Data protection and privacy policy
Voluntary Action Camden (“VAC” or “We” or “Our”) promises to respect any personal data you share with us, or that we get from other organisations, and keep it safe. We aim to be clear when we collect your data and not do anything with it you wouldn’t reasonably expect.
We have made improvements to this policy to make it more understandable to supporters and to ensure that it meets the requirements for GDPR compliance. You can download and print a PDF copy here, or read the policy by clicking through the links below.
IT Systems
VAC takes care to ensure the security of personal data. When VAC collects information about you, we also make sure that your information is protected from unauthorized access, loss, manipulation, falsification, destruction or unauthorized disclosure. This is done through appropriate technical measures. For example, emails and our online forms are encrypted, our network is protected and routinely monitored, remote devices (e.g. mobile phones and laptops) are encrypted, and there are password policies and 2-step authentication in place for staff to securely access the organisation’s IT systems. Our IT support company undertakes periodic reviews of our security to ensure we are protected.
Staffing & Internal Management
We undertake regular reviews of who has access to information that we hold to ensure that your information is only accessible by appropriately trained staff, volunteers and contractors. Staff have access to personal information on a ‘need-to-know’ basis, so, for example, highly sensitive data (e.g. employment records) is only available to managers with the designated permissions to access and process that data. VAC also operates a ‘clear-desk’ policy so that any hard-copy paperwork is kept off the desk and safely stored in secure storage units.
All staff, trustees, volunteers (and third-party consultants, should we use them) receive initial data protection training at induction with a refresher every ///years. VAC has reviewed the following internal policies & procedures to ensure they meet the requirements for GDPR compliance: Acceptable Use of ICT, Confidentiality, Customer Service, Data Protection, Grievance & Disciplinary, Outside Consultancy, Staff Development & Training, Volunteers, Whistleblowing and Working from Home.
Retention & Disposal of Information
VAC will only keep your information for as long as we have consent, a legitimate interest, or a statutory requirement to keep it. When we come to delete your data, we can permanently erase any digital records we hold on you. Confidential paper records are disposed of using cross-cut shredders and secure bins.
Who we share data with & how they protect it
Where we use external companies to collect or process personal data on our behalf, we do comprehensive checks on these companies before we work with them, and have in writing a document that sets out how they manage the personal data they collect or have access to. Data sent to third parties will always be encrypted.
Some of our suppliers, e.g. Microsoft and PayPal, run their operations outside the European Economic Area (EEA). Although they may not be subject to the same data protection laws as companies based in the UK, we will take steps to make sure they provide an adequate level of protection in accordance with UK data protection law. By submitting your personal information to us you agree to this transfer, storing or processing at a location outside the EEA.
VAC’s third party data processors
Microsoft: has extensive expertise in protecting data, championing privacy, and complying with complex regulations, and currently complies with both EU-U.S. Privacy Shield and EU Model Clauses. VAC makes use of the tools made available by Microsoft to aid GDPR compliance, including Azure Active Directory, email encryption and Enterprise Mobility + Security. Find out more about Microsoft tools for GDPR compliance here: https://www.microsoft.com/en-us/TrustCenter/Privacy/gdpr/readiness
Lamplight: has been making a number of changes over the last few months to help users meet GDPR requirements. In particular, they are updating their system, training key staff, working towards Cyber Essentials certification (and will then seek ISO27001:2013 certification), and producing a GDPR implementation workbook and some advice about the use of Lamplight. You can read more about Lamplight GDPR compliance here: https://www.lamplightdb.co.uk/the-system/gdpr/
Salesforce: In November 2015, Salesforce became the first top-10 software company to achieve approval for binding corporate rules for processors from European data protection authorities. In August 2016, Salesforce became one of the first companies to certify compliance with the EU-U.S. Privacy Shield Framework. You can find details of Salesforce’s Data Processing Addendum here: https://www.salesforce.com/content/dam/web/en_us/www/documents/legal/Agreements/data-processing-addendum.pdf, along with Trust & Compliance documentation for all services here: https://help.salesforce.com/articleView?id=Trust-and-Compliance-Documentation&language=en_US&r=https%3A%2F%2Fwww.salesforce.com%2Fblog%2F2017%2F07%2Fsalesforce-gdpr-july-2017.html&type=1
Eventbrite: Eventbrite does not sell your personal information to third parties. They have a full time legal and security team focused on privacy and security issues. They participate in and comply with the EU-U.S. Privacy Shield Framework. You can read further information about Eventbrite security here: https://www.eventbrite.co.uk/security/
PayPal: is subject to a number of regulations to ensure that the financial data you provide when making payments is kept safe and secure. VAC does not receive any personal payment information directly. We will only ever receive from PayPal your name, email, the amount paid, and details of what you paid for. You can read PayPal’s privacy policy here: https://www.paypal.com/en/webapps/mpp/ua/privacy-full
NESTA: for employees only. NESTA privacy policy can be found here: https://www.nestpensions.org.uk/schemeweb/nest/nestcorporation/privacy-policy.html
SAGE: Sage is actively working on its GDPR strategy and has a project team who are mobilised and focussing on Sage’s strategy and implementation of GDPR, which is endorsed by the Sage Board. Further details of how they comply with GDPR can be found here: https://www.sage.com/imagine-media/global/feature/pdf/sage-gdpr-preparations.pdf
We may need to disclose your details, if required, to the police, regulatory bodies or legal advisors.
We will only ever share your data in other circumstances if we have your explicit and informed consent.