Data Protection and Privacy
The General Data Protection Regulation (GDPR) is a new law which brings a 21st century approach to data protection. Superseding the UK Data Protection Act 1998, it expands the rights of individuals to better control how their personal information is collected, processed and managed. In addition to this, it places a range of new obligations on organisations to be more accountable for data protection and can enforce significant fines for non-compliance. The GDPR applies to personal data. This is any information that can directly or indirectly identify a natural person.
Our general privacy policy
This privacy policy explains the types of personal data we may collect about you when you interact with us. It also explains how we store and handle that data and keep it safe.
We know that there’s a lot of information here, but we want you to be fully informed about your rights, and how NIACRO uses your data. We hope the following sections will answer any questions you have, but if not, please get in touch with us.
Conditions for processing data
We are only entitled to hold and process your data where the law allows us to. The current law on data protection sets out a number of different reasons for which we may collect and process your personal data. These include:
- Legitimate interests
In specific situations, we require your data to pursue our legitimate interests in a way which might reasonably be expected as part of running our charity and which does not materially impact your rights, freedom or interests. This may include satisfying our external regulators.
- Legal compliance
If the law requires us to, we may need to collect and process your data. For example, for staff members we need to collect and store certain data.
- Consent
In some situations, we can collect and process your data with your consent. For example, when you tick a box to receive email newsletters. When collecting your personal data, we will always make clear to you which data is necessary in connection with a particular service.
Registration with the ICO
We are registered with the Information Commissioner’s Office (ICO) as a data controller because the charity handles and stores a significant amount of personal data about individuals. We have notified the ICO of the purposes for which personal data are held, and as a result, the organisation’s name is on the public register maintained by the ICO as a data controller. When notifying the ICO, we provided details of the personal data that we process, the purposes for which the data are to be processed, details of who we intend to disclose data to, and a description of the security measures to be taken to ensure that personal data is protected.
What we mean when we say “your data”
“Your data” means any information about you which is personally identifiable, including, without limitation, your name, address, date of birth, telephone number, email address, other contact details, criminal record information, and other information which may allow you to be personally identified.
When do we collect your data?
We normally collect your data when you provide it to us. You may give us your data when you:
- contact us by telephone, letter or email;
- use our website or complete an online web form;
- otherwise disclose your information to us.
We will only request your information where it is necessary to carry out a particular function. You are under no obligation to provide us with your information, but this may limit our ability to help where certain information is needed to undertake a particular activity.
How do we use your data?
We process personal data for the following purposes:
- processing and dealing with any enquiries, including requests for information, advice, guidance, advocacy or other support;
- monitoring, developing and improving the support that we provide;
- providing you with information about our work.
Unless it falls within the above, we will always seek your explicit consent before using your data in a way that personally identifies you.
Anonymising data
We may anonymise the personal data that you have provided so that we can use it in a way that does not personally identify you, so as to support the aims, objectives or activities of the organisation. For example, we may use your case (but remove any personal information) when compiling a case study to evidence the discrimination that people with criminal records face in a particular area.
We will not seek your consent to using your information in a way that does not personally identify you. However, where there is a concern as to whether it would lead to you being personally identified, we will seek your explicit consent beforehand.
Who do we share your data with?
We may share your data with third parties outside of NIACRO in the following circumstances:
- where you (or the person to whom the data relates) consent;
- where the data is already available to the public from other sources;
- where the data is in the form of a summary or collection of data so framed that it is not possible to ascertain from it information relating to any particular person;
- when there appears to be a serious risk of harm to you;
- to protect others;
- to prevent a serious criminal act where others may be endangered.
Other than as set out above, we will not:
- provide your data to any third party without your explicit prior consent;
- pass your data to third parties for marketing purposes without your consent;
- share your data with any government department or agency without your consent.
How do we communicate with you?
You can sign up to receive emails by subscribing to our mailing list. This can be done by contacting our Public Affairs and Communications Team via email or telephone. In each email you receive via our mailing list there will be an option to unsubscribe from future emails.
How do we protect your data?
We take our responsibility very seriously and will treat your data with the utmost care and take all appropriate steps to protect it. We have clear information security policies and procedures in place (along with regulatory and other legal obligations to keep your data safe) and these are regularly assessed and reviewed.
We protect our IT system from cyber-attack. Access to your personal data is password-protected, and sensitive data is secured by encryption.
How long will we keep your data?
We only keep your data for as long as is necessary for the purpose(s) for which it was provided.
Who do we share your personal data with?
We sometimes share your personal data with trusted third parties. For example, secure file storage and destruction companies, auditors and the company that securely hosts our off-site cloud storage servers.
Here is the policy we apply to those organisations to keep your data safe and protect your privacy:
- We provide only the information they need to perform their specific services
- They may only use your data for the exact purposes we specify in our contract with them
- We work closely with them to ensure that your privacy is respected and protected at all times
- If we stop using their services, any of your data held by them will either be deleted or rendered anonymous.
Where is your data processed?
Your data is stored and processed principally within the EEA. The EEA includes all EU Member countries as well as Iceland, Liechtenstein and Norway.
All hard-copy documents containing personal data are stored securely. We operate a ‘clean desk’ policy to ensure that these records are not left unattended in our offices or in areas accessible to the members of the public, and only those who need to use this data have access to it.
All other forms of data will be held securely and in confidence at all times. We will take all reasonable steps to protect it from unauthorised disclosure to, or access by, a third party.
What are your rights?
You have the right to request:
- Access to the personal data we hold about you.
- The correction of your personal data when incorrect, out of date or incomplete, for example, when you withdraw consent, or object and we have no legitimate overriding interest, or once the purpose for which we hold the data has come to an end.
- That we stop any consent-based processing of your personal data after you withdraw that consent.
If we choose not to action your request, we will explain to you the reasons for our refusal.
Requests for a copy of data held
You have the right to request a copy of any information about you that we hold at any time (often known as “subject access”), and to have that information corrected if it is inaccurate. Although we have up to 30 days to supply this information, we will try our best to provide it as soon as possible.
Formal requests under the General Data Protection Regulation (GDPR) need to be sent in writing, either by post or email. To ask for your information, you can either email admin@niacro.co.uk or write to: The Data Protection Officer, NIACRO, Amelia House, 4 Amelia Street, Belfast, BT2 7GS.
To respond to a request, we require the following information:
- Your full name
- Address (including postcode)
- Telephone number
- Email address (if available)
- A description of the data that you are requesting, and any additional information which will enable us to locate it
- Evidence of your identity (e.g. a copy of your passport, driving licence – please do not send originals)
- How you would like to receive the information (either by email or by post).
- If a third party is acting on your behalf, proof of the third party’s identity and your authority to disclose your information to them must also be provided in writing.
In addition to the right to receive a copy of all the personal data held about you, you are also entitled to be told that we, or somebody on our behalf, are processing data about you, to be given a description of the personal data, the purposes for which the data is being processed and a description of those to whom the data may be disclosed. This will be met by us providing you with a copy of this policy alongside a copy of any information that we hold.
You are not entitled to information relating to other people (unless they are acting on your behalf). Neither are you entitled to information simply because you may be interested in it. Subject access provides a right to see the information contained in personal data, rather than a right to see the documents that include that information.
Your right to withdraw consent
Whenever you have given us your consent to use your personal data, you have the right to change your mind at any time and withdraw that consent.
You can withdraw consent in various ways, depending on what you are withdrawing consent from. If you would like to withdraw consent completely, please provide details by email to admin@niacro.co.uk.
Where we rely on our legitimate interest
In cases where we are processing your personal data on the basis of our legitimate interest, you can ask us to stop for reasons connected to your individual situation. We must then do so, unless we believe we have a legitimate overriding reason to continue processing your personal data.
Our website
This section only applies to your use of our website.
In addition to information given explicitly by you, we also collect information about your visit to our website (for example, the date and time of your visit and the pages that you view). This information is not connected to you personally, and is in aggregate form. This kind of information helps us to understand how our visitors use our site so that future website development can better meet your needs. By using this website, you consent to the processing of statistical (non-personal) information.
We use cookies on our website to allow us to understand who has seen which pages, to determine how frequently particular pages are visited and to determine the most popular areas of our website. Most web browsers automatically accept cookies, though you do not have to. We do not control the use of cookies by third parties. If you wish to disable cookies, you can do so by adjusting your browser settings, although please note that by disabling cookies you may not be able to use all features of the website. For more information on cookies and how to disable them, you can consult the information provided by the Interactive Advertising Bureau at www.allaboutcookies.org.
You can access all pages on the site without telling us who you are and without revealing any personal information. We collect some information when you visit our site, but this does not allow us to identify you personally. The information we collect includes the browsers visitors use, what time they visit and which pages are most viewed. This enables us to evaluate the site and work to improve it. We do not link any of this anonymous data with any personal data that you may provide to us.
Google Analytics
NIACRO’s website uses Google Analytics, a web analytics service provided by Google, Inc. (‘Google’). Google Analytics uses ‘cookies’, which are text files placed on your computer, to help the website analyse how users use the site. You can manage how we use cookies – see the section above.
Other websites
Our website may contain links to other websites which are outside our control and are not covered by this privacy policy. If you access other sites using the links provided, the operators of these sites may collect information from you which will be used by them in accordance with their privacy policy, which may differ from ours.
The regulator
If you feel that your data has not been handled correctly, or you are unhappy with our response to any requests you have made to us regarding the use of your personal data, you have the right to lodge a complaint with the Information Commissioner’s Office. You can contact them by calling 0303 123 1114 or by going online to www.ico.org.uk/concerns.
Implementation of this policy
A paper copy of the policy can be obtained by sending a self-addressed envelope to our office.
This policy will be reviewed regularly.
If you have any comments or queries in connection with this policy, email admin@niacro.co.uk.