You can contact us at any time to:

• Request access to information that VAC holds on you
• Correct any information that VAC holds on you
• Delete any information VAC holds on you
• Restrict further processing of any information VAC holds on you

For the above, or if you have questions about VAC’s collection and storage of data, please contact us at: Voluntary Action Camden | Charlie Ratchford Centre, Belmont Street, NW1 8HF| Tel: +44 207 284 6550 | Email: info@vac.org.uk

VAC follows the following principles in order to protect your privacy:

• we do not collect more information than is necessary;
• we do not use your data for purposes other than those specified;
• we do not keep your data if it is no longer needed;
• we do not share your data with third parties, unless where we have a statutory or contractual requirement to do so. We will always let you know if this is the case.

You may give us your information in order to access our services or projects, sign up for one of our events, sign up to receive our newsletters, tell us your story, make a donation, or communicate with us.

When you give it to us indirectly

Your information may be shared with us by other organisations that we work with, for example Camden Council forwarding a referral to access our services, or through Eventbrite when you sign up to book an event. You should always make sure that you have consented to your information being shared for these purpose.

When we collect it as you use our website

You can visit our website without giving away your personal information. However, once you contact us via the VAC website, VAC collects information about you.

Social Media

Depending on your settings or the privacy policies for social media and messaging services like Facebook, WhatsApp or Twitter, you might give us permission to access information from those accounts or services.

Social Media Plugins

Our website features one plug-in for easy sharing and following our social media pages: Facebook, Twitter, YouTube & Google Plus.

Information available publicly (for community groups, registered charities and companies only)

This may include information found in places such as CINDEX, the Charity Commission and Companies House, or other third-party directory sites.

Voluntary Action Camden (“VAC” or “We” or “Our”) promises to respect any personal data you share with us, or that we get from other organisations, and keep it safe. We aim to be clear when we collect your data and not do anything with it you wouldn’t reasonably expect. We have made improvements to this policy to make it more understandable to supporters and to ensure that it meets the requirements for GDPR compliance. You can download and print a PDF copy here, or read the policy online by clicking through the links below.The type and quantity of information we collect and how we use it depends on why you are providing it.

Service Users

If you want to access our services, for example get support to set up or develop your organisation, or participate in a project, we will usually collect:

• Your name
• Your personal contact details, including address phone number and email
• Your organisation’s name
• Your organisation’s contact details
• Profile data about your organisation e.g. services, beneficiaries, area of operation, no. of trustees, volunteers, income & expenditure.
• Details about why you contacted us e.g. your support needs, to join a project, sign up for an event etc.
• For events, we may ask for specific information pertaining to the event subject itself. This is to deliver a more tailored session.

Where it is appropriate, or a requirement of our funding, we may also ask for:

• Gender
• Ethnicity
• Information about any specific accessibility requirements (in order to deliver accessible services).
• Information about any specific dietary requirements (in order to accommodate your dietary needs where we offer catering for events and meetings).
• Information about your health (only for projects to refer to you voluntary services & activities that can assist with health and well-being).

Profiling

Profiling to Access Services

In some cases, we may ask for certain information about you or your organisation in order to determine your eligibility to access services. This may be because a funder has imposed restrictions on who we can provide services to, or in order to qualify that you are a voluntary group working in Camden or mainly serving Camden residents.

Building profiles of the voluntary and community sector

When building a profile of your organisation we may analyse geographic, demographic, income & expenditure and other profile information relating to your organisation in order to better understand the size and service offer of the aggregate voluntary and community sector in Camden. Such information is compiled using data we already hold, publicly available data about your organisation, for example public directories, Companies House and the Charity Commission.

Targeted Communications

Where appropriate, we use profiling techniques to ensure that we can share with you specific policy updates, news and event communications that may be of specific interest to you e.g. information relating to health & social care, where you are a health and social care organisation; or focus groups for very small organisations, where you may have a turnover less than £100k. We will always ask for your consent to send targeted communications to your organisation. We do not profile individuals but may send you targeted communications if we have your consent to do so.

Direct Marketing

Our marketing communications include information about our work, events, fundraising opportunities, local & national policy updates, as well as jobs, offers and resources from other voluntary organisations in Camden. VAC now adopts an ‘Opt-In’ only approach to marketing communications, meaning that we will not email you any information unless we have your consent to do so on file. If you would like to receive such communications but have not opted in please contact us on 0207 284 6550 or info@vac.org.uk. VAC uses MailChimp to send marketing communications and maintain records on your marketing preferences. Mailchimp has verified it is a compliant data processor under GDPR and has the relevant safeguards in place to keep your data safe. With your consent, we will contact you:

• When you sign up to receive our weekly newsletter and policy briefings
• When you sign up to receive targeted communications containing info that may be of interest or importance to you or your organisation e.g. policy changes or strategic meetings concerning organisations that deal with health & social care [where your organisation works in this sector).

For marketing communications we will usually only ask for:

• Name (individual or organisation)
• Email (personal or organisation)
• Marketing preferences.

Occasionally, we may include in our communications information from partner organisations or other organisations in Camden who want to share news and information relating to civil society. We make it easy for you to tell us how you want us to communicate, in a way that suits you. Our forms have clear marketing preference questions and we include information on how to opt out when we send you marketing. If you don’t want to hear from us, that’s fine. Just let us know when you provide your data, updates your preferences using the links in MailChimp, or contact us directly on 0207 284 6550 | email: info@vac.org.uk. We do not sell or share personal details to third parties for the purposes of marketing. But, if we run an event in partnership with another named organisation your details may need to be shared. We will be very clear what will happen to your data when you register.

Recruitment & Volunteering

Applicants

If you apply for a job or volunteering position with VAC, we will collect, process and store the information you have sent us for recruitment/volunteer-related purposes. We will only ask for sufficient information so as to contact you and assess your application against the job specification. Additionally, VAC may keep your data for a period of time / up to 1 year ?? for the purpose of considering you for a different opportunity.

Successful Applicants (employees only)

In order to fulfil your employment contract, VAC will need to ask for further personal information to set you up as an employee on our systems. This will include your bank details, national insurance number and relevant forms required by HMRC. In some cases it may require a DBS check. To fulfil our legal financial obligations, we will need to share your payroll information with HMRC and our pension provider, NESTA. In this case your data will be encrypted.

Case Studies

To monitor our services and better gauge our impact, if you have accessed our service in the past we may contact you to ask if you would be willing to participate in a case study interview. If you accept, we will ask information about the support you received from VAC. You have control of this information and decide how VAC can use it. We will provide you with a consent form specifying varying levels of consent to use this information in the public domain. You will always be sent a copy of the edited interview write up so you can approve this before signing off your consent.

Suppliers

If you are a supplier or potential supplier we will only ask for information pertaining to the services which we would like you to provide for us.

Data Collected from our Website

When you visit the website VAC uses Google Analytics and Cookies in order to improve our service, user experience and analyse how the website is used. Aside from the approximate location (IP address), the information collected by Google Analytics is mostly anonymous traffic, including browser information, device information and language. We do not collect additional information, such as your age, gender, interests, bank details or clickstream. The collected information is used to provide an overview of how people are accessing and using the VAC website. It is not used for any additional purpose, such as to profile those who access our website. In addition, the type of device you’re using to access our website or apps and the settings on that device may provide us with information about your device, including what type of device it is, what specific device you have, what operating system you’re using, what your device settings are, and why a crash has happened. Your device manufacturer or operating system provider will have more details about what information your device makes available to us.

When you contact us via the website

While you can use our website without giving out your personal information, once you contact us via the VAC website, VAC collects information about you. The information you fill in (personal information such as your name, email address, details about your organisation and why you would like our assistance) will be processed and stored so that it is possible for us to contact and respond to your request, and/or allow you access to our services.

Social Media Plugin

Being on our website does not automatically result in sharing data on these social media networks. The social media plugins remain inactive (idle) until clicked upon. Once clicked upon, you will be taken to the said social media networks with their own specific privacy policies you are recommended to consult.

Eventbrite

VAC uses Eventbrite for event management. VAC may also collect data about you when you register or pay for an event.

PayPal

VAC does not directly collect, process or store any information relating to your payment method. For paid events we use PayPal as the payment processor.

Security

Where your data is stored We may have records of your data on:

• Email (Microsoft)
• SharePoint (Microsoft)
• Lamplight Database
• Salesforce Database
• Eventbrite (event bookings)
• PayPal (paid events only)
• NESTA (employee pension records)
• Hard copy (secure storage cupboards)

IT Systems

VAC cares to ensure the security of personal data. When VAC collects information about you, we also make sure that your information is protected from unauthorized access, loss, manipulation, falsification, destruction or unauthorized disclosure. This is done through appropriate technical measures. For example, emails and our online forms are encrypted, our network is protected and routinely monitored, remote devices e.g. mobile phones and laptops are encrypted and there are password policies and 2-step authentication in place for staff to securely access the organisation’s IT systems. Our IT support company undertakes periodic review of our security to ensure we are protected.

Staffing & Internal Management

We undertake regular reviews of who has access to information that we hold to ensure that your information is only accessible by appropriately trained staff, volunteers and contractors. Staff have access to personal information on a ‘need-to-know’ basis, so for example, highly sensitive data e.g. employment records, are only available to managers with the designated permissions to access and process that data. VAC also operates a ‘clear –desk’ policy so that any hard-copy paperwork is kept off the desk and safely stored in secure storage units.

All staff, trustees, volunteers (and third-party consultants, should we use them) receive initial data protection training at induction with a refresher every ///years. VAC has reviewed the following internal policies & procedures to ensure they meet the requirements for GDPR compliance: Acceptable Use of ICT, Confidentiality, Customer Service, Data Protection, Grievance & Disciplinary, Outside Consultancy, Staff Development & Training, Volunteers, Whistleblowing and Working from Home.

Retention & Disposal of Information

VAC will only keep your information for as long as we have consent, a legitimate interest, or statutory requirement, to keep it. When we come to delete your data we can permanently erase any digital records we hold on you. Paper confidential records are disposed of using cross cut shredders and secure bins.

Who we share data with & how they protect it

Where we use external companies to collect or process personal data on our behalf, we do comprehensive checks on these companies before we work with them, and have in writing a document that sets out how they manage the personal data they collect or have access to. Data sent to third parties will always be encrypted.

Some of our suppliers e.g. Microsoft and PayPal run their operations outside the European Economic Area (EEA). Although they may not be subject to same data protection laws as companies based in the UK, we will take steps to make sure they provide an adequate level of protection in accordance with UK data protection law. By submitting your personal information to us you agree to this transfer, storing or processing at a location outside the EEA.

VAC’s third party data processors

Microsoft: has extensive expertise in protecting data, championing privacy, and complying with complex regulations, and currently complies with both EU-U.S. Privacy Shield and EU Model Clauses. VAC makes use of the tools available by Microsoft to aid GDPR compliance, including Azure Active Directory, email encryption and Enterprise Mobility + Security. Find out more about Microsoft tools for GDPR compliance here: https://www.microsoft.com/en-us/TrustCenter/Privacy/gdpr/readiness

Lamplight: has been making a number of changes over the last few months to help users meet GDPR requirements. In particular, they are updating their system, training key staff, working towards Cyber Essentials certification (and will then seek ISO27001:2013 certification), and producing a GDPR implementation workbook and producing some advice about the use of Lamplight. You can read more about Lamplight GDPR compliance here: https://www.lamplightdb.co.uk/the-system/gdpr/

Salesforce: In November 2015, Salesforce became the first top-10 software company to achieve approval for binding corporate rules for processors from European data protection authorities. In August 2016, Salesforce became one of the first companies to certify compliance with the EU-U.S. Privacy Shield Framework. You can find details of Salesforce’s Data Processing Addendum here: https://www.salesforce.com/content/dam/web/en_us/www/documents/legal/Agreements/data-processing-addendum.pdf, along with Trust & Compliance documentation for all services here: https://help.salesforce.com/articleView?id=Trust-and-Compliance-Documentation&language=en_US&r=https%3A%2F%2Fwww.salesforce.com%2Fblog%2F2017%2F07%2Fsalesforce-gdpr-july-2017.html&type=1

Eventbrite: Eventbrite does not sell your personal information to third parties. They have a full time legal and security team focused on privacy and security issues. They participate in and comply with the EU-U.S. Privacy Shield Framework. You can read further information about Eventbrite security here: https://www.eventbrite.co.uk/security/

PayPal: is subject to a number of regulations to ensure that the financial data you provide when making payments is kept safe and secure. VAC does not receive any personal payment information directly. We will only ever receive from Paypal your name, email, the amount paid, and details of what you paid for. You can read Paypal’s privacy policy here: https://www.paypal.com/en/webapps/mpp/ua/privacy-full

NESTA: for employees only. NESTA privacy policy can be found here: https://www.nestpensions.org.uk/schemeweb/nest/nestcorporation/privacy-policy.html

SAGE: Sage is actively working on its GDPR strategy and has a project team who are mobilised and focussing on Sage’s strategy and implementation of GDPR, which is endorsed by the Sage Board. Further details of how they comply with GDPR can be found here: https://www.sage.com/imagine-media/global/feature/pdf/sage-gdpr-preparations.pdf

We may need to disclose your details if required to the police, regulatory bodies, legal advisors.

We will only ever share your data in other circumstances if we have your explicit and informed consent.

Updating our records

Where possible we use publicly available sources to keep your organisation’s records up to date, such as Companies House, the Charity Commission and other third-party public directories. With your consent, we may also contact you periodically to check that the data we have on you or your organisation is up-to-date. We will do so by phone or direct email. To check we hold the right information on our database we will usually ask for:

• Organisation name and contact details
• Organisation services and beneficiaries
• Whether your organisation is actively operating in Camden or work with Camden residents
• If you have premises, room or desk-space to let out
• Whether you would like your organisation’s details published on our OneCamden directory of voluntary and community groups in Camden.

We may also ask:

• To check whether your staff members on our database are still working for your organisation.
• For your name and contact details if you are an individual.

If you want to check, update or delete from our systems what information we hold on you, you can do so by contacting us on the contact details at the top of this policy.

Access to Information

You have the right to request access to the information we hold on you. You can do this by contacting us using the contact details at the top of this policy or by completing a Subject Access Request form. You do not have to complete a Subject Access Request form to access your information but it will help speed up the process if you can complete the details on the designated form. We will make sure to provide you with a copy of the data we process about you. We will do so by sending your copy electronically, unless the request expressly specifies a different method. The personal data will be provided in a structured, commonly used and machine readable form. Open formats include CSV files. For any subsequent access request, we may charge you with an administrative fee. In order to comply with your request, we may ask you to verify your identity.

Information Correction & Deletion

If you believe that the information we have about you is incorrect, you are welcome to contact us so we can update it and keep your data accurate. We will only retain your information for as long as we have a legitimate interest in doing so, or a legal or statutory requirement to keep it. If at any point you wish for VAC to correct or delete information about you, you can simply contact us on the details given at the top pf this policy. If we are unable to comply with your request for legal or statutory reasons, we will write to you to let you know.

Objections to further processing

You can instruct us to discontinue processing your data for marketing purposes (e.g. unsubscribe from our weekly newsletter), processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling); and the processing for purposes of scientific/historical research and statistics. We will comply with your request unless there is any legal or statutory requirement to not do so. We will write to you to let you know if this is the case.

If you feel VAC has breached its duties under GDPR, or you are concerned about our organisation’s information rights practices, then you can lodge a complaint directly with the Information & Commissioners Office: Information & Commissioners Office (Head Office) Wycliffe House Water Lane Wilmslow Cheshire SK9 5AF Live chat: https://ico.org.uk/global/contact-us/live-chat Tel: 0303 123 1113 Website: https://ico.org.uk/concerns/