Privacy Policy


Shannon Trust is committed to protecting the privacy of all the Personal Data provided to us. This policy explains how we collect, use and store the Personal Data provided to us and how individuals can access their personal information.


PRIVACY NOTICE

Shannon Trust is committed to protecting the privacy and security of your personal data. This Privacy Notice details how Shannon Trust collects and uses personal data about you during and after your working relationship with us, in accordance with the UK General Data Protection Regulation (UK GDPR).

Please read this Privacy Notice carefully before you provide us with any personal data so that you fully understand how your data is collected and used by Shannon Trust.

1.       Important personal data and who we are

Shannon Trust is a "data controller". This means that we are responsible for deciding how we hold and use personal data about you. We are required under data protection legislation to notify you of the personal data contained in this Privacy Notice.

This notice applies to all current and former learners and mentors, prison and other partners’ staff, supporters and donors, customers, trustees, staff and volunteers.

It is important that you read and retain this notice, together with any other Privacy Notice we may provide on specific occasions when we are collecting or processing personal data about you, so that you are aware of how and why we are using such personal data and what your rights are under the data protection legislation.

2.       Data protection principles

We will comply with data protection law. This says that the personal data we hold about you must be:

·       used lawfully, fairly and in a transparent way;

·       collected only for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes;

·       relevant to the purposes we have told you about and limited only to those purposes;

·       accurate and kept up to date;

·       kept only as long as necessary for the purposes we have told you about; and

·       kept securely.

3.       The personal data we collect

Personal data means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).

Depending on how you are involved with us, we will collect your personal data under one or more of the following legal bases:

·       consent – we may be able to offer you a choice as to whether or not we collect, store, share or otherwise process your personal data. This will be made clear to you and will not be done unless we have your consent;

·       contract – in some cases we need to collect personal data to fulfil a contract. This personal data will always be anonymised, for example where we are required to report on learner diversity;

·       legitimate interest – where processing is necessary for the purposes of our legitimate interests, except where such interests are overridden by your interests or fundamental rights and freedoms which require protection of personal data;

·       legal obligation – sometimes we may need to store and share personal data where we have a legal obligation to do so.  For example, we may need to store personal data to comply with employment or health and safety legislation; and/or

·       public interest – where processing is necessary for us to perform a task in the public interest, and the task has a clear basis in law.

To carry out our core activities, we collect, store and use personal data about you which may include:

·       your name and title;

·       address and postcode;

·       date of birth;

·       gender;

·       marital status and dependants;

·       private and corporate e-mail address;

·       phone number;

·       employment history;

·       education history;

·       financial personal data and compliance documentation;

·       references verifying your qualifications and experience;

·       documents that verify your right to work in the United Kingdom;

·       curriculum vitae;

·       photograph;

·       employment details, including links to your professional profiles available in the public domain e.g. LinkedIn, Twitter, Facebook or a personal or corporate website.

Some of the personal data we collect about you is considered as being sensitive personal data, which requires a higher level of protection. This may include:

·       age and date of birth;

·       race or ethnicity;

·       sexual preferences;

·       alcohol and other drug use;

·       trade union membership;

·       data relating to a disability or your physical or mental health including records relating to your leaving employment for reason of ill-health, injury or disability;

·       details of any absences (other than holidays) from work including time on statutory parental leave and sick leave;

·       criminal convictions/offending behaviour;

·       experience of homelessness;

·       experience of the care system.

 

4.       How we collect this personal data

We collect personal data about current and former learners and mentors, prison and other partners’ staff, donors, supporters, customers, trustees, staff and volunteers in the following ways:

·       by corresponding with us by phone, e-mail or otherwise;

·       by engaging with us to participate in one of our programmes; and/or

·       by attending our events.

We may also obtain personal data about you from other sources such as LinkedIn, Twitter, Facebook, corporate websites, job board websites, online CV libraries, your business card, personal recommendations, and any relevant social media sites.

We may sometimes collect additional information from third parties including former employers or background check agencies.

5.       Cookies

Our website uses cookies, which are small files that are placed on your computer when you visit a website. Cookies allow the website to recognise your browser, and to distinguish you from other website users, by reading the contents of the cookie each time the user visits the website. They help us to improve users’ experiences of our website, to track usage and trends, and to generally improve the effectiveness of our website.

By using our website, you indicate that you accept our use of cookies. You may refuse the use of cookies by selecting the appropriate settings on your browser; however, please note that if you do this you may not be able to use the full functionality of this website.

Please note that third party sites that you are linked to within our website may also use cookies. We have no control over the use of cookies by third party sites. Please ensure that you read the cookie policies on any third party site to which you are linked.

6.       How we use the personal data we collect about you

We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances:

·       where we need to perform a contract we have entered into with you;

·       where we need to comply with a legal obligation; and/or

·       where it is necessary for legitimate interests pursued by us or a third party and your interests and fundamental rights do not override those interests.

We may also use your personal data in the following situations, which are likely to be rare:

·       where we need to protect your interests (or someone else's interests); or

·       where it is needed in the public interest.

We need all the categories of information in section 3 above to allow us to perform our contract with you and to enable us to comply with legal obligations. In some cases, we may use your personal data to pursue our legitimate interests, except where such interests are overridden by your interests or fundamental rights and freedoms which require protection of personal data.  Some of these grounds for processing will overlap and there may be several grounds which justify our use of your personal data.

The situations in which we will process your personal data are listed below:

·       if you are a subscriber, supporter or donor, or a prospective donor, we will primarily use the personal data that you provide to us to contact you about our work and future fundraising initiatives.

·       if you are a learner or mentor, we will primarily use the personal data that you provide to us to allow us to enrol you in our educational programmes. However, we may also use your personal data to do the following:

o   assess the effectiveness of our programmes;

o   keep you and others safe whilst working with us;

o   in risk assessments, to put in place countermeasures for identified risks;

o   equal opportunities monitoring; and

o   comply with our health and safety obligations.

·       if you are a member of staff in a prison or another of our partner agencies, or a mentor, we will primarily use the personal data that you provide to us to allow us to manage your involvement in our educational programmes. However, we may also use your personal data to do the following:

o   maintaining records;

o   complying with health and safety obligations;

o   communicating with you about our work;

o   keep you and others safe whilst working with us; and

o   in risk assessments, to put in place countermeasures for identified risks.

·       if you are a member of staff or a trustee, or wish to apply for either of those roles with us, we will primarily use the personal data that you provide to us to allow us to perform our role as employer and to enable us to comply with legal obligations. However, we may also use your personal data to do the following:

o   making a decision about your recruitment or appointment, and determining the terms on which you work for us;

o   checking you are legally entitled to work in the UK;

o   paying you and, if you are an employee, deducting tax, National Insurance and pension contributions;

o   liaising with your pension provider, providing information about changes to your employment;

o   general administration of the contract we have entered into with you;

o   business management and planning, including accounting and auditing;

o   conducting performance reviews, managing performance and making decisions about salary reviews and compensation;

o   assessing qualifications for a particular job or task, including decisions about promotions and making decisions about your continued employment or engagement;

o   gathering evidence and any other steps relating to possible grievance or disciplinary matters;

o   education, training and development requirements;

o   dealing with legal disputes involving you, or other employees, workers and contractors, including accidents at work;

o   ascertaining your fitness to work, managing sickness absence;

o   complying with health and safety obligations;

o   to prevent fraud;

o   to monitor your business and personal use of our information and communication systems to ensure compliance with our IT policies;

o   to ensure network and information security; and

o   equal opportunities monitoring.

·       if you are a volunteer or prospective volunteer, we will primarily use the personal data that you provide to us to allow us to support and manage your volunteering role. However, we may also use your personal data to do the following:

o   assess your suitability for a volunteering role;

o   maintaining records;

o   complying with health and safety obligations;

o   education, training and development requirements;

o   communicating about your volunteering role;

o   keep you and others safe while volunteering;

o   in risk assessments, to put in place countermeasures for identified risks; and

o   equal opportunities monitoring.

·       if you are a customer or prospective customer, we will primarily use the personal data you provide to us to exchange information with you regarding our products and services. However, we may also use your personal data to do the following:

o   establish if you might become a customer;

o   process your order; and

o   collect payment from you.

·       if you are a member of our alumni scheme, as a former learner or mentor, we will primarily use the personal data that you provide to us to:

o   assess your suitability to join, or continue as a member of, our alumni scheme;

o   maintain records;

o   contact you regarding our alumni activities and keep you up to date with our alumni activities; and

o   comply with our health and safety obligations.

If you fail to provide certain personal data when requested, we may not be able to perform the contract we have entered into with you, or we may be prevented from complying with our legal obligations.

We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.

Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.

We do not envisage that any decisions will be taken about you using automated means; however, we will notify you in writing if this position changes.

7.       How we use particularly sensitive personal data we collect about you

"Special categories" of particularly sensitive personal data, such as information about disability or other illness, physical or mental health and criminal convictions/offending behaviour, require higher levels of protection. We need to have further justification for collecting, storing and using this type of personal data. We have in place an appropriate policy document and safeguards which we are required by law to maintain when processing such data. We may process special categories of personal data in the following circumstances:

·       in limited circumstances, with your explicit written consent;

·       where we need to carry out our legal obligations or exercise rights in connection with employment;

·       where it is needed in the public interest; and/or

·       where it is necessary to protect you or another person from harm.

Less commonly, we may process this type of personal data where it is needed in relation to legal claims or where it is needed to protect your interests (or someone else's interests) and you are not capable of giving your consent, or where you have already made the information public.

In general, we will not process particularly sensitive personal data about you unless it is necessary for performing or exercising obligations or rights in connection with any contract between us. On rare occasions, there may be other reasons for processing, such as it is in the public interest to do so.

The situations in which we will process your particularly sensitive personal data are listed below:

·       to assess a current or former learner’s or mentor’s eligibility to participate in one of our programmes;

·       to allow us to work with government agencies to assess the effectiveness of our programmes;

·       to allow a learner or mentor to transition from a prison-based programme to a community programme;

·       to determine a potential employee’s, trustee’s or volunteer’s suitability for engagement with us, in particular whether you hold any criminal convictions which may prevent you from participating in prison work or working with certain categories of beneficiaries;

·       to assess any special needs you may have as a result of a disability or health condition;

·       to allow us to monitor the demographic profile of those that we work with. This information is held separately to any other personal data and is anonymised;

·       if we reasonably believe that you or another person are at risk of harm and the processing is necessary to protect you or them from physical, mental or emotional harm or to protect physical, mental or emotional well-being.

We do not need your consent if we use special categories of your personal data in accordance with our written policy to carry out our legal obligations or exercise specific legal rights, or if we are acting in the public interest.

In limited circumstances, we may approach you for your written consent to allow us to process certain particularly sensitive data. If we do so, we will provide you with full details of the information that we would like and the reason we need it, so that you can carefully consider whether you wish to consent. You should be aware that it is not a condition of your contract with us that you agree to any request for consent from us.

We do not need your consent where the purpose of the processing is to protect you or another person from harm or to protect your well-being and if we reasonably believe that you need care and support, are at risk of harm and are unable to protect yourself.

8.       Information about criminal convictions

We may only use information relating to criminal convictions where the law allows us to do so. This will usually be where such processing is necessary to carry out our obligations and provided we do so in line with our data protection policy.

We will hold personal data about criminal convictions, and we will process this information in the situations listed in section 7 above.

We are allowed to use your personal data in this way as part of performing or exercising obligations or rights in connection with the contract between us, or to allow us to perform tasks in the public interest. We have in place an appropriate policy and safeguards which we are required by law to maintain when processing such data.

9.       Disclosing the personal data which we collect

We will share your personal data with third parties where required by law, where it is necessary to administer the working relationship with you or where we have another legitimate interest in doing so.

We may share the personal data that you provide to us with third parties in the following situations:

·       with partner organisations, including referral partners and other specialist service providers, to facilitate the provision of our educational programmes;

·       with the police or the local authorities where we consider this necessary to protect the safety of yourself or others.

All our third-party service providers are required to take appropriate security measures to protect your personal data in line with our policies. We do not allow our third-party service providers to use your personal data for their own purposes. We only permit them to process your personal data for specified purposes and in accordance with our instructions.

Your personal data is not disclosed to third parties for marketing or advertising purposes except with your express and written consent.

We will not transfer your personal data outside the EEA.

10.     How we keep your personal data safe

We have put in place appropriate technical and organisational measures to protect the personal data you provide to us. Although we take appropriate measures to prevent personal data from being lost, destroyed, damaged or unlawfully processed, we cannot guarantee this will not occur.  Further details of these measures may be obtained upon request.

To protect personal data, we use the following security measures:

·       we use a specialist database to keep the personal data of current and former learners, mentors, prison and other partners’ staff, volunteers, supporters, customers, donors, trustees and employees private. Each user of our database has a certain level of access assessed as appropriate to facilitate their work. This access is reviewed regularly and provided following a thorough induction and the signing of the relevant policies. 

·       strong passwords – we use unique passwords with multiple numbers, symbols, and letters. These passwords are used to protect documents that include personal data. The password provides an extra layer of protection to secure personal data.

·       secure networks – all of our employees make sure their system is secure when accessing personal data by using a firewall, password protecting the network, and using a virtual private network (VPN) to keep data secure.

·       awareness – cybersecurity is a top priority when handling sensitive personal data. Hackers create new and innovative threats every day. If you receive an email asking you to click on a suspicious link or provide private personal data about you or someone else, do not click on it. Report the threat to us as soon as possible and delete the email.

In addition, we limit access to your personal data to third parties who have a business need to know. They will only process your personal data on our instructions, are subject to a duty of confidentiality, and are also required to take appropriate measures to protect that personal data.

We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.

11.     How long we keep your personal data for

We retain different types of data for differing periods, but will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.

The criteria we use to determine whether we should retain your data and how long for include:

·       the amount, nature and sensitivity of the personal data;

·       the potential risk of harm from unauthorised use or disclosure of your personal data;

·       the purposes for which we process your personal data and whether we can achieve those purposes through other means;

·       any applicable legal requirements;

·       the length and extent of your engagement with our programmes; and

·       our legal obligations.

We may archive part of or all your personal data or retain it on our financial systems but delete all or part of it from our other databases. On removal, we may anonymise parts of your personal data – particularly following a request for suppression or deletion of your personal data – to ensure we do not re-enter your personal data to our database unless you have requested us to do so.

12.     Your rights in connection with personal data

The GDPR provides you with the following rights:

·       to be informed about the personal data we process about you;

·       to request access to the personal data we process about you.  This is commonly known as a "data subject access request" and enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it;

·       to request correction of your personal data.  This enables you to have any incomplete or inaccurate information we hold about you corrected;

·       to request erasure of your personal data in certain circumstances, where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have exercised your right to object to processing (see below);

·       to request the restriction of processing.  This enables you to ask us to suspend the processing of personal data about you, for example if you want us to establish its accuracy or the reason for processing it;

·       to request the transfer of your personal data to another party;

·       to object to the processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your personal data for direct marketing purposes;

·       not to be subjected to automated decision-making and profiling.

It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us.

If you want to review, verify, correct or request erasure of your personal data, object to the processing of your personal data, or request that we transfer a copy of your personal data to another party, please contact us in writing using the contact details at the end of this Privacy Notice.

You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.

We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is another appropriate security measure to ensure that personal data is not disclosed to any person who has no right to receive it.

13.     Changes to this Privacy Notice

We reserve the right to update this Privacy Notice at any time, and any changes we make to our Privacy Notice will be notified to you as soon as is reasonably practical, and will be posted on our website.

Please send any questions, comments or requests relating to this Privacy Notice to chris@shannontrust.org.uk.

 

Date of Issue: September 2021