access requests
When responding to requests, Wooden Spoon:
- May ask the individual to provide two forms of identification
- May contact the individual via phone to confirm the request was made
- Will ordinarily respond without delay and within one month of receipt of the request
- Will provide the information free of charge
- May, where a request is complex or numerous, extend the response time by a further two months (three months in total from receipt), telling the individual within the first month why the extension is needed.
Wooden Spoon will not disclose information, for example if it:
- Might cause serious harm to the physical or mental health of the subject or another individual
- Results in the disclosure of information relating to another individual who can be identified and where such information cannot be reasonably or sufficiently redacted by Wooden Spoon
If a request is manifestly unfounded or excessive, Wooden Spoon may refuse to act on it, or charge a reasonable fee based on administrative costs. A request may be deemed unfounded or excessive if it is repetitive or asks for further copies of the same information.
Individuals also have the right to:
- Withdraw their consent to the processing of data, where consent is needed to process it, at any time
- Ask the charity to rectify, erase or restrict processing of their personal data, or object to the processing of it (in certain circumstances)
- Prevent use of their personal data for direct marketing
- Challenge processing which has been justified on the basis of public task and legitimate interest
- Request a copy of agreements under which their personal data is transferred outside of the European Economic Area
- Object to decisions based solely on automated decision making or profiling (decisions taken with no human involvement, that might negatively affect them)
- Prevent processing that is likely to cause damage or distress
- Be notified of a data breach in certain circumstances
- Make a complaint to the ICO
- Ask for their personal data to be transferred to a third party in a structured, commonly used and machine-readable format (in certain circumstances). Any staff member receiving such a request must immediately forward it to the Data Protection Officer.
The above rights apply only in certain circumstances. They are not absolute or unqualified rights. Guidance can be provided by the Data Protection Officer in each individual case.
Duties
The Data Protection Officer is responsible for notification of Wooden Spoon’s data holdings to the Information Commissioner’s Office (ICO). They are responsible for monitoring all Wooden Spoon GDPR processes and practices.
The Data Protection Officer must maintain an internal register of data users and the data held. This is to be updated annually.
All staff and volunteers (including trustees) are required to complete data protection training as part of their mandatory induction process. Data protection will also form part of continuing professional development, where changes to legislation, guidance or Wooden Spoon’s processes make it necessary.
Managers must ensure that all staff and volunteers are aware of and adhere to this policy, and are reminded of it annually.
Employees and volunteers must process data in accordance with this policy and the data protection guidelines.
Review
- Data protection policy and activity is to be reviewed at Board level annually.
- Staff and volunteers are to receive training on our GDPR policy on induction and annually.