Important Update regarding sharing of data and data privacy during Covid-19
As part of our activities to support the Covid-19 response, we have amended our data sharing procedures to note that the data will be shared with third parties in order to quickly and efficiently utilise offers of support where they are most needed.
Data may be shared with organisations including, but not limited to, District Councils, Norfolk County Council, the NHS, Community Action Norfolk and other voluntary groups. These organisations will hold volunteers’ data only for the purpose of contacting them about use of resources during Covid-19.
When the government advises us that the Covid-19 crisis is over, data will either be deleted or individuals will be contacted to ask if it can be retained. At no time will Voluntary Norfolk or its Covid-19 response partners sell, rent or lease your personal information to any third party.
This is the privacy notice for Voluntary Norfolk (UK registered charity number 1112017, company registration number 05616120). Our trading arm CBR Business Solutions, has a separate Privacy Statement which you can find on their website.
Our registered address is: St Clements House, 2-16 Colegate, Norwich, NR3 1BQ
We are registered with the Information Commissioner’s Office (ICO), reference no.: Z632337X
PURPOSE OF THIS NOTICE
This notice sets out how we will collect, process and use the information we hold about you. We are committed to protecting your privacy and being clear about how we use personal information that we hold. We understand that you are entitled to know that your personal data will not be used for any unintended purpose.
You have rights and we have obligations in regard to the processing and control of your personal data. You can learn more about your rights here: www.knowyourprivacyrights.org/
Our policy complies with UK law, including that required by the EU General Data Protection Regulation (GDPR). This policy is effective from May 25 2018.
HOW DO WE COLLECT PERSONAL INFORMATION ABOUT YOU?
We will collect personal information about you:
- When you give it to us directly
For example, personal information that you submit through our website by signing up to our email newsletter, or any personal data that you share with us when you communicate with us in person, by email, phone or post.
- When we obtain it indirectly
Your personal information may be shared with us by third parties, including our business partners and sub-contractors.
- When you visit our website
WHAT TYPE OF INFORMATION DO WE COLLECT?
We may collect, store and otherwise process the following kinds of personal information:
- Your name, job title, postal address, telephone number, email address
- Your date of birth, gender, disability, sexual orientation, faith or religion, employment status
- Your volunteering interests, skills and experience, photographic image
- Information about our services which you use;
- Information about your computer/ mobile device and your visits to and use of this website, including, for example, your IP address and geographical location; social media identity
- Personal information included in a CV, any application form, cover letter; details of your skills, qualifications, experience, work history with previous employers.
- Personal information provided on appointment as a member of staff or volunteer, including details of your bank account, your preferred emergency contact and your car, MOT and insurance details to ensure legal compliance
- Data to process payroll, including: marital status, National Insurance number, tax details, benefit and allowance status, student loan details
- Occupational health, sickness absence and medical records data, including data around making reasonable adjustments
- Disciplinary and grievance data; criminal records data
As Data Controller we are required to have one or more lawful grounds to collect and process the personal information we have outlined above. We consider the grounds listed below to be relevant:
Where the processing of your personal information is necessary for us to comply with a legal obligation to which we are subject, for example where we must share your personal information with regulatory bodies which govern our work.
Where it is necessary for us to process your personal information in order to perform a contract to which you are a party (or to take steps at your request prior to entering a contract), for example, if you are employed by us, volunteer for us or become a member.
The law also allows us to use personal information on the condition that to do so is reasonably necessary for our legitimate interests (and the use of your personal information is fair, balanced, and does not unduly impact your rights). We may rely on this ground to process your personal information when we believe that it is more practical or appropriate than asking for your consent.
For instance, we rely on the legitimate interest ground to process data about our service users and participants in our projects or to protect the security of our networks e.g. when we receive external emails we will scan such emails for any threats, based on a legitimate interest assessment.
We may process personal data in order to protect the vital interests of a data subject or of another natural person, for example to meet the requirements of safeguarding for vulnerable adults.
Special categories of data
Certain categories of personal information as sensitive, and therefore requiring more protection. These categories of data include information about your health, ethnicity and sexual orientation.
We may process special categories of data but will only process this data if there is a valid reason for doing so and where the GDPR allows us to do so.
We will seek your explicit consent to use such data (or of another natural person where the data subject is physically or legally incapable of giving consent), unless:
- processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity;
- processing is necessary for the purposes of the assessment of the working capacity of an employee or the provision of health or social care
- processing is necessary for reasons of substantial public interest whilst safeguarding the fundamental rights and the interests of the data subject;
HOW WE USE YOUR PERSONAL INFORMATION
Voluntary Norfolk may use your personal information:
- to provide you with services, products or information that you have requested
- to provide updates about our work, services, or activities (where necessary, and only where you have provided your consent to receive such information)
- to answer your questions/ requests and communicate with you in general
- to further our charitable aim in general, including asking for volunteer and/or fundraising support
- to analyse and improve our services, activities or information (including our website) or for our internal records
- to process your application for a job or volunteer role
- to audit and/ or administer our accounts
- to satisfy legal obligations which are binding on us, for example in relation to regulatory, government and/ or law enforcement bodies with whom we may work, or due diligence checks before entering into contracts or agreements
- for the prevention of fraud or misuse of service
DO WE SHARE YOUR PERSONAL INFORMATION?
Voluntary Norfolk will not sell, rent or lease your personal information to others. However, we may disclose your personal information to selected third party processors for the purposes outlined above. Third parties are obligated to use any personal data they receive in accordance our instructions.
Voluntary Norfolk works with the following third parties and data processors:
- Voluntary Action Sheffield provide Volunteer Connect, our volunteering platform, and are therefore a data processor, learn more about the product online:
- Studio Spark Design, provide website and design services
- Premier Links provide IT support and services
INTERNATIONAL DATA TRANSFERS
As we sometimes use third parties to process personal information, it is possible that personal information we collect from you will be transferred to and stored in a location outside the UK or the European Economic Area (“EEA”).
Please note that certain countries outside of the UK or EEA have a lower standard of protection for personal information, including lower security protections. Where your personal information is transferred, stored, and/or otherwise processed outside the UK or EEA in a country which does not offer an equivalent standard of protection to the UK or EEA, we will take all reasonable steps necessary (including entering into standard contractual clauses to protect your personal information or relying on the Privacy Shield for transfers to organisations in the US) to ensure that the recipient implements appropriate safeguards designed to protect your personal information. If you have any questions about the transfer of your personal information, please contact our Data Protection Lead, using the details at the end of this policy.
SECURING YOUR PERSONAL INFORMATION
Voluntary Norfolk will take reasonable technical and organisational precautions to prevent the loss, misuse or alteration of your personal information; we store all personal information on secure servers.
Voluntary Norfolk undertakes the following procedures to ensure good working practice when processing data:
- When unattended PCs will be locked using a password
- All cabinets containing hard copies of personal data are locked and the keys kept in a secure locked environment
We audit our procedures to ensure compliance on an at least six monthly basis. We will notify the ICO without undue delay should a data breach of significant scale be detected that warrants this.
HOW LONG DO WE KEEP YOUR PERSONAL INFORMATION?
We will generally remove your personal information from our records six years after the date that it was collected unless (a) we are required to hold for longer for legal or regulatory purposes; or (b) it is still required in connection with the purpose for which it was collected and/or processed, for example you still work or volunteer for us.
However, we will remove your personal information from our records before this date if we become aware that (a) your personal information is no longer required in connection with such purpose(s); (b) we are no longer lawfully entitled to process it; or (c) you validly exercise one of your rights of erasure.
YOUR RIGHTS AND PREFERENCES
Voluntary Norfolk may contact you by post unless you request otherwise, and by telephone, email, social media or other electronic means depending on any communication preferences you have previously indicated.
Where we rely on your consent to use your personal information, you have the right to:
- Ask us for confirmation of what personal information we hold about you, and to request a copy of that information. If we are satisfied that you have a legal entitlement to see this personal information, and we are able to confirm your identity, we will provide you with this information.
- Request that we delete the personal information we hold about you, as far as we are legally required to do so.
- Ask that we correct any personal information that we hold about you which you believe to be inaccurate.
- Object to the processing of your personal information where we: (i) process on the basis of the legitimate interests ground; (ii) use the personal information for direct marketing; or (iii) use the personal information for statistical purposes.
- Ask for processing of your personal information to be restricted if there is disagreement about its accuracy or legitimate usage.
To request a copy of your personal data please contact our Data Protection Lead, using the details at the end of this policy. At any point you can request to unsubscribe from our e-newsletter or request that your personal information is removed from our databases by contacting us at firstname.lastname@example.org
Please note that where you ask us to delete your personal information we will maintain a skeleton record comprising your name and organisation to ensure that we do not inadvertently contact you in the future. We may retain some financial records for statutory purposes, for example Gift Aid.
Please note that you also have the right to lodge a complaint with the Information Commissioner’s Office at www.ico.org.uk/concerns
Voluntary Norfolk may update this privacy statement by posting a new version on this website. If we update this privacy statement in a way that significantly changes how we use your personal information, we will use reasonable efforts to bring these changes to your attention where we have your contact details. Otherwise, we would recommend that you periodically review this privacy statement to be aware of any other revisions.
HOW TO CONTACT US
Our Data Protection Lead is Voluntary Norfolk’s Quality & Governance Manager, Clare Evans, who is responsible for monitoring compliance with relevant legislation in relation to personal data.
You can contact her if you have any questions about this privacy statement or our treatment of your personal information by:
Telephone: 01603 614474
Post: Quality & Governance Manager, St Clements House, 2-16 Colegate, Norwich, NR3 1BQ