Voluntary Action Camden (“VAC” or “We” or “Our”) promises to respect any personal data you share with us, or that we get from other organisations, and keep it safe. We aim to be clear when we collect your data and not do anything with it you wouldn’t reasonably expect.
We have made improvements to this policy to make it more understandable to supporters and to ensure that it meets the requirements for GDPR compliance. You can download and print a PDF copy here, or read the policy online by clicking through the links below.
- Request access to information that VAC holds on you
- Correct any information that VAC holds on you
- Delete any information VAC holds on you
- Restrict further processing of any information VAC holds on you
- we do not collect more information than is necessary;
- we do not use your data for purposes other than those specified;
- we do not keep your data if it is no longer needed;
- we do not share your data with third parties, unless where we have a statutory or contractual requirement to do so. We will always let you know if this is the case.
When you give it to us indirectlyYour information may be shared with us by other organisations that we work with, for example Camden Council forwarding a referral to access our services, or through Eventbrite when you sign up to book an event. You should always make sure that you have consented to your information being shared for these purpose.
When we collect it as you use our websiteYou can visit our website without giving away your personal information. However, once you contact us via the VAC website, VAC collects information about you.
Social MediaDepending on your settings or the privacy policies for social media and messaging services like Facebook, WhatsApp or Twitter, you might give us permission to access information from those accounts or services.
Social Media PluginsOur website features one plug-in for easy sharing and following our social media pages: Facebook, Twitter, YouTube & Google Plus.
Information available publicly (for community groups, registered charities and companies only)This may include information found in places such as CINDEX, the Charity Commission and Companies House, or other third-party directory sites.
Service UsersIf you want to access our services, for example get support to set up or develop your organisation, or participate in a project, we will usually collect:
- • Your name
- • Your personal contact details, including address phone number and email
- • Your organisation’s name
- • Your organisation’s contact details
- • Profile data about your organisation e.g. services, beneficiaries, area of operation, no. of trustees, volunteers, income & expenditure.
- • Details about why you contacted us e.g. your support needs, to join a project, sign up for an event etc.
- • For events, we may ask for specific information pertaining to the event subject itself. This is to deliver a more tailored session.
- • Gender
- • Ethnicity
- • Information about any specific accessibility requirements (in order to deliver accessible services).
- • Information about any specific dietary requirements (in order to accommodate your dietary needs where we offer catering for events and meetings).
- • Information about your health (only for projects to refer to you voluntary services & activities that can assist with health and well-being).
Profiling to Access ServicesIn some cases, we may ask for certain information about you or your organisation in order to determine your eligibility to access services. This may be because a funder has imposed restrictions on who we can provide services to, or in order to qualify that you are a voluntary group working in Camden or mainly serving Camden residents.
Building profiles of the voluntary and community sectorWhen building a profile of your organisation we may analyse geographic, demographic, income & expenditure and other profile information relating to your organisation in order to better understand the size and service offer of the aggregate voluntary and community sector in Camden. Such information is compiled using data we already hold, publicly available data about your organisation, for example public directories, Companies House and the Charity Commission.
Targeted CommunicationsWhere appropriate, we use profiling techniques to ensure that we can share with you specific policy updates, news and event communications that may be of specific interest to you e.g. information relating to health & social care, where you are a health and social care organisation; or focus groups for very small organisations, where you may have a turnover less than £100k. We will always ask for your consent to send targeted communications to your organisation. We do not profile individuals but may send you targeted communications if we have your consent to do so.
Direct MarketingOur marketing communications include information about our work, events, fundraising opportunities, local & national policy updates, as well as jobs, offers and resources from other voluntary organisations in Camden. VAC now adopts an ‘Opt-In’ only approach to marketing communications, meaning that we will not email you any information unless we have your consent to do so on file. If you would like to receive such communications but have not opted in please contact us on 0207 284 6550 or firstname.lastname@example.org. VAC uses MailChimp to send marketing communications and maintain records on your marketing preferences. Mailchimp has verified it is a compliant data processor under GDPR and has the relevant safeguards in place to keep your data safe. With your consent, we will contact you:
- When you sign up to receive our weekly newsletter and policy briefings
- When you sign up to receive targeted communications containing info that may be of interest or importance to you or your organisation e.g. policy changes or strategic meetings concerning organisations that deal with health & social care [where your organisation works in this sector).
- Name (individual or organisation)
- Email (personal or organisation)
- Marketing preferences.
Recruitment & Volunteering
ApplicantsIf you apply for a job or volunteering position with VAC, we will collect, process and store the information you have sent us for recruitment/volunteer-related purposes. We will only ask for sufficient information so as to contact you and assess your application against the job specification. Additionally, VAC may keep your data for a period of time / up to 1 year ?? for the purpose of considering you for a different opportunity.
Successful Applicants (employees only)In order to fulfil your employment contract, VAC will need to ask for further personal information to set you up as an employee on our systems. This will include your bank details, national insurance number and relevant forms required by HMRC. In some cases it may require a DBS check. To fulfil our legal financial obligations, we will need to share your payroll information with HMRC and our pension provider, NESTA. In this case your data will be encrypted.
Case StudiesTo monitor our services and better gauge our impact, if you have accessed our service in the past we may contact you to ask if you would be willing to participate in a case study interview. If you accept, we will ask information about the support you received from VAC. You have control of this information and decide how VAC can use it. We will provide you with a consent form specifying varying levels of consent to use this information in the public domain. You will always be sent a copy of the edited interview write up so you can approve this before signing off your consent.
SuppliersIf you are a supplier or potential supplier we will only ask for information pertaining to the services which we would like you to provide for us.
Data Collected from our WebsiteWhen you visit the website VAC uses Google Analytics and Cookies in order to improve our service, user experience and analyse how the website is used. Aside from the approximate location (IP address), the information collected by Google Analytics is mostly anonymous traffic, including browser information, device information and language. We do not collect additional information, such as your age, gender, interests, bank details or clickstream. The collected information is used to provide an overview of how people are accessing and using the VAC website. It is not used for any additional purpose, such as to profile those who access our website. In addition, the type of device you’re using to access our website or apps and the settings on that device may provide us with information about your device, including what type of device it is, what specific device you have, what operating system you’re using, what your device settings are, and why a crash has happened. Your device manufacturer or operating system provider will have more details about what information your device makes available to us.
When you contact us via the websiteWhile you can use our website without giving out your personal information, once you contact us via the VAC website, VAC collects information about you. The information you fill in (personal information such as your name, email address, details about your organisation and why you would like our assistance) will be processed and stored so that it is possible for us to contact and respond to your request, and/or allow you access to our services.
Social Media PluginBeing on our website does not automatically result in sharing data on these social media networks. The social media plugins remain inactive (idle) until clicked upon. Once clicked upon, you will be taken to the said social media networks with their own specific privacy policies you are recommended to consult.
EventbriteVAC uses Eventbrite for event management. VAC may also collect data about you when you register or pay for an event.
PayPalVAC does not directly collect, process or store any information relating to your payment method. For paid events we use PayPal as the payment processor.
SecurityWhere your data is stored We may have records of your data on:
- Email (Microsoft)
- SharePoint (Microsoft)
- Lamplight Database
- Salesforce Database
- Eventbrite (event bookings)
- PayPal (paid events only)
- NESTA (employee pension records)
- Hard copy (secure storage cupboards)
VAC cares to ensure the security of personal data. When VAC collects information about you, we also make sure that your information is protected from unauthorized access, loss, manipulation, falsification, destruction or unauthorized disclosure. This is done through appropriate technical measures. For example, emails and our online forms are encrypted, our network is protected and routinely monitored, remote devices e.g. mobile phones and laptops are encrypted and there are password policies and 2-step authentication in place for staff to securely access the organisation’s IT systems. Our IT support company undertakes periodic review of our security to ensure we are protected.
Staffing & Internal Management
We undertake regular reviews of who has access to information that we hold to ensure that your information is only accessible by appropriately trained staff, volunteers and contractors. Staff have access to personal information on a ‘need-to-know’ basis, so for example, highly sensitive data e.g. employment records, are only available to managers with the designated permissions to access and process that data. VAC also operates a ‘clear –desk’ policy so that any hard-copy paperwork is kept off the desk and safely stored in secure storage units.
All staff, trustees, volunteers (and third-party consultants, should we use them) receive initial data protection training at induction with a refresher every ///years. VAC has reviewed the following internal policies & procedures to ensure they meet the requirements for GDPR compliance: Acceptable Use of ICT, Confidentiality, Customer Service, Data Protection, Grievance & Disciplinary, Outside Consultancy, Staff Development & Training, Volunteers, Whistleblowing and Working from Home.
Retention & Disposal of Information
VAC will only keep your information for as long as we have consent, a legitimate interest, or statutory requirement, to keep it. When we come to delete your data we can permanently erase any digital records we hold on you. Paper confidential records are disposed of using cross cut shredders and secure bins.
Who we share data with & how they protect it
Where we use external companies to collect or process personal data on our behalf, we do comprehensive checks on these companies before we work with them, and have in writing a document that sets out how they manage the personal data they collect or have access to. Data sent to third parties will always be encrypted.
Some of our suppliers e.g. Microsoft and PayPal run their operations outside the European Economic Area (EEA). Although they may not be subject to same data protection laws as companies based in the UK, we will take steps to make sure they provide an adequate level of protection in accordance with UK data protection law. By submitting your personal information to us you agree to this transfer, storing or processing at a location outside the EEA.
VAC’s third party data processors
Microsoft: has extensive expertise in protecting data, championing privacy, and complying with complex regulations, and currently complies with both EU-U.S. Privacy Shield and EU Model Clauses. VAC makes use of the tools available by Microsoft to aid GDPR compliance, including Azure Active Directory, email encryption and Enterprise Mobility + Security. Find out more about Microsoft tools for GDPR compliance here: https://www.microsoft.com/en-us/TrustCenter/Privacy/gdpr/readiness
Lamplight: has been making a number of changes over the last few months to help users meet GDPR requirements. In particular, they are updating their system, training key staff, working towards Cyber Essentials certification (and will then seek ISO27001:2013 certification), and producing a GDPR implementation workbook and producing some advice about the use of Lamplight. You can read more about Lamplight GDPR compliance here: https://www.lamplightdb.co.uk/the-system/gdpr/
Salesforce: In November 2015, Salesforce became the first top-10 software company to achieve approval for binding corporate rules for processors from European data protection authorities. In August 2016, Salesforce became one of the first companies to certify compliance with the EU-U.S. Privacy Shield Framework. You can find details of Salesforce’s Data Processing Addendum here: https://www.salesforce.com/content/dam/web/en_us/www/documents/legal/Agreements/data-processing-addendum.pdf, along with Trust & Compliance documentation for all services here: https://help.salesforce.com/articleView?id=Trust-and-Compliance-Documentation&language=en_US&r=https%3A%2F%2Fwww.salesforce.com%2Fblog%2F2017%2F07%2Fsalesforce-gdpr-july-2017.html&type=1
Eventbrite: Eventbrite does not sell your personal information to third parties. They have a full time legal and security team focused on privacy and security issues. They participate in and comply with the EU-U.S. Privacy Shield Framework. You can read further information about Eventbrite security here: https://www.eventbrite.co.uk/security/
SAGE: Sage is actively working on its GDPR strategy and has a project team who are mobilised and focussing on Sage’s strategy and implementation of GDPR, which is endorsed by the Sage Board. Further details of how they comply with GDPR can be found here: https://www.sage.com/imagine-media/global/feature/pdf/sage-gdpr-preparations.pdf
We may need to disclose your details if required to the police, regulatory bodies, legal advisors.
We will only ever share your data in other circumstances if we have your explicit and informed consent.
Updating our recordsWhere possible we use publicly available sources to keep your organisation’s records up to date, such as Companies House, the Charity Commission and other third-party public directories. With your consent, we may also contact you periodically to check that the data we have on you or your organisation is up-to-date. We will do so by phone or direct email. To check we hold the right information on our database we will usually ask for:
- Organisation name and contact details
- Organisation services and beneficiaries
- Whether your organisation is actively operating in Camden or work with Camden residents
- If you have premises, room or desk-space to let out
- Whether you would like your organisation’s details published on our OneCamden directory of voluntary and community groups in Camden.
- To check whether your staff members on our database are still working for your organisation.
- For your name and contact details if you are an individual.