- General Info. about GDPR & Data
- Website Visitors
- Social Media
- Donors & Supporters
- Job Applicant
- Service Users/Clients
- GENERAL INFO. ABOUT GDPR & DATA
SPEAR maintains high standards of confidentiality in all aspects of its work and is committed to being transparent about how we collect and use personal data, and to meeting our data protection obligations in accordance with the General Data Protection Regulations (GDPR) and domestic laws. When you supply information to us, we are legally obliged by the Data Protection Act 1998 to ensure that the information you have provided is only used for the purpose for which it was supplied, and to ensure that the data is kept securely.
Who to contact with a query about your data
If you have a query regarding your data, then in the first instance we ask you to email the relevant team, which would be:
Social media: firstname.lastname@example.org
Donors & supporters: email@example.com
Job Applicant: firstname.lastname@example.org
Service Users/Clients: If you are currently being supported by SPEAR, please speak to your key worker who will give the correct email address. If you are an ex-SPEAR client, then please email: email@example.com
SPEAR’s Data Protection Controller
SPEAR has an independent Data Protection Controller who is our Chief Executive, who is tasked with upholding the rights of everyone we collect information about, and ensuring we meet our responsibilities to keep your information safe and use it appropriately.
How does SPEAR protect data?
SPEAR takes the security of your data seriously. SPEAR has internal policies and controls in place to try to ensure that your data is not lost, accidentally destroyed, misused or disclosed, and is not accessed except by our employees in the performance of their duties.
Where SPEAR engages third parties to process personal data on its behalf, they do so on the basis of written instructions, are under a duty of confidentiality and are obliged to implement appropriate technical and organisational measures to ensure the security of data.
For how long does SPEAR keep data?
In line with data protection principles, we only keep your data for as long as we need it for, and is different for different areas and services across SPEAR. Retention periods can vary depending on why we need your data. This may be determined by law.
The periods for which your data is held are set out in our Data Protection and Confidentiality Policy and Procedure which is available on request.
Where you have provided consent to our use of your data, you also have the unrestricted right to withdraw that consent at any time. Withdrawing your consent means that we will stop processing the data that you had previously given us consent to use. There will be no consequences for withdrawing your consent. However, in some cases, we may continue to use the data where so permitted by having a legitimate reason for doing so.
If you would like to exercise any of these rights, you may do so by contacting SPEAR’s Data Controller on firstname.lastname@example.org.
If you believe that SPEAR has not complied with your data protection rights, you can complain to the Information Commissioner. Their contact details can be found on their website (www.ico.org.uk).
Protecting your information
Any details you share with us will be used by SPEAR only for our own purposes. We will never give, sell or rent your information to other organisations for their marketing purposes.
As a data subject, you have a number of rights. These are:
- the right to be informed. This means that we must tell you how we use your data, and this is the purpose of this privacy notice;
- the right of access. You have the right to access the data that we hold on you and to receive a copy of your data and information about where it was sourced. To do so, you should make a subject access request;
- the right for any inaccuracies to be corrected. If any data that we hold about you is incomplete or inaccurate, you are able to require us to correct it;
- the right to ask SPEAR for your data to be erased, for example if you believe there is no longer any need for your data to be held for its original purpose, or if you decide to withdraw any consent that you have given for your data to be processed;
- the right to restrict the processing of the data. For example, if you believe the data we hold is incorrect, we will stop processing the data (whilst still holding it) until we have ensured that the data is correct;
- the right to portability. You may transfer the data that we hold on you to another organisation for your own purposes;
- you may have the right to object to the way we use your data if you do not agree that we are using it for our legitimate interests; and
- the right to regulate any automated decision-making and profiling of personal data. You have a right not to be subject to automated decision making in way that adversely affects your legal rights.
- WEBSITE VISITORS
Visitors to our Website including:
– General visitors to our website who do not contact SPEAR
– Visitors to our website who sign up to our News & Events Newsletter
– Visitors to our website who sign up to our Volunteering Newsletter
– Visitors to our website who contact SPEAR through our Contact Us Form
– Visitors to our website who report a rough sleeper
Visitors to our website – general visitor
Our website also holds SSL certification, ensuring encryption of personal data.
Google Analytics do this to track interest on specific pages, see how the site is being used and look at how we can make improvements to the site. The information is only processed in a way that does not identify anyone. We do not make, and do not allow Google to make, any attempts to find out the identities of those visiting the SPEAR website.
Like most websites, we use “cookies” to help us make our site – and the way you use it – better. Cookies mean that a website will remember you. They’re small text files that sites transfer to your computer (or phone or tablet). They make interacting with a website faster and easier – for example by automatically filling your name and address in text fields.
A cookie is a piece of information in the form of a small text file that is placed on an internet user’s hard drive. It is generated by a website server. The information the cookie contains is set by the server and it can be used by that server whenever the user visits the website. A cookie can be thought of as an internet user’s identification card, which tells a website when the user has returned.
We use two types of cookie on our website:
Session cookies that are deleted after each visit – These enable you to carry out some essential functions on our website, such as maintaining log in details for the session or a transaction. They also help by minimising the need to transfer information across the internet. They are not stored on your computer and they expire when you terminate your browser session.
Tracking cookies – These enable us to recognise repeat visitors to the website. By matching an anonymous, randomly generated identifier, we’re able to record specific browsing information such as how you arrive at the website, the pages you view, options you select, and the path you take through the website. By monitoring this information we’re able to make improvements to our website.
You can accept or block cookies
You can block any cookies from any website through your browser settings. For more information about how to disable cookies in your browser please visit About cookies (http://www.aboutcookies.org).
Note: If you share a computer, accepting or rejecting cookies will affect all users of that computer.
Visitors who sign up to our Events & News Newsletter and or our Volunteer Newsletter
We gather statistics around email opening and clicks using industry standard technologies to help us monitor and improve our e-newsletter.
We send our Events & News newsletter so that you can find out more about our work, our fundraising and how you can support us. We send our Volunteer Newsletter to tell you about volunteering opportunities.
We do not sell or share your details to any third party for their marketing purposes.
Any individual registering for our Events & News Newsletter or our Volunteer Newsletter via the website or in other ways will have their details added to our Salesforce database and may also be saved on our cloud system which is Sharepoint.
You can unsubscribe to our Events & News Newsletter or our Volunteer Newsletter at any time.
Our current systems (which are provided free of charge to us) mean if you are registered for our Volunteering Newsletter, you will also automatically receive our News & Events Newsletter. However if you are registered for our News & Events Newsletter you will not also receive the Volunteering Newsletter, unless you have specifically requested this.
Visitors to our Website – Contact us form
Information submitted by our general contact form will be sent to SPEAR resources staff by email, who will then forward the email on to the relevant team. Data sent here only receives basic email protections, and as such you should not submit sensitive personal data through it. Instead outline the general details of your request and a member of staff will respond or direct you to someone who can help.
For many enquiries your data will generally not be stored outside of their email account, unless you have specifically asked to be contacted again in the future over and above being contacted about your enquiry. However, if your enquiry is of a fundraising or volunteering nature your information under “legitimate interest” will be added on to our Salesforce database so the fundraising or volunteering team can continue to contact you in the future. You can of course unsubscribe at any time.
Visitors to our Website – who support a rough sleeper
Information submitted by our report a rough sleeper button will be sent directly to our Outreach team. Due to the confidentiality of their work, they will not be able to let you know any information about the rough sleeper you report or if they already know about or are working with that rough sleeper.
Your personal data will not be stored on a database by SPEAR and contact with you will only be made in relation to that enquiry. After this you will no longer be contacted by SPEAR unless you specifically request to keep in touch in the future, in which case you need to email: email@example.com so you can be added to our Salesforce database.
- SOCIAL MEDIA
People who contact us via social media
If you send us a private or direct message via social media, the message should not submit sensitive personal data through it. Instead outline the general details of your request and a member of staff will respond or direct you to someone who can help. Your message will not be shared with any other organisations. We also do not store your data at SPEAR unless specifically requested to do so, so only use this for social media contact.
SPEAR is present on Facebook, Instagram, Twitter, YouTube and LinkedIn.
Please note that our social media sites, whilst generally checked daily, are not responded to 24/7 and at weekend the checking of these is more infrequent due to the social media staff not working over weekends, so any checking and responses are done on a voluntary basis. If your query is urgent you should contact the SPEAR office. Also, the staff members managing the social media site are not frontline staff members so any information shared about rough sleepers or vulnerable people can only receive a generic response and will be forwarded to the relevant frontline team at SPEAR.
- DONORS & SUPPORTERS
Collecting donor/supporter information and protecting your privacy
In the process of making a donation, signing up to our communications, taking part in an event and/or making a supporter enquiry to SPEAR, you provide us with personal information. This may include your name and address, your contact details, your age (this is only for those taking part in events), your organisational affiliation and if relevant, your credit card or other payment details. Through making this contact with SPEAR, we consider this is a ‘legitimate interest’ meaning you want to be contacted by SPEAR through our newsletter(s) or other communications. We collect this information so we can stay in touch with you. You can of course unsubscribe at any time or contact: firstname.lastname@example.org to unsubscribe.
Updating, correcting, or deleting personal donor/supporter information
If you ever wish to change your personal information, contact preferences or request a copy of the information we have for you, please contact our fundraising team on email@example.com or phone: 020 036 9774. You can also write to us at: Fundraising, SPEAR, 89 Heath Road, Twickenham, TW1 4AW.
Retention of Supporter/Donor Data
We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.
To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements. In some circumstances you can ask us to delete your data.
Retention of data for Individual donors & supporters
Individual financial and gift aid data and donor information is stored for seven years. Beyond 7 years, we will suppress the majority of personal data and just keep very basic information of name and financial donation.
If a long term donor (longer than seven years) has continued to donate or engage, their details will not be suppressed.
Marketing for individual donors & supporters
Since the implementation of GDPR, SPEAR will cease to market to individual donors or individual supporters who have not donated or engaged with SPEAR in the last seven years unless they have specifically consented again for us to do so.
Retention of data for individuals from organisations in the public domain and marketing to these organisations
Organisations that are in the public domain such as educational establishments, schools, community groups, faith groups, trusts and corporates – we will keep ongoing data and donor information on our database and continue to market to them. However, when we are made aware of staff changes etc. we will update our database accordingly. Individuals from these organisations can unsubscribe at any time. Or indeed a senior representative from the organisation can contact firstname.lastname@example.org and ask us to change their preferences on behalf of the organisation.
How we process Gift Aid and online financial donations
Please note that if you have agreed to have your money Gift Aided, we will pass your details on to HMRC. This is a legal requirement in order to collect the Gift Aid.
Currently for the collection of online donations and sponsorship we use Just Giving and Virgin Money and for merchandise payments and eBay we use Paypal. For ticketed events we are currently using Golden Giving. These companies are subject to being compliant with Payment Card Industry Security Standards to fulfil and process your donation. You can read their Privacy Policies here:
SPEAR reserves the right to remove or amend this privacy statement from time to time. If we decide to replace or change it, we will update the statement on this page to reflect the changes made and therefore we encourage you to visit this page frequently to stay informed. Your continued use of the SPEAR website following the posting of a new statement will indicate your acceptance of the new statement or changes made.
Thank you so much for your support.
SPEAR collects and processes personal data relating to its volunteers to manage the volunteering relationship. SPEAR is committed to being transparent about how it collects and uses that data and to meeting its data protection obligations.
This Privacy Notice aims to provide you with a clear explanation of the personal data which SPEAR holds and the purpose[s] for which it is held.
What information does SPEAR collect?
SPEAR may collect? and process a range of information about you. This includes:
- your name, address and contact details, including email address and telephone number;
- your nationality and information about your entitlement to volunteer in the UK;
- the details of your volunteering agreement including start date;
- details of your qualifications, skills, experience;
- an assessment of your suitability for the activity you are volunteering to do;
- details of your bank/building society account for the reimbursement of expenses;
- information about your next of kin and emergency contacts;
- information about your criminal record;
- details of any safeguarding incidents in which you have been involved;
- details of your availability for volunteering and attendance;
- information regarding any training you receive;
- any health information if provided by you if relevant to your volunteer role
- Photo for ID card, if appropriate
- Details of your volunteer hours and tasks and
- equal opportunities monitoring information, including information about your age, ethnic origin, sexual orientation, health and religion or belief
SPEAR may collect this information in a variety of ways. For example, data might be collected through volunteer application forms or volunteer registration forms; obtained from your passport or other identity documents such as your driving licence; from forms completed by you at the start of or during volunteering (such as contact detail forms); from correspondence with you; or through interviews, meetings or other assessments.
In some cases, SPEAR may collect personal data about you from third parties, such as references from previous employers or organisations who have engaged you as a volunteer and information from criminal records checks permitted by law.
Data will be stored in a range of different places, including in your volunteering file, in SPEAR’s volunteering management systems and in other IT systems (including the organisation’s email system).
Why does SPEAR process personal data?
Your personal data will be processed to enable SPEAR to enter into a volunteer agreement with you.
SPEAR also needs to process data to ensure that it is complying with its legal obligations. For example to comply with health and safety laws.
In other cases, SPEAR may have a legitimate interest in processing personal data before, during and after the end of the volunteering relationship.
Processing volunteer data allows SPEAR to:
- run volunteer recruitment and appointment processes;
- maintain accurate and up-to-date volunteer records and contact details (including details of who to contact in the event of an emergency);
- obtain appropriate legal or HR advice, to ensure that it interprets and complies with duties in relation to legislation and its own policies, processes and procedures in a fair and reasonable manner;
- ensure that volunteers are receiving appropriate reimbursement of expenses;
- ensure effective general business administration;
- respond to and defend against legal claims; and
- maintain and promote equality in the workplace
- provide information to funders and/or senior management/trustees as part of annual reports
- provide awards or other recognition of volunteer contributions
Where SPEAR processes other special categories of personal data, such as information about ethnic origin, sexual orientation, health or religion or belief, this is done for the purposes of equal opportunities monitoring. Data that is used for these purposes is anonymised or is collected with the express consent of volunteers, which can be withdrawn at any time. Volunteers are entirely free to decide whether or not to provide such data and there are no consequences of failing to do so.
We do not need your consent if we use special categories of personal data in order to carry out our legal obligations. In some circumstances however we may ask for your consent to allow us to process certain particularly sensitive data. In these circumstances we will provide you with sufficient information about how your data will be used for you to make a choice about whether to provide your consent. You will have full control over your decision to give or withhold consent, and there will be no consequences where consent is withheld. Consent, once given, may be withdrawn at any time, with no consequences.
Who has access to your data?
Your data will be shared with colleagues within SPEAR where it is necessary for them to undertake their duties. This includes, for example, relevant managers for the purposes of assessment and supervision, the volunteer co-ordination team for maintaining records and co-ordinating volunteer activity, finance for processing payment of expenses and IT staff.
SPEAR shares your data with third parties in order to obtain references from other organisations or individuals and obtain necessary criminal records checks from the Disclosure and Barring Service.
SPEAR may be required to share your data with third parties such as the local authority, and Disclosure and Barring Service to comply with legal obligations.
Selected volunteers have limited access to your data through volunteering in the office and using the database. These volunteers will have agreed to our key policy, code of conduct and confidentiality policies.
SPEAR will not share your data with third parties for any other purpose without your express consent.
SPEAR will not transfer your data to countries outside the European Economic Area.
- JOB APPLICANT
As part of any recruitment process, SPEAR collects and processes personal data relating to job applicants. We are committed to being transparent about how we collect and use that data and to meeting our data protection obligations.
Data protection principles
In relation to your personal data, SPEAR will always strive to:
- process it fairly, lawfully and in a clear, transparent way
- collect personal data from you that is necessary to consider your application and that is subsequently necessary to collect and process as part of your employment. We will explain to you what data we collect from you and why only use it in the way that we have told you about
- ensure it is correct and up to date
- keep your data for only as long as we need it
ensure that your data is kept safe and secure and access to it is limited to those who need to process it for the purposes we explain to you.
What information does SPEAR collect?
SPEAR collects a range of information about you. This includes:
- your name, address and contact details, including email address and telephone number;
- details of your qualifications, education history, skills, experience and employment history;
- information about your current level of remuneration;
- whether or not you have a disability;
- information about your entitlement to work in the UK;
- equal opportunities monitoring information, including information about your ethnic origin, gender, sexual orientation, health and religion or belief.
SPEAR may collect this information in a variety of ways. For example, data might be contained in application forms, CVs or resumes; obtained from your passport or other identity documents, or collected through interviews or other forms of assessment including online tests.
SPEAR may also collect personal data about you from third parties, such as references supplied by former employers and information from criminal records checks. We will inform you that we are doing so.
Data will be stored in a range of different places, including on your application record, in HR management systems and on other IT systems (including email).
SPEAR will only collect criminal conviction data where it is appropriate given the nature of the role and where the law permits it. This data will usually be collected at the recruitment stage, however it may also be collected during any subsequent employment with us, should you be successful in obtaining employment.
SPEAR will not transfer your data to countries outside the European Economic Area.
Why does SPEAR process personal data?
SPEAR needs to process data to take steps at your request to evaluate your application for employment. We may also need to process your data to enter into an employment contract with you.
In some cases, SPEAR needs to process data to ensure that we are complying with our legal obligations. For example, we are required to check a successful applicant’s eligibility to work in the UK before employment starts.
SPEAR has a legitimate interest in processing personal data during the recruitment process and for keeping records of the process. Processing data from job applicants allows us to manage the recruitment process, assess and confirm a candidate’s suitability for employment, decide to whom to offer a job and make decisions about salary and other benefits. SPEAR may also need to process data from job applicants to respond to and defend against legal claims.
SPEAR may process information about whether or not applicants are disabled in order to make reasonable adjustments for candidates who have a disability. This is to carry out our statutory obligations and exercise specific rights in relation to employment.
SPEAR may, in some cases, process heath information during the application process in order to find out whether applicants will be able to carry out an intrinsic part of the job. SPEAR also processes health information about candidates after an offer of employment has been made. In each case, this will be done in accordance with Section 60 of the Equality Act 2010 for the purpose of ensuring that the candidate is able to perform the core duties of the job being offered.
Where SPEAR processes other special categories of data, such as information about ethnic origin, sexual orientation, or religion or belief, this is for equal opportunities monitoring purposes.
For some roles, SPEAR is obliged to seek information about criminal convictions and offences. Where we seek this information, we do so because it is necessary for us to carry out our statutory obligations and exercise specific rights in relation to employment.
If you are unsuccessful in obtaining employment with SPEAR, your data will not be used for any purpose other than the recruitment exercise for which you have applied.
Who has access to data?
Your data will, of necessity, be shared internally for the purposes of assessing your application. It is likely to be shared with members of the Resources Team, shortlisting team and interviewers involved in the recruitment process, managers in the business area with a vacancy and IT staff if access to the data is necessary for the performance of their roles. SPEAR will strive to limit access to your data to those staff who have a legitimate reason for seeing it and will endeavour to keep your data secure at all times.
Application assessments, pre-employment checks and references
SPEAR may share an appropriately limited amount of your data with third parties in order to obtain references for you from former employers. If references are sought before interview or before an offer of employment is made, we will do this where you have given your express consent for us to do so. If your application for employment is successful and we make you an offer of employment, we will share your data with former employers to obtain references for you and the Disclosure and Barring Service to obtain necessary criminal records checks.
SPEAR may also share your data with third parties that process data on our behalf in connection with the provision of services for the purposes of the recruitment exercise, for example to source, receive and/or shortlist applications on our behalf, and/or to carry out applicant testing such as psychometric assessments.
SPEAR endeavours to ensure specific contractual agreements are in place with any third parties who undertake this processing in order to protect your data. This is explained in more detail below.
Recruitment processes are not based solely on automated decision-making.
We will tell you beforehand if we use any automated forms of assessment in our decision making processes. You have the right to request that your application is not assessed by automated processes.
How does SPEAR protect job applicant data?
SPEAR takes the security of your data seriously. We maintain internal policies and controls that are designed to ensure that your data is not lost, accidentally destroyed, misused or disclosed, and is not accessed except by our employees in the proper performance of their duties.
Where SPEAR engages third parties to process personal data on our behalf, they do so only on the basis of written instructions, are under a duty of confidentiality and are obliged to implement appropriate technical and organisational measures to ensure the security of your data.
For how long does SPEAR keep data?
In line with data protection principles, we will only keep your data for as long as we need it. If your application for employment is unsuccessful, we will hold your data on file for twelve months after the end of the relevant recruitment process.
If your application for employment is successful, personal data gathered during the recruitment process will be kept and transferred to your personnel file and retained during your employment. The periods for which your data will be held will be provided to you in a new Privacy Notice for employees.
What if you do not provide personal data?
One of the reasons for processing your data is to allow SPEAR to carry out an effective recruitment process. Whilst you are under no statutory or contractual obligation to provide data to SPEAR during the recruitment process, if you do not provide the information, we may not be able to process your application properly or at all.
- SERVICE USERS/CLIENTS
People who use SPEAR services
SPEAR offers a wide variety of different services to adults, families and young people. We have to hold the details of the people who have requested or used the service in order to provide it. However, we only use these details to provide the service that the person has requested and for other closely related purposes.
All information held by SPEAR in this regard is subject to strict data protection principles to ensure the security, consistent management and compliance to Information Commissioner’s Office (ICO) standards are maintained at all times due to the confidential nature of the data filed.
We will ask service users how they would like us to stay in touch with them during their engagement with our services. Service users can update this information on their preferred contact methods at any time.
We normally retain service user records for five years after they finish engagement with SPEAR, and delete their files after this.
Our organisational duty to report a breach
Public service providers are required to consider reporting serious security breaches to the Information Commissioner’s Office (ICO). We provide a form for this purpose, we use the data collected by the form to record the breach, to make decisions about the action we may take, and as relevant in order to carry out those actions .
We retain personal information only for as long as necessary to carry out these functions, and in line with our retention schedule. This means that logs and breach reports will be retained for two years from receipt and longer where this information leads to regulatory action being taken. SPEAR has measures in place to ensure the security of data collected and only processes personal information in line with our policies and procedures.
Complaints or queries
SPEAR tries to meet the highest standards when collecting and using personal information. For this reason, we take any complaints we receive about this very seriously. We encourage people to bring it to our attention if they think that our collection or use of information is unfair, misleading or inappropriate. We would also welcome any suggestions for improving our procedures. This privacy notice was drafted with brevity and clarity in mind. It does not provide exhaustive detail of all aspects of SPEAR’s collection and use of personal information. However, we are happy to provide any additional information or explanation needed. Any requests for this should be sent to the address below.
Access to personal information
SPEAR tries to be as open as it can be in terms of giving people access to their personal information. Individuals can find out if we hold any personal information by making a ‘subject access request’ under the Data Protection Act 2018. If we do hold information about you we will:
- give you a description of it;
- tell you why we are holding it;
- tell you who it could be disclosed to; and
- let you have a copy of the relevant information requested in an intelligible form.
To make a request to SPEAR for any personal information we may hold you need to put the request in writing addressing it to the Resources Co-ordinator or writing to the SPEAR Head Office address.
You can also get further information on:
- agreements we have with other organisations for sharing information;
- circumstances where we can pass on personal data without consent for example, to prevent and detect crime and to produce anonymised statistics;
- our instructions to staff on how to collect, use and delete personal data; and
- how we check that the information we hold is accurate and up to date.
Changes to this privacy notice
SPEAR keep this and all current privacy notice or confidential agreements with clients under annual review or as and when required by legislation. The next review for this privacy notice will be Oct 2020.
SPEAR Head Office Address:
9 Briar Road