Privacy Policy


In line with the Data Protection Act 2018, the UK’s implementation of the General Data Protection Regulation (GDPR), One Can Trust is required to provide a Privacy Notice.

This Privacy Notice provides details of how we collect and process personal data through use of our website, including any information provided through our site when registering for information, signing up to our newsletter, making a donation, volunteering or completing a referral form or otherwise applying for a referral.

By providing us with data, individuals warrant to us that they are over 13 years of age.

One Can Trust, including the Volunteers, Staff and Trustees, is collectively referred to as the Trust for the purposes of this Privacy Notice.

One Can Trust is the data controller and we are responsible for individuals’ personal data (referred to as “the Trust”, “we”, “us” or “our” in this Privacy Notice).

The Data Protection Officer for the Trust is Mr. Chris Wardle who oversees privacy related matters for us and is responsible for ensuring that our policies are regularly reviewed in line with the requirements of the General Data Protection Regulations.

Chris Wardle can be contacted directly by:

  • emailing
  • telephoning 01494 512 277 or
  • by writing to One Can Trust, 11B Duke Street, High Wycombe, Bucks HP13 6EE

If individuals are not happy with any aspect of how we collect and use their data, they have the right to complain to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues ( In the event of a complaint, we would prefer to be contacted first to try and resolve the complaint.

It is very important that the information we hold about individuals is accurate and up to date. We encourage individuals to let us know of any personal information changes by emailing us at:



Personal data means any information capable of identifying an individual. It does not include anonymised data. We may process certain types of personal data as follows:

  • Identity data may include: first name, last name, gender and job
  • Contact data may include: delivery address, email address and telephone
  • Financial data may include: bank account and payment card
  • Transaction data may include: details about payments and other details of purchases made by individuals.
  • Technical data may include: login data, internet protocol addresses, browser type and version, browser plug-in types and versions, time zone setting and location, operating system and platform and other technology on the devices used to access this
  • Profile data may include: username and password, purchases or orders, interests, preferences, feedback and survey
  • Usage data may include: information about how individuals use our website, products and
  • Marketing and communications: data may include preferences in receiving marketing communications from us / third parties and communication preferences.

We may also process aggregated data from personal data but this data does not reveal identity and as such, in itself, is not personal data. An example of this is where we review usage data to work out the percentage of website users using a specific feature of our site. If we link the aggregated data with personal data so that individuals can be identified, then it is treated as personal data.

Personal data includes personal details and contact information and details relating to the issue an individual, or someone acting on their behalf, wishes to raise with the Trust. Personal data may come directly from individuals, a third party acting on their behalf or from third parties such as those contacted by the Trust in relation to referrals or enquiries.

The personal data we collect from individuals or from third parties, is used by the Trust for the following purposes: 

  • the administration of a referral
  • providing, as appropriate, relevant information to third parties to assist with referrals or enquiries
  • recording of relevant data relating to a referral
  • seeking help from an individual as a volunteer or donor
  • any purpose required of the Trust in law

Certain forms of personal data are classified as special categories data under the General Data Protection Regulations and these include, but are not limited to: racial, ethnic origin, religious beliefs and health data. An example of special category data that may be used by the Trust is medical information for our staff and volunteer teams that may be needed in the event of a medical emergency. If special category data is needed in order for the Trust to assist with an enquiry, we will inform the individual as to why we need it and how it will be used.

By contacting the Trust to request assistance, individuals are giving us permission to process their personal data for the purpose of making enquiries and seeking resolution for their referral or enquiry, as set out in this Privacy Notice.

The Trust’s legitimate purpose for the processing of personal data would usually be because the data subject (or a third person able to do so in law on their behalf e.g. under a Lasting Power of Attorney) has freely given clear consent for the Trust to do so but the Trust may process personal data without explicit written consent from the data subject under the Elected Representatives condition.

However, having given consent to the Trust to use their personal data, individuals may request to withdraw consent at any time by contacting the Data Protection Officer, Mr. Chris Wardle, whose contact details are given elsewhere in this Privacy Notice.



We collect data through a variety of different methods including:

  • Direct interactions: Individuals may provide data by filling in forms on our site (or otherwise) or by communicating with us by post, phone, email or otherwise, including when they:
    • create an account on our site;
    • subscribe to our service, communications or publications;
    • request resources or marketing material to be sent to them;
    • enter a competition, prize draw, promotion or survey;
    • provide feedback;
    • create a referral form or otherwise apply for a referral;
    • apply to become a volunteer; or
    • make a
  • Automated technologies or interactions: As individuals use our website, we may automatically collect technical data regarding equipment, browsing actions and usage patterns. We collect this data by using cookies, server logs and similar We may also receive technical data if individuals visit other websites that use our cookies. Please see our cookie policy for further information.
  • Third parties or publicly available sources: We may receive personal data regarding individuals from various third parties and public sources as set out below:
  • Technical data from the following parties (non-exhaustive list):
    • WordPress, Mailchimp, Gravity Forms;
    • Analytics providers such as Google;
    • Advertising networks such as Facebook, Twitter, LinkedIn and other social media platforms;
    • Contact, financial and transaction data from providers of technical, payment and delivery services including Local Giving, Stripe and Stewardship, our donation management partners;
    • Identity and contact data from data brokers or
    • Identity and contact data from publicly availably sources such as Companies House and the Electoral

In order to provide assistance, the Trust needs to collect personal data for correspondence purposes and in the pursuance of referrals, donations, volunteering and other enquiries. We are committed to ensuring the personal data we collect and use is appropriate for this purpose.

The Trust will collect, process and store information that is provided in a manner compatible with the General Data Protection Regulations. The information that is provided will be held securely, subject to strict measures and procedures to minimise the risks of unauthorised access or disclosure and so as to not constitute an invasion of your privacy. The Trust aims not to be intrusive, and we undertake not to ask irrelevant or unnecessary questions.

For the purposes of processing and storing referrals, the Trust uses a secure referrals management system whose servers are based in the UK and therefore maintained in accordance with, and subject to, the General Data Protection Regulations.



We will only use personal data when legally permitted. The most common uses of personal data are:

Purpose / Activity Type of Data


Lawful Basis for Processing

To manage our relationships including responding to an enquiry, notifying re. changes to our terms or privacy policy, marketing and communication.

(a)   Identity

(b)   Contact details

(c)   Profile

To comply with a legal obligation, for our legitimate interests, to keep our records updated and to study how individuals and businesses use our resources and services.
Where we need to process a referral

(a)   Identity

(b)   Contact details

(c)  Dietary needs

(d)  Profile

To determine client requirements and arrange for food parcels to be correctly delivered.
Answer an enquiry

(a)   Identity

(b)   Contact

To be able to respond promptly and correctly
Respond to an offer of volunteering or recruitment of staff

(a)   Identity

(b)   Contact details

(c)   Profile

(d)   Allergies and/or medical information

To determine how and when individuals can assist us and keeping them informed of our requirements.

To ensure we are able to appropriately support volunteers / staff, manage appropriately any medical situations and inform emergency services in the event of a medical emergency.

Respond to a donation

(a)   Identity

(b)   Contact

(c)   Bank details

In order to be able to administer donations, to thank individuals and explain how the donation may be used.
Where it is necessary for our legitimate interests (or those of a third party) and individuals’ interests and fundamental rights do not override those interests.

a)      Identity

b)      Contact details

c)     Referral

d)     Profile

To comply with a legal obligation.


Where we need to comply with a legal or regulatory obligation.

a)      Identity

b)      Contact details

c)     Referral

d)     Profile


To comply with a legal obligation.

Generally, we do not rely on consent as a legal ground for processing personal data, other than in relation to sending marketing communications via email or text message. Individuals have the right to withdraw consent to marketing at any time by emailing us at:

The Trust may use personal data for analysis for trends such as in subject matter or geographical location of correspondents. Where such data is used, it will be anonymised. If for any reason the Trust wishes to use identifiable personal data for promotional purposes such as obtaining donations, we will contact individuals directly in order to obtain express consent.

The Trust may also be required to retain certain personal data where the law requires it.

The Trust may pass personal data to a third-party or parties only where it / they are relevant to the referral or enquiry raised by an individual with the Trust. Such third parties could include local authorities, government agencies, public bodies, health trusts, charities and regulators. We will make it known to any third parties that we share individuals’ data with, that we require them to keep details securely and in line with the General Data Protection Regulations.

Information sharing is of particular importance if we are legally required to do so by law, if there are safeguarding concerns or in the prevention, detection or investigation of a suspected crime.



Other countries do not always offer the same levels of protection to personal data. Many of our third-party service providers such as Gmail and MailChimp are internationally based, for example, in the US and so their processing of personal data will involve a transfer of data outside of the UK.

Whenever we transfer personal data out of the UK, we do our best to ensure a similar degree of security of data by ensuring that we use reputable organisations that have been deemed to provide an adequate level of protection.


At any point while the Trust is in possession of personal data, individuals, as the data subject, have the following rights:

  • Right of access – individuals have the right to request a copy of the information the Trust holds about them. This is known as a Subject Access Request (SAR) and more details can be found at: Getting Copies of your Information (SAR).
  • Right of rectification – individuals have a right to correct data that is held about them if it is inaccurate or
  • Right to be forgotten – in certain circumstances, individuals can ask for the data we hold about them to be erased from our records. Please note that this right is not absolute and only applies in certain More details about this can be found at: Right to Erasure.
  • Right to restriction of processing – where certain conditions apply, to have a right to restrict the processing of
  • Right of portability – individuals have the right to have the data we hold about them to be transferred to another
  • Right to object – individuals have the right to object to certain types of processing such as direct
  • Right to object to automated processing, including profiling – individuals also have the right to be subject to the legal effects of automated processing or

All the above requests will be forwarded on should there be a third party involved as stated above in the processing of personal data.

If the Trust refuses an individual’s request, we will provide a reason why. Individuals have the right to complain as outlined in the Complaints section (in the final section of this Privacy Notice).

At an individual’s request, the Trust can confirm what information is held about them and how it is processed. If the Trust does hold personal data, individuals can request the following information: 

  • The Trust’s identity and contact details;
  • Contact details of the Data Protection Officer;
  • The purpose of the processing as well as the legal basis for
  • If the processing is based on the legitimate interests of the Trust or a third party, information about those
  • The categories of personal data collected, stored and
  • Recipient(s) or categories of recipients that the data will be/has been disclosed
  • If the Trust intends to transfer the personal data to a third country or international organisation, information about how we ensure this is done securely. The EU has approved sending personal data to some countries because they meet a minimum standard of data protection. In other cases, we will ensure there are specific measures in place to secure
  • How long the data will be
  • Details of individuals’ rights to correct, erase, restrict or object to such
  • Information about individuals’ rights to withdraw consent at any
  • How to lodge a complaint with the supervisory
  • Whether the provision of the personal data is a statutory or contractual requirement, or a requirement necessary to enter in to a contract, as well as whether individuals are obliged to provide the personal data and the possible consequences of failing to provide such
  • The source of personal data if it wasn’t collected directly from an individua.
  • Any details and information of automated decision making, such as profiling and any meaningful information about the logic involved, as well as the significance and expected consequences of such

The Trust will need at least one form of current photographic evidence and one form of proof of address from the data subject when information on their personal data is requested. Current photographic identification will usually be a passport or photographic driving licence and proof of address,an original utility bill or similar issued within the last three months.

The Trust will process personal data until the referral or enquiry is concluded. The Trust’s policy generally to then retain the personal data for a retention period of up to five years, depending on the reason that it was collected. This provides for situations such as data subjects bringing new information to the attention of the Trust on which the retained data may have a bearing. However, if it is clear at the conclusion of the issue or enquiry, that no legitimate reason to retain the personal data exists, the personal data will be deleted.

If the Trust still holds the personal data after five years from the conclusion of the referral or enquiry and there is legitimate purpose under the General Data Protection Regulations to continue doing so, the decision to continue retaining this personal data will then be reviewed annually.

The Trust would not usually hold any original hard-copy documents on behalf of the data subject, but should any have been supplied by the data subject and retained by the Trust, these will be returned to the data subject at the conclusion of the referral or enquiry, or, where this is not possible, securely destroyed as confidential waste. Electronic copies of data pertinent to the referral or enquiry will be held securely on the Trust’s referral management system.

Please note that deletion of personal data means where the personal data has been held electronically, the Trust will delete it from the referral management system. Where the personal data has been held in hard copy i.e. paper form, this would be destroyed irretrievably as confidential waste.



If individuals wish to make a complaint about how their personal data is being processed or has been handled by the Trust, individuals have the right to lodge a complaint directly with the supervisory authority, the Information Commissioner’s Office:

Information Commissioner’s Office

Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF

0303 123 1113

For more details, go to:

Email Signup