Purpose of this statement
This privacy statement describes how The Royal Society for the Support of Women of Scotland (“The Society”, “we”, “us” or “our”) collects and uses Personal Data, in accordance with the General Data Protection Regulation (GDPR), the Data Protection Act and any other applicable data protection law in the United Kingdom (collectively “data protection law”).
It applies to Personal Data provided to us, both by individuals or by others. Personal Data is any information relating to an identified or identifiable living person. Words used with first letter capitalisation (e.g. Personal Data), unless otherwise defined in this policy, have the same definition and meaning as under data protection law.
For almost 170 years the Society has provided assistance to women suffering from financial hardship, and who met the other criteria specified by its trustees from time to time. While the qualifying criteria have changed, and the make-up of the Roll of Beneficiaries has evolved during this time, a constant requirement has been that applicants and beneficiaries provide information about themselves to demonstrate that they meet the criteria for support. The nature of the Society’s work has always involved the collection, assessment and storage of personal information for these purposes – the reason for doing so has always only been to assess eligibility or monitor continuing compliance with prevailing criteria and for the delivery of charitable assistance.
The Trustees and staff of the Society understand not only the need for the lawful and proper treatment of personal information but also the importance to the reputation and ongoing work of the charity of confidence that this is observed in practice. We have implemented this policy for reasons of lawfulness, fairness and transparency in relation to our use of Personal Data.
The Society acts as a controller and processor of data, and is registered with the Information Commissioner. Our Registration Reference is Z1255385. Personal information is collected, stored and processed on the one hand to establish initial, and ongoing, entitlement to financial support to those seeking the Society’s assistance, and on the other about individuals (staff, trustees, suppliers, donors) involved in the running of the charity and the delivery of that support.
Types of Personal Data
The Society identifies the following categories of individual about whom it holds information, in each case with an indication of the types of information held.
- Enquirers… names and addresses of individuals seeking application forms for assistance.
- Applicants…information provided on application forms, supporting information, initial Caseworker visit reports, pre-admission.
- Beneficiaries…cumulative information from application forms and follow up contact, personal details of emergency contacts (name, address and contact details).
- Past-Beneficiaries…as (3) above for former beneficiaries and those withdrawn from the Roll. This data is progressively reduced in accordance with the Society’s Data Retention and Destruction Policy.
- Donors and Legacies… names, addresses, contact details and some financial information.
- Staff…routine employment details, including next of kin and health issues, for current and former staff. Data on former staff is reduced according to legal retention rules.
- Trustees…names, and addresses, telephone & e-mails, age and NI Numbers all for contact and reporting processes
- Suppliers...names and addresses of individuals and businesses (named contact) supplying goods and services to the Society.
- In respect of those individuals above to whom the Society is currently making, or expecting to make payments, the information held will include bank details.
Collection of Personal Data
We will only collect such Personal Data as is necessary for the Society to perform its services and undertake its operations.
With respect to those seeking or receiving financial assistance from the Society, we will only collect and hold information provided initially and over time by the individual herself, by those acting on her behalf and from documents provided by the individual or her representative. The Society does not collect information about potential or existing beneficiaries from other sources.
With respect to staff, trustees, suppliers and donors, appropriate information is collected on first contact and developed through the duration of the relationship. Information will be held where references or testimonials have been obtained.
Use of Personal Data
Here we set out the basis upon which we process Personal Data. Please note that we may process Personal Data for more than one lawful basis, depending on the specific purpose for which we are using that information.
Performance of a contract
The provision of ongoing financial assistance to qualifying individuals, and the assessment of ongoing qualification for that assistance, requires us to process Personal Data so that the Society can meet the undertakings given to beneficiaries when they are admitted to its Roll of Beneficiaries.
Personal information concerning staff is collected, held and processed as part of employment contracts.
We may process Personal Data for the purposes of our own legitimate interests in the effective delivery of information and services and in the effective and lawful operation of our businesses, provided that those interests do not override the interests, rights and freedoms of a Data Subject which require the protection of that Personal Data.
Examples of such processing activities include assessment of applicants’ eligibility for financial assistance; assessing applicants for staff or trustee positions; trustee administration and contacts with donors.
Compliance with a legal obligation
We will process Personal Data as necessary to comply with statutory and legal obligations. Examples of such processing include retention of financial records for 6 years, staff payroll.
We are also to keep certain records to demonstrate that our services are provided in compliance with our legal, regulatory and professional obligations.
In very limited circumstances we may process Personal Data by consent, for example if a beneficiary wishes the Society to contact another charity or organisation on her behalf. Where consent is the only basis upon which Personal Data is processed, the relevant Data Subject shall always have the right to withdraw their consent to processing for such specific purposes. It is our policy to only process Personal Data by consent where there is no other lawful basis for processing.
We retain the Personal Data processed by us for only as long as is considered necessary for the purpose for which it was collected (including as required by applicable law or regulation).
The Society has a detailed Data Retention and Destruction Policy which determines the timescale and extent by which Personal Data is reduced and finally destroyed, according to the category of individual described above. We continually review our data retention policies, and we reserve the right to amend retention periods without notice.
While we will progressively reduce the information held about former beneficiaries over a number of years, to observe legal obligations, the Society believes it has a legitimate interest in retaining basic personal information (name, address, date of birth, years on the Roll, marital status) as part of the Society’s historical records.
The retention of employee and prospective employee personal data, and that for trustees/prospective trustees, is addressed in the Society’s Data Retention and Destruction Policy.
We take the security of all the data we hold very seriously. We have a framework of policies, procedures and training in place covering data protection, confidentiality and security and regularly review the appropriateness of the measures we have in place to keep the data we hold secure.
We have put in place appropriate security measures to prevent Personal Data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. This is not only in accordance with our obligations under GDPR, and with our regulatory obligations of confidentiality, but also to protect confidence in the charity.
In addition, we limit access to Personal Data to those employees, agents, contractors and other third parties who have a business need to know, and our IT systems operate on a ‘least privileged’ basis by default. Third parties will only process Personal Data on our instructions and they are subject to a duty of confidentiality.
We have put in place procedures to deal with any suspected data security breach and will notify any affected Data Subject and any applicable regulator of a suspected breach where we are legally required to do so.
The Society does not engage in direct marketing and does not pass Personal Data to third parties, other than to those engaged in delivery of the Society’s services. For example, we use third party agents to deliver banking services and to maintain our IT equipment and databases, but all of our third-party service providers are required to take commercially reasonable and appropriate security measures to protect your personal data. We only permit our third-party service providers to process your personal data for specified purposes and in accordance with our instructions.
We will share Personal Data with third parties where we are required by law, for example for payroll purposes, other HMRC enquiries, or where we have another legitimate interest in doing so.
The Society has no reason to actively transfer Personal Data to other parties within, or outside of the EU, but it recognizes that in the use of cloud-based email systems (Microsoft Office 365) such transfers may take place within the terms of doing so. We rely upon the data protection measures implemented by Microsoft in these circumstances.
Rights and responsibilities
A Data Subject’s duty to inform us of changes
It is important that the Personal Data we hold about you is accurate and current. Should your personal information change, please notify us of any changes of which we need to be made aware by contacting us, by using one of the means set out at the end of this privacy notice.
A Data Subject’s rights in connection with Personal Data
Data Subjects may have certain rights under UK or EU law in relation to the Personal Data held by us about them. In particular, they may have a right to:
- request access to their Personal Data. This enables a Data Subject to receive details of the Personal Data we hold about them and to check that we are processing it lawfully;
- ask that we update the Personal Data we hold about them, or correct such Personal Data that they think is incorrect or incomplete;
- request erasure of their Personal Data. This enables a Data Subject to ask us to delete or remove Personal Data where there is no good reason for us continuing to process it. Data Subjects also have the right to ask us to delete or remove Personal Data where they have exercised their right to object to processing (see below). Please note that we may not always be able to comply with a request for deletion of Personal Data for legal reasons which will be notified, if applicable, after receiving such a request;
- object to processing of their Personal Data where we are relying on a legitimate interest (or those of a third party) and there is something about their particular situation which makes them want to object to processing on this basis. They also have the right to object where we are processing their personal information for direct marketing purposes;
- request the restriction of processing of their Personal Data. This enables a Data Subject to ask us to suspend the processing of Personal Data about them, for example if they want us to establish its accuracy or the reason for processing it;
- request the transfer of their Personal Data to them or another Controller if the processing is based on consent, or carried out by automated means .
It should be clear that if an existing beneficiary asks the Society to erase, transfer or limit its use of Personal Data, then the Society will no longer be in a position to continue the provision of financial assistance to them.
Withdrawal of consent
Where we process Personal Data based on consent, individuals have a right to withdraw consent at any time. To withdraw consent to our processing of your Personal Data please email the Chief Executive at email@example.com
Contacting us to exercise a right
Any request by a data subject in accordance with data protection legislation to see any information that is held about them by us will be dealt with in accordance with our Subject Access Request Policy (see attached).
Data Subjects also have the right to make a complaint to the ICO, the UK supervisory authority for data protection issues. For further information on individual rights and how to complain to the ICO, please refer to www.ico.org.uk
Changes to this notice
We recognise that transparency is an ongoing responsibility so we will keep this privacy statement under regular review. This privacy statement was last updated in May 2018. Updated statements will be published on our website at www.igf.org
If there are any questions regarding this notice or if anyone would like to contact us about the manner in which we process their Personal Data, please email our Chief Executive at firstname.lastname@example.org
Alternatively, you should write to The Chief Executive, The Royal Society for the Support of Women of Scotland, 14 Rutland Square, Edinburgh EH1 2BD.
To notify a change in your personal details, please write to the Society at the address above: email to email@example.com or call 0131 229 2308...