Privacy Policy

  1. INTRODUCTION

In line with the requirements of the EU’s General Data Protection Regulations 2018, One Can Trust Ltd. is required to provide you with a Privacy Notice.

This Privacy Notice provides you with details of how we collect and process your personal data through your use of our website, including any information you may provide through our site when you register for information, sign up to our newsletter, make a donation, volunteer or complete a referral form or otherwise apply for a referral.

By providing us with your data, you warrant to us that you are over 13 years of age.

One Can Trust Ltd., including its volunteers, staff and Trustees, is collectively referred to as the Trust for the purposes of this Privacy Notice.

One Can Trust is the data controller and we are responsible for your personal data (referred to as “the Trust”, “we”, “us” or “our” in this Privacy Notice).

The Data Protection Officer for the Trust is Mr. Philip Hynard, who oversees privacy-related matters for us and is responsible for ensuring that our policies are regularly reviewed in line with the requirements of the General Data Protection Regulations.

Philip Hynard can be contacted directly by:

  • emailing hynard@onecantrust.org.uk
  • telephoning 01494 512277 or
  • by writing to One Can Trust, 11B Duke Street, High Wycombe, Bucks HP13 6EE

If you are not happy with any aspect of how we collect and use your data, you have the right to complain to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues (www.ico.org.uk). We would be grateful if you would contact us first if you do have a complaint, so that we can try to resolve it for you.

It is very important that the information we hold about you is accurate and up to date. Please let us know if at any time your personal information changes by emailing us in the first instance at office@onecantrust.org.uk.

 

  2. WHAT DATA DO WE COLLECT ABOUT YOU

Personal data means any information capable of identifying an individual. It does not include anonymised data. We may process certain types of personal data about you as follows:

  • Identity Data may include your first name, last name, gender and job role.
  • Contact Data may include your delivery address, email address and telephone numbers.
  • Financial Data may include your bank account and payment card details.
  • Transaction Data may include details about payments between us and other details of purchases made by you.
  • Technical Data may include your login data, internet protocol addresses, browser type and version, browser plug-in types and versions, time zone setting and location, operating system and platform and other technology on the devices you use to access this site.
  • Profile Data may include your username and password, purchases or orders, your interests, preferences, feedback and survey responses.
  • Usage Data may include information about how you use our website, products and services.
  • Marketing and Communications Data may include your preferences in receiving marketing communications from us and our third parties and your communication preferences.

We may also process Aggregated Data from your personal data, but this data does not reveal your identity and as such in itself is not personal data. An example of this is where we review Usage Data to work out the percentage of website users using a specific feature of our site. If we link the Aggregated Data with your personal data so that you can be identified from it, then it is treated as personal data.

Personal data includes your personal details and contact information, and details relating to the issue you, or someone on your behalf, wishes to raise with the Trust.  Personal data may come directly from you, a third party acting on your behalf, or from third parties such as those contacted by the Trust in relation to your referral or enquiry.

The personal data we collect from you, or from third parties about you, is used by the Trust for the following purposes:

  • the administration of a referral
  • providing as appropriate relevant information to third parties to assist with your referral or enquiry
  • recording of relevant data relating to your referral
  • seeking your help as a volunteer or donor
  • any purpose required of the Trust in law

Certain forms of personal data are classified as special category data under the General Data Protection Regulations and these include, but are not limited to, racial or ethnic origin, religious beliefs and health data.

Examples of special category data that may be used by the Trust for referrals and other enquiries are National Insurance information for matters involving benefits.

If special category data is needed in order for the Trust to assist you with your referral or enquiry, we will tell you why we need it and how it will be used.

By contacting the Trust to request assistance, you are giving us permission to process your personal data for the purposes of making enquiries and seeking resolution for your referral or enquiry, as set out in this Privacy Notice.

The Trust’s legitimate purpose for the processing of personal data would usually be because the data subject (or a third person able to do so in law on their behalf, e.g. under a Lasting Power of Attorney) has freely given clear consent for the Trust to do so, but the Trust may process personal data without explicit written consent from the data subject under the Elected Representatives condition.

However, having given consent to the Trust to use your personal data, you may request to withdraw consent at any time by contacting the Data Protection Officer, Mr. Philip Hynard, whose contact details are given elsewhere in this Privacy Notice.

 

  3. HOW WE COLLECT YOUR PERSONAL DATA

We collect data about you through a variety of different methods including:

  • Direct interactions: You may provide data by filling in forms on our site (or otherwise) or by communicating with us by post, phone, email or otherwise, including when you:
      • create an account on our site;
      • subscribe to our service, communications or publications;
      • request resources or marketing be sent to you;
      • enter a competition, prize draw, promotion or survey;
      • give us feedback;
      • create a referral form or otherwise apply for a referral;
      • apply to become a volunteer; or
      • make a donation.
  • Automated technologies or interactions: As you use our website, we may automatically collect Technical Data about your equipment, browsing actions and usage patterns. We collect this data by using cookies, server logs and similar technologies. We may also receive Technical Data about you if you visit other websites that use our cookies. Please see our cookie policy for further details.
  • Third parties or publicly available sources: We may receive personal data about you from various third parties and public sources as set out below:
      • Technical Data from the following parties:
          • WordPress, Mailchimp, Gravity Forms, Mail Crunch;
          • analytics providers such as Google based outside the EU;
          • advertising networks such as Facebook, Twitter, LinkedIn and other social media platforms;
      • Contact, financial and transaction data from providers of technical, payment and delivery services including Local Giving and Stewardship, our donation management partners;
      • Identity and contact data from data brokers or aggregators.
      • Identity and contact data from publicly available sources such as Companies House and the Electoral Register based inside the EU.

In order to assist clients, the Trust needs to collect personal data for correspondence purposes and the pursuance of referrals, donations and other enquiries. We are committed to ensuring the personal data we collect and use is appropriate for this purpose.

The Trust will collect, process and store information you provide in a manner compatible with the General Data Protection Regulations. The information you provide will be held securely, subject to strict measures and procedures to minimise the risks of unauthorised access or disclosure and so as to not constitute an invasion of your privacy. The Trust aims not to be intrusive, and we undertake not to ask irrelevant or unnecessary questions.

For the purposes of processing and storing referrals, the Trust uses a secure referrals management system whose servers are based in the UK and therefore maintained in accordance with, and subject to, the General Data Protection Regulations.

 

  4. HOW WE USE YOUR PERSONAL DATA

We will only use your personal data when legally permitted. The most common uses of your personal data are:

| Purpose / Activity | Type of Data | Lawful Basis for Processing |
| --- | --- | --- |
| To manage our relationship with you including responding to an enquiry, notifying you about changes to our terms or privacy policy, marketing and communication. | (a) Identity; (b) Contact details; (c) Profile | To comply with a legal obligation, for our legitimate interests, to keep our records updated and to study how individuals and businesses use our resources and services. |
| Where we need to process a referral | (a) Identity; (b) Contact details; (c) Dietary needs; (d) Profile | To determine your requirements and arrange for it to be correctly delivered. |
| Answer an enquiry | (a) Identity; (b) Contact | To be able to respond promptly and correctly. |
| Respond to an offer of volunteering | (a) Identity; (b) Contact details; (c) Profile | To determine how and when you can assist us and keep you informed of our requirements. |
| Respond to a donation | (a) Identity; (b) Contact; (c) Bank details | In order to be able to administer your donation, to thank you and explain how the donation may be used. |
| Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests. | (a) Identity; (b) Contact details; (c) Referral; (d) Profile | To comply with a legal obligation. |
| Where we need to comply with a legal or regulatory obligation. | (a) Identity; (b) Contact details; (c) Referral; (d) Profile | To comply with a legal obligation. |

Generally, we do not rely on consent as a legal ground for processing your personal data, other than in relation to sending marketing communications to you via email or text message. You have the right to withdraw consent to marketing at any time by emailing us at philip.hynard@onecantrust.org.uk

The Trust may use personal data for analysis for trends such as in subject matter or geographical location of correspondents.  Where such data is used it will be anonymised.  If for any reason the Trust wishes to use identifiable personal data for promotional purposes such as obtaining donations we shall contact you directly to get your express consent.

The Trust may also be required to retain certain personal data where the law requires it.

The Trust may pass your personal data on to a third-party or parties only where it/they are relevant to the referral or enquiry you have raised with the Trust.  Such third parties could include local authorities, government agencies, public bodies, health trusts, charities and regulators.

We will make it known to any third parties that we share your data with that we require them to keep your details securely and in line with the General Data Protection Regulations.  If we wish to pass your special categories of personal data to a third party we will not do so without your consent, unless we are required to do so by law.

 

  5. INTERNATIONAL TRANSFERS

Countries outside the European Economic Area (“EEA”) do not always offer the same levels of protection to your personal data, so European law has prohibited transfers of personal data outside of the EEA unless the transfer meets certain criteria.

Many of our third-party service providers such as Gmail, Dropbox and MailChimp are based outside the EEA so their processing of your personal data will involve a transfer of data outside the EU.

Whenever we transfer your personal data out of the EEA, we do our best to ensure a similar degree of security of data by ensuring that we use reputable organisations that have been deemed to provide an adequate level of protection.

 

  6. RIGHT OF ACCESS

At any point while the Trust is in possession of your personal data you, as the data subject, have the following rights:

  • Right of access – you have the right to request a copy of the information the Trust holds about you. This is known as a Subject Access Request (SAR) and more details can be found at: https://ico.org.uk/for-organisations/guide-to-data-protection/principle-6-rights/subject-access-request/
  • Right of rectification – you have a right to correct data that we hold about you if it is inaccurate or incomplete.
  • Right to be forgotten – in certain circumstances you can ask for the data we hold about you to be erased from our records.  Please note that this right is not absolute and only applies in certain circumstances.  More details about this can be found at: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-erasure/
  • Right to restriction of processing – where certain conditions apply you have a right to restrict the processing of data.
  • Right of portability – you have the right to have the data we hold about you transferred to another organisation.
  • Right to object – you have the right to object to certain types of processing such as direct marketing.
  • Right to object to automated processing, including profiling – you also have the right not to be subject to the legal effects of automated processing or profiling.

All the above requests will be forwarded on should there be a third party involved as stated above in the processing of your personal data.

If the Trust refuses your request, we will provide you with a reason why.  You have the right to complain as outlined in the Complaints section (in the final section of this Privacy Notice).

At your request, the Trust can confirm what information we hold about you and how it is processed.  If the Trust does hold personal data about you, you can request the following information:

  • The Trust’s identity and contact details;
  • Contact details of the Data Protection Officer;
  • The purpose of the processing as well as the legal basis for processing.
  • If the processing is based on the legitimate interests of the Trust or a third party, information about those interests.
  • The categories of personal data collected, stored and processed.
  • Recipient(s) or categories of recipients that the data will be/has been disclosed to.
  • If the Trust intends to transfer the personal data to a third country or international organisation, information about how we ensure this is done securely.  The EU has approved sending personal data to some countries because they meet a minimum standard of data protection.  In other cases, we will ensure there are specific measures in place to secure your information.
  • How long the data will be stored.
  • Details of your rights to correct, erase, restrict or object to such processing.
  • Information about your right to withdraw consent at any time.
  • How to lodge a complaint with the supervisory authority.
  • Whether the provision of the personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether you are obliged to provide the personal data and the possible consequences of failing to provide such data.
  • The source of personal data if it wasn’t collected directly from you.
  • Any details and information of automated decision making, such as profiling and any meaningful information about the logic involved, as well as the significance and expected consequences of such processing.

The Trust will need at least one form of current photographic evidence and one form of proof of address from the data subject when information on their personal data is requested.

Current photographic identification will usually be a passport or photographic driving licence, and proof of address an original utility bill or similar issued within the last three months.

The Trust will process your personal data until the referral or enquiry is concluded.  It is the Trust’s policy generally to then retain the personal data for a retention period of up to five years, depending on the reason that it was collected.  This provides for situations such as data subjects bringing new information to the attention of the Trust on which the retained data may have a bearing.  However, if it is clear at the conclusion of the issue or enquiry, that no legitimate reason to retain the personal data exists, the personal data will be deleted.

If the Trust still holds the personal data after five years from the conclusion of the referral or enquiry and there is legitimate purpose under the General Data Protection Regulations to continue doing so, the decision to continue retaining this personal data will then be reviewed annually.

The Trust would not usually hold any original hard-copy documents on behalf of the data subject, but should any have been supplied by the data subject and retained by the Trust, these will be returned to the data subject at the conclusion of the referral or enquiry, or, where this is not possible, securely destroyed as confidential waste.  Electronic copies of data pertinent to the referral or enquiry will be held securely on the Trust’s referral management system.

Please note that deletion of personal data means that, where the personal data has been held electronically, the Trust will delete it from the referral management system.  Where the personal data has been held in hard copy, i.e. paper form, this would be destroyed irretrievably as confidential waste.

 

  7. COMPLAINTS

If you wish to make a complaint about how your personal data is being processed or has been handled by the Trust, you have the right to lodge a complaint directly with the supervisory authority, the Information Commissioner’s Office:

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
SK9 5AF

Telephone: 01625 545745

 

For more details please go to:  https://ico.org.uk/

 

Last reviewed 21 June 2020