The Heworth Moor House Trust
Data Privacy and Protection Policy
Effective 25 May 2018.
The Heworth Moor House Trust ('HMHT') treats the privacy and protection of data in respect of its grant applicants, sponsors and website users (collectively referred to as 'User/Users') very seriously and we take appropriate security measures to safeguard Users privacy. This policy explains how we protect and manage any personal data and information you share with us and that we hold about you, including how we collect, use, protect and share that data.
Personal data means any information that may be used to identify an individual, including, but not limited to, a first and last name, a home or other physical address, a date of birth an email address or other contact information, whether at home or at work.
1. Who we are
When we talk about 'HMHT', or 'us', or 'we' in this policy, we are talking about The Heworth Moor house Trust, a charity registered with the Charity Commission (No. 230045). Full information on HMHT can be found at www.hmhtrust.org.uk. A nominated member of the Trustee Board is responsible for data privacy and protection as detailed in this policy and the monitoring thereof.
The Trustee Board understands the impact of personal data and information related risks on the charity and manages them effectively in a structured way, which includes the details included in this policy. HMHT introduced new processes from October 2017, which were designed with data and information security as a core element – as a minimum, all IT systems used for personal data are password protected. Changes to systems and processing activities in the future will ensure data and information security is maintained.
2. How we collect information about Users
To preserve data security and enhance decision making, we no longer accept manually created grant application forms. We collect personal information from Users when an electronic grant application is made via HMHT's website (www.hmhtrust.org.uk). Supplementary User information in support of a grant application is sometimes obtained by email correspondence with the sponsor. Specific disclosures on HMHT's website and on the grant application form identify that by making an application, Users are accepting the need for us to collect and use the personal data in the grant application form and in supplementary email correspondence.
Our website uses 'cookie' technology. A cookie is a little piece of text that the server places on the User's device when the website is visited. They help us make the website work better for you.
When a grant application is made and particularly during the time successful grants are being fulfilled, we will need to share relevant personal information with 3rd parties as defined in Section 6 of this Policy. We and the 3rd parties will need to keep records, which will include User's personal information, to support fulfilment transactions.
As all grant applications come from sponsors, we place reliance on sponsors to explain to their applicants, that by submitting the grant application, the applicant is accepting the need for us to collect and use their personal data included in the grant application form.
HMHT does not provide online services directly to children. Some children's personal data forms part of the grant application and acceptance of this is covered by the sponsor and applicant's acceptance as described in this section.
3. How we keep User's information safe
In order to maintain confidentiality, we protect Users information with security measures under the laws and standards that apply. We keep computers, electronic files and 'hard copy' documents secure applying controls that are proportionate to the nature of the information. Data will only be accessed via systems that are appropriately password protected and secure. All information and data is stored within the European Economic Area ('EEA') to enable protection of User's rights. Data and information will not be stored on USB sticks or any easily breached system.
4. How long we keep User's information
To meet our legal and regulatory obligations, we hold User's information while we are processing grant applications, fulfilment of successful grants and for a period of time after that. We do not hold it for longer than necessary. The principal data sources are held for the following periods, after which it is securely deleted, including shredding of hard copy documentation:
| Type of information | Where held | Personal Info? | Maximum period for holding / retention. Then secure deletion |
|---|---|---|---|
| Electronic Grant Application Form and pdf letters in support [short term retention] | JotForm | Yes | Retained to end of quarter when received (i.e. June, September, December, and March). |
| Electronic Grant Application Form and pdf letters in support [longer term retention]. Argos order forms for successful grants. |
Sharefile | Yes | Retained to earlier of sign-off of financial accounts by Trustees and Independent Examiner of December 31st following the financial year of application. |
| Excel spreadsheet summarising grant application, decision, fulfilment method and 3rd party, final invoiced cost | Sharefile | Yes | As this is a main element of financial accountability, this will be held for six years following the financial year to which it pertains. Applicant and sponsor names to be redacted after two years. |
| Email correspondence with sponsors | Outlook | Yes | Retained to earlier of sign-off of financial accounts by Trustees and Independent Examiner of December 31st following the financial year of application. |
| Orders with and confirmations from 3rd party suppliers e.g. Argos, Carpet suppliers etc. Confirmations and other email correspondence from and with 3rd party suppliers |
Outlook | Yes | Retained to earlier of sign-off of financial accounts by Trustees and Independent Examiner of December 31st following the financial year of application. |
| Invoices from 3rd party suppliers and printed correspondence with 3rd party suppliers held by the Treasurers | Outlook & hard copy | Yes | As this is a main element of financial accountability, this will be held for six years following the financial year to which it pertains. |
| Receipts for payments / deliveries held by the Treasurer | Outlook & hard copy | Yes | As this is a main element of financial accountability, this will be held for six years following the financial year to which it pertains. |
| Trustee correspondence emails including requests for cheques to Treasurer, consultation on specific grant applications, grant decisions to Secretary | Outlook | Yes | Retained to earlier of sign-off of financial accounts by Trustees and Independent Examiner of December 31st following the financial year of application. |
| Grant Trustees email notification of new Grant application | Various | Yes | One week post grant application processed by Trustees for decision. |
5. How we use User's information
To use your information lawfully, we rely on one or more of the following legal bases:
- our charitable objects and legitimate interests;
- legal obligation;
- protecting the vital interests of User's; and
- your acceptance of the need for us to collect and use your personal data by submitting an application for a grant.
We use information about Users to make appropriate grant application decisions and to fulfil successfully approved applications. In addition, User's information helps to identify ways of improving our grant processes, protecting both our interests and meeting our legal obligations.
To be able to assess grant applications, we need to collect and use personal information about Users. If this personal information is not provided, we may not be able to provide a grant.
None of the HMHT processes currently use automated decision making, nor is it the intention to implement any in the future. Any information you provide to us will not be used for marketing purposes by us.
6. Sharing User's information and 3rd parties
3rd parties are defined as individuals or organisations who are necessary for their support in meeting the aims, objectives, accountability or governance of the Trust.
We will keep information about Users confidential. Sometimes we need to share User's information with third parties which, in the main, includes using 3rd party IT providers to collect and store data, for fulfilment of successful grant applications and to meet applicable laws and regulations (e.g. Independent Examination). We expect these 3rd parties (including JotForm, Sharefile, Outlook, Champagne Warehouse) to have the same levels of information protection that we have.
Additionally, to fulfil successful grant applications we need to share personal data, including first and last name, address and contact details with providers to ensure appropriate and timely delivery of goods and services.
In undertaking the year-end financial work for HMHT, the Independent Examiners may need to consider grant applications and other information that may contain personal data.
7. User's personal information rights
By accepting the need to provide personal data, Users have rights and we, as a charity, have responsibilities under the General Data Protection regulation ('GPDR'). User's rights can be exercised by writing to the contact address on our website www.hmhtrust.org.uk. We can help you with:
a) Accessing User's personal information: A User can ask us for a copy of the personal information we hold on them. The User can ask us how we collect, share and use their personal information.
b) Removing acceptance: A User can change their mind, wherever the User 'accepted the need for us to collect and use their personal data' and we will cease using the User's information.
c) Restricting and objecting: A User may have the right to restrict or object to us using their personal information.
d) Deleting a User's information (right to be forgotten). A User may ask us to delete their personal information. Deletion will be undertaken in a secure way.
e) Moving a User's information (your right to portability). Where possible we can share a digital copy of a User's information directly with the User or another organisation.
When a User contacts us to ask about their information, we may ask the User to identify themselves - this is to help protect the User's information. Upon receipt of a User request, we will take appropriate prompt action to meet the User's specific request in a timely and secure manner. We generally will not charge when a User contacts us to ask about their information. The User will be informed of any potential impact on accessing a grant by removing or restricting access to personal information.
8. Making a complaint
If a User has a complaint about the use of their personal information, then the User should write to the contact address on our website website. We ask that you supply as much information as possible to help us resolve your complaint quickly and put things right as quickly as possible.
If your complaint is not resolved to your satisfaction and you wish to make a formal complaint to the Information Commissioner's Office ('ICO'), you can contact them on 01625 545745 or 0303 123 1113.
9. Breach notification
Any HMHT individual identifying a breach in respect of this policy should contact the Trustee nominated for responsibility for data privacy and protection. That individual will implement the processes to identify, report (internally, to ICO within 72 hours as required and to individuals affected), manage and resolve any personal data breaches.
10. Communication with Users of the website and application process
For Users of the website to understand how HMHT approaches data privacy and protection, the following wording is included on the Trust's website page:
"The Trust treats the privacy and protection of data in respect of its' grant applicants seriously. Details about how we handle and store personal information and data are included in the Trust's Data Privacy and Protection Policy which can be seen at: www.hmhtrust.org.uk/privacy-policy.html."
For HMHT to have appropriately communicated with Users who are applying for a grant, the following wording is included on the JotForm application:
"All sponsors and applicants completing a grant application or interacting with Heworth Moor House Trust need to be specifically aware that, through this activity with the Trust, you are accepting the need for the Trustees to collect (including via 'cookies'), hold, use and share the information you have provided with third parties, as necessary, solely for the purpose of fulfilling our obligations in administration of the grant application in accordance with relevant data protection principles in Data Protection Act 1998 & General Data Protection Regulation 2018.
A copy of the Trust's Data Privacy and Protection Policy can be obtained from the website: www.hmhtrust.org.uk/privacy-policy.html.
The sponsor and applicant accept that personal information submitted to the Trust is used, as necessary, for administration of this grant application."
11. Trustees' & Officers' Personal Data
HMHT also holds personal information in respect of members of the Trustee Board and other Officers. By accepting a position on the Trustee Board or as an Officer, that individual has accepted the need for their personal information to be administered as detailed in, and governed by, this Data Policy, including the sharing of relevant information with the Charity Commission and other Governance Bodies.