THE HELEN FOUNDATION
- Personal Information
- The Eight Data Protection Principles
- Collecting Personal Information
- Using Personal Information
- Protecting Personal Information
- The internet and your use of the THF Website
- External Links
- Your rights with respect to your Personal Information
- Further Information
1.2 By accepting our Website Terms or by visiting our website: thehelenfoundation.org.uk (the “THF Website”), you are accepting and consenting to the practices and procedures described in this Policy.
1.3 The THF Website is brought to you by the Foundation, which believes it is important to protect your personal information and data (namely your ‘Personal Data’ as defined in both the DPA 1998 and the GDPR) (“Personal Information”), and we are committed to protecting your privacy. Among other things, this Policy explains how we may collect and/or use Personal Information. It also explains the security measures we take to protect your Personal Information, and tells you certain things we will do and not do.
1.4 When we first obtain Personal Information from you, we will give you the opportunity to tell us if you do or do not want to receive information from us about the Foundation and its charitable work or other related activities or events. You may change your mind at any time by emailing us at the address referred to below.
2.1 Personal Information is any information and/or data that relates to a living individual who can be identified from such information and/or data. This includes any expression of opinion about an individual and intentions towards an individual. It also applies to Personal Information held visually in photographs or video clips or as sound recordings.
2.2 The type of Personal Information that we collect and process (or may in the future collect and process) depends on our relationship with you, and the context in which we obtain and use it.
2.3 The Foundation collects relevant Personal Information, including:
- the names and email addresses of persons requesting our email newsletter or other relevant circulars / correspondence;
- the names and addresses and other relevant details of our trustees (“Trustees”) and other volunteers, including (where applicable) for the purposes of commissioning any required Criminal Records Bureau (“CRB”) and/or Disclosure and Barring Service (“DBS”) checks with the appropriate public bodies;
- the names, addresses and other relevant details of our patrons (“Patrons”);
- the names, addresses and other relevant details of schools, artists, other charities, other Arts-related organizations or other persons with whom we do or intend to work in partnership;
- the names, addresses and ages of applicants requesting support, grants or bursaries etc from the Foundation (and, as applicable, other relevant details in support of such applications, including as to their relevant family and/or financial background and/or current circumstances);
- the names, addresses and any other relevant details of teachers (or other relevant individuals) who are acting in support of such applications; and
- the names, addresses (or the school attended) and ages of the winners of our relevant ‘Best Endeavour in the Arts’ prizes and any other relevant prizes that the Foundation may offer in connection with the Arts from time to time.
2.4 In addition, we may be required by law to collect and use certain types of information to comply with statutory obligations of relevant local authorities, government agencies and other public bodies.
- The Eight Data Protection Principles
The DPA 1998 and (following its introduction on 25 May 2018) the GDPR are based on eight data protection principles, or rules for ‘good information handling’.
3.1 Data (including Personal Information) must be processed fairly and lawfully.
3.2 Personal Information shall be obtained only for one or more specific and lawful purposes.
3.3 Personal Information shall be adequate, relevant and not excessive in relation to the purpose(s) for which it is processed.
3.4 Personal Information shall be accurate and, where necessary, kept up to date.
3.5 Personal Information processed for any purpose(s) shall not be kept for longer than is necessary for that purpose.
3.6 Personal Information shall be processed in accordance with the rights of data subjects under the GDPR.
3.7 Appropriate technical and organizational measures shall be taken against unauthorized or unlawful processing of Personal Information, and against accidental loss or destruction of, or damage to, Personal Information. Personal Information must be held securely, e.g. by secure servers and/or encryption.
3.8 An individual has the right to view and/or amend Personal Information held by an organization and to require that any such information and/or data be destroyed or deleted, as applicable. Namely, the ‘right to be forgotten’.
4.1 Accordingly, the Foundation must:
(a) manage and process Personal Information properly;
(b) protect the individual’s right to privacy; and
(c) if requested to do so, provide an individual with access to all Personal Information held by the Foundation on them at the relevant time.
4.2 The Foundation has a legal responsibility to comply with the DPA 1998 and (following its introduction on 25 May 2018) the GDPR, and other applicable laws on privacy and data protection from time to time in force.
4.3 The Foundation, as a relevant organization, is generally treated as being a ‘Data Controller’ under the DPA 1998 and (following its introduction on 25 May 2018) the GDPR. However, based on the outcome of certain checks carried out by the Trustees on behalf of the Foundation on or around 1 May 2018 (including the ‘Registration self-assessment’ tool on the ICO Website, as defined below), the Foundation is currently an exempt not-for-profit organization and, as at the date of this Policy, does not currently need to register as a Data Controller with the ICO. Notwithstanding the foregoing, the Foundation and its Trustees will monitor this situation periodically to seek to ensure the Foundation maintains its compliance with applicable legal requirements, and (if thought fit) may also decide to make a voluntary registration of the Foundation as a Data Controller with the ICO. As at the date of this Policy, however, the Foundation is not registered with the ICO as a Data Controller. Data Controllers are people or organizations that hold and use Personal Information. They decide how and why the information is used and have a responsibility to establish workplace practices and policies that are in line with the GDPR. In addition, Data Controllers are responsible for ensuring that when they process Personal Information they comply with European Union and United Kingdom data protection law.
4.3 If in future the Foundation is required by applicable law to notify the ICO of the processing of Personal Information and formally register as a Data Controller, or if (notwithstanding its current exempt not-for-profit organization status) the Foundation decides to make a voluntary registration, any such notification will be included in a public register which is available on the ICO’s website, which as at the date of this Policy is at the following link: www.ico.gov.uk (the “ICO Website”).
4.4 Every Trustee that holds Personal Information has to comply with the DPA 1998 and (following its introduction on 25 May 2018) the GDPR when managing that data and information.
4.5 The Foundation is committed to maintaining the eight data protection principles at all times. This means that we will:
(a) inform our data subjects why we need their Personal Information, how we will use it and with whom it may be shared;
(b) check the quality and accuracy of the Personal Information held;
(c) apply appropriate records management policies and procedures to ensure that Personal Information is not held longer than is necessary;
(d) ensure that when Personal Information is authorised for disposal (or deletion, as applicable) it is done appropriately;
(e) ensure appropriate security measures are in place to safeguard Personal Information whether that is held in paper files or on a computer system;
(f) only share Personal Information with others when it is necessary, agreed by the individual to whom it is relevant and legally appropriate to do so;
(g) set out clear procedures for responding to requests for access to Personal Information; and
(h) inform our Trustees so that they are aware of their responsibilities.
4.5 As mentioned above, this Policy may be updated in future to the extent necessary to reflect guidance and best practice from the ICO and/or the Charity Commission, or amendments made to the DPA 1998, the GDPR, or other applicable law. Such Policy updates may be effected (via publication on the THF Website) without any notice being provided to you. You confirm that we shall not be liable to you or any third party for any change to this Policy from time to time. It is your responsibility to check our THF Website regularly to determine whether this Policy has changed, and if so what the effect of any such changes on you (or those that you are legally responsible for, e.g. any children) may be.
4.6 The ICO Website (link above) provides further detailed guidance on a range of topics including individuals’ rights, exemptions from the GDPR, dealing with subject access requests, and how to handle requests from third parties for Personal Information to be disclosed etc.
4.7 For help or advice on any data protection, privacy or freedom of information issues relating to the Foundation and/or its interaction with you (or as applicable, relevant members of your family, e.g. your children), please do not hesitate to contact our nominated Data Protection Officer. As at the date of this Policy such Data Protection Officer is Mr. Roger Kirk, the Foundation’s Chairman and one of its founding Trustees, whose contact details are set out below.
- Collecting Personal Information
5.1 Receiving the THF e-newsletter
We collect Personal Information about you when you agree to subscribe to our e-newsletter. This comprises your first and last name and your email address.
5.2 Applying for a bursary or other grant
In order to proceed with a bursary or other grant application, we collect Personal Information about you (and, as applicable, other relevant members of your family and your relevant referee) if you make an application. Such Personal Information includes all the information and/or data required on the application form and any further relevant information and/or data that you disclose to us by email, telephone or in direct conversation.
5.3 Receiving a ‘Best Endeavours in the Art’ (or other) prize
We collect certain relevant Personal Information if you win a ‘Best Endeavours in the Art’ prize from the Foundation, or other relevant prize. Such Personal Information typically includes your name, your age, the school you attend and the reason(s) why the school has determined that you should win such a prize or other commendation in respect of your efforts in, achievements and/or enjoyment of the Arts.
5.4 Other sources of Personal Information
Other sources from which we may collect Personal Information about you include:
- when we meet you in person;
- when you contact us with an enquiry or in response to a communication from us, in which case, this may tell us something about how you wish to interact with the Foundation and/or become involved with its activities and/or its potential services etc.;
- via any third parties who may pass Personal Information to us to use in the course of our charitable objectives and charity work;
- from documents that are available to the public, such as the electoral register, Companies House, the Charity Commission, HM Land Registry, etc.;
- from any third parties to whom you have provided Personal Information with your consent to pass it on to other organizations or persons;
- our information technology systems; and
- automated monitoring of our THF Website and any other technical systems, such as our computer networks and connections, email, voicemail and answerphone.
When you provide Personal Information to us relating to a third party you confirm that you have any necessary permission or authority to do so. You are also responsible for ensuring the provision of that Personal Information complies with data protection, privacy and other applicable law. In personal matters you may be providing other third party data to us, for example of your relevant family members. You must ensure that you have the authority to disclose Personal Information if it relates to someone else and all such information and/or data provided should be complete, accurate, up to date and not misleading.
- Personal Information of children
If your contact and involvement with the Foundation and/or its Trustees or other representatives involves children then these children must be represented by their parents or legal guardians. In these circumstances we will explain to the parent or legal guardian why we will need Personal Information relating to the relevant child (or children, as the case may be) and how it will be used, both when we first collect the relevant Personal Information and as the particular matter progresses.
If you are aged under 18, please make sure that you obtain your parent or legal guardian’s permission beforehand whenever you intend to provide Personal Information to us, whether via the THF Website or otherwise. Users without this consent are not allowed to provide us with any of their Personal Information. Also, if you do use this THF Website for information about fundraising, campaigning or supporting the work of the Foundation please let an adult know. We consider the safety and wellbeing of children and other vulnerable people to be paramount and more details can be found in our Child Protection Policy.
- Using Personal Information
6.1 Under data protection and privacy law, we can only use your Personal Information if we have a proper reason for doing so, for example:
(a) to comply with our legal and regulatory requirements;
(b) for our legitimate interests, or those of a relevant third party;
(c) for the performance of our relevant commitments, obligations or contracts with you, or to take steps at your request before entering into any such arrangement; or
(d) you have given us your consent.
A ‘legitimate interest’ is when we have a charitable, business or commercial reason to use your Personal Information, provided this is not overridden by your own rights and interests. We will seek to ensure we consider and balance any potential impact on you (both positive and negative) and your rights before we process your Personal Information for our legitimate interests. We do not use your Personal Information for activities where our interests are overridden by the impact on you (unless you have given us your consent to do so, or we are otherwise required or permitted to do so by applicable law).
6.2 Personal Information about our Trustees, Patrons, volunteers, supporters, charity partners, beneficiaries and potential beneficiaries (together “Relevant Persons”) is an important part of our work (and our charitable objectives) and we shall only use your Personal Information for the purposes we collected it, and shall not keep such Personal Information longer than is necessary to fulfil such purposes. In general terms, the reasons why we will collect Personal Information are:
(a) to help us to identify you when you contact us;
(b) to help us conduct checks to identify our proposed beneficiaries and verify their identity (including any required financial screening) and their potential entitlement for support under the Foundation’s trust deed;
(c) to help us to administer our communications with you now or in the future;
(d) to help us conduct our charitable works, services and objectives;
(e) to help us gather and provide information required by or relating to audits, enquiries or investigations by relevant regulatory bodies;
(f) to help us ensure our policies and procedures (including this Policy) are adhered to;
(g) to help us seek to ensure the confidentiality of any sensitive personal information or any commercially sensitive information;
(h) to help us improve our charitable work, and the charitable works and/or services we can offer;
(i) to help us with any other processing necessary to comply with professional, charitable, legal and regulatory obligations; and
(j) to help to prevent and detect fraud, bribery or corruption.
6.3 As mentioned above, we will only use your Personal Information for the purpose we collected it, unless we reasonably consider we need to use it for another reason and that reason is incompatible with the original purpose. If we need to use your Personal Information for an unrelated purpose we will notify you as soon as reasonably practicable and explain the legal basis which allows us to do so.
6.4 We may monitor and record communications with you (including phone conversations and emails) for quality assurance and compliance.
6.5 We will not disclose your Personal Information to any third party except in accordance with this Policy.
6.6 We may allow other people and organizations to use Personal Information we hold about you in the following circumstances:
(a) if we, or substantially all of our assets, are acquired or are in the process of being acquired by a third party (e.g. another charity), in which case Personal Information held by us, about our Relevant Persons, may well be one of the transferred assets; or
(b) if we have been legitimately asked to provide information for legal or regulatory purposes or as part of legal proceedings or prospective legal proceedings etc.
6.7 We will retain successful bursary applicants’ Personal Information for up to 7 (seven) years, after which it will be destroyed unless you inform us that you wish the Foundation to retain it in The Helen Foundation’s archive for historic purposes. Unsuccessful applicants will have any Personal Information that has been provided to us in connection with a relevant application destroyed or deleted as soon as reasonably practicable after we have confirmed that the application in question has been unsuccessful, and provided there is no right of challenge or appeal against any such refusal decision.
6.8 When it is no longer necessary to retain your Personal Information we will destroy, delete or anonymise it. In some circumstances, we may anonymise your Personal Information (so it can no longer be associated with you personally) for research or statistical purposes, in which case we may use this information indefinitely without further notice to you.
6.9 To help determine the appropriate retention period for Personal Information, we will consider the amount, nature and sensitivity of the relevant Personal Information, the potential risk of harm from any unauthorized use or disclosure of it, the purposes for which we process your Personal Information and whether we can achieve these purposes through other means, and the applicable legal requirements.
6.10 In some circumstances you can ask us to delete your Personal Information, as set out further below.
6.11 We may process your Personal Information without your knowledge or consent, in compliance with the above rules, where this is required or permitted by applicable law.
- Protecting Personal Information
7.1 Keeping information and data secure is a key part of data protection compliance. We have strict security measures in place to help us protect Personal Information, and to help us prevent your Personal Information from being accidentally lost, used or accessed in any unauthorized way, altered or disclosed. Also, we limit access to your Personal Information to only those of our Trustees, volunteers, advisers, agents, contractors or other third parties who have a legitimate need to know it in connection with the charitable objectives and work of the Foundation, and they are made aware of the duty of confidentiality attaching to all such Personal Information and of the need to properly protect it.
7.2 We maintain physical, electronic and procedural safeguards in connection with the collection, storage and disclosure of Personal Information.
7.3 Personal Information may be held at our offices, and those of our Trustees, our third party advisers, service providers, representatives and agents.
7.4 We may also hold your Personal Information in secure data centres whether in the United Kingdom or elsewhere in the world, with all reasonable technological and operational measures put in place to safeguard it from unauthorized access.
7.5 Some of the third parties referred to above may be based outside the European Economic Area (“EEA”).
- The internet and your use of the THF Website
8.1 If you communicate with us using the internet, we may occasionally email you about our services and products.
8.2 When you first give us Personal Information through the THF Website, we will normally give you the opportunity to say whether you would prefer us not to contact you by email. You can also always send us an email (at the address set out below) at any time if you change your mind.
8.3 Please remember that communications over the internet, such as emails and webmails (i.e. messages sent through a website), are not secure unless they have been encrypted. Your communications may go through a number of countries before they are delivered. This is the nature of the internet. We cannot accept responsibility for any unauthorized access or loss of Personal Information that is beyond our control.
8.4 The THF Website – information on visitors
8.5 What is a Cookie?
When you enter a website your computer will automatically be issued with a Cookie. Cookies are text files which identify your computer to our server. Cookies in themselves do not identify the individual user, just the computer used. These days most sites do this whenever a user visits their site, in order to track traffic flows. Cookies themselves only record which areas of the site have been visited by the computer in question, and for how long. Users have the opportunity to set their computers to accept all Cookies, to notify them when a Cookie is issued, or not to receive Cookies at any time, although this of course means that certain personalised services cannot then be provided to that user. Even assuming you have not set your computer to reject Cookies, you can browse our site anonymously until such time as you register for our services.
8.6 Our information
The information contained in this THF Website is supplied by the Foundation for individuals seeking to find out more about the work we do, and how to get involved. While we try hard to ensure the accuracy of the information, neither the editors, nor the Trustees nor the Foundation can be held responsible for the consequences of any actions arising from the use of information gained from this THF Website.
- External Links
9.1 The THF Website and our e-newsletters may include links to third party websites e.g. those of other charities, schools, companies, organizations or relevant agencies (such as the ICO Website, as mentioned above). We do not knowingly provide any personally identifiable Personal Information relating to Relevant Persons to any such third party websites. We accordingly require you to accept full responsibility for the consequences of clicking on these external links and exclude all liability for loss or damage (including any damage or corruption of data) that you may suffer or incur when using these third party websites.
- Your rights with respect to your Personal Information
10.1 Subject access is one of the main rights of the DPA 1998 and (following its introduction on 25 May 2018) the GDPR. It gives people the right to access their Personal Information and also the following key rights: the right to be informed; the right to rectification; the right to erasure (i.e. to be forgotten); the right to restrict data processing; the right to data portability; the right to object; and the right not to be subject to automated decision-making (including profiling).
10.2 This means that you are entitled at any time to ask the Foundation to provide you with a copy of any Personal Information that it may hold about you. This is known as a ‘subject access request’. You are also entitled to ask that any Personal Information that we hold about you is supplemented, updated or rectified. You can now make any of these requests free of charge, by contacting us. Please see the contact information section below.
10.3 In some circumstances you can also ask us to restrict our processing of your Personal Information, e.g. if you contest the accuracy of it. In such a case, we will review your request and will let you know if we decide we are not required to act on it. If you do require us to restrict or stop processing your Personal Information in any way, this may impact our ability to provide further contact or charitable works or services to you.
10.4 If you send us a subject access request, we will reply in writing within one (1) month. In our reply, we will confirm whether or not we hold the relevant Personal Information and either provide you with such information requested or explain why in our view it is not being provided, or required to be provided. In the event that you send us a subject access request which is manifestly unfounded and/or excessive we reserve the right to refuse it and/or to charge you a relevant fee for dealing with it.
10.5 For further information on the above mentioned rights, including the circumstances in which they may apply, please contact us or see the Guidance from the ICO on individuals’ rights under the DPA 1998 and (following its introduction on 25 May 2018) the GDPR.
10.6 To submit a subject access request to the Foundation, please make your request in writing to our Data Protection Officer (Mr. Roger Kirk) using the contact details below in section 11.1, either by post or by email.
10.7 If submitting a subject data access request to us, please note that you will need to supply proof of your identity. Identification examples include:
- for your identity, a photocopy of the identification pages of your current passport and/or a photocopy of a current photo driving licence; and
- for your current address, a copy of a recent current utilities bill, or credit card or bank statement.
This identification information will be returned to you if requested; otherwise it will be securely destroyed once we no longer need it. In addition, it would be helpful if you can give us any information to help narrow the search, such as specific Personal Information you are looking for, or which part of the Foundation (and/or which of our Trustees) you have previously had contact with.
- Further Information
11.1 If you would like any more information or you have any comments about this Policy, please either write to us at the following address:
The Helen Foundation
or email us at: “firstname.lastname@example.org”.
11.2 You can ask us for a copy of this Policy and of any subsequent amendments to it from time to time by writing to us at the address (or email address) set out above.
11.3 This Policy applies to Personal Information we hold about individuals. It does not apply to information we hold about companies and other organizations.
11.4 If you would like to receive a copy of the Personal Information that we hold about you (or, if applicable, any children for whom you are the relevant parent or legal guardian), you can do this by writing to us at the address (or email address) set out above.
11.5 We aim to keep the Personal Information that we hold about you complete, accurate and up to date. If you tell us that we are holding any inaccurate Personal Information about you, we will delete it or correct it as soon as reasonably practicable. If you do wish to update any of the Personal Information that you have previously provided to us, you can do this by writing to us at the address (or email address) set out above.
11.6 We hope that we can promptly, and amicably, resolve any query or complaint you may wish to raise with us about our use of your Personal Information. However, if you wish to complain about how we handle your Personal Information, please contact our Data Protection Officer providing full details of the nature of the complaint. We will then investigate your complaint but if you are not satisfied with our response and/or believe we are processing your Personal Information unlawfully, you can complain to the ICO. Further information is provided on the ICO Website, or by telephone on (+44) 0303 123 1113.
11.7 The EU General Data Protection Regulation also gives you the right to lodge a complaint with a supervisory authority, in particular in the European Union (or EEA) State where you work, normally live or where any alleged infringement of data protection laws occurred. The supervisory authority in the United Kingdom is the ICO.