Our Privacy Statement
Purpose of the business and our privacy statement
We are a not for profit organisation which provides education, training and support to children, young people and adults. ACE delivers education, projects and initiatives that offer opportunities to improve their life chances and enable them to take their place in society.
This privacy statement provides guidance and information in relation to the processing of personal data. We are regulated by the EU General Data Protection Regulation which is effective from 25th May 2018.
‘Personal Data’ for the purposes of the Regulation, means any information from which a person can be identified; i.e. name, e-mail address, home address and telephone number.
‘The Business’ is defined as Action Community Enterprises CIC (ACE).
This statement describes how we process in the lawful and relevant activities of the business.
The Business is committed to protecting the privacy of all contacts. We will endeavour to ensure that all information provided by you and held by The Business is kept private and confidential and will only be used in order that The Business can provide the services requested by an individual.
1.USES & DISCLOSURE OF PERSONAL INFORMATION
The Business will only share details of data internally (within The Business) and among its Employees and appointed representatives. We may also need to share your data our delivery partners for example, we may share data with referral agencies or funders when you authorise us to do so. Where this is deemed necessary explicit consent will be requested from you prior to the release of any data we hold.
When we process personal data about you, we do so with your consent and/or as necessary to provide the products you use, operate our business, meet our contractual and legal obligations, protect the security of our systems and our customers, or fulfil other legitimate interests. People we collect data on are known as ‘Data Subjects’.
If you engage with our services, we will process your personal data on the basis set out below as it is in our legitimate interests to do so following your contact with us.
If you are an employee of The Business data is captured and stored in accordance with the requirements of the standard practices of The Business, HR law and HMRC requirements. It is subject to the same rights and protocols as external data subjects.
Personal data will not be transferred to a third country or international organisation.
Personal information will only be held for as long as necessary to comply with legal obligations and the data sets will be individually assessed against specific legal bases defined as:
(a) Consent: you have given clear consent for us to process your personal data for a specific purpose.
(b) Contract: the processing is necessary for a contract we have with you, or because you have asked us to take specific steps before entering into a contract.
(c) Legal obligation: the processing is necessary for us to comply with the law (not including contractual obligations).
(d) Vital interests: the processing is necessary to protect someone’s life.
(e) Public task: the processing is necessary for us to perform a task in the public interest or for our official functions, and the task or function has a clear basis in law.
(f) Legitimate interests: the processing is necessary for our legitimate interests or the legitimate interests of a third party unless there is a good reason to protect your personal data which overrides those legitimate interests.
You must inform us of any changes to personal information so that the Business can keep data up to date.
We collect for two basic purposes: to operate our business and provide the services we offer, and to send relevant and appropriate communications, and we also obtain data from third parties you have engaged with for services.
Communications. We use data we collect to communicate with you and personalise our communications with you. For example, we may contact you by phone or email or other means to complete our applicant processes or inform /update you about an opportunity/offer.
Social media. The business promotes the business and its activities through our website and the use of social media platforms (currently Facebook, Twitter and LinkedIn). This may be a generic picture to denote organisational services, as a news item or to highlight a positive outcome for one of our participants. Where posting will identify an individual, we will seek explicit consent for this purpose and the data/graphics will be stored in accordance with the security information contained in this privacy statement.
Business Operations. We use data to develop aggregate analysis and business intelligence that enable us to operate, protect, make informed decisions and report on the performance of our business.
Data Retention. We retain data for as long as necessary to provide the services and fulfil the transactions you have requested, or for other essential purposes such as complying with our legal obligations, resolving disputes and enforcing our agreements. Because these needs can vary for different data types in the context of different products, actual retention periods can vary significantly.
The criteria used to determine the retention periods include:
- How long is the personal data needed to provide the services and operate our business? This includes such things as maintaining and improving the performance of those services, keeping our systems secure and maintaining appropriate business and financial records. This is the general rule that establishes the baseline for most data retention periods.
- Is the personal data of a sensitive type? If so, a shortened retention time would generally be appropriate.
- Have you provided consent for an extended retention period? If so, we will retain data in accordance with your consent.
- Are we subject to a legal, contractual or similar obligation to retain the data? Examples can include mandatory data retention for audit, government orders to preserve data relevant to an investigation or data that must be retained for the purposes of litigation.
Finally, we will access, transfer, disclose and preserve personal data, including your online content (such as the content of your emails) when we have a good faith belief that doing so is necessary to:
- Comply with applicable law or respond to valid legal process, including from law enforcement or other government agencies.
- Protect our customers, for example to prevent spam or attempts to defraud, or to help prevent the loss of life or serious injury of anyone.
- Operate and maintain the security of our services, including to prevent or stop an attack on our computer systems or networks.
- Protect the rights or property of the business, including enforcing the terms governing the use of the services
We share your personal data with your consent as necessary to complete our business processes or provide any information you have requested. We will ask you to give consent (opt in) as part of our standard business practice at the outset of our business relationship.
GDPR requires personal data to be processed in a manner that ensures its security. This includes protection against unauthorised or unlawful processing and against accidental loss, destruction or damage.
The Business will take the necessary steps to protect personal data and will only store information securely in accordance with the data protection and privacy and electronic communications guidance for the type of data held.
We are committed to protecting the security of your personal data. We use a variety of security technologies and procedures to help protect your personal data from unauthorised access, use or disclosure. For example, we store the personal data you provide on computer systems that have limited access and are in controlled facilities. When we transmit highly confidential data over the Internet, we protect it through the use of encryption or passwords.
- YOUR RIGHTS
Anyone has the right to find out what data the Business holds about them and request to have it amended, restricted or erased if applicable. In certain circumstances we can refuse the right and, where this is applicable, will be detailed in our response.
Your rights include
- The right to be informed of information we hold, why we hold it and how we use it.
- The right of access to that information
- The right to rectification of incorrect data.
- The right to erase data (also known as the right to be forgotten).
- The right to restrict processing of your personal data.
- The right to data portability, which only applies:
- To personal data an individual has provided to a controller.
- Where the processing is based on your consent or for the performance of a contract.
- When processing is carried out by automated means.
- The right to object to the use of your data.
- Rights in relation to automated decision making and profiling
5.WITHDRAWAL OF CONSENT
If the processing of personal data is based on your consent, you have a right to withdraw consent at any time for future processing and you can object to the processing of your personal data
You can withdraw consent or request a copy of information held about you. Your request may be requested verbally or in writing and we will reply within one month of your request.
Our designated Data Protection Manager is Karen Kerr contactable via email email@example.com or telephone 01603 720308.
You also have a right to lodge a complaint with a data protection authority if you’re unhappy with our response. A request for personal information is free unless the request is deemed ‘manifestly unfounded or excessive’. We reserve the right to charge a reasonable fee for multiple requests.
If you need any advice you should contact the Information Commissioner’s Office (ICO).
Telephone: 0303 123 1113
We will update this privacy statement when necessary to reflect updates and changes in our services. When we make changes to this statement, we will revise the “last updated” date at the top of the statement and highlight the changes in the document. If there are material changes to the statement or in how we will use your personal data, we will notify you either by prominently posting a notice of such changes before they take effect or by directly sending you a notification. We encourage you to periodically review this privacy statement to learn how we are protecting your information.
Our Data Protection Manager is Karen Kerr. If you would like a copy of our GDPR policy please email firstname.lastname@example.org or call 01603 720308.