Personal Data Management Policy
11th May, 2018
This document is the Policy Statement on data protection and management for Charlie’s Gift, registered charity 1154056.
This document sets out for grant applicants and the public, the approach, standards and detail of how the Trustees of Charlie’s Gift will manage any personal data shared with the charity by those seeking grants in line with the charities charitable objectives.
As a small, volunteer run charity, we are pleased to confirm that we do not run active electronic promotions or seek to market or capitalise on the value of your personal data in any way. Our purposes for holding personal data are purely for:
- Understanding grant applications
- Assessing the expressed needs against our stated charitable objectives
- Administration of grant payments
- Demonstrating for audit purposes that we have made grants
- Ensuring that we comply with our stated charitable objectives, and
- Ensuring we comply with our own grant making rules and protocols
We will not release your data to any other organisation unless you have given express consent for our sharing of that data, or unless compelled to do so.
We do operate a FaceBook page to promote the Charity’s grant making and fund raising activities. Members of the Public are able to “follow” that page. The page is subject to the normal FaceBook rules for data and “followers” need to understand the purposes for which FaceBook may use their data, which is separate from Charlie’s Gift’s use of your data.
As Trustees, we also utilise email (Yahoo; Gmail and a work email server owned and operated by one of our Trustees) and Whatsapp to ensure our process for grant making is as quick and efficient as possible for our geographically disparate Trustees. Images of grant applications are shared by way of these systems, to Trustees’ personal, password and biometric protected Apple iOS devices, which all of our Trustees use. Our hard copy records are kept in a secure filing cabinet at the Charity’s registered address, which is also the private home of our founders.
We have used the Information Commissioner’s Office publication “Preparing for the Genera Data Protection Regulation – 12 steps to take now” in preparing this Policy.
The Trustees consider that this policy document demonstrates Charlie’s Gift’s compliance with the General Data Protection Regulations 2018, in force from 25th May 2018.
Information we hold
Our grant application forms request the following personal data from applicants:
- Post code
- Date of birth
- Phone Number
- Email Addresses
- Bank account details
- Child’s name
- Details of the reason for the grant application, which may include high level medical or educational information about the child
We hold the data contained in grant application forms (whether successful or not) for a period of 5 years. This is so as we can comply with Charities Commission advice and have an auditable record of grants made and declined and can check on the number of times any particular grant applicant has approach Charlie’s Gift for funds, in accordance with our charitable purposes and governing documentation.
Sources of Personal Information
All personal information shared with us and which we hold has been shared by family members and guardians who are seeking financial grants on behalf of their children/ wards. Bank account details are typically for the family member, or establishment seeking the grant, rather than the child themselves.
Our FaceBook page identifies “followers” by way of their email address and FaceBook ID. We do not analyse or process this information, simply updating our FaceBook page and allowing the FaceBook systems to operate and share our updates.
We have no other sources of personal data and do not actively seek out such sources.
Who we Share Data with
We will only share personal data with:
- Trustees of the Charity
- The Charities Commission (if requested in writing)
- Our auditors
- An entity capable (with legal authority to do so) of compelling the production of such personal data. In such a circumstance, we will alert you to the request, unless compelled not do so.
Communicating Privacy Information
Charlie’s Gift is a small Hertfordshire based registered charity (1154056) that undertakes fund raising in order to make financial grants to children in Hertfordshire, Bedfordshire and Buckinghamshire who are deprived by way of family bereavement; ill-health, educational needs or poverty.
Our Trustees are:
- Jason Fidler
- Nicole Fidler
- David Hawes [Secretary]
- Kirsty Hawes
- Rebecca McClelland
- Kyle McClelland [Chair of Trustees and nominated Data Protection Officer]
We consider we have the following lawful bases for holding and processing personal data:
- All personal information is volunteered and consent given for us to hold that information
- We consider that a contract for us as Trustees to review a grant application is formed. This does not mean a grant can or will be made, just that we will review the application and consider the request made
- Legal Obligation
- As a registered Charity, we have a statutory obligation to demonstrate to the Charities Commission and our auditors that the Charity is being run appropriately and is achieving its charitable objectives
- Further we have to be able to evaluate and ascertain that grant applications meet our charitable objectives and purposes
- Legitimate Interests
- We believe that applicants would reasonably conclude that the information requested was necessary for us to fulfil our role as Trustees and administer the grant making process
We have amended our grant forms to clearly reflect that any such grant application, once signed, is giving consent to Charlie’s Gift to hold and process the contained personal information. We have also included a codicil identifying our data retention periods and that the applicant has a right to complain to the Information Commissioner’s Office, should they believe there is a problem with the way we have handled their data.
Rights of Individuals
As a small, volunteer run charity, we use our reasonable endeavours to respect the following rights for individuals:
How we seek to recognise that right
To be informed of the data we hold
All personal data we hold is provided by applicants, themselves.
To have access to the data we hold on them
Any historic grant applicant can apply to the Charity’s Secretary or Chair for a copy of the information we hold.
To be able to seek rectification of any erroneous information we hold on them
Any error in data should be advised to the Secretary or Chair of the Charity and will be corrected by the Trustees.
To be able to request that we erase their data.
Any such request should be made to the Secretary or Chair of the Charity. However, we would need to maintain a record of the name (only) of any individual seeking to exert this right, so as we can continue to demonstrate compliance with our governance arrangements
To be able to restrict processing of their data
Any such request should be made to the Secretary or Chair of the Charity.
To be able to have the data we hold on them, made “portable”
Most grant applications are hand written by the applicant. Typically we scan to pdf and jpg files. Any such request should be made to the Secretary or Chair of the Charity.
To be able to object to our holding of such information
Any such request should be made to the Secretary or Chair of the Charity.
To not be subject to automated decision-making, including profiling
We do not operate any such systems.
The Chair of the Trustees and Data Protection Officer is contactable at: firstname.lastname@example.org.
The Charity Secretary is contactable as email@example.com
The Charity generically, is contactable at firstname.lastname@example.org
Subject Access Requests
We are a volunteer run charity, but recognise and acknowledge the one-month response period for information access requests.
We note that we are able to refuse or charge for requests we consider to be manifestly unfounded or excessive and that, should we refuse such a request, we must inform the individual promptly as to the reasons why we have rejected and inform them at the same time that they may complain to the Information Commissioner’s Office or pursue a judicial remedy.
As a small, volunteer run charity, we are reliant on systems provided by major IT and communications hardware, software and service providers.
We do not provide Trustees with mobile phones or IT, encouraging them to use their own for the Charity’s purposes. Our Trustees all use Apple iOS devices with password and/ or biometric protection deployed. Further we use WhatsApp, which is end to end encrypted. Were there to be a data breach of one of our major hardware, software or service providers, then we would be alerted by that provider and would then consider what actions to take to remedy the breach, with our service provider.
Any complaints or concerns about how Charlie’s Gift manages personal data, should be raised with the Chair/ Data Protection Officer:
If a complaint is either rejected or not satisfactorily responded to within one calendar month, then referral should be made to:
The Information Commissioner’s Office