DATA PROTECTION STATEMENT
CRiBS Charitable Trust (CRiBS) will only use personal data in connection
with its charitable purposes. It does not make personal data available
to any other organisation or individual for direct marketing purposes.
How we collect information about you
CRiBS does not capture and store any personal information about individuals, except where they choose to give us their personal information. This could be in connection with becoming a volunteer, staff member, requesting resources, booking into an event, making a donation, or by email.
CRiBS does not receive or hold any credit card details for donations/payments made online. All on-line payments to are handled by JustGiving, Virgin Money or Give.net. Secure Server Software (SSL) is used to encrypt all credit card information sent from these websites.
Why we collect information about you
We will keep information that is necessary for us to provide mailings, other resources and for statistical purposes.
• To provide you with information about our work including related mailings, events,
resources, fundraising and any other services.
• To make sure we have an accurate record of all donations received.
• For other legitimate interests, for example we collect information on potential staff
so that DBS checks can be made.
CRiBS communications with friends and supporters are now on an ‘opt-in only’ basis. We only send marketing information to people who have specifically said that they agree to us doing this, and only in the way(s) they have agreed to. If you want to receive this information but haven’t opted in, you can do so by emailing firstname.lastname@example.org or calling 01322 330730.
We also collect information in the course of some of our work in schools about the people we are working with, and we hold this information on the basis of our legitimate interest to do so.
Who sees your information
The information we collect will be used exclusively within CRiBS. We do not pass any of your personal information to outside organisations and/or individuals without your express consent or where there is a specific requirement. For instance, to claim Gift Aid we share data with HMRC.
Where such details are provided and where required we have confidentiality agreements in place that restrict the use of your information to the purpose for which it is provided and ensure it is kept no longer than necessary.
It is a condition of the employment of CRiBS staff that they shall not divulge or copy any confidential or commercially sensitive information concerning the business of CRiBS, its supporters, suppliers, clients, and customers.
How long do we keep your information
How long we keep your information depends on the context in which you provided it. As a general rule we will keep the time to the minimum necessary for the purpose.
We will keep records of any financial transactions you enter into with us for a minimum of six years. This will enable us to meet with accounting requirements and respond to any questions from you that arise during that period. Gift Aid forms and transactions must be kept for a minimum of 12 years after the Gift Aid is no longer valid.
Viewing the information we hold about you
You may request details of all the information CRiBS holds about you by submitting a written request to our “Data Protection Officer.” Write to: The Data Protection Officer, CRiBS, St Columba’s School, Halcot Avenue, Bexleyheath, DA6 7QB. Please include your address and a telephone number or email address to enable us to contact you.
If you think your data rights have been breached you can complain to the Information Commissioner’s Office (ICO), Wycliffe House. Water Lane, Wilmslow, Cheshire SK9 5AF, telephone 01625 545745.
This policy is reviewed annually.
CRiBS Data Protection Policy
CRiBS is committed to a policy of protecting the rights and privacy of individuals. We need to collect and use certain types of Data in order to carry on our work. This personal information must be collected and dealt with appropriately. The Data Protection Act 2018 (DPA) and the General Data Protection Regulations govern the use of information about people (personal data). Personal data can be held on computers, laptops and mobile devices, or in a manual file, and includes email, minutes of meetings, and photographs. The data controller for the information held is CRiBS Charitable Trust. The trustees, staff and volunteers will take responsibility for processing and using personal information in accordance with all relevant legislation. Trustees, staff and volunteers who have access to personal information, will be expected to read and comply with this policy.
The purpose of this policy is to set out CRiBS Charitable Trust’s commitment and procedures for protecting personal data. The trustees regard the lawful and correct treatment of personal information as very important to successful working, and to maintaining the confidence of those with whom we deal.
The General Data Protection Regulations
This contains 7 principles for processing personal data with which we must comply.
1. Must be processed lawfully, fairly and transparently
2. Can only be collected for specified, explicit and legitimate purposes
3. Must be adequate, relevant and limited to what is necessary for processing
4. Shall be accurate and kept up to date
5. Shall not be kept for longer than is necessary,
6. Shall be processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures
7. As data controller, CRiBS Charitable Trust will be accountable for complying with the principles, and to have appropriate processes and records in place to demonstrate that CRiBS is compliant.
Data Controller – The legal or natural person, an agency, a public authority, or any other body who, alone or when joined with others, determines the purposes of any personal data and the means of processing it.
Data Protection Act 2018 – The UK legislation that provides a framework for responsible behaviour by those using personal information.
Data Protection Officer – The person on the management committee who is responsible for ensuring that it follows its data protection policy and complies with the Data Protection Act 2018.
Data Subject/Service User – The individual whose personal information is being held or processed by CRiBS, for example: a service user or a supporter
‘Explicit’ consent – is a freely given, specific and informed agreement by a Data Subject (see definition) to the processing of personal information about her/him.
Information Commissioner – The UK Information Commissioner responsible for implementing and overseeing the Data Protection Act 2018.
Processing – means collecting, amending, handling, storing or disclosing personal information.
Personal Information – Information about living individuals that enables them to be identified – e.g. names, addresses, telephone numbers and email addresses.
Collecting and correcting data
Whenever CRiBS staff or volunteers collect personal data from members of the public we will let people know why we are collecting their data and it is our responsibility to ensure the data is only used for this purpose. The exception to this is for the data we collect for intervention work in schools as stated later in this policy.
Employees and Individuals have a right to have data corrected if it is wrong, to prevent use which is causing them damage or distress, or to stop marketing information being sent to them.
CRiBS is the Data Controller, and is legally responsible for complying with the GDPR and all relevant legislation, which means that it determines what purposes personal information held will be used for. CRiBS will take into account legal requirements, and will through appropriate management, strict application of criteria and controls:
a) Observe fully conditions regarding the fair collection and use of information.
b) Meet its legal obligations to specify the purposes for which information is used.
c) Collect and process appropriate information, and only to the extent that it is needed to fulfil its operational needs or to comply with any legal requirements.
d) Ensure the quality of information used.
e) Ensure that the rights of people about whom information is held, can be fully exercised. These include: i) The right to be informed that processing is being undertaken ii) The right of access to one’s personal information iii) The right to prevent processing in certain circumstances, and iv) The right to correct, rectify, block or erase information which is regarded as wrong information
f) Take appropriate technical and organisational security measures to safeguard personal information,
g) Ensure that personal information is not transferred abroad without suitable safeguards,
h) Treat people justly and fairly regardless of their age, religion, disability, gender, sexual orientation or ethnicity when dealing with requests for information,
i) Set out clear procedures for responding to requests for information.
The Data Protection Officer on the management committee is: Mark Leveson
Contact Details: email@example.com
The Data Protection Officer will be responsible for ensuring that the policy is implemented and will have overall responsibility for ensuring that:
a) Everyone processing personal information understands that they are contractually responsible for following good data protection practice
b) Everyone processing personal information is appropriately trained to do so
c) Everyone processing personal information is appropriately supervised
d) Anybody wanting to make enquiries about handling personal information knows what to do
e) Any enquiries about handling personal information are dealt with promptly and courteously
f) How the charity handles personal information is described clearly
g) Regularly reviewing and auditing the ways CRiBS holds, manages and uses personal information
h) Regularly assessing and evaluating CRiBS methods and performance in relation to handling personal information.
All staff and volunteers are aware that a breach of the rules and procedures identified in this policy may lead to action being taken against them.
This policy will be updated as necessary to reflect best practice in data management, security and control and to ensure compliance with any changes or amendments made to the Data Protection Act 2018. In case of any queries or questions in relation to this policy please contact the Data Protection Officer.
Data collection: Informed consent
Informed consent is when a Data Subject clearly understands why their information is needed, who it will be shared with, the possible consequences of them agreeing or refusing the proposed use of the data and then gives their consent. We will ensure that data is collected within the boundaries defined in this policy. This applies to data that is collected in person, or by completing a form.
When collecting data, we will ensure that the Data Subject:
a) Clearly understands why the information is needed
b) Understands what it will be used for and what the consequences are should the Data Subject decide not to give consent to processing
c) As far as reasonably possible, grants explicit consent, either written or verbal for data to be processed
d) Is, as far as reasonably practicable, competent enough to give consent and has given so freely without any duress
e) Has received sufficient information on why their data is needed and how it will be used
Data collection: Legitimate interest
In the course of its intervention programmes (Boys Noise, b:You and Unlimited mentoring) CRiBS gathers and retains data regarding the children and young people we are working with. The purpose of collecting information is to check the quality of our work; to enable children, young people and schools that we are working with to see progress that is being made; and to share (anonymously) with our stakeholders, especially funders.
This data is collected in a number of ways, including but not limited to:
• Pen portraits provided by the school
• Registers of attendance at sessions
• Notes taken in sessions or from conversations with school staff
The data collected and retained may include:
• Name, school and form/class
• Family background, details of behaviour and attendance
• Any SEN diagnoses or assessments
CRiBS collects and processes this information on the basis of its legitimate interest to do so and stores it according to this policy. Our full data sharing agreement is available upon request from the data protection officer.
Data Subject Access Requests
Individuals have a right to access their personal data as well as other supplementary information. They can make a request verbally or in writing including via email or social media. CRiBS’ management understand that they have one month to respond to a request and will not charge a fee for providing a response. We are aware there are some situations where we may extend the time limit to respond to a request.
An individual is only entitled to their own personal data, and not to information relating to other people (unless the information is also about them or they are acting on behalf of someone).
CRiBS management will refer to the Guide to GDPR checklist to ensure Data Subject Access Requests are processed correctly and effectively.
The consequences of breaching Data Protection can cause harm or distress to service users if their information is released to inappropriate people, or they could be denied a service to which they are entitled. Volunteers should be aware that they can be personally liable if they use customers’ personal data inappropriately.
This policy is designed to minimise the risks and to ensure that the reputation of the charity is not damaged through inappropriate or unauthorised access and sharing.
This policy is reviewed annually.
CRiBS takes your privacy seriously. We aim to be as clear as possible about how and why we use information we hold on you. If your questions are not fully answered by the information below, please contact us for further details.