At SFS, we respect the privacy of our members, supporters, stakeholders and other interested parties, and recognise that your privacy is very important and so we want you to be confident with the way we handle your personal information. We have outlined below how the Charity collects, uses, discloses, and protects this information.
Who are we?
SFS is what’s known as the data controller of the personal data you provide to us. We will usually collect basic personal data about you like your name, postal address, telephone number and email address.
Unlikely though it is, if we collect any other information about you, we will be very clear with you that we wish to collect such information, our reason for doing so and would only do so with your specific consent/permission.
Why we need it
We collect your personal data in connection with specific activities, such as applications to become a member of SFS and /or the Employability SEN, newsletter/ebulletin requests, campaign/policy updates, event registration, surveys and to allow us to evaluate our services.
The information is either needed to fulfil your request or to enable us to provide you with a more personalised service. You don’t have to disclose any of this information, however, if you choose not to supply certain information, we may not be able to provide you with certain services (for example if, when becoming a member, you do not give an email address, we will not be able to send you our ebulletin or newsletter).
Sometimes we will process your personal data to provide you with information about our work or our activities that you have requested or are expecting.
On other occasions, we may process personal data when we need to do this to fulfil a contract (for example employment contracts with our employees) or where we are required to do this by law or other regulations.
SFS also processes your data when it is in our legitimate interests to do this and when these interests do not override your rights. Those legitimate interests include providing our membership with information about our services and other relevant activities.
How we collect information
We collect your personal data in a number of ways and from a variety or stakeholders including SFS/Employability SEN members, other supporters and interested parties, employees and job applicants and volunteers (in SFS case, this is usually as a Director/Trustee of SFS):
When you provide it to us directly by joining as a SFS and/or Employability SEN member, by subscribing to take part in research, events and training, when requesting general help/support, when volunteering to become a Director/Trustee of SFS – via email, in writing, via the telephone or our website.
We may also receive information about you from third parties, for example, another member, charity, agency or other third party organisation who refers you to SFS.
Personal data may be created by your involvement with us; this could include details of how you’ve helped us by being involved with our campaigns and activities.
The only sensitive personal data we will collect will be through our Equality Opportunities monitoring form when we are recruiting.
Your details may be transferred to third party providers and held there eg, events, surveys and for ebulletin/newsletter purposes. We only use third party systems to store and process your data for which we have completed an assessment exercise to ensure your data is secure.
We will only collect the personal data that we need.
How we use information
SFS complies with its obligations under GDPR, by keeping personal destroying it securely and by not collecting or retaining excessive amounts of data. We protect personal data from loss, misuse, unauthorised access and disclosure and by ensuring appropriate technical measures are in place to protect personal data.
We may use the information we collect from you in any of the following ways:
- To enable us to provide services to SFS and the Employability SEN membership
- To administer membership records
- To enable us to respond to enquiries about our work or the work of our members
- To promote and raise the profile of the Social Firm/enterprise sector
- To inform individuals of news, events and activities of SFS and other partners
- To fundraise and promote the interests of SFS
- To operate the SFS website and deliver services that individuals have requested
- To recruit and manage our employees and volunteers (directors)
- To contact individuals via surveys to conduct research on or evaluate their opinions of current services, events held, potential new services and policy work/consultations
- For internal administration, analysis and operational/service reviews.
What is the legal basis for processing your personal data?
Article 6 processing
We need a lawful basis to collect and use your personal data under data protection law. The law allows for six ways to process personal data (and additional ways for sensitive personal data). Four of these are relevant to the types of processing that we carry out at SFS. This includes information that is processed on the basis of:
- a person’s consent, for example, to send you our ebulletin by email
- fulfilling a contractual relationship/obligation eg, for employment contracts
- processing that is necessary for compliance with a legal obligation eg, OSCR requires that we keep registers of charity trustees and of members
- SFS’s legitimate interests: please see below for more information
Personal data may be legally collected and used if it is necessary for a legitimate interest of the organisation using the data, if its use is fair and does not adversely impact the rights of the individual concerned. When we use your personal information, we will always consider if it is fair and balanced to do so, and if it is within your reasonable expectations. We will balance your rights and our legitimate interests to ensure that we use your personal information in ways that are not unduly intrusive or unfair. Our legitimate interests include:
- charity governance: including delivery of our charitable purposes, statutory and financial reporting and other regulatory compliance purposes;
- administration and operational management: including responding to solicited enquiries, providing information and services, research, events management, administrating recruitment processes for staff, volunteers and freelancers; and
- Representation: including consulting with and campaigning on behalf of members, disseminating policy information, developing key policy messages and other activities to raise the profile of the Social Firm model
If you would like more information on our uses of legitimate interests, or to change our use of your personal data, please get in touch with us using the details in the ‘Contact us’ section below.
Apart from Equal Opportunities monitoring form (used when recruiting), we do not process or hold any Special Categories of Personal Data as per Article 9
Sharing your information
Your personal data will be treated in as strictly confidential; we only disclose information to third parties or individuals when obliged to by law, for purposes of national security, taxation and criminal investigations and the following:
- If you have agreed that we may do so.
- When we use other companies to provide services on our behalf, e.g. mailchimp, survey monkey, Eventbrite and cloud-based IT/software providers (we undertake due diligence to ensure they have the appropriate data protections policies in place and can provide details of these on request)
- We may disclose aggregate statistics about our site visitors, supporters, customers and sales to describe our services and operations to prospective partners and other stakeholders, but these statistics won’t include any personally identifying information.
- If we run an event in partnership with other named organisations your details may need to be shared. We will be very clear what will happen to your data when you register.
- If we merge with another organisation to form a new entity, information may be transferred to the new entity.
We will never sell or rent your personal information.
How long do we keep your personal data?
We keep your personal data for no longer than reasonably necessary but for a period of 6 years in order to comply with our legal and funding obligations.
Your rights and personal data
Unless subject to an exemption [under the GDPR], you have the following rights with respect to your personal data: –
- Transparency over how we use your personal information (right to be informed).
- Request a copy of the information we hold about you, which will be provided to you within one month (right of access).
- Update or amend the information we hold about you if it is wrong (right of rectification).
- Ask us to stop using your information (right to restrict processing).
- Ask us to remove your personal information from our records (right to be ‘forgotten’).
- Object to the processing of your information for marketing purposes (right to object).
- Obtain and reuse your personal data for your own purposes (right to data portability).
- The right to lodge a complaint with the Information Commissioners Office.
- If your personal data is to be transferred to countries or territories outside the EU we will detail of how the data will be protected.
If you would like to know more about your rights under the data protection law see the information commissioner’s website. Remember, you can change the way you hear from us or withdraw your permission for us to process your personal data at any time. Please see the ‘Contact us’ section of this Policy to do this.
Subject access requests
All individuals who are the subject of personal data held by SFS entitled to:
- Ask what information the company holds about them and why
- Ask how to gain access to it
- Be informed how to keep it up to date
- Be informed how the company is meeting its data protection obligations
If an individual contacts the company requesting this information, this is called a subject access request. Subject access requests from individuals should be made by email, please see the ‘Contact us’ section below.
SFS will aim to respond as soon as possible and at the latest within one month of receipt. If the request is complex or numerous we may look to extend the period of compliance by a further two months. If this is the case, we will inform the individual within one month of the receipt of the request and explain why the extension is necessary.
SFS will always verify the identity of anyone making a subject access request before handing over any information.
If we wish to use your personal data for a new purpose, not covered by this Data Protection Notice, then we will provide you with a new notice explaining this new use prior to commencing the processing and setting out the relevant purposes and processing conditions.
Where and whenever necessary, we will seek your prior consent to the new processing.
Storage and security of personal information
SFS will use all reasonable endeavours to ensure that you provide personal information in a secure and confidential environment and when the information is no longer needed it will be destroyed or permanently rendered anonymous.
To prevent unauthorised access, maintain data accuracy, and ensure the correct use of information, we have put in place appropriate physical, electronic, and managerial procedures to safeguard and secure the information we collect.
By email: firstname.lastname@example.org
By post: Social Firms Scotland, c/o Senscot, 24 George Square, Glasgow, G2 1EG