April 2024
Notice to volunteers and staff using a paper copy of this guidance, the Intranet holds the most recent version of this guidance. Volunteers and staff must ensure they are using the most recent guidance.
Owner: Operations Lead
Policy Information Chart
Title | Reach Privacy Policy (also known as Privacy Notice) |
Document purpose/summary | The purpose of this policy is: To enable and support our members and volunteers to understand what information we keep, where we keep it, and for how long.To understand how we use members’ information, who we share it with, where when and why we share it. To understand what steps we take to keep personal/sensitive information safe To understand members’ right to access data held by Reach and the process for withdrawing permission for Reach to hold personal data. |
Owner | Operations Lead – Senior Responsible Individual (SRI) |
Policy Department | GDPR |
Ratification date | 27 April 2024 |
Review date and frequency | Every two years NB: Policy to be reviewed June 2024 as the Data Protection Act is updated. |
Consultation process | To be reviewed by: Board of Trustees |
Ratified by | Board of Trustees |
Target audience | All Reach Volunteers, Members, Staff and Trustees |
Circulation | Electronic: Intranet Written: Upon request to Reach Business Support Please contact Reach Business Support if you require this document in an alternative format. |
Equality analysis checklist completed | |
References/ sources of information | The Data Protection Act (2018) ICO – Information Commissioners Office: https://ico.org.uk/ ICO – Guidance on Appropriate Policy Document ICO – Guidance on Data Protection Exemptions ICO – Right of Access (SARS) European Data Protection Board – Consent Guidelines |
Associated documentation/cross referenced policies | Appropriate Policy Document (APD) Data Protection Impact Assessment (DPIA) Record of Processing Activities (ROPAs) Reach Behaviour Code |
Supersedes document | Privacy and Cookie Policy (2022) |
Executive approval is subject to the understanding that the policy Owner has followed the organisation process for policy ratification.
Document Review History
Version no. | Type of Change: Major, minor, none or taken out of use | Date | Author of change | Description of change |
---|---|---|---|---|
2 | Minor | Feb 2024 | Operations Lead | Update |
Contents
Part 1:
- Introduction
- Our contact details
- The types of personal information we collect
- How we get the personal information and why we have it
- How we store your information
- Your Data Protection Rights
- How to complain
1. Introduction
We want everyone who supports Reach, or who comes to Reach for support, to feel confident and comfortable with how any personal information you share with us will be looked after or used. This Privacy Policy sets out how we collect, use, and store your personal information (this means any information that identifies or could identify you).
2. Our contact details
Name: Reach Charity Ltd
Address: Tavistock Enterprise Hub, Brook Street, Tavistock, PL21 0BH
Phone Number: 0300 365 0078
E-mail: reach@reach.org.uk
Website address: https://reach.org.uk/
Senior Responsible Individual: Sarah-Jane Lowson
Telephone: 0333 880 0350
Email: sarah-janel@reach.org.uk
3. The type of personal information we collect
We currently collect and process the following information:
- Members names, email addresses, phone numbers, Facebook URLS, and contact information (to share branch event promos and joining information, national event promos and joining information, our membership magazine Within Reach, to connect members with their local branch coordinators, members local Facebook and WhatsApp forums and the national closed Facebook forum)
- Names and mobile phone numbers of family members Reach members wish to have added to their Branch’s WhatsApp groups
- Personal information about the Reach child/young person: name, age, upper limb difference, additional needs
- Dietary requirements, food allergies and intolerances for events where food is being served
- Members financial information (for membership and activity payment)
- Applications for Bursary Award (this might include benefit information)
- More detailed personal information for children and young people taking part in activities where parents and carers will not be with them.
- Consent to act in loco parentis for young people attending Reach Activity Week (RAW)
- Photographic consent for Reach members 0-18 (for us to share images from events on our closed Facebook group, in our magazine, in reports to funders/sponsors, across our public social media platforms and on our website)
- Reach Volunteers: Branch Coordinators, Reach Team Volunteers, Ambassadors and Trustees, and Staff undertake a DBS before taking up position with Reach. Their DBS status is recorded and kept by Reach. References are taken up for Branch Coordinators, Reach Team Volunteers, Trustees, and permanent staff
- Names, phone numbers, social media URLS and email addresses for donors/potential donors
- Website and Social Media User statistics: Using cookies we analyse who and how our website and social media accounts are accessed and used. We might do this to help us target a campaign or to check if information relating to the governance of the charity is being received by members.
4. How we get the personal information and why we have it
Most of the personal information we process is provided to us directly by you for one of the following reasons:
- Joining or renewing membership with Reach
- Registering for a Reach Event: Branch events, Reach Activity Week, Annual Family Weekend
- Applying for a Reach Bursary
- Becoming a Reach Volunteer
- Donating to Reach (NB: There is always an option to do this without giving your name)
- Gift Aid: For people kindly Gift aiding their donation we ask for your name and postcode, which we submit to HMRC annually.
We also receive personal information indirectly, from the following sources in the following scenarios:
- Voting for a Trustee (NB: There is always an option for votes to be cast anonymously)
- DDC DBS Checking Service
- Two references are taken up for Reach volunteers and staff
- Donations made to Reach via a third-party platform e.g. Just Giving
We use the information that you have given us to:
- Keep Reach members connected with the Reach community
- Keep members informed about what the charity is doing
- Monitor subscription
- Ensure our closed social media platforms are only being used by members (and family members)
- Provide information about campaigns, promotions and fundraising, members, potential donors, and sponsors might like to get involved with
- Market forthcoming charity and branch events
- Market Individual membership to Reach Young adults
- Help branch coordinators plan and run events by providing maps indicating the towns or villages where members live, and the ages of their Reach children and registers for events which include names of attending adults and children, dietary requirements, and photo consent status. NB: No phone numbers of email addresses included on event registers)
- Help us plan for and run national events: Reach Activity Week (RAW) & Annual Family Weekend. We create registers, first names only, with emergency contact information for attending young people and RAW Mentors for Event leads. Event leads also have access to Individual files for each child attending which contain their registration form and any additional information provided including a one-page profile and emergency protocols for children with additional needs. All are held in a SharePoint file accessed via a tablet with a 6-digit access pin
- Ensure we have permission to use pictures of Reach children in Reach marketing/on our website
- Claim GiftAid from HMRC.
We may share this information with:
- Partners we are working with to deliver an event or where we are joining in an event, they are running e.g. LimbPower Family Funday
- Reach Magazine Editors: With permission we may connect you to enable content creation
- Research partners: With permission we may connect you with research teams working to improve learning, use learning to improve outcomes for people with upper limb differences
- The Media: With permission we may connect you with people in the media who have reached out to us as a source.
- The police, local safeguarding board, NSPCC if we suspect a child or young person is in immediate danger.
We will never sell or share your personal information with organisations so that they can contact you for any marketing activities. Nor will we sell any information about your web browsing activity.
As a charity our primary focus is to support people, in particular children and young people, with upper limb differences as such some of the data we collect/use is classified as ‘special category’ by the ICO and as such we want and need your consent.
Under the UK General Data Protection Regulation (UK GDPR), the lawful bases we rely on for processing this information are:
For marketing, use of photographs, and where we act in loco parentis:
(a) Your consent – Article 9 (2)(d).
You are able to remove your consent at any time. You can do this by contacting the Reach Team: reach@reach.org.uk T: 0300 365 0078
For membership and event booking: (b) We have a contractual obligation – Article 6 (1)(b)
For Gift Aid & disclosing salary details to HMRC: (c) We have a legal obligation – Article 6 (1)(c)
In some Safeguarding Instances (d) We may have a vital interest – Article 6 (1)(d)
With Volunteer recruitment (DBS & referencing):
(e) We need it to perform a public task – Article 6 (1)(e)
With Fundraising, marketing, Bursary applications, contacting a family member of a Reach member: (f) We have a legitimate interest: Article 6 (1)(f)
We use Forms Assembly for membership applications, bursary applications, bookings, and registration purposes.
Event registration information, photo consent information, bursary applications, volunteer applications, DBS and reference information and Individual files for young people attending Reach Activity Week and Annual Family Weekend are held on SharePoint. These files are only available to the Reach Team and Reach Volunteers on a need-to-know basis e.g. a Reach Activity Week (RAW) Mentor will have access to the RAW file on SharePoint; a Branch Coordinator will have access to the members list for their area on SharePoint.
Debit and credit card details received via our website are passed securely to PayPal our payment processing partner, according to the Payment Card Industry Security Standards. Direct Debits are processed through SmartDebit and their services comply with GDPR standards.
(a) How we store your personal information
Your information is securely stored.
Membership information is held on Salesforce in the United Kingdom.
We review membership information annually. We request an information update annually at membership renewal.
We keep membership information for 6 years after membership has transpired.
We delete expired membership information using salesforce data deleting and purging processes.
Registration information (including event registers, and individual records) is stored on SharePoint. SharePoint data created in the United Kingdom is stored by Microsoft Office 365 in the European Union.
We update registration information as required e.g. data for a regular participant in Reach Activity Week will be updated before repeat attendance.
We keep registration documentation for a maximum of 6 years after participation has concluded. Event registers and Individual records are stored in dated files to aid annual data review and purge. We use Microsoft 365 delete function to permanently delete records from SharePoint
Photographic consent is stored on SharePoint. SharePoint data created in the United Kingdom is stored by Microsoft Office 365 in the European Union. We ask new members to complete a photo consent form with their child/young person as they become members and every two years thereafter. We repeat the ask to make sure as the children/young people grow that they continue to be happy for their image to be used. Please note there is an option for images to be shared on our closed Facebook group only accessed by Reach members. We keep Photo Consent documentation for 6 years after membership has concluded. If consent is withdrawn, we will act on the wishes of the child/young person and/or their parents/carers to remove their image from website and online promotional/information material immediately and from promotional/information material going to print after consent is withdrawn.
We keep bursary applications for 6 years (reach children/young people/young adults are able to make a maximum of 3 applications over 5 years). Applications are stored on SharePoint and reviewed by the Bursary Panel using the Office 365 platform. We use Microsoft 365 delete function to permanently delete records from SharePoint.
For GiftAid we have a legal obligation to hold donor information for 7 years.
We will review all the data we hold and carry out a data purge annually.
(b) Your data protection rights
Under data protection law, you have rights including:
Your right of access – You have the right to ask us for copies of your personal information.
Your right to rectification – You have the right to ask us to rectify personal information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.
Your right to erasure – You have the right to ask us to erase your personal information in certain circumstances.
Your right to restriction of processing – You have the right to ask us to restrict the processing of your personal information in certain circumstances.
Your right to object to processing – You have the the right to object to the processing of your personal information in certain circumstances.
Your right to data portability – You have the right to ask that we transfer the personal information you gave us to another organisation, or to you, in certain circumstances.
The ICO has a useful table that show the varying rights that apply depending on the lawful basis.
You are not required to pay any charge for exercising your rights. If you make a request, we have one month to respond to you. Please contact us at reach@reach.org.uk or T: 0300 365 0078 if you wish to make a request.
(c) How to complain
If you have any concerns about our use of your personal information, you can make a complaint to our Senior Responsible Individual: Sarah-Jane Lowson email: sarah-janel@reach.org.uk T: 0333 880 0350
You can also complain to the ICO if you are unhappy with how we have used your data.
The ICO’s address:
Information Commissioner’s Office
Wycliffe House, Water Lane
Wilmslow, Cheshire
SK9 5AF
Helpline number: 0303 123 1113
ICO website: https://www.ico.org.uk