Working Together
Privacy Statement
Introduction
This Privacy Statement sets out how we collect, use and store your personal information (this means any information that identifies or could identify you).
Protecting personal information and being transparent about how we use it is important to us. It is core to how we build and maintain trust in our work: the trust people place in us when they approach us for advice and support, and the trust placed in us by people involved in resourcing and delivering our work, including donors, volunteers, funders, partners, employees, suppliers and other stakeholders.
This statement explains how we gather and use personal information, depending on your relationship with OCWA and how the personal information is stored and transmitted. For more information on data protection and your rights as an individual, see https://ico.org.uk/
When you interact with OCWA, we will communicate how we collect and work with your personal information in various ways. Such communications are underpinned by this privacy statement. We want to make it easy for you to find out more, and for you to exercise your rights.
Please take the time to read this privacy statement: as an organisation that gives advice, we think it is important for people to understand how their personal information is used by organisations and what their rights are. If you are short of time, look first at the things that apply to all personal data collected and used by OCWA, and then at the sections that apply to your particular relationship(s) with OCWA.
Contact and Further Information
OCWA is a registered charity (no. 1049343) and a company limited by guarantee (no.1785651). We are registered with the Information Commissioner’s Office (registration number Z7242012). See https://ico.org.uk/about-the-ico/what-we-do/register-of-data-controllers/ for further details.
For all enquiries related to data protection and privacy, including your rights under data protection legislation, please contact: The Centre Manager either by email to sdarby@oxfordshirewelfarerights.org.uk or on 01865 744165 or by dropping into the Centre at Barton Neighbourhood Centre, Underhill Circus, Barton, OX3 during our opening hours (9.00am – 5pm Mon – Fri).
When exercising your rights, it may be necessary for us to verify your identity (e.g. security questions or photo ID) before we can respond: this is to protect your personal data and confidential information.
Who’s personal date do we collect and work with?
People getting advice, information and support from OCWA and those connected with them.
Supporters, donors and individuals involved in our fundraising, campaigning and policy work.
Our volunteers and trustees.
People representing partner organisations, funders and other stakeholders relevant to our work, including our suppliers.
Our employees and others working on our behalf.
People visiting our website.
Things that apply of all our processing of personal data
We collect and work with personal data. Personal data is information that can be used to identify a living individual, such as names, addresses, phone numbers, e-mail addresses, postcodes, case and client files, details of enquiries, IP addresses, location data, online identifiers, pictures or other biometric data, service records, attendance lists, minutes of meetings, mailing lists, bank account details and other financial records.
We need to collect and use personal data to provide advice, information and support services, to fundraise and generate income for our work, to fulfil our charitable objectives, to run the organisation efficiently and effectively, to meet our legal obligations and to contract with individuals and organisations. We give more detail for each group of people listed in the section above. However, the following points apply to all personal data processed by OCWA.
We only collect personal data that we need. If we need your consent to collect or use your personal data, we will ensure that we have this consent from you.
We will do our best to keep personal information secure by taking appropriate technical and organisational measures. We will never sell personal information to third parties.
We will never give personal data to third parties, with the following exceptions:
Where you have given us your consent to share your personal data, for example to get help or advice related to your case or enquiry from another organisation.
To further the legitimate interests of those seeking advice, information and support from OCWA, for example sharing personal data of volunteers and employees with third parties in the normal course of giving advice, or processing the personal data of third parties involved in beneficiary cases and enquiries.
Where we use third party organisations to process your personal data on our behalf as set out in this privacy statement, for example organisations that provide us with cloud-based ICT services. Such processing is governed by written agreements.
Where we have legal obligations, for example, our legal obligations to prevent terrorism and money laundering, or to provide personal data to HMRC.
In a life or death situation where we need to protect your vital interests or the vital interests of a third party, for example if you needed urgent medical assistance and were unable to give your consent to us seeking such assistance on your behalf.
Where we have reasonable grounds for believing that not sharing personal information will result in serious harm to you or a third party, in line with our confidentiality policy and legitimate charitable purposes.
Where we judge that sharing personal information is justified for the prevention of crime, in line with our confidentiality policy and legitimate charitable purposes.
We are committed to ensuring that suppliers who process personal data on OCWA’s behalf as ‘data processors’ treat your personal data carefully and in accordance with our written instructions and data protection legislation. We regularly review the written agreements we have with organisations and individuals that process personal data on our behalf. These include services such as postal delivery, e-mail communication, marketing support, market research, data analysis, payment processing, data storage and backup, payroll and other administrative and HR functions. They have access to personal information needed to deliver the service, but may not use this personal information for other purposes.
What are my rights?
Under data protection legislation applying from May 25 2018, you have the rights listed below. Get in touch as described in the ‘Contact and further information’ section if you wish to exercise any of your rights. We will respond within one month, though in some circumstances we may need to extend the time for a full response for a further two months. You will not usually need to pay us for making the request.
For further, independent information and detail about your rights, see https://ico.org.uk/for-the-public/
The right to be informed – we inform you through this privacy statement and through other privacy-related communications, whether you interact with us in person, by telephone, by e-mail, online or using other channels.
The right of access – you have the right to ask us for confirmation that your data is being processed and to access this data (a ‘subject access request’).
The right to rectification – you have the right to have inaccurate or incomplete personal data corrected or completed.
The right to erasure – you have the right in some circumstances to ask us to erase your personal data (the ‘right to be forgotten’). Sometimes, this right may not apply, for example when the personal data needs to be retained for insurance purposes, or in relation to legal claims.
The right to restrict processing – you have the right to ask us to limit how we collect and use your personal data, for example, to stop us deleting data that you might need in relation to a legal claim.
The right to data portability – you have the right in some circumstances to be given your personal data in a structured, commonly used and machine readable form. This only applies to personal data you have given directly to us, where processing is carried out by automated means, and where the personal data is being processed based on your consent or in relation to a contract.
The right to object – you have the right in some circumstances to object to processing of your personal data. This includes your right to object to: processing that we justify as being based on our legitimate interests; direct marketing; and processing of personal data for research and statistical purposes.
Rights in relation to automated decision making and profiling – OCWA has not identified any processing of personal data that currently involves solely automated decision-making or profiling.
Security and measures to protect personal data, including secure disposal
We maintain appropriate levels of security in relation to the collection, storage and disclosure of your personal data and confidential information. Information is stored securely by OCWA in electronic files and databases on servers at our offices, off-site locations and in the cloud. We also store information in paper files and records.
We have security measures in place to protect against the loss, misuse and alteration of personal data under our control. These include: limiting access to personal information to authorised individuals; encrypting information; protecting systems, drives, folders and files by password; physical security measures; and regular backups of information to protect against ransomware and systems failure.
While we cannot guarantee that loss, misuse or alteration of data will not occur while it is under our control, we take appropriate measures to try to prevent this.
Any sensitive or special categories of data collected and used by OCWA are only shared on a need-to-know basis. In the course of providing our advice services, we may collect certain categories of sensitive data, including details of race; ethnic origin; politics; religion; trade union membership; genetics; biometrics (where used for ID purposes); health; sex life; and sexual orientation. Such processing typically relates to our legitimate interests as an advice provider, employer and in some limited circumstances, enables us to comply with our duty of care to people who contribute to our work on a voluntary basis. In some situations, we will process such data with your consent, for example when providing it to third party organisations in connection with your advice and support needs.
Debit or Credit Card Payments
If you use your credit or debit card to donate to us, or pay online or over the phone, we will ensure that this is done securely and in accordance with the Payment Card Industry Data Security Standard. Find out more information about PCI DSS standards by visiting their website at www.pcisecuritystandards.org
Only those staff authorised to process payments will have access to card details. Once your transaction is completed, we do not store your full credit or debit card details.
We hold bank account details for the purpose of collecting direct debits in accordance with direct debit mandate rules.
Where your information is no longer required we will ensure that it is disposed of in a secure manner (e.g. physical destruction such as shredding and electronic deletion of information stored electronically).
How can I complain?
We want to improve the ways in which we work. Please tell us if something has gone wrong or not happened as it should. We will try to put things right if we can. We also want to take every opportunity to learn from your comments and feedback, both positive and negative. There is a feedback/complaints box in our office for general feedback or complaints.
If you wish to make a formal complaint you will find our Complaints Procedure form in our office, and on our website. Alternatively you can email sdarby@oxfordshirewelfarerights.org.uk.
You have the right to lodge a complaint with the Information Commissioner’s Office. For more information, visit https://ico.org.uk/
How can I complain?
We want to improve the ways in which we work. Please tell us if something has gone wrong or not happened as it should. We will try to put things right if we can. We also want to take every opportunity to learn from your comments and feedback, both positive and negative. There is a feedback/complaints box in our office for general feedback or complaints.
If you wish to make a formal complaint you will find our Complaints Procedure form in our office, and on our website. Alternatively you can email sdarby@oxfordshirewelfarerights.org.uk.
You have the right to lodge a complaint with the Information Commissioner’s Office. For more information, visit https://ico.org.uk/
What about personal date transferred to other countries?
OCWA makes use of cloud-based services where personal data is not transferred outside the EEA.
We use cloud-based client and case management services where data is stored in secure data centres within the UK or other EEA countries.
OCWA also makes use of cloud-based services where personal data may be transferred outside the European Economic Area (EEA). For Office 365, Monkey Survey for example, this involves transfers to the United States of America. More information can be found on the European Commission’s website. We only use data processors that are part of the Privacy Shield framework. These data processors may provide us with the following services:
Calendar and appointment management
Electronic survey and online form processing services
Event management services
File backup and storage
E-mail services
Website management and hosting
Online platforms for processing payments and donations