Privacy Notice for Charity Clients (HRNet)
What is the purpose of this document?
The Cranfield Trust collects and processes personal information about you during and after your relationship with us in order to manage that relationship. We are committed to being transparent about how we collect and use your data to meet our obligations under the General Data Protection Regulation (GDPR).
What personal information do we collect and how is it used?
Personal information means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).
Data we collect
What we use it for
Names, addresses, telephone numbers, email addresses
To contact you in connection with a specific enquiry, question or advice case; to keep you updated on our other services or activities and events; to send you HRNet bulletins, materials or other communications
Information related to case monitoring such as hours spent on a particular case and confidential case notes
To record details of any advice given, including confidential details of organisational HR issues; to maintain case details for a minimum of 6 years following the advice given for legal and insurance purposes; to use anonymised case monitoring data for statistical analysis and reporting and to inform the development of new services or marketing materials
IP Addresses (Contact Forms)
IP Addresses (Google Analytics)
As an extra cyber security measure, we may log the IP address of the computer used to email us a contact form as part of our registration process. This type of data does not normally identify an individual
Visitors to our website for general enquiries may have their IP address logged for the purposes of tracking site traffic. Such logging is covered by Google Analytics’ own data privacy policies which include anonymization and automated data retention controls
Some of the above grounds for processing will overlap and there may be several grounds which justify our use of your personal information.
If you fail to provide certain information when requested, we may not be able offer you the full range of our services.
We will only use your personal information for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason, and that reason is compatible with the original purpose. If we need to use your data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.
Please note that we may process your personal information without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.
How is your personal information collected?
We collect information through our HRNet registration process. We may sometimes collect additional information from third parties including business and social media searches such as LinkedIn, and publicly available sources such as Companies House and Charity Commission. We may collect personal information in the course of our service-related activities throughout the period of our relationship with you.
Automated Decision Making
We do not envisage that any decisions will be taken about you using automated means, however we will notify you in writing if this position changes.
Who has access to your data?
Your information may be shared internally, including with our volunteers offering pro bono consultancy and advice and with staff members responsible for managing and administering HRNet, events and marketing activities.
We may have to share your data with third parties, including third-party service providers, for example in connection with supporting our CRM system and IT network (including remote support). We will seek your specific consent when we need to share your details with professional advisers who are party to confidential discussions related to HRNet members. In most cases, HRNet questions are put to third party professional advisers anonymously.
We require third parties to respect the security of your data and treat it in accordance with the law. We will share your information with third parties where required by law, where it is necessary to administer our relationship with you or where we have another legitimate interest. All our third party service providers are required to take appropriate security measures to protect your personal information in line with our policies. We only permit them to process your personal data for specified purposes and in accordance with our instructions.
The Cranfield Trust takes the security of your data seriously. We have internal policies and controls in place to ensure that your data is not lost, accidentally destroyed, misused or disclosed, or subject to unauthorised access. Where necessary, we implement appropriate network access controls, user permissions and encryption to protect data.
Where we engage third parties to process personal data on our behalf, they do so on the basis of written instructions, are under a duty of confidentiality and are obliged to implement appropriate technical and organisational measures to ensure the security of data.
We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.
We will only retain your personal information for as long as necessary to fulfil the purposes we collected it for, including the purposes of satisfying any legal, accounting or reporting requirements. Details of retention periods, archiving and destruction policies for different aspects of your personal information are available in our retention policy which is available from the person responsible for data protection.
Your legal rights
As a data subject, you have a number of rights, details of which can be found at https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/
If you have provided your consent to the collection, processing and transfer of your personal information for a specific purpose, you have the right to withdraw your consent at any time. Once confirmed, we will no longer process your information for the purpose you originally agreed to, unless we have another legitimate basis for doing so in law.
If you believe that the organisation has not complied with your data protection rights, you can complain to the Information Commissioner (ICO).
Accessing your data
You will not have to pay a fee to access your personal information. However, if we think that your request is unfounded or excessive, we may charge a reasonable fee or refuse to comply with the request. We may need to confirm your identity or ensure your right to exercise your legal rights. This is another appropriate security measure to ensure that personal information is not disclosed to any person who has no right to receive it.
Changes to this privacy notice
We reserve the right to update this privacy notice at any time, and we will provide you with a new privacy notice when we make substantial updates. We may also notify you in other ways from time to time about the processing of your personal information.
Queries and Further Information
The Cranfield Trust (Court Room Chambers, 1 Bell Street, Romsey, SO51 8GY) is the Data Controller.
For any queries, please contact James Lennard, Head of Finance, Administration & Control([email protected]).