Privacy Policy

Privacy and Data Protection Policy for TSC Volunteers, Employees, Trustees and Donors

For the purposes of the General Data Protection Regulation (“GDPR”)

and UK data protection laws, the controller is The Store Cupboard CIO (“TSC”) Registered Charity number: 1210998 Place of Business: 1 St Dunstans Road, Hanwell W7 2HB Registered office: 21 Rosebank Road, Hanwell W7 2EW

About this document

This privacy and data protection policy sets out the way we process personal data and we have created this privacy and data protection policy to make sure you are aware of how we use your data as a volunteer, employee, Trustee of or donor to The Store Cupboard CIO (“TSC”)

Personal data

When you are employed by or become a volunteer for TSC or make a donation to TSC via our website we will keep and use some data about you. This is “personal data” because it is about you as a particular person, and it can be linked to you. For volunteers, employees or Trustees, we may also keep and use some “sensitive personal data” about you, for example health information, but only in accordance with the provisions of GDPR (for example if you consent or if there is a clear reason for us to do so, for example, for employees, Trustees or volunteers if the processing of your health information is necessary for the provision of your health care as detailed in this Privacy and Data Protection Policy). Whenever it is practical for us to do so, we will make it clear why we are collecting this type of information and what it will be used for.

What personal data do we collect and hold?

TSC may collect personal data from you in certain ways, including:

  • from you when you interact with us by making an application for a job or as a volunteer or other position; when you come for an interview; or when you submit a formal application to work or volunteer for us and provide your personal data in application forms and covering letters, etc;
  • from third parties, for example your previous or current employers or voluntary organisations in relation to your application to work or volunteer for us or for donors with regard to donations via our website or via Zettle payments from the administrative information which our secure payment providers provide to us (currently CAF Donate and CAF Bank for online website donations (both part of the Charities Aid Foundation) and/or Pay Pal for Zettle payment donations and for Give Today food donation arrangements). CAF Donate and CAF Bank process your on-line donations to TSC and Pay Pal process your Zettle payment donations and payments in respect of Give Today food donations and they hold your credit/debit card and/or bank account details. Your credit/debit card details are not held by us and full details of your bank account are not held by us. Please refer to The Charities Aid Foundation’s privacy policy (for CAF Donate) CAF Bank’s and Pay Pal’s own privacy policies on their own websites as The Charities Aid Foundation, CAF Bank and Pay Pal as appropriate will be responsible for privacy and data protection compliance with regard to your financial information and contact details in respect of the online donations they process via the TSC website or via Zettle payments.
  • during the course of your employment or engagement as a volunteer or Trustee with us, for example, when you provide your contact details to our Trustees and the Manager; when you or a member of our Trustees and the Manager completes paperwork regarding any performance appraisals by TSC; and as may be generated in connection with your employment, your volunteering or other relationship with TSC more generally.

TSC may also collect personal data when you interact with TSC during your time as a volunteer or employee in various ways including data taken from any forms which TSC may provide to you for completion regarding your employment or volunteering.

We may collect personal data regarding contact and communications including your name, address, telephone number, notes on health issues, emergency contacts, next of kin and any associated updates, for example, regarding your contact details and any personal data we might receive from third parties and records of communications and interactions we have had with you.

We may also collect biographical, educational and social information, including your gender, nationality and date of birth, your image and likeness, including, for example as captured in photographs taken for business purposes and also details of your education and references from your institutions of study.

For employees, we may collect financial information including your bank account number(s), name(s) and sort code(s) (used for paying your salary and processing other payments) your tax status and Gift Aid information, where relevant. For employees, we may also collect work-related information including details of your work history and references from your previous employer(s), your personal data captured in any work product(s) you may create while employed by us or otherwise engaged to work for us, details of your professional activities and interests, your involvement with/membership of any industry bodies and professional associations and any other information relevant to your employment or other engagement with us.

For employees, we may collect information revealing your racial or ethnic origin (for example, recording a member of staff’s racial or ethnic origin in order to monitor our compliance with equal opportunities legislation); information regarding your health and medical conditions (for example, where required to monitor and record sickness absences, take decisions as to an individual’s fitness for work, for dietary needs, or to make reasonable adjustments to your working conditions or environment); information concerning other characteristics such as sexual orientation (for example, in the courses of investigating complaints made by you or others, for example concerning discrimination).

For volunteers and employees, we may also collect information about certain criminal convictions and offences data (including where this might be necessary for due diligence purposes and for employees, for compliance with employment law).

How is your personal data kept safe?

Your data will be kept in a secure, locked filing cabinet at TSC’s registered office or place of business (the key to which is only available to the Trustees and the Manager) and/or in your file on our password protected secure computer system which is only accessed by the Trustees and the Manager.

What is your data used for?

For volunteers, employees and Trustees, the purposes for which we may use personal data including special categories of personal data and criminal convictions and offences data, where applicable) which we collect in connection with your employment, volunteering or other engagement with us include:

  • administering job, volunteer or Trustee applications and, where relevant, offering you a job, voluntary or other position with us;
  • carrying out due diligence checks on you during the application process for a role, including, for employees, by checking references in relation to your education and your employment history;
  • for volunteers, to work out the best volunteer opportunities for you;
  • once you are employed or engaged by us in any capacity or volunteer for us, for the performance of the contract (or equivalent agreement) or volunteering arrangement between you and us;
  • for employees, to pay you and to administer benefits (including pensions if appropriate) in connection with your employment or other engagement with us;
  • for employees, for tax purposes, including transferring your personal data to HM Revenue and Customs to ensure that you have paid appropriate amounts of tax and in respect of Gift Aid claims, where relevant;
  • for employees, for other HR-related administrative purposes, for example to update you about changes to your terms and conditions of employment or engagement;
  • external and internal audit and record-keeping purposes;
  • contacting you or your family members and next of kin for business continuity purposes, to confirm your absence from work or volunteering with us, if you have an accident or are taken ill while volunteering or working for us, etc;
  • for employees, monitoring your performance in your work, including in performance appraisals;
  • monitoring and keeping a record of telephone calls, e-mails and internet use in compliance with our associated polices and our legal obligations;
  • for security purposes, including by operating security cameras in various locations at our premises;
  • for preventing and detecting crime and to investigate complaints and grievances;
  • dealing with legal claims and requests, including those made under data protection law or requests for disclosure by competent authorities;
  • communication about any TSC activities we think may be of interest to you;
  • storing your data in our hard copy files and/or on our password protected secure computer system;
  • to make sure you receive appropriate medical care, if you are taken ill when volunteering or working for us;
  • to know that you have signed a confidentiality agreement, and have been told about health and safety.

For donors who make online donations via our website, the purposes for which we may use personal data provided to us by our secure online payment providers – currently CAF Bank, CAF Donate and PayPal (as referred to above) relates to administrative purposes in respect of the limited account information which is provided to us by our secure payment providers in respect of your on-line donations.

The basis for processing your data

TSC may process your personal data for the above purposes because:

  • It is necessary for the performance of a contract with you (your employment contract or volunteering arrangement with us or donation to us) or in order to take steps at your request prior to entering into such a contract;
  • It is necessary for our or a third party’s legitimate interests. Our “legitimate interests” include our reasonable interests in the operation of TSC and its premises in accordance with all relevant legal requirements;
  • It is necessary to protect your or another person’s vital interests (in certain limited circumstances, for example where you have a life-threatening accident or illness in TSC’s premises and we have to process your personal data in order to ensure you receive appropriate medical attention);
  • It is necessary for the establishment, exercise or defence of legal claims (for example, to protect and defend our rights or property);
  • We have your specific or, where necessary, explicit consent to do so (in certain limited circumstances, for example where you consent to provide us with details of your racial or ethnic origin so that we can monitor our compliance with equal opportunities legislation);
  • For compliance with our legal obligations (e.g., to exercise or perform any right or obligation conferred or imposed by law in connection with your employment by us or your voluntary arrangement with us or for the prevention and detection of crime and in order to assist with investigations (including criminal investigations) carried out by the police and other competent authorities).

Access to and sharing your data

The only people who would usually have access to your data would be the Trustees and the Manager. However, we may share your personal data with certain third parties for the purposes set out in this Privacy and Data Protection Policy. Personal data collected and processed by us may be shared by us with certain third parties including:

  • Other employees, volunteers, agencies and contractors of TSC where there is a legitimate reason for their receiving the information, including third parties where we have engaged them to process data on our behalf as part of administering your employment by us or voluntary arrangement, donations to us or other arrangements with us, but only for a legitimate reason;
  • Internal and external auditors and legal advisers;
  • When we are legally required to do so (by a Court, government body, law enforcement agency or other authority of competent jurisdiction, for example by HM Revenue and Customs;

We will be as careful as possible to make sure no one else has access to your data. We will not sell or share your personal data for other organisations to use, other than as set out above.

How long will your data be kept?

We will keep your personal data only for as long as is necessary for each purpose for which we use it. For most employee, volunteer and Trustee data, this means we will retain your personal data for so long as you have an active employment, volunteer or Trustee relationship with us and for a period of six years thereafter for accounting, record-keeping, tax reporting and legal reasons (including any grievance, dispute or accusation relating to your employment or volunteer arrangement with us).

After six years your records will be destroyed, unless there is a reason why we are still in touch with you about your time as an employee, a volunteer or a Trustee.

What rights do you have?

You have a number of rights under Data Protection legislation, including:

  • Right to know what data we hold
    You have a right to know what personal data we hold about you.
    This Privacy and Data Protection Policy describes the data that we will hold about you. However, you can ask if we have any other data about you which is not covered by this Privacyand Data Protection Policy.
  • Right to have a copy of the data we hold
    You can ask for a copy of the data we hold about you. This is called a “subject access request”.
    If you make a “subject access request”, this enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing that data. Upon submission of a subject access request by you, we will provide your personal data to you in accordance with the relevant time limits set out in data protection legislation relevant to your employment or volunteer arrangement with us at the time of your subject access request.
  • Right to object
    You can object if you think we are using your data in the wrong way.
    You can also object if you think we don’t have “lawful grounds” for using your data.
    We will give you a statement explaining why we use your data and explaining the “lawful grounds”.
    If you are still not happy, you can complain to the Information Commissioner’s Office.
    If we find we are using your data in the wrong way, we will stop immediately and stop it happening again.
  • Right to have your data corrected
    If you think there is a mistake in your data, please tell us. You have a right to have it corrected.
    We may need to check what is the correct data but will put right any mistakes as soon as possible.
  • Right to be forgotten
    Your data is kept while you are an employee, Trustee or volunteer with TSC. If you stop being an employee, Trustee or volunteer, we will keep your data for six years.
  • Right to erasure

You can ask us to delete or remove personal data where there is no good reason for us to continue to process it. You also have the right to ask us to delete or remove your personal data where you have exercised your right to object to processing (see below).

Right to restrict the processing of your personal data

You can ask us to suspend the processing of personal data about you, for example if you want us to establish its accuracy or the reason for processing it. You can also withdraw your consent, whether this is the basis for our processing your information (without affecting the lawfulness of our previous processing based on consent).

Right to transfer your personal data

You can request the transfer of your personal data from TSC to another party.

Please note that the above rights are not absolute and we may be entitled to refuse requests where exceptions apply

Finally, if anything happened to your data that could be a risk to you, we will do our best to tell you as soon as is reasonably practicable in the particular circumstances.

Your Marketing Preferences

Should there be any marketing materials regarding TSC which ideally we would like to send to donors and to volunteers, Trustees and employees (which for volunteers, Trustees and employees would be outside of any materials you might already receive as a result of your volunteering arrangement, your employment or your Trusteeship) we would always respect your wishes in respect of what type of communications you want to receive from us and how you want to receive them.

Who can you speak to if you have questions?

If you have questions about this Privacy and Data Protection Policy or how we process your personal data or if you wish to exercise any of your legal rights, you may contact any member of the Trustees and the Manager via:

E-mail: info@store-cupboard.co.uk

Or by post to The Store Cupboard CIO, 21 Rosebank Road, Hanwell W7 2EW

If you are not satisfied with how we are processing your personal data, you can contact our Data Protection Trustee or make a complaint to the Information Commissioner. You can find out more about your rights under applicable data protection laws from the Information Commissioner’s website:

www.ico.org.uk

This Privacy and Data Protection Policy will be reviewed on a regular basis and updated from time to time as might be required in accordance with relevant legislation in effect at that time.