InCommon Foundation Data Privacy Policy
Last updated: December 2023
At InCommon, we are committed to protecting and respecting your privacy. If you have any questions about the below, please email us at hello@incommon.org.uk.
Last updated: December 2023
At InCommon, we are committed to protecting and respecting your privacy. If you have any questions about the below, please email us at hello@incommon.org.uk.
InCommon is committed to protecting your personal data and giving you control over how you share it with us.
InCommon in particular acknowledges how important protection of personal data is when working with groups who may be at risk or with more sensitive data.
We also have a legal duty to process data in accordance with UK Data protection and human rights law and GDPR.
“Personal data” is any information about a living individual which allows them to be identified.
As part of being accountable for how we process your personal data, InCommon has appointed a data protection officer and nominated a Trustee with particular responsibility for data protection.
Data protection officer: Hannah Kayi Mason
Trustee Data Lead: Hector Smethurst
To contact InCommon about the data we hold about you or for any other questions about this policy, please email hello@incommon.org.uk
Data protection in the UK is regulated by the Information Commissioner’s Office (ICO). You can contact them via phone on 0303 123 1113 or via email or via post to the Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF.
At InCommon we collect and process the personal data of different stakeholders.
To make it easier to find the information that is relevant to you, we have divided the policy into the stakeholder group sections below.
Each of these sections answer the questions:
What data we collect about you
What we use it for and what legal basis we are processing it unde
Under data law we need to have a ‘legal basis’ for processing your data, and know what that is for different pieces of data.
Stakeholder groups:
Programme participants (older)
Programme participants (under 18s)
Users of our digital platform
Team, volunteers, freelancers and role applicants
Supporters
Other stakeholders not covered above
There are some parts of our policy that are relevant to everyone whose data we handle. The following sections apply to everyone:
How we process and store your data
Your rights as a data subject
Name and contact details (e.g. telephone number, address and email address)
We collect the first name and last name of programme participants in order to deliver our programme effectively and keep an accurate record of participant attendance. These figures are also shared with funders.
We collect contact information for participants to invite them to events, for welfare calls or as part of programme activities. We use addresses to send post to the participant, e.g. InCommon magazine and to knock on their door to invite them to events taking place in the communal lounge
What is the legal basis?
Legitimate interest (until the registration form is completed) and consent thereafter
Photographs, audio recording and video recording
We take photos and recordings in workshops to promote the impact of the programme, e.g. via our website/social media, in the form of case studies to funders, etc.
What is the legal basis?
Consent (registration form)
Equality monitoring information including gender, sexuality and ethnicity
We collect this information to report to funders about the reach of programmes. Longer term this will enable us to learn whether our programmes are reaching people from different demographics equally, and potentially explore barriers for, or target recruitment towards, underrepresented groups
What is the legal basis?
Consent (optional questions on registration form)
Demographic and personal details including age, date of birth, marital status, nationality, education/work histories, academic/professional qualifications, hobbies, family composition, and dependants
We collect this information if it is relevant to our programme, or when provided to us. We may process demographic information and personal details, e.g. for our equality monitoring and reporting to funders.
What is the legal basis?
Consent (registration form)
Safeguarding or welfare notes from communication with older participants
Notes are recorded for the safety of participants. We take these to ensure there is an accurate record of what we observe or are told and so we can act responsibly to safeguard participants and promote their welfare.
Sometimes older participants may share sensitive details for example health issues, difficulties with finances which might be used to make a referral for further support.
What is the legal basis?
Consent (specified on registration form)
If a sensitive disclosure is made, the individual should be reminded that we may have a duty to widen confidentiality, and where possible offer the individual control over how this happens.
If necessary and consent is not given, legal obligation (e.g. duty to safeguard an adult at risk). Please see our Safeguarding Policy for more details.
Name
We collect the first and last name of participants in order to deliver our programme effectively and keep an accurate record of participant attendance. These figures are also shared with funders.
What is the legal basis?
Consent (parent permission letter) or legitimate interest in exceptional circumstances where teachers supply children’s names without/while waiting for parent consent forms.
Photographs, audio recording and video recording
We take photos and recordings in workshops to promote the impact of the programme, e.g. via our website/social media, in the form of case studies to funders, etc.
What is the legal basis?
Consent of parents (parent permission letter).
Children’s consent should also be respected, ie. children should be aware that photos are being taken and able to request that they don’t want their photo taken.
Children’s/young people’s equality monitoring data (gender, ethnicity)
We collect this information on programmes where funders request this to report the reach among certain demographics.
What is the legal basis?
Consent (collected via an optional form)
Safeguarding notes from communication with children
Notes are recorded for the safety of participants. We take these to ensure an accurate record of what we observe or are told, so we can act responsibly to safeguard participants and promote their welfare. We would share relevant information with emergency services in situations where there is a real risk of harm.
Legally we can store and share information for safeguarding purposes, including sensitive and personal information and this information should be treated as 'special category personal data'. This includes allowing practitioners to share information, regarding 'safeguarding of children at risk', without consent if it is not possible or reasonable to gain consent
What is the legal basis?
Legal obligation (e.g. duty to safeguard a vulnerable child). Please see our Safeguarding Policy for more details.
Free account holders: name and email address
We collect this information to track the engagement and use of the platform, and as a user identifier on the platform.
What is the legal basis?
Consent (on account creation)
All other account holders: name and email address (of account holder and alternative account holder), phone number and photo
We collect contact information to facilitate use of the platform and arrangement of visits. This information will be visible to some other platform users, in particular:
Linked users i.e. a school user will be able to see the contact details for their linked scheme and vice versa.
Relevant partner users i.e. a housing association commissioner can view the details from their scheme users.
We collect phone numbers and photos to facilitate relationship building and to support visits. These are optional.
What is the legal basis?
Consent (on account creation or onboarding call).
Legitimate interest for the alternative contact details to contact in emergency situations.
Name and contact details
We collect the name and contact details of team members, volunteers and role applicants. We also collect the name and contact details of people in our wider professional network, such as advisors or sector partners.
What is the legal basis?
Consent (in the application form)
Legitimate interest (for people in our network - to allow collaboration and joined up working, with minimal risk due to the small amount of personal data shared)
Application answers
We collect and store answers from volunteer and role applicants to help us make recruitment decisions.
What is the legal basis?
Consent (application form)
Name and contact details (e.g. telephone number, email address, address)
We collect this information to provide updates; support fundraising activity and process Gift Aid Claims.
We will only contact people that have not opted out of communications with us.
If you are a subscriber to our mailing list wish to no longerreceive our emails, you can click unsubscribe. If you want us to remove your information completely from Mailchimp, please contact us at hello@incommon.org.uk
What is the legal basis?
Consent (mailing list sign up, via donor platform)
Legitimate interest (e.g. contact through staff)
Financial information and records of donations
Financial reporting, for example to HMRC and our accountants, and Gift Aid claims.
What is the legal basis?
Legitimate interest and legal / best practice requirements (e.g. ‘Know your donor’ anti-money laundering practices)
Our website uses cookies. A cookie is a small file of letters and numbers that is downloaded onto your computer when you visit a website. This is anonymous information which helps us track how people use our website and is stored on Squarespace and Google Analytics.
If you continue without changing your browser settings we'll assume you are happy to receive all cookies on our site. You can find out more about managing cookies here.
We will obey the law when we process your data.
This means we will:
Keep it up to date
Store and destroy it securely
Not collect or retain excessive amounts of data
We store data on the following online systems. These organisations all have a privacy policy available to view on their websites, please contact us if you require further information on hello@incommon.org.uk.
Google (e.g. Google Drive, Gmail and Google Calendar)
Airtable
Lavarel
Mailchimp
JustGiving
We also store some personal data in hard copy in our offices. This is stored securely and destroyed securely when no longer needed.
Your personal data will be treated as strictly confidential. It will only be shared with third parties under specific circumstances:
Where it is necessary to protect harm to yourself or others
Where you give us consent to share it, for example as part of a named case study, or for a referral to a partner organisation
Where it is shared in such a way that an individual cannot be identified
We follow the general principle of keeping data only as long as is reasonable and necessary for our purposes. This length of time will vary depending on the nature of the data. Data will be deleted when it is no longer needed.
We will keep some records permanently if we are legally required to do so or it is legally advisable, for example we would keep records of the DBS status of volunteers permanently.
We may keep some other records for an extended period of time. For example, it is best practice to keep financial records for a minimum period of 7 years to support HMRC audits.
We generally keep personal information of participants while they are involved in a programme/activity and for up to three years afterwards, unless they ask for this to be deleted. This is primarily to help us re-engage past participants, for example if a project is refunded in their area after a short break.
Some data may be kept for longer. This includes:
Email correspondence, which will remain accessible in our email archive.
Photographs, which may remain published on our communications platforms and we may keep the digital images and photo permission records that accompany them for longer than 3 years
Notes of safeguarding concerns, which may be kept for longer in case they are required at a later date.
You have the following rights with respect to your personal data:
The right to access information we hold on you
At any point you can contact us to request the information we hold on you as well as why we have that information, who has access to the information and where we obtained the information from. Once we have received your request we will respond within one month.
There are no fees or charges for the first request but additional requests for the same data may be subject to an administrative fee.
The best way to do this is to email hello@incommon.org.uk
The right to correct and update the information we hold on you
If the data we hold on you is out of date, incomplete or incorrect, you can inform us and your data will be updated. The best way to do this is to email hello@incommon.org.uk
The right to have your information erased
If you feel that we should no longer be using your data or that we are illegally using your data, you can request that we erase the data we hold.
The best way to do this is to email hello@incommon.org.uk
When we receive your request we will confirm whether the data has been deleted or the reason why it cannot be deleted.
The right to object to processing of your data
You have the right to request that we stop processing your data. Upon receiving the request we will contact you and let you know if we are able to comply or if we have legitimate grounds to continue to process your data. Even after you exercise your right to object, we may continue to hold your data to comply with your other rights or to bring or defend legal claims. The best way to do this is to email hello@incommon.org.uk
The right to data portability
You have the right to request that we transfer some of your data to another controller. We will comply with your request, where it is feasible to do so, within one month of receiving your request.
The best way to request this is to email hello@incommon.org.uk
The right to withdraw your consent to the processing at any time for any processing of data to which consent was sought.
The best way to do this is to email hello@incommon.org.uk
The right to object to the processing of personal data where applicable.
The right to lodge a complaint with the Information Commissioner’s Office. You can contact them via phone on 0303 123 1113 or via email or via post to the Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF.
We will not transfer your data abroad to any country which does not have the same standards of data protection as the UK.
We use cloud-based processing software that may use servers outside the UK where this can be done in compliance with GDPR. See ‘How we store your data’ for a list of our current processing software.
If we wish to use your personal data for a new purpose, not covered by this Notice, then we will provide you with a new notice explaining this new use prior to commencing the processing and setting out the relevant purposes and processing conditions. Where and whenever necessary, we will seek your prior consent to the new processing.