GDA is committed to protecting the privacy of the people whose personal information we process and to meeting our obligations under Data Protection legislation.
GDA collects and processes the personal data of:
- our members
- people who sign up for our Newsletters and e-bulletins
- people who attend our events
- other contacts required for business purposes
- our Board of Directors
- GDA employees, former employees, job applicants
We only collect, use and otherwise handle personal data for purposes where we have a legal basis to do so under Data Protection legislation.
- to fulfil a contract with an employee or business contractor / service provider
- where subjects have consented to this for specified, explicit and legitimate purposes
- to meet specific legal and statutory obligations such as compliance with employment and health and safety legislation
- where it is necessary for our legitimate interests relating to running our daily operations, as long as, in each case, these interests are in line with applicable law and legal rights and freedoms
- for research, historic and statistical purposes
GDA processes personal data for a variety of purposes, including:
- to manage and administer our services
- to report to our funders
- to monitor the diversity of our membership and services
- to meet our responsibilities as a charity and company limited by guarantee
- to inform members and partners about our work, including events and learning
- to give opportunities to be involved in focus groups, policy work, campaigns, events, consultations, research, personal stories/case studies and so on
- to improve the services we provide
- to influence and shape policy
- to publicise our work
- to recruit and manage our employees and volunteers
- to administer and maintain our accounts
- to maintain our records
What information we collect
The type and quantity of data we collect and use depends on why it has been provided.
Personal information collected may include: name, address, telephone number and e-mail address.
For those involved in focus groups, consultations, blogs, campaigns, awareness raising, personal stories/case studies, events and so on we may also collect feedback, comments, personal circumstances and photographs. We may also capture views on video or audio, depending on the activity. If we are filming or photographing an event, this will be made clear to all attendees in advance and there will be the option of not being photographed. We will only use information and/or images if agreed.
We will keep records of skills, attendance and training specific to our staff, Board and volunteers.
We will keep records of bank account details, contractual information, attendance and absence, training and performance of our employees. Our staff are provided with a detailed privacy notice outlining the information we hold about them, the purposes of collection, retention and destruction procedures.
We sometimes need to process more sensitive personal information, which we collect and handle in compliance with the more robust rules around special category data under Data Protection law. This includes information relating to any accessibility or dietary requirements and information regarding health, gender, sexual orientation, race/ethnicity, criminal proceedings, outcomes and sentences, offences and alleged offences.
Personal data will only be shared internally with those GDA staff who have a legitimate reason to access it.
We may need to share personal information with other organisations to carry out our work, for example taxi companies, tutors or care agencies. Where this is necessary, we are required to comply with data protection legislation. We will only disclose or share personal information with your consent or where there is a legitimate and lawful purpose to do so.
GDA will never sell or inappropriately disclose your personal data to any other external organisation or individual. Any information shared with funders or other external agencies is shared on a statistical and/or completely anonymised basis, unless we have specific consent to do otherwise.
Transfer of data overseas
It may sometimes be necessary to transfer your personal information overseas, outwith the European Economic Area (EEA). Any transfers made will be in full compliance with all aspects of Data Protection legislation. Mailchimp, for example, are a US-based third-party provider that we use to deliver our newsletter: Mailchimp are signed up to the EU-US Privacy Shield.
How long we retain personal data
We will only retain personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. At the end of this period the information will be destroyed or deleted in line with our confidential destruction procedures. We retain anonymised statistical information to help inform our work, but you cannot be identified from that data.
Security of your Information
We are committed to ensuring the right to privacy is respected and that personal information is secure and only available to those who have a right to see it.
We have monitoring and incident management procedures in place to detect, resolve and report any personal data breaches as quickly as possible and to improve our controls by addressing the underlying causes of such breaches.
Under the GDPR, you have a number of rights in relation to your personal information. You have the right to:
- know what data we hold relating to you and why, and to receive a copy of it;
- request rectification of your personal information, which means you are able to have inaccurate personal information corrected without undue delay;
- request erasure of your personal information when certain conditions apply;
- restrict processing under certain circumstances;
- object to processing;
- data portability in some circumstances.
There are also specific legal rights relating to automated decision making but GDA does not use any such processes.
Requests that relate to rectification, erasure or restricting data processing will be passed to any recipients of your personal information.
There may be occasions when GDA is unable to comply with requests to exercise the rights detailed above. Should this apply to a request you make, it will be explained to you why we are unable to comply with the request and any options available.
Where your personal information is being processed using consent, one further right is the right to withdraw your consent at any time. You should be aware that, while we will stop using your information for that purpose with immediate effect, it may not always be possible to remove information from the public domain, for example where it has been used in hard copy publications. You should also be aware that the ability to withdraw consent only applies to information considered to be personal. It does not usually apply to information about groups or organisations.
You are not required to pay any charge for exercising your rights. If you make a request, we will respond without undue delay and at least within one month.
For more information on your data protection rights see https://ico.org.uk/forthepublic .
To exercise any of these rights or for more information, please contact our Data Protection Compliance Officer, via the GDA office.
If you are dissatisfied with our response to a complaint you send us, or have any concerns about our handling of your personal data, you can complain to the Information Commissioner’s Office by using the details below:
- Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
- Telephone: 0303 123 1113
- Online: https://ico.org.uk/concerns/handling/
Changes to our Privacy Notices
We will keep our privacy notices under regular review to make sure they are up to date and accurate. This notice is due for review in December 2019.