Data Protection Policy 2018
This policy sets out how YMCA Scotland complies with new GDPR regulations in relation to Data Protection.
Everyone has rights with regard to how their personal data is handled. Personal data is any information that a person can be identified from and about that person, such as a name, address, staff number or location. During the course of our activities, YMCA Scotland will collect, store and process personal data, and we recognise the need to treat it in an appropriate and lawful manner.
This may include data YMCA Scotland receives directly from employees (for example, by completing forms or by corresponding with us by mail, phone or otherwise) and data received from other sources including donors and volunteers. Where the policy refers to employees the same rules and regulations will apply to volunteers and donors.
Personal data, which may be held in paper or electronic form, is subject to certain legal safeguards specified in the General Data Protection Regulation EU 2016/679, as well as other data protection and privacy laws such as the Privacy and Electronic Communications Regulations 2003, as may be updated or replaced from time to time (the Data Protection Legislation).
This policy aims to fulfill the requirement for fair and lawful processing of personal information in the records which YMCA creates and receives in the course of our activities.
This policy covers:
The requirements that must be met for the processing of personal information
Staff responsibilities in relation to data protection
Provision for regular review of the data protection policy and its implementation
2 Data Protection Legislation
This policy sets out our rules on data protection and the legal requirements that must be satisfied by YMCA Scotland and our staff and volunteers in relation to the obtaining, handling, use, storage, transfer and destruction and other processing of such personal data. The types of information that YMCA Scotland may be required to handle include details of current, past and prospective employees, suppliers, customers, donors and others that YMCA Scotland communicate with.
This policy applies to all individuals, which for these purposes includes employees, temporary and agency workers, other contractors, interns, donors and volunteers (Data Users). All employees should familiarise themselves with this policy and comply with its terms when processing personal data on our behalf.
This policy balances the legitimate needs of organisations to collect and use personal information for charitable and other purposes against the right of individuals to respect for the privacy of their personal details.
YMCA Scotland regards the lawful and correct treatment of personal information as very important to successful charitable operations, and to maintaining stakeholder confidence.
This policy does not form part of any employee's contract of employment and it may be amended at any time.
3 Data Protection Officer
The [Data Protection Officer] is responsible for ensuring compliance with the Data Laws and with this policy.
That post is held by Jillian Law. If you have any questions or concerns about the operation of this policy, please refer in the first instance to the Data Protection Officer.
4 Data Protection Principles
Employees who process personal data under this policy must comply with the principles of the Data Protection Legislation. The principles provide that personal data must:
1 Be used in a way that makes it clear to individuals what is being done with their personal data, and is fair, reasonable and compliant with Data Protection Legislation;
2 Only be used in line with how we told the individual YMCA Scotland would use it and not for any wider, incompatible purposes;
3 Be adequate, relevant and limited just to what YMCA Scotland require it for;
4 Be accurate and, where necessary, kept up to date;
5 Not be kept for longer than is required; and kept secure.
In addition, when processing personal data YMCA Scotland must bear in mind that individuals have certain rights to their personal data (for example, to access it or have it deleted) and that we must not send it to companies and people outside of the EU without following certain procedures.
5 Fair and Lawful Processing
The Company must generally only process personal data if one of the lawful bases set out in the Data Protection Legislation applies. This means that YMCA Scotland will only process personal data if:
the individual has given their consent (YMCA Scotland must ensure that the consent wording and mechanism for obtaining consent meet the requirements of the Data Protection Legislation);
YMCA Scotland need to process the personal data in order to perform a contract with the individual, or because they have asked us to take certain steps before entering into a contract (for example, we require contact details so we can deliver goods ordered);
the processing is necessary to comply with other laws or regulations (not including contractual obligations);
the processing is necessary to protect someone's life;
the processing is necessary to perform a task in the public interest or for YMCA Scotland’s official functions; or
the processing is necessary for our business' legitimate interest or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those interests.
YMCA Scotland should always record our reasoning for choosing a particular lawful basis, so we can explain ourselves if an individual complains or the data protection regulator (the Information Commissioner's Officer (ICO) asks us.
6 Sensitive Personal Data and Criminal Checks
Some of the information YMCA Scotland holds as a business is particularly sensitive and we must be aware that special rules apply to it.
This includes information about an individual’s racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, or an individual’s genetic data, biometric data (where it uniquely identifies them), or about their health, or sexual orientation (known as sensitive personal data or special categories of personal data).
YMCA Scotland will generally not collect and use such data unless the individual has given us explicit consent (for example, confirmed in writing that they agree to us holding it) or we need it in order to fulfil our obligations as an employer.
Likewise, YMCA Scotland can only carry out criminal record checks in certain limited circumstances. Where it is necessary to process such information, Data Users should consult [the Data Protection Officer] to ensure the correct compliance steps are taken.
Sometimes the Company will need consent to use someone's personal data, for example if we are sending them marketing emails, or disclosing sensitive (or special category) personal data to a third party. Where we need consent, YMCA Scotland will ensure our consent wording and mechanisms for obtaining and recording consents comply with the Data Protection Legislation.
Where YMCA Scotland rely on consent for processing sensitive (special category) personal data, we will ensure that it is explicit (expressly confirmed in words rather than by any other positive action).
Whenever YMCA Scotland requests consent for processing, it will:
present the request for consent in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language;
not make services conditional on consent to the processing of personal data that is not necessary for the performance of that contract (for example, marketing);
keep records of consent obtained so we can provide evidence if required;
enable individuals to withdraw their consent at any time. Data Users should consult with [the Data Protection Officer] if they receive a notification that an individual wishes to withdraw his or her consent.
8 Processing for Limited Purposes
Personal data may only be processed for the specific purposes notified to the data subject when the data was first collected or for any other purposes specifically permitted by the Data Protection Legislation. This means, broadly, that personal data must not be collected for one purpose and then used for another. If it becomes necessary to change the purpose for which the data is processed, YMCA Scotland will inform the individual of the new purpose before any processing occurs.
9 Notifying Individuals (Privacy Notices)
In order to satisfy the transparency requirements under the Data Protection Legislation, when collecting personal data directly from individuals, YMCA Scotland will ensure that they receive appropriate information about how YMCA Scotland will use the data.
YMCA Scotland will inform individuals of the following:
the organisation’s name and the contact details of the Data Protection Officer
why YMCA Scotland are processing personal data and the lawful basis that applies (for example, consent or legitimate interests);
if YMCA Scotland are processing the personal data on the basis of our or a third party's legitimate interests, the organisation will explain what those interests are;
anyone with whom we will share the personal data (either their name or a general description of them) – this includes any suppliers to whom we may pass the data;
details of transfers of the data outside the EU and safeguards we have put in place (for example, contractual clauses);
how long the organisation plan to retain the personal data or the criteria used to determine the retention period bearing in mind our data retention procedures;
the employee’s rights (see employee rights below);
if the employee has given consent, that they have the right to withdraw the consent at any time;
the individuals right to lodge a complaint with a supervisory authority;
whether the provision of personal data is part of a statutory or contractual requirement or obligation and possible consequences of failing to provide the data; and
the existence of any automated decision-making which could have a legal or similar significant effect for the employee, and information about how decisions are made, the significance and the consequences.
If YMCA Scotland receives personal data about an employee indirectly (for example, via third parties), we must provide the employee with the information as well as details of the categories of personal data we are processing and where we got it from (for example, whether it came from a public source),as soon as possible.
If YMCA Scotland later need to use that personal data for a different or new purpose, we will tell the employee beforehand. This information is normally given by way of a 'privacy notice' (See Appendix 1 attached).
There are some limited exceptions to this notice requirement. If in doubt as to whether a notice should be given, Data Users should contact [the Data Protection Officer].
10 Accurate Data
YMCA Scotland will ensure that personal data we hold is accurate and kept up to date. We will check the accuracy of any personal data at the point of collection and at regular intervals afterwards. We will take all reasonable steps to destroy or amend inaccurate and out-of-date data.
11 Minimal Processing and Data Retention
YMCA Scotland will not collect excess personal data or retain data for longer than is required. This means we will:
only collect personal data to the extent that it is required for the specific purpose notified to the employee
not keep personal data longer than is necessary for the purpose for which it was collected;
take all reasonable steps to destroy, or erase from our systems, all data which is no longer required, in line with data retention procedures.
YMCA Scotland will implement appropriate technical and organisational measures to ensure that our systems allow us to do this. We will also ensure that personal data is not automatically made accessible to an indefinite number of people and that access is limited appropriately.
12 Individual Rights
YMCA Scotland will observe and process all personal data in line with employees’ rights under the Data Protection Legislation, in particular, the rights to:
request access to any personal data held about them and other supplementary information (see dealing with subject access requests below);
have inaccurate or incomplete personal data corrected;
object to us profiling them or sending targeted marketing to them;
withdraw their consent at any time;
have their personal data erased from the organisations systems;
‘block’ or suppress our use of their personal data;
not to be subject to automated decisions (i.e. decisions made solely on a computer without human intervention) which that produce legal effects or similarly significantly affect them, unless they have consented or another exception applies; and
receive their data in a portable form.
Data Users should forward any requests or complaints received from individuals in respect of their personal data immediately to the [Data Protection Officer] so that they can be dealt with within the mandatory legal timescales.
13 Data Protection Procedures
As part of the accountability principle, YMCA Scotland are required to:
keep records of processing carried out; including documenting processing activities, processing purposes, data sharing and retention.
integrate privacy measures and security controls into our processing activities ('data protection by design and default');
carry out a data protection impact assessment if the use of personal data is likely to result in high risk for the rights and freedoms of individuals (for example, where carrying out large-scale systematic monitoring of a publicly accessible, such as by CCTV); and
ensure systems have appropriate functionality to allow us to fulfil all requests made by individuals (for example, for access to their data).including documenting processing activities, processing purposes, data sharing and retention.
The [Data Protection Officer] should be consulted before any significant new data processing activity is initiated to ensure that relevant compliance steps are followed.
14 Data Security
YMCA Scotland will ensure that appropriate measures are taken to keep data secure. Individuals may apply to the courts for compensation if they have suffered damage from such a loss and we may incur large fines if we are in breach of the Data Protection Legislation. You can also be liable personally for fines or imprisonment if individuals steal or recklessly misuse personal data.
The Data Protection Legislation require YMCA Scotland to put in place procedures and technologies to maintain the security of all personal data from the point of collection to the point of destruction.
YMCA Scotland will maintain data security by protecting the confidentiality, integrity and availability of the personal data, defined as follows:
Confidentiality means that only people who are authorised to use the data can access it.
Integrity means that personal data should be accurate and suitable for the purpose for which it is processed.
Availability means that authorised users should be able to access the data if they need it for authorised purposes.
Security procedures include:
Entry controls - any unfamiliar person seen in entry-controlled areas should be reported.
Secure lockable desks and cupboards - desks and cupboards should be kept locked if they hold confidential information of any kind (personal information is always considered confidential).
Methods of disposal - paper documents should be shredded. Digital storage devices should be physically destroyed or wiped when they are no longer required.
Equipment - Data Users must ensure that employee monitors do not show confidential information to passers-by and that they log off from their PC when it is left unattended.
Generally, to keep personal data secure employees must not disclose personal data - in writing or verbally –to anyone not authorised to receive it, whether internal or external, and whether within or outside the workplace.
15 Data Breaches
YMCA Scotland has specific obligations to report any breach of security involving personal data to the Data Protection Regulator, the Information Commissioner's Office.
Data Users should notify the [Data Protection Officer] immediately of any breaches of security which lead or could lead to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data – for example loss of a laptop or paper file, or sending an email to the wrong recipient. This will allow the organisation to:
investigate the failure and take remedial steps if necessary; and
make any applicable notifications within the mandatory legal timescales.
16 Third Parties
YMCA Scotland will only use processors (for example, sub-contractors) who:
can assure us they meet the standards (including security standards) required by the Data Protection Legislation; and
agree to comply with relevant procedures and policies, or agree to put in place adequate measures themselves.
A written contract must be put in place with certain mandatory clauses prescribed by the Data Protection Legislation.
17 Sending Personal Data Overseas
YMCA Scotland may need to transfer personal data outside the UK to other service providers, third parties, agents, subcontractors and regulatory authorities in countries where data protection laws may not provide the same level of protection as those in the European Economic Area.
The Data Protection Legislation imposes restrictions on the transfer of personal data outside the EEA, to third countries or international organisations. Where we need to send personal data we hold outside the EEA or make it accessible to people outside the EU, YMCA Scotland will need to follow certain procedures.
Data Users should not transfer personal data overseas or to international organisations without first consulting [the Data Protection Officer], who can ensure that the correct procedures are in place.
18 Sharing of Personal Data
YMCA Scotland may from time to time be asked to share personal data we hold with:
external providers, such as pension, insurance and occupational health providers;
in order to comply with legal obligations, or in order to enforce or apply a contract with an employee or other agreements; or to protect our rights, property, or safety of our employees, customers, or others. This includes exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction.
The organisation will only share such information if we have a lawful basis and ensure we comply with any other relevant policies. YMCA Scotland may share personal data with processors in accordance with the terms of this policy.
19 Dealing with Subject Access Requests from Individuals
Individuals may make a formal request for information we hold about them or other requests (for example, for portable data). Data Users who receive a written request should forward it to [the Data Protection Officer] immediately.
When receiving telephone enquiries, YMCA Scotland will only disclose personal data we held on the organisations systems if we verify the caller's identity to make sure that information is only given to a person who is entitled to it. If YMCA Scotland, are not sure about the caller’s identity and where their identity cannot be checked, a written request may need to be submitted.
Data Users will refer a request to [the Data Protection Officer] for assistance in difficult situations. Data Users should not be bullied into disclosing personal information.
Where a request for information is made in electronic form, we will provide the information in electronic form where possible, unless otherwise requested by the individual.
YMCA Scotland will deal with requests for information and any other requests without undue delay, within one month (30 calendar days) of a request for information, YMCA Scotland will either:
provide the information to the individual;
if the complexity or number of requests requires, extend the response period by up to a further two months and inform the individual of such extension; or
not action the information request, and inform the individual of the reason for not taking action and of the possibility for lodging a complaint or seeking a judicial remedy.
If requests are clearly unfounded or excessive (particularly if they are repetitive), we may charge a reasonable administrative fee to carry out the request or refuse to action the request but we must record our reasoning. Data Users who suspect they have received such requests should refer them to [the Data Protection Officer]. Otherwise, initial requests will be dealt with free of charge, and we may consider charging a reasonable fee for further requests.
If individuals have any questions about responding to data subject access requests, you should contact your line manager.
20 Privacy Rights
All individuals have certain privacy rights in respect of their personal data which is held and used by organisations. These are set out in more detail below. If you receive request from anyone about exercising their rights, or if you as an individual or volunteer with us wish to exercise any of these rights, please contact the Data Protection Officer.
Right to object: You can object to our processing of your personal data where the organisation are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where the organisation are processing your personal data for direct marketing purposes. Please contact us as noted above, providing details of your objection.
Access to your personal data: You can request access to a copy of your personal data that the organisation holds, along with information on what personal data is used and why, who the information is shared with, how long it is kept for, whether it has been used for any automated decision making. Individuals can make a request for access free of charge. All requests for access should be in writing, with evidence of identity.
Consent: Most of the time, the organisation won't need employees consent to use personal data as it will be used only to fulfil obligations and exercise rights as an employer. If you have given the organisation consent to use personal data, employees can withdraw consent at any time.
Rectification: Individuals can ask the organisation to change or complete any inaccurate or incomplete personal data held about you.
Erasure: Individuals can ask the organisation to delete your personal data where it is no longer necessary for the organisation to use it, you have withdrawn consent, or where the organisation has no lawful basis for keeping it.
Portability: Individuals can ask the organisation to provide you or a third party with some of the personal data that they hold about you in a structured, commonly used, electronic form, so it can be easily transferred.
Restriction: Individuals can ask the organisation to restrict the personal information used about you where you have asked for it to be erased or where you have objected to the use of it.
No automated-decision making: Automated decision-making takes place when an electronic system uses personal data to make a decision without human intervention. Individuals have the right not to be subject to automated decisions that will create legal effects or have a similar significant impact on you, unless you have given the organisation consent, it is necessary for a contract between the individual and YMCA Scotland or is otherwise permitted by law. Individuals also have certain rights to challenge decisions made about you.
YMCA Scotland do not currently carry out automated decision-making in the course of you working with us, but we will notify you in advance if this changes.
21 What Kind Of Personal Data The Company Collect
In the course of the working relationship, YMCA Scotland will collect, store, and use the following categories of personal data about its employees:
Personal contact details such as name, title, addresses, telephone numbers, and personal email addresses
Date of birth
Marital status and dependants
Next of kin and emergency contact information
National Insurance number
Bank account details, payroll records and tax status information
Salary, annual leave, pension and benefits information
Location of employment or workplace
Identification information (including a copy of driving licence, passport and utility bills)
Recruitment information (including copies of right to work documentation, references and other information included in a CV or cover letter or as part of the application process)
Employment records (including job titles, work history, working hours, training records and professional memberships)
Disciplinary and grievance information
CCTV footage and other information obtained through electronic means such as swipe card records.
Information about your use of our information and communications systems.
22 Sensitive Personal Data
Some kinds of personal data are given special protection by the law – these are called 'special category' data. YMCA Scotland will sometimes collect, store and use the following types of 'special category' personal data:
Information about your health, including any medical condition, health and sickness records
Information about your criminal convictions and offences (for example, DVLA checks, Visa applications)
23 How the Organisation Gathers your Personal Data
YMCA Scotland will obtain personal data in different ways:
directly from individuals, for example from applications (such as a declaration of interest form);
during the application and recruitment process, from an employment agency or background check provider, former employers and credit reference agencies; and
from monitoring emails, internet and telephone usage and when we use CCTV.
24 How YMCA Scotland Uses Your Personal Data
To summarise, YMCA Scotland processes personal data for the following key purposes:
primarily, to fulfil contractual obligations and legal obligations to individuals (for example, to pay individuals and provide benefits) and to exercise legal rights;
to pursue legitimate interests of the organisation or those of third parties, provided individuals interests and fundamental rights do not override those interests, or where necessary to protect the interests of individuals or others (for example, monitoring misuse of our IT systems or tracking our vehicles);
25 How YMCA Scotland Uses Your Sensitive Data
Special protection is given to certain kinds of personal data that is particularly sensitive. This is information about individuals health status, racial or ethnic origin, political views, religious or similar beliefs, sex life or sexual orientation, genetic or biometric identifiers, trade union membership or criminal convictions or offences.
YMCA Scotland use this personal data primarily to comply with our legal obligations (including in respect of health and safety), for equal opportunity monitoring, to manage sickness and administer your benefits and where individuals drive company vehicles, DVLA will need to be supplied to the organisation.
26 If Employees Fail to Provide Personal Data
In some cases, if employees fail to provide information when requested, the organisation may not be able to perform the Contract the organisation entered into with the employee fully (such as paying you or providing benefits), or the organisation may be prevented from complying with our legal obligations (such as to ensure the health and safety of employees).
It is necessary for the organisation to monitor staff in various ways in order to ensure safety and security and protect individuals. YMCA Scotland monitors individuals in the following ways:
monitoring use of internet, i.e. looking at use of email or website visits;
monitoring excessive use of company telephones for personal reasons;
The organisation processes personal data obtained through such monitoring in accordance with our IT & Communications Policy and only carries out these activities to the extent it is necessary and proportionate and it is permitted by law.
Any concerns in relation to monitoring, should be directed to [the Data Protection Officer].
28 Sharing Your Personal Data With Others
YMCA Scotland will share personal data with third parties where required by law, or where it is necessary to administer the working relationship with you or where the organisation has a legitimate interest. The organisation will only share personal data to the extent needed for those purposes.
The organisation share personal data for these purposes with external providers such as payroll, pension administration, benefits provision, occupational health and IT services.
29 Data Retention
All employees should follow the following data retention procedures:
hard copy files relating to employees the organisation has worked with should be stored for a period of 12 months from the date of closure of the file;
electronic files relating to employees the organisation has supported should be deleted after a period of 24 months from the date of closure of the file;
all financial records should be destroyed and/or deleted after a period of 7 years;
recruitment records (such as job applications) should be destroyed after a period of 6 months; and
personnel records (including contact details, appraisals and reviews) should be destroyed 6 years after the relevant employee has left the organisation.
All personal data should be kept securely (e.g. password protection, locked safe etc.) and once it is no longer required to be kept it should be shredded or deleted.
30 Right to Complain
Employees can make a complaint to us by contacting us via the Data Protection Officer or to the data protection supervisory authority – in the UK, this is the Information Commissioner's Office, at https://ico.org.uk/.
31 Failure to Comply with This Policy
All employees must familiarise themselves with this policy and ensure they adhere to its principles when processing data. It is a criminal offence to deliberately or recklessly disclose personal information without YMCA Scotland authority.
All employees are required to sign a statement that they have read and will implement the terms of this policy.
If you have any questions about this policy or about processing data, please contact the data protection officer.
Any breach of this policy will be taken seriously and may result in disciplinary action.
32 Changes to This Policy
YMCA Scotland reserve the right to change this policy at any time. Where appropriate, the organisation will notify employees of those changes.
Responsibility for Policy –
Operational Practice: National General Secretary
Executive Responsibility: YMCA Scotland Executive Committee
ACCEPTED AS THE DATA PROTECTION POLICY BY YMCA SCOTLAND EXECUTIVE COMMITTEE AT ITS MEETING ON 9 JUNE 2018
SIGNED National Council Chairman
SIGNED National General Secretary
This policy will be reviewed at 18 month intervals
PRIVACY STATEMENT – YMCA SCOTLAND
The new General Data Protection Regulation (GDPR) gives you more control over how your personal information is used. And it makes it quicker and easier for you to check and update the information we and other organisations we work with, hold about you.
This statement outlines:
What data we collect
How we may use it
How we keep your data safe
WHO WE ARE
YMCA is a youth work organisation which works with 29 autonomous local YMCAs across Scotland and each YMCA is affiliated to YMCA Scotland. These YMCAs will have their own data protection policies and procedures. We are a charity SCO13792 and our registered office is 1 Chesser Avenue, Edinburgh, EH14 1TB.
YMCA Scotland is a data controller in respect of personal information that we process in connection with our activities.
We are committed to protecting both your data and your privacy and we want you to feel assured that any information you give us is held securely and safely, whether you are working for us, supporting us through campaigning, donations, volunteering, fundraising or events.
GETTING IN TOUCH
You have the right to ask for a copy of the information we hold about you and to have any inaccuracies in your information corrected. You also have the right to ask us to delete any personal information we hold about you. In some cases, we may be unable to delete data, such as if it is required for tax or Gift Aid purposes. In these cases, we will ensure that you are removed from future communications and processing. You can access your personal data held by us or request to receive your information in part or its entirety in machine readable format.
For all questions or concerns regarding the processing of your personal information, please do get in touch. You can write to:
Data Protection Lead
1 Chesser Avenue
Edinburgh EH14 1TB
You can email on email@example.com or call 0131 228 1464.
The Information Commissioner’s Office is the regulator for such activity and further information can be found at https://ico.org.uk
WHY AND HOW WE COLLECT YOUR DATA
When you give it to us directly
The vast majority of personal data we hold is given to us directly by our staff, campaigners, supporters, and volunteers in the course of them interacting with our services, websites or activities.
When we are working with a third party
We may work with other independent parties such as life assurance companies for staff, fundraising sites such as Just Giving or Virgin Money Giving. These independent third parties will only share your data with us when you have given permission for YMCA Scotland to contact you.
When your information is available publicly
We may combine information that we already have about you with information available publicly or information available from external sources to gain a better understanding of you. This includes the use of profiling and screening techniques to ensure communications are relevant and timely, and to provide an improved experience for our staff and supporters. Profiling also allows us to target our resources effectively, which supporters consistently tell us is a key priority for them. We do this because it allows us to understand the background of the people who support us and helps us to make appropriate requests to supporters who may be able and willing to give more than they already do. Importantly, it enables us to raise monies for the work YMCA undertakes with young people and their communities.
When building a profile of donors and supporters, we may analyse geographic, demographic and other information relating to you in order to better understand your interests and preferences in order to contact you with the most relevant communications. In doing this, we may use additional information from third party sources when it is available. We also undertake this to help us identify potential donors and supporters.
In some situations, we may update our supporters, clients and volunteers’ personal information using external organisations, for example, to check we have a valid and deliverable postal address, or to check if you are registered with the Telephone Preference Service (TPS) or Fundraising Preference Service (FPS).
Depending on your settings or the privacy policies for social media and messaging services like Facebook or Twitter, you might give us permission to access information from those accounts or services.
You can opt out of your data being used in any of the above-mentioned ways at any time by contacting us at firstname.lastname@example.org or calling 0131 228 1464.
WHAT DATA WE COLLECT
Personal information is any data that can be used to identify you. It can include, but is not limited to, any of the data listed below.
Data protection law recognises that there are sensitive categories of personal information, such as health information, racial or ethnic origin, or religious beliefs or other beliefs. We would only collect sensitive personal information where there is a clear need to do so.
Before we collect any sensitive personal information, we will make it clear what information we are collecting and the purpose we are collecting it for.
Information we collect from you directly or from third parties with whom we work may include:
bank account or credit card details where required
in relation to fundraising, employer details for processing a payroll gift and taxpayer status for claiming Gift Aid
National Insurance number
health history where required
date of birth, age, and/or gender
We may also collect and process information about your interactions with us, including details about our contacts with you through email, SMS, post, on the phone or in person. This might include the date, time, and method of contact, details about donations you make to us, events or activities that you register for or attend or any request for support.
We may also collect and record other relevant information you share with us about yourself, such as your interests or your affiliations with other charities, including local YMCAs, community or campaign groups.
HOW WE USE YOUR DATA
Delivering the services we do is something we cannot do without the help of people who share our passion for working with young people to enable them to truly belong, contribute and thrive. Supporting the work of YMCA Scotland such as being employed by us, supporting us in a variety of ways including raising funds, running campaigns and involving as wide a range of people as we can in our activities is hugely important to us.
We will only use and share your information where it is necessary for us to lawfully carry out our work.
The law allows personal data to be legally collected and used by an organisation if it is necessary for a legitimate business interest of the organisation – as long as its use is fair and balanced and does not unduly impact the rights of the individual concerned.
Where you give us your consent, we will also use your personal data in order to send you marketing and fundraising communications in connection with marketing and fundraising activities and services. This includes supporter newsletters and updates, plus appeals and fundraising activities.
Data sharing with third parties
We will not share your information with anyone outside YMCA Scotland except:
Where we have your permission
Where we are required by law and by law enforcement agencies, judicial bodied, government entities, tax authorities or regulatory bodies as required.
To protect YMCA Scotland, for example in cases of suspected fraud or defamation
Where we have legitimate situations with third parties, including fundraising agencies, whom we have contracted to fulfil specific services for us such as direct communication.
In all of these situations we set up a written contractual agreement that will ensure that those organisations can only use the data provided for the specific purposes we direct them to do, and that they have in place strict security requirements in order to protect your personal information and comply with GDPR.
To deliver services or manage our relationship with you, it is sometimes necessary for us to share your Personal Data outside the European Economic Area (EEA), e.g. – when your or our service providers are located outside the EEA; or if you are based outside the EEA.
Many non-EEA countries do not have the same data protection laws as the United Kingdom and EEA. We will, however, take reasonable steps to ensure any such supplier has in place appropriate measures to protect your information and any contract includes appropriate clauses about the use of data e.g. if the company is based in the USA, we will confirm whether it is accredited under the EU-US Privacy Shield.
Keeping your personal information safe
We take appropriate physical, electronic and managerial measures to ensure that we keep your information secure, accurate and up to date.
We also have procedures in place to deal with any suspected Data Security Breach. We will notify you and any Professional Regulators or other applicable regulator of a suspected Data Security Breach where we are legally required to do so.
How long will we keep your data?
We remove personal data from our systems in line with our data retention policy. The length of time each category of data will be retained will vary on how long we need to process it, the reason it is collected, and in line with any statutory requirements.
After this point the data will either be deleted or rendered anonymous. In certain specific situations, for example where a supporter has kindly pledged a legacy to us in their Will, we will maintain their details up to the time when we need to carry out the legacy administration and communicate effectively with their family.
Where we believe data might be relevant to a future safeguarding enquiry we reserve the right to retain data securely for up to 50 years to comply with our insurance and safeguarding guidance.
To find out more about our data retention policy, please contact us using the details above.
‘Cookies’ are small pieces of information sent by a web server to a web browser, which enables the server to collect information from the browser. Essentially it takes the form of a small text file deposited on your computer’s hard drive.
If you want to prevent our cookies being stored on your computer in future, you may do so by referring to your internet browser’s instructions. You can do this by clicking on the “Help” menu. Please note however that if you disable our cookies you may not be able to access certain services or facilities on our sites and your use of our sites may be restricted.
Cookies used on our website
Facebook and Twitter cookies, used on our website, help us to understand the effectiveness of our online advertising on those social platforms. Links to their privacy policies provided below:
The site also makes use of session cookies. Those cookies are necessary for site functionality and contain no personally identifiable information. They are deleted when the browser is closed.
Additionally, some of the pages on our website have embedded content and / or share buttons that enable users to easily share our content with their friends via a number of social networks. Those websites might set their own cookies when you log into their services. We do not control those cookies and suggest you check their websites on information on how manage them.
Our website also has links to other organisations who will have their own data protection privacy statements.
Depending on your settings or the privacy policies for social media and messaging services like Facebook, WhatsApp or Twitter, you might give us permission to access information from those services, for example when you publicly tag us in an event photo.
DATA PROTECTION GUIDE
The following guide sets out the procedures that are to be adhered to for using and storing staff, volunteer and donor information. The guide should be read in conjunction with the Data Protection Policy.
Raisers Edge Fundraising Database
1.1 Back Ups & Storage
The Fundraising Database, RE7, should be backed up at least once a month or more often if there is a heavy usage or data import changes. The files are to be saved to a memory stick and stored in a locked cabinet, the information contained on the memory stick should be password protected and can only be viewed on the database management system by those authorised to do so.
1.2 Queries and Reports
When printing queries and reports, do not include address of donors if unnecessary. If reports do contain donor addresses, then the report must be shredded after use and not recycled. Storage of these reports that are working documents must be stored overnight in a locked cabinet.
1.3 Gift Aid
Working Gift Aid data which contains donors information giving history and address must be shredded after use. Storage of these reports that are working documents must be stored overnight in a locked cabinet.
1.4 Appeal Data
When sending data to a mailing house, the excel spreadsheet must be securely sent by email with encrypted data or uploaded onto Secure website.
The mailing house carrying out a mailing on our behalf must fully comply with GDPR regulations
When an envelope is returned by Royal Mail, donor is marked as reason given and should be removed from the database. Each year all appeal letters returned that contain personal information are to be shredded.
2.0 Financial Details
2.1 Standing Orders
Personal banking details for standing orders must not be entered onto Fundraising Database and original forms must be stored in a locked cabinet.
2.2 Credit/Debit Card Details
Credit/Debit Card details must not be entered onto fundraising database and original donor forms with this information must be stored in a locked cabinet. Security codes included on each form must be ‘blacked out’ following confirmation of money received.
2.3 Salary Information
2.3.1 Salary information stored on Pegasus, the salary payment programme must be password protected.
2.3.2 Printed personal bank details and salary information must be kept confidential and working documents must be locked away overnight in a filing cabinet.
Pegasus and Sage data must be backed up on a memory stick and password protected.
Salary information and banking details of head office staff and local association staff that have left the payroll must be removed on a quarterly. Suppliers banking details should be removed if they have not been used or accessed for over a year.