We know that there’s a lot of information here, but we want you to be fully informed about your rights, and how we use your data. We hope the following sections will answer any questions you have, but if not, please get in touch with us.
Conditions for processing data
We are only entitled to hold and process your data where the law allows us to. The current law on data protection sets out a number of different reasons for which we may collect and process your personal data. These include:
In specific situations, we require your data to pursue our legitimate interests in a way which might reasonably be expected as part of running our charity and which does not materially impact your rights, freedom or interests. This may include to satisfy our external regulators.
If the law requires us to, we may need to collect and process your data. For example, for staff members we need to collect and store certain data.
In some situations, we can collect and process your data with your consent. For example, when you tick a box to receive email newsletters. When collecting your personal data, we’ll always make clear to you which data is necessary in connection with a particular service.
Registration with the ICO
We are registered with the Information Commissioner’s Office (ICO) as a data controller. We have notified the ICO of the purposes for which personal data are held, and as a result the organisation’s name is on the public register maintained by the ICO as a data controller. When notifying the ICO, we provided details of the personal data that we process, the purposes for which the data are to be processed, details of who we intend to disclose data to, and a description of the security measures to be taken to ensure that personal data is protected.
What we mean when we say “your data”
“Your data” means any information about you which is personally identifiable, including, without limitation, your name, address, date of birth, telephone number, email address, other contact details, and other information which may allow you to be personally identified.
When do we collect your data?
We normally collect your data when you provide it to us. You may give us your data when you:
- contact us by telephone, letter or email;
- use our website or complete an online web form;
- make a donation to us;
- otherwise disclose your information to us.
We will only request your information where it is necessary to carry out a particular function. You are under no obligation to provide us with your information, but this may limit our ability to help where certain information is needed to undertake a particular activity.
How do we use your data?
We process personal data for the following purposes:
- Sending out information to members
- processing and dealing with any enquiries, including requests for information, advice, guidance, advocacy or other support;
- processing donations
- monitoring, developing and improving the support that we provide
- providing you with information about our work
Unless it falls within the above, we will always seek your explicit consent before using your data in a way that personally identifies you.
With the personal data that you have provided, we may anonymise information that you have provided so that we can use it in a way that does not personally identify you, so as to support the aims, objectives or activities of the organisation.
We will not seek your consent to using your information in a way that doesn’t personally identify you. However, where there is a concern as to whether it would lead to you being personally identified, we will seek your explicit consent beforehand.
Who do we share your data with?
We may share your data with third parties outside of Unlock in the following circumstances:
- where you (or the person to whom the data relates) consent;
- where the data is already available to the public from other sources;
- where the data is in the form of a summary or collection of data so framed that it is not possible to ascertain from it information relating to any particular person;
- when there appears to be a serious risk of harm to you, e.g. a threatened suicide;
- to protect others (e.g. information about possible child abuse will be disclosed to the appropriate agency;
- to prevent a serious criminal act where others may be endangered (e.g. an act of terrorism).
Other than as set out above, we will not:
- provide your data to any third party without your explicit prior consent;
- pass your data to third parties for marketing purposes without your consent;
- share your data with any government department or agency without your consent.
How do we communicate with you?
CLA members will receive automatic updates about the organisation including legal notices such as for an AGM.
As a user-led organisation we may from time to time seek your own experiences and opinions for a specific piece of work. If you wish to opt out of this contact you can unsubscribe.
You can sign up to receive emails by subscribing to our mailing list. Through this, we will ask you to ‘opt-in’ to receive these emails. In each email you receive via our mailing list there will be an option to unsubscribe from future emails.
How do we protect your data?
We take our responsibility very seriously and will treat your data with the utmost care and take all appropriate steps to protect it. We have clear information security policies and procedures in place (along with regulatory and other legal obligations to keep your data safe) and these are regularly assessed and reviewed.
We protect our IT system from cyber-attack. Access to your personal data is password-protected, and sensitive data (such as payment card information) is secured by SSL encryption.
How long will we keep your data?
We only keep your data for as long as is necessary for the purpose(s) for which it was provided.
Who do we share your personal data with?
We sometimes share your personal data with trusted third parties. For example, secure file storage and destruction companies, auditors and the company that securely hosts our off-site cloud storage servers.
- We provide only the information they need to perform their specific services
- They may only use your data for the exact purposes we specify in our contract with them
- We work closely with them to ensure that your privacy is respected and protected at all times
- If we stop using their services, any of your data held by them will either be deleted or rendered anonymous.
Where is your data processed?
Your data is stored and processed principally within the EEA. The EEA includes all EU Member countries as well as Iceland, Liechtenstein and Norway.
We may use systems like Campaign Monitor to send you updates and newsletters. Campaign Monitor is based in the US and therefore some limited information (your name and email address) may be transferred to campaign Monitor (and therefore to the US) for the purposes of using that system. Campaign Monitor is signed up to the US EU Data Privacy Shield and we believe that there is no material risk associated with transferring this limited information outside of the EU.
We currently store information on Microsoft 365.
All hard-copy documents containing personal data are stored in a locked cabinet. We operate a ‘clean desk’ policy to ensure that these records are not left unattended in our offices or in areas accessible to the members of the public, and only those who need to use this data have access to it.
All other forms of data will be held securely and in confidence at all times. We will take all reasonable steps to protect it from unauthorised disclosure to, or access by, a third party.
What are your rights?
You have the right to request:
- Access to the personal data we hold about you, free of charge in most cases.
- The correction of your personal data when incorrect, out of date or incomplete, for example, when you withdraw consent, or object and we have no legitimate overriding interest, or once the purpose for which we hold the data has come to an end.
- That we stop any consent-based processing of your personal data after you withdraw that consent.
- If we choose not to action your request, we will explain to you the reasons for our refusal.
Requests for a copy of data held
You have the right to request a copy of any information about you that we hold at any time (often known as “subject access”), and also to have that information corrected if it is inaccurate. Although we have up to 30 days to supply this information, we will try our best to provide it sooner than this.
Formal requests under the Data Protection Act need to be sent in writing, either by post or email. To ask for your information, you can either email firstname.lastname@example.org or write to The CLA, beehive Mill, Jersey Street, Manchester M4 6JG
To respond to a request, we require the following information:
- Your full name
- Address (including postcode)
- Telephone number
- Email address (if available)
- A description of the data that you are requesting, and any additional information which will enable us to locate it
- Evidence of your identity (e.g. a copy of your passport, driving licence – please do not send originals)
- How you would like to receive the information (either by email or by post).
If a third party is acting on your behalf, proof of the third party’s identity and your authority to disclose your information to them must also be provided in writing.
In addition to the right to receive a copy of all the personal data held you, you are also entitled to be told that we, or somebody on our behalf, are processing data about you, to be given a description of the personal data, the purposes for which the data is being processed and a description of those to whom the data may be disclosed. This will be met by us providing you with a copy of this policy alongside a copy of any information that we hold.
You are not entitled to information relating to other people (unless they are acting on your behalf). Neither are you entitled to information simply because you may be interested in it. Subject access provides a right to see the information contained in personal data, rather than a right to see the documents that include that information.
Your right to withdraw consent
Whenever you have given us your consent to use your personal data, you have the right to change your mind at any time and withdraw that consent.
You can withdraw consent in various ways, depending on what you are withdrawing consent from. If you would like to withdraw consent completely, please provide details by email to email@example.com
Where we rely on our legitimate interest
In cases where we are processing your personal data on the basis of our legitimate interest, you can ask us to stop for reasons connected to your individual situation. We must then do so, unless we believe we have a legitimate overriding reason to continue processing your personal data.
In addition to information given explicitly by you, we also collect information about your visit to our website (for example, the date and time of your visit and the pages that you view). This information is not connected to you personally, and is in aggregate form. This kind of information helps us to understand how our visitors use our site so that future website development can better meet your needs. By using this website, you consent to the processing of statistical (non-personal) information.
You can access all pages on the site without telling us who you are and without revealing any personal information. We collect some information when you visit out site but this does not allow us to identify you personally. The information we collect includes browsers’ visitors use, what time they visit and which pages are most viewed. This enables us to evaluate the site and work to improve it. We do not link any of this anonymous data with any personal data that you may provide to us.
If you feel that your data has not been handled correctly, or you are unhappy with our response to any requests you have made to us regarding the use of your personal data, you have the right to lodge a complaint with the Information Commissioner’s Office. You can contact them by calling 0303 123 1113, or go online to www.ico.org.uk/concerns
Implementation of this policy
We will ensure that all staff, volunteers and trustees understand this policy. A paper copy of the policy can be obtained by sending a self-addressed envelope to our office.
This policy will be reviewed regularly.
If you have any comments or queries in connection with this policy, email firstname.lastname@example.org