Trust Website Privacy Notice - Postcode Care Trust
About this Privacy Notice
At Postcode Care Trust we take the protection of Personal Data seriously. In this Privacy Notice we'll explain what Personal Data we collect from you, how we use and share that data, how we keep your Personal Data safe, and how long we keep it for. We'll also explain how we Process your data (and the Legal Basis for doing so) and help you to understand your Personal Data Rights.
Although we have made every effort to keep things simple throughout this Privacy Notice, there are some concepts and legal terms that we'll sometimes need to use. We've tried to use plain English wherever possible.
If you have any questions about this Data Privacy Notice or would like additional clarification, please contact us at email@example.com or Postcode Care Trust, 28 Charlotte Square, Edinburgh, EH2 4ET.
What do we mean by Personal Data?
Personal Data is any information that (directly or indirectly) identifies you. That could be anything from your name and address, your bank details, your email address, an image or recording of you, your IP address or any other data that could be used to identify you. In some circumstances we may collect and Process Special Category Personal Data, this can include information about your gender, health or other sensitive information. If we collect Special Category Personal data we will always inform you.
What do we mean by processing your Personal Data?
Processing simply means doing something with your Personal Data. That could be as straightforward as collecting it or sharing it, or as complex as modelling the data or appending values to the data. If a company or organisation does anything with your Personal Data, they are Processing it.
The Personal Data we collect
We record all our calls so that we can refer back to them. We do this to manage enquiries and applications, improve our services and deal with any queries or complaints that may arise. These activities are within the Trust's legitimate interests in supporting the effective management of the Trust (this is our Legal Basis for processing any Personal Data recorded on calls). We keep our call recordings, for 3 years.
The Personal Data we collect when you apply for funding
To enable us to process your online application for funding, we will ask for the following information:
- Your name, address, email address and phone number
- Details about the organisation you represent
- Detailed information about your proposed project
- Any communication preferences you may have.
What we do with your Personal Data
In this section we'll explain how we Process your Personal Data and the Legal Basis for doing so. We'll also explain what a Data Controller and a Data Processor is. We have tried to use plain English wherever possible but it is important you understand what these legal terms mean.
What is a Data Controller?
Postcode Care Trust is a Data Controller. That means we're responsible for determining what happens to the Personal Data we collect, including how we Process it. As a Data Controller we're also responsible for monitoring and approving the Data Processors we pass your Personal Data to.
What is a Data Processor?
Postcode Care Trust uses Data Processors to provide Personal Data processing services. A Data Processor carries out Processing on behalf of a Data Controller. We might employ the services of another company to carry out Data Processing for us. As an example we (the Data Controller) might ask another company (the Data Processor) to send you an email or letter. We'd need to give that company your contact details so they know where to send the letter.
What is a Legal Basis to collect and Process Personal Data?
Under the Data Protection Act 2018 (DPA) there are a number of Legal Bases (legal reasons) that a Data Controller can use to Process or share Personal Data.
Consent means you've given us clear and informed permission to Process your Personal Data. Consent is a Legal Basis on which we may Process Personal Data. An example might be where you have asked us to send you promotional (marketing) materials. Remember, you can withdraw your Consent at any time.
Where we are Processing your Personal Data for the purposes of taking steps to enter into a contract with you or for the purposes of giving effect to that contract, we can rely on the Legal Basis of contract when Processing your Personal Data. Please note that we rarely use this basis with individuals as our contracts are generally with your organisation or good cause, not with you as an individual.
Legal and regulatory
Sometimes we have a legal or regulatory obligation to Process your Personal Data. For example, that might include submitting gambling statistics to the Gambling Commission, submitting financial reporting to the Office of the Scottish Charity Regulator or retaining records of the Trust's accounts and financial activities.
Sometimes we have a Legitimate Interest in Processing your Personal Data. Where we are Processing your Personal Data on the basis of Legitimate Interests (ours or those of another party) we'll ensure that our Legitimate Interests are proportionate to the purposes for which we are Processing your Personal Data and do not unduly compromise your Personal Data rights. You can object to us Processing your data for Legitimate Interests at any time. In some circumstances we may continue to Process your Personal Data on the basis of Legitimate Interests where we can demonstrate that our interests (or the interests of another relevant party) override your Right to Object. We Process information for the purposes of assessing funding applications, granting awards and managing our relationship with our charity beneficiaries and potential beneficiaries (which may include some of your Personal Data if you are a key contact for one of our beneficiaries). Our Legal Basis for processing your Personal Data in this way is our Legitimate Interests in managing contact with our beneficiaries and potential beneficiaries (through you) or assessing the suitability of a potential beneficiary if it is made up of/managed by a group of individuals (including you).
Where you don’t provide us with information required
Where we need to collect personal data by law, or under the terms of a contract we have with you, and you fail to provide that data when requested, we may not be able to perform the contract we have or are trying to enter into with you (e.g. to provide funding). In this case, we may have to cancel our grant but we will notify you if this is the case at the time.
Managing relationships with our charity beneficiaries
We use a third party Data Processor (Salesforce.com a company based in the UK) which provides us with a Customer Relationship Management system. This helps us process grant applications and manage our relationships with our charity beneficiaries. The Personal Data we collect in order to assess funding applications, grant awards and manage our relationship with our charity beneficiaries (which may include some of your Personal Data if you are a key contact for one of our beneficiaries) is stored for six years after funding has come to an end in order to meet our legal obligation to help prevent financial fraud.
Sharing information with our lottery operator
We share information about our charity beneficiaries with the People's Postcode Lottery Ltd, who operate our lottery. This information is used for analysis, research, marketing and to help coordinate events. Such information may contain your name and contact details or, where you have provided your approval, more detailed feedback on your experience working with the Trust or case studies relevant to the funding your organisation has received. Our Legal Basis for Processing this information is our Legitimate Interests in sharing this information with our lottery operator (to comply with our contractual commitments to the operator) and our lottery operator's Legitimate Interests in organising events and marketing material.
If you are a player of our lottery and make a complaint to People's Postcode Lottery Ltd, our lottery operator, they may provide us with limited (anonymised) information about complaints, if they are escalated in line with the lottery operator's procedure.
Sharing information with our other service providers
We work with Edelman Dale Financial Communications Limited and NFP Synergy Limited both based in the UK which provide us with PR assistance and research and consultancy services and which may be provided with your details in that capacity.
Collecting and Processing Grant Applications
We use a third party Data Processor survey tool operated by FormAssembly LLC whch processes data for us in the UK, to help us collect, store and collate grant applications. We keep unsuccessful grant application data for three years for reporting and fraud detection purposes. We Process information for the purposes of assessing funding applications, granting awards and managing our relationship with our charity beneficiaries and potential beneficiaries (which may include some of your Personal Data if you are a key contact for one of our beneficiaries). Our Legal Basis for processing your Personal Data in this way is our Legitimate Interests in managing contact with our beneficiaries and potential beneficiaries (through you) or assessing the suitability of a potential beneficiary if it is made up of/managed by a group of individuals (including you).
Sending you information you have requested
When you complete a grant application on behalf of your organisation, you have an opportunity to request information about news, events and funding opportunities. We use your Consent as the Legal Basis to send you that information.
What are cookies?
Cookies are small data files that are downloaded to your computer when you visit our website. Cookies help us manage how our website operates and understand how you use it. They also help us integrate social media feeds into our website.
The cookies we use
This website uses a Google Analytics tracking cookie to collect anonymous traffic data about your use of this website. Google may also transfer this information to third parties where required to do so by law, or where such third parties process the information on Google's behalf. Google will not associate your IP address with any other data held by Google. You can reject or delete this cookie here: http://www.google.com/intl/en/privacypolicy.html.
Google Analytics collects information such as pages you visit on this site, the browser and operating system you use and time spent viewing pages. The purpose of this information is to help us improve the site for future visitors.
The social plug-ins for Twitter and Facebook at the top of the page may also set or retrieve cookies on your machine, if you are logged into these websites, or have previously downloaded cookies controlled by these sites.
Cookies are not used to collect any personal information.
If you'd prefer not to allow cookies, you can choose to disable cookies via your web browser. Your experience of our website may be compromised if you choose to disable cookies. Disabling cookies varies from web browser to web browser but the links below have instructions for some common browsers.
Please be aware that disabling cookies will disable all cookies in your web browser. If you'd prefer to stop online advertising only you can use ad blocking in your browser. Many web browsers now come with this as standard. For more information about online advertising you can visit www.youronlinechoices.com/uk/.
Your Data Subject Rights
Under the DPA you have a number of Personal Data Rights you can exercise over your Personal Data. We’ll explain those rights and how you can exercise them here.
Where you exercise your data subject rights we may ask you for additional information to verify your identity. You can exercise any of your rights by emailing firstname.lastname@example.org.
The more information you provide when you make your request the sooner we'll be able to respond. We aim to deal with your request within one month of your request but more complex requests may take longer. We'll let you know if we believe your request could take longer to respond to than one month.
We won’t charge you for making a data subject rights request unless your request is unfounded, repetitious or excessive in which case we may refuse it or charge a small fee, but we'll always make it clear why we believe that to be the case.
Your Right to be Informed
We believe it is important that you fully understand what we do with your Personal Data. This is known as the Right to be Informed. This Privacy Notice gives detailed information about the type of Personal Data we collect, how we Process that data, and how we share that data with Data Processors and other Data Controllers.
Your Right to correct Personal Data we hold
Although we make every effort to ensure your Personal Data is complete, up-to-date and accurate we recognise that sometimes mistakes happen. You can ask us to correct your Personal Data at any time. This is known as the Right to Rectification.
Your Right to access your Personal Data
You have the right to ask for a copy of your Personal Data we hold. You can also request copies of any Personal Data we have shared with our Data Processors and any other Data Controllers.
Your Right to object to processing
You might not want us to Process your Personal Data in a certain way or for a specific reason, and can ask us not to where we use Legitimate Interests as the Legal Basis for Processing. What does that mean in plain English? When we're using Legitimate Interests as the basis for Processing your Personal Data, you can ask us not to do this at any time. If we want to continue to process the data we must be able to show that our continued processing is on compelling legitimate grounds which override your rights and freedoms.
Your Right to erasure
We recognise that sometimes you'd rather we erase some or all of the Personal Data we hold. This is known as the Right to Erasure. You might ask us to do this where:
- We no longer need the data for the purpose it was gathered
- You gave us Consent but want to withdraw that Consent
- You object to the automated Processing we carry out
- We have Processed your data unlawfully
- We have a legal requirement to erase your Personal Data.
Your Right to restrict processing
You have the right to ask us to restrict the way we Process your Personal Data. You can ask us to restrict the ways in which we Process your Personal Data because:
- You believe the Personal Data we hold is inaccurate and you'd like us to stop processing your Personal Data until it has been corrected
- You believe your Personal Data has been unlawfully processed and you would like us to restrict our Processing while we investigate
- You may not need the Personal Data any more but you'd like us to retain it while a legal claim is in process.
Your Right to move your Personal Data
If you want a copy of your Personal Data that you'd like to give to someone else, you can ask us to give you that data in a common, user-friendly and secure format. We can send your Personal Data directly to you or to a third party you specify. This is known as your Right to Portability.
You should be aware that asking for a copy of your Personal Data doesn't mean we'll erase that data unless you specifically ask us to. You can find more about erasure in your Right to Erasure.
Your Right to complain
We pride ourselves on our high standards of customer service. If you want to complain about the way we undertake activities under our licence from the Gambling Commission, this may be dealt with through our Complaints Procedure.
If your complaint relates to your Personal Data you can complain to the Information Commissioner's Office (ICO). You can find out more about that right and the process at http://www.ico.org.uk or by writing to the ICO at:
Information Commissioner's Office
Tel: 0303 123 1113 (local rate) or 01625 545 745 if you prefer to use a national rate number.
Fax: 01625 524 510
We would, however, appreciate the chance to deal with your concerns before you approach the ICO so please contact us in the first instance.
The information you send us online
The methods we use to ensure data is safeguarded while being sent over the internet are industry-standard. When information reaches us we store it securely and only provide access to authorised personnel or Data Processors.
How we restrict data access to your Personal Data
Postcode Care Trust maintains strict physical, electronic and administrative safeguards to protect your Personal Data from unauthorised or inappropriate access. Personal Data collected by us is stored in secure operating environments that are not accessible by the public. In the unlikely event that an employee or a Data Processor misuses that information they will be liable to appropriate legal and disciplinary sanctions.