Full Privacy Notice
Last updated February 2023
This Privacy Notice explains when and why we collect personal information about you, how we use it and the conditions under which we may disclose it to others. Your personal data is defined as any information that can directly or indirectly identify you. This Notice also explains how we keep your data safe and secure and includes information you need to know about your rights and how to exercise them.
If you have any questions regarding our Privacy Notice and our use of your personal data or would like to exercise any of your rights, please get in touch in the following ways:
Email us: [email protected]
Write to us: PO Box 112, East Molesey, KT8 8EN
If you are unhappy with the way we process your data, you can also make a complaint to the Information Commissioner’s Office (ICO) which regulates the use of information in the UK. They can be contacted in these ways:
By telephone: 0303 123 1113
By letter: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Or by going online to www.ico.org.uk/concerns
If you are based outside of the UK, the complaint should be directed to the relevant Data Protection Supervisory Authority in that Country.
Table of Contents
1. Who are we?
2. The personal data we collect from you, how we collect it, on what lawful basis and how we use it
3. Fundraising and Marketing Communications
4. Your Rights
5. Keeping your information safe
6. Transferring your information outside of the United Kingdom
7. Making a complaint
8. Whistleblowing
9. Privacy Notice review
APPENDIX 1 – Human Resources
How and when do we collect information about you?
What type of information is collected about you and who provides it?
How is the information used?
Lawful basis for processing
How long do we keep your data?
Confidentiality - who do we share your data with?
APPENDIX 2 – Service Users (including hosts and grant applicants)
How and when do we collect information about you?
What type of information is collected about you and who provides it?
How is your information used?
Lawful basis for processing
How long do we keep your data for?
Confidentiality, data sharing and safeguarding
APPENDIX 3 – Donors, website visitors and cookies
How and when do we collect information about you?
What type of information is collected about you and who provides it?
How is your information used?
Lawful basis for processing
How long do we keep your data for?
Confidentiality and Financial transaction – who do we share the data with?
Social Media
Cookies
Links to other websites
1. Who are we?
We are Elmbridge CAN and for the purposes of UK Data Protection Law we are registered as a Data Controller under registration number ZB401079.
Our charitable objects are:
1. The prevention or relief of hardship for the public benefit among refugees, asylum seekers and their dependants living in Surrey, in particular but not limited to the Borough of Elmbridge, through:
a. promoting the inclusion, integration and welfare of refugees and asylum-seekers, by encouraging a public commitment to becoming a place of welcome, acceptance and safety,
b. the provision of grants and material donations provided to the Beneficiaries and/or other charities or organisations working to improve their conditions of life,
c. the provision of resettlement support services including activities that facilitate the cultural, social and economic integration of the Beneficiaries.
2. To advance the education of the public in general about the issues relating to refugees, asylum seekers and their dependents.
In this Notice, ‘Elmbridge CAN’, ‘ECAN’, 'we', 'us', 'our' means:
Elmbridge CAN
PO Box 112, East Molesey, KT8 8EN
[email protected]
Registration number of the charity: 1180489
2. The personal data we collect from you, how we collect it, on what lawful basis and how we use it
Appendix 1 – Human Resources (employees, trustees, job applicants and volunteers)
Appendix 2 – Service Users
Appendix 3 – Donors, website visitors and cookies
3. Fundraising and Marketing Communications
Your contact details may be used to provide you with information about our services or our fundraising opportunities via:
- Post
- Phone
- Email, text or other electronic message
When you give us consent to receive marketing and fundraising communications, we will monitor consent and ensure that you still wish to receive such communications by occasionally reaffirming your consent with us. Our approach is designed to uphold your privacy and information rights, to respect your choices, and to ensure we are not intrusive.
4. Your Rights
Under data protection laws in the UK and EU, you have certain rights over the personal information that we hold about you. If you would like to exercise your rights, please get in contact using any of the details listed above. Here is a summary of the rights we think apply:
1. Right to be Informed
You have the right to be informed as to how we use your data and under what lawful basis we carry out any processing. This Privacy Notice sets this information out; however if you would like further information or feel that your rights are not being respected, please get in contact using any of the details listed above.
2. Right of Erasure – also known as the right to be forgotten
You may ask us to delete some or all of the information we hold about you. Sometimes, where we have a legal obligation, we cannot erase your personal data.
3. Right to Object
You have the right to object to processing where we are using your personal information such as where it is based on legitimate interests or for direct marketing.
4. Inaccurate personal information corrected
Inaccurate or incomplete information we hold about you can be corrected. The accuracy of your information is important to us and we are working on ways to make it easier for you to review and correct the information that we hold about you. We will also carry out an annual accuracy check. If any of your information is out of date or if you are unsure of this, please get in touch through any of the contact details listed in this Notice.
5. Right of restriction
You have a right to restrict the processing of some or all of your personal information if there is a disagreement about its accuracy, or we are not lawfully allowed to use it.
6. Right to Access your information
You have a right to request access to a copy of your personal information that we hold about you, along with information on what personal information we use, why we use it, who we share it with, how long we keep it for and whether it has been used for automated decision making. You can make a request for access free of charge and proof of identity is required.
7. Automated decision making
Automated decision-making takes place when an electronic system uses personal information to make a decision without human intervention. You have the right to question the outcome of automated decisions that may create legal effects or create a similar significant impact on you. We currently do not undertake automated decision making.
8. Portability
You can ask us to provide you or a third party with some of the personal information that we hold about you in a structured way. Electronic form is commonly used so it can be easily transferred. This right may not apply to the type of processing undertaken by us.
9. Right to withdraw consent
Where you have provided consent to our use of your data, you also have the right to withdraw that consent at any time. This means that we will stop processing your data.
5. Keeping your information safe
We take looking after your information very seriously. We have implemented appropriate physical, technical and organisational measures to ensure that your personal information is secure when under our control, both on and offline, from improper access, use, alteration, destruction and loss.
When we are provided with personal information about you, steps are taken to ensure that it is treated securely. All information we collect about you is stored securely in the offices in locked cabinets, the keys for which are also stored securely in a locked cabinet. Electronic data is stored on a secure server and is accessed via password-protected computers that are used only by our employees.
6. Transferring your information out of the United Kingdom
Where personal data is stored outside of the UK and the EU, safeguards to protect personal data may include but are not limited to the UK Addendum used in conjunction with the EU Standard Contractual Clauses (SCCs), or UK International Data Transfer Agreement (IDTAs). Such safeguards will be subject to Transfer Risk Assessments (TRAs).
7. Making a Complaint
If you think your data rights have been breached or you are not happy with how we handle your data, please refer to our Complaints Policy.
8. Whistleblowing
If you need to whistleblow there are a number of options available to you:
Free independent advice on whether what you have witnessed is malpractice, and on your rights as a whistleblower, can be obtained from an organisation called Protect, who can be contacted on 0203 117 2520. Please note this is only for advice – Protect cannot take the issue forward for you but if you wish to proceed, you can email [email protected] and request our Whistleblowing Policy.
9. Privacy Notice Review
This Privacy Notice is kept under regular review. This Privacy Notice was last updated in February 2023.
APPENDIX 1 – Human Resources
Job applicants and current and former employees, freelancers, trustees and volunteers
How and when do we collect information about you?
You provide several pieces of data to us directly during the recruitment period and subsequently upon the start of your employment/engagement.
In some cases, we will collect data about you from third parties, such as employment agencies or former employers when gathering references.
What type of information is collected about you and who provides it?
We keep several categories of personal data on our employees in order to carry out effective and efficient processes. We keep this data within our computer systems, for example, our holiday booking system.
Specifically, we may process the following types of data:
- personal details such as name, address, phone numbers
- name and contact details of your next of kin
- your photograph, your gender, marital status
- footage of the organisation’s events in which you may appear
- information of any disability or other medical information you have disclosed
- right to work documentation
- information gathered via the recruitment process such as that included in a CV, cover letter or application form, references from former employers, details on your education and employment history etc
- National Insurance number, bank account details and tax codes
- information relating to your employment with us (e.g. job title, job description, salary, terms and conditions of the contract, annual leave records, appraisal and performance indication, formal and informal proceedings involving you such as letters of concern, and disciplinary and grievance proceedings)
- internal and external training modules undertaken
- information on time off from work including sickness absence, family related leave etc
- IT equipment use including telephones and internet access
- your biography and picture for the website (if applicable).
We may also process special categories of data, which include health information, sexual orientation, race, ethnic origin, political opinion, religion, trade union membership, genetic and biometric data. We may also process criminal records information if the role involves a DBS check.
How is the information used?
We are required to use your personal data for various legal and practical purposes for the administration of your contract of employment or your volunteer/trustee agreement, without which we would be unable to employ you. Holding your personal data enables us to meet various administrative tasks, legal obligations or contractual/agreement obligations.
Lawful basis for processing
We mainly use ‘contractual obligation’ as a lawful basis for processing personal data for employees, job applicants and freelancers. We mainly use ‘legitimate interest’ for trustees and volunteers. We may also have a legal obligation to process and share your data, for example we need to share salary information with HMRC or use some of your data to enrol a new employee on a pension scheme. When processing special categories of data or when processing videos/pictures of the organisation's events where you may appear, we may use your consent.
We may rely on our legitimate interest for processing activity such as keeping supervision and appraisal records; using your image and bio on our website or marketing/fundraising materials to promote the charity. When relying on legitimate interest, we may undertake a balancing test to ensure your rights are upheld.
When processing criminal records (for example, in order to perform a DBS check), the organisation relies on the lawful basis of legitimate interest, and Condition 10 from Schedule 1, DPA 2018 ("preventing or detecting unlawful acts").
How long do we keep your data?
We only keep your data for as long as we need it, which will be at least for the duration of your employment/engagement with us though in some cases we will keep your data for a period after your employment/engagement has ended. If you’ve applied for a vacancy but your application hasn’t been successful, we will keep your data only for 12 months.
Some data retention periods are set by the law. Retention periods can vary depending on why we need your data. Please get in touch at [email protected] if you want to know more about the retention period.
Data is destroyed or deleted in a secure manner as soon as the retention date has passed.
Confidentiality - who do we share your data with?
Employees within our organisation who have responsibility for recruitment, administration of payment and contractual benefits and for carrying out performance related procedures will have access to your data which is relevant to their function. All employees have been trained in ensuring data is processed in line with UK GDPR and the Data Protection Act (2018).
Data in relation to your salary is shared with HMRC as part of our legal obligation. Data may be shared with third parties for the following reasons: for the administration of payroll, pension, HR functions (for example the online holiday booking system) and administering any other employee benefits. When sharing with third parties, we have data sharing or processor agreements in place to ensure data is not compromised. Third parties must implement appropriate technical and organisational measures to ensure the security of your data.
We may have a section on our website or social media where we upload the name, photo and a short bio of our employees. It is in our legitimate interest to have such information available on the website but you have the right to object. Please see section 4, ‘Your Rights’.
APPENDIX 2 – Service Users (including hosts and grant applicants)
How and when do we collect information about you?
The personal information that we obtain about you is mainly collected during the referral process. It includes information provided by the organisation referring you or information that you provide yourself in case of a self-referral. Written information is submitted to ECAN via email, online forms or in paper form. Information is safely stored in our online database system.
What type of information is collected about you and who provides it?
Information provided by you or the referrer during the referral process may be: name, email address, UK address, phone number.
Information provided by you during the delivery phase for the purpose of receiving support: including but not limited to information about your children, their needs and the schools they attend; about your employment and educational history; and about your medical history and current medical requirements.
Information collected during your participation: we may take footage of our events for marketing and communication purposes where you may appear.
How is your information used?
We may use your personal information to:
- run our weekly ‘hubs’ and contact you with information relating to future hubs and events;
- provide you with information that may be of interest to you in relation to your status as a refugee or asylum seeker in the UK or as a host under a government scheme;
- provide you with the support you need and wish for;
- provide progress reports to funders;
- claim payments from our funders;
- monitor and manage risk;
- safeguard either you and/or the general public;
- conduct research and evaluation;
- collate anonymised or pseudonymised statistical information for funders, the charity and delivery partners.
We rely on the following lawful basis for processing your personal data:
Article 6 (1) of the UK GDPR:
(f) Legitimate interests: processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party
How long do we keep your data for?
We retain the personal data of all service users for a period of 3 years post-service. After this time, personal data will be reviewed and securely destroyed.
Information relating to individuals who are referred to us who do not, for whatever reason, progress into one of our services will have their personal data retained for a period of 12 months.
Data is destroyed or deleted in a secure manner as soon as the retention date has passed.
Confidentiality, data sharing and safeguarding
- We don’t share any of your personal data with third parties.
- Personal data are not shared with funders. Information to funders is shared only anonymously.
- To comply with our duty of care and safeguarding, we may need to pass some information raising safeguarding concerns to the authorities. Where possible we seek consent from you. However, when this is not possible, we apply the following lawful basis:
  - Where an individual or child is at risk – UK GDPR Article 6(f) legitimate interest, Article 9(g), substantial public interest, DPA 2018 Schedule 1, Part 2 paragraph 18 Safeguarding of children and of individuals at risk
  - Where an individual is at economic risk – UK GDPR Article 6(f) legitimate interest, Article 9(g), substantial public interest, DPA 2018 Schedule 1, Part 2 paragraph 18 Safeguarding of economic well-being of certain individuals
APPENDIX 3 – Donors, website visitors and cookies
How and when do we collect information about you?
The personal information that we obtain about you is collected via online forms, emails and donation processes.
We may, like many organisations, automatically collect the following information when you visit our website. We collect and use your personal information by using cookies on our website; more information on cookies can be found under the 'Cookies' section below. Wherever we use non-essential cookies we will request your consent.
What type of information is collected about you and who provides it?
When you visit our website, the information that is automatically collected is: technical information, including the type of device you're using, your IP address, domain name, the date and time of your visit, the pages you accessed, documents you downloaded, the previous website you have visited and type of browser you are using.
We may also collect information that is provided directly by you, for example via the online contact form or email (name, email address, phone number) or when completing a donation via an online platform.
How is your information used?
We may use your personal information to:
- deal with your enquiry;
- administer donations; and
- send you our newsletters, if you have registered to receive them.
When processing data about donors, we mainly rely on a contractual obligation. We are legally required to hold some types of information to fulfil our statutory obligations (for example the collection of Gift Aid).
When processing information about a general enquirer, we are most likely to rely on our legitimate interest.
How long do we keep your data for?
We keep your data as long as necessary. This means that if you make an enquiry and we’ve assisted with the enquiry, we will only keep your data for a very short period after your enquiry has been made.
If you’ve made a donation, we may keep your data for 6 years.
Data is destroyed or deleted in a secure manner as soon as the retention date has passed.
Confidentiality and Financial transaction – who do we share the data with?
If you make a donation online, your card information is not held by us; it is collected by our third party payment processors, who specialise in the secure online capture and processing of credit/debit card transactions. We will share transaction data with our payment services providers only to the extent necessary for the purposes of processing your payments, refunding such payments and dealing with complaints and queries relating to such payments and refunds.
All debit and credit card details are passed securely to our payment processing partner, according to the Payment Card Industry Security Standards.
We may also disclose your information if required by law or requested by law enforcement authorities, such as HMRC when you claim Gift Aid.
We do not share your data with, or sell it to, other third parties for any marketing purposes.
Social Media
When you interact with us on social media platforms such as Facebook and Twitter, we may obtain information about you (for example, when you publicly tag us in an event photo). The information we receive will depend on the privacy preferences you have set on those types of platforms.
Cookies
Like many other websites, this website uses 'cookies'. 'Cookie' is a name for a small file, usually of letters and numbers, which is downloaded onto your device such as your computer, mobile phone or tablet. Cookies allow websites to recognise your device so that the sites can work more efficiently, and also gather information about how you use the site.
How do we use Cookies?
We use Cookies to distinguish you from other users of our website. This helps us to provide you with a positive experience when you come to our website.
The Cookies we use
We use the categorisation set out by the International Chamber of Commerce in their UK Cookie Guide. We may use the following types of Cookies:
- Authentication - We use cookies to identify you when you visit our website and as you navigate our website
- Status - We use cookies to help us to determine if you are logged into our website
- Personalisation - We use cookies to store information about your preferences and to personalise the website for you
- Security - We use cookies as an element of the security measures used to protect user accounts, including preventing fraudulent use of login credentials, and to protect our website and services generally
- Advertising - We use cookies to help us to display advertisements that will be relevant to you
- Analysis - We use cookies to help us to analyse the use and performance of our website and services
No Cookies, please.
You can opt-out of all our cookies (except the essential cookies). If you have any questions about how we use Cookies, please contact us.
Links to other websites
Our websites may contain links to other sites. While we try to link only to sites that share our high standards and respect for privacy, we are not responsible for the content or the privacy practices employed by other sites. Please be aware that advertisers or websites that have links on our site may collect personally identifiable information about you. This Privacy Notice does not cover the information practices of those websites or advertisers.