Privacy Notice to Users:
This policy sets out how Engage uses and protects the personal data that you provide to us. We treat any personal information collected in accordance with this policy, the Data Protection Act of 1998, the General Data Protection Regulation of 2018 and the Privacy and Electronics Regulations of 2003.
We collect basic personal data about you which does not include any special types of information or location-based information (race, gender, politics etc.). This does, however, include name, address, email, phone number.
Why do we need your data?
We need to know your basic personal data in order to provide you with ongoing organisational updates and services in line with this overall policy. We will not collect any personal data from you we do not need in order to provide and oversee this service to you.
What do we do with your data?
All the personal data we collect is processed by our staff in the UK. No 3rd parties have access to your personal data unless the law allows them to do so.
We have a Data Protection process in place to oversee the effective and secure processing of your personal data. More information on this framework can be found in our data protection policy below.
How long do we keep your data?
Where we provide a service to you, we are required under UK tax law to keep your basic personal data (name, address, contact details) for a minimum of 6 years. This is the maximum length of time we keep your data after which it is destroyed.
Your information that we use for marketing purposes will be kept with us until you notify us that you no longer wish to receive marketing information from us.
What we would also like to do with your data
We would like to use your name and email address to inform you of our future offers and similar products. This information is not shared with third parties and you can unsubscribe at any time via phone, email or our website.
What are your rights?
If at any point you believe the information we possess on you is incorrect, you can request to see this information and have it corrected or deleted. You also have the right to be told how your personal information will be used. This section, along with the data protection policy, is designed to give you a clear understanding of how your data is stored and used by us.
For more information about your rights please consult the Information Commissioner’s guidance.
Where we rely on your consent to use your personal information, you have the right to withdraw that consent at any time.
If you wish to raise a complaint on how we have handled your personal data, you can contact us to have the matter investigated at firstname.lastname@example.org
If you are not satisfied with our response or believe we are not processing your personal data in accordance with the law you are free to make a complaint to the Information Commissioner’s Office.
We may process data of people under the age of 16 who participate in our programmes.
Where we do, this information will be encrypted and access to this information limited to those staff requiring it in order to run the programme and provide necessary reporting only to our funders.
We will securely store this information for a reasonable period and as required or for legal reasons.
For any sensitive information we collect we will only do so if there is a clear reason for it. We will only collect such information with your explicit permission or where the law requires us to do so.
Sensitive information collected is anonymised and only handled by staff trained to do so.
If making a purchase over the phone you will be asked to provide your credit/debit card details.
We do not store any credit/debit card details or PayPal account information on or offline under any circumstances.
We may occasionally photograph or videotape events delivered by us. If you are present at the event your permission will be individually sought.
If you wish to restrict or block web browser cookies that are set on your device then you can do this through your browser and its privacy settings; the Help function within your browser will tell you how. Alternatively, visit www.aboutcookies.org, which contains comprehensive information on how to do this on a wide variety of desktop browsers.
We use a ‘session’ cookie to know if a user is a logged in member or not. Session cookies expire when you leave our site. Personal information is not stored.
The session cookie will be called “ASP.NET_SessionId” and its content will be a random string, looking something like this: “x4xzkbnefphj22555g1qiz1”
We use one ‘persistent’ or permanent cookie; this is used to auto-fill the username box on the login form for members when you next return to the site. The permanent cookie is called ‘engage’, and its content will be of the form: “username=fred”
Third party cookies measuring Engage website usage
Third party cookies are cookies that are set by a domain other than the one being visited by the user, in this case Engage. If a user visits a website and a separate company sets a cookie through that website, this is a third party cookie. We use third party cookies set by Google Analytics to help Engage determine popular and unpopular pages and to let us know where we need to improve and what services we may need to promote or update. Google Analytics stores information about what pages you visit, how long you are on the site, how you got here and what you click on. We do not collect or store your personal information (e.g. your name or address), so this information cannot be used by Engage to identify who you are. These cookies will have names like “_utma”, “_utmb”, etc., and their value will be strings of (apparently random, but actually encrypted) characters.
We are not responsible for cookies of content embedded on our website but hosted by a third party. For information on how to manage cookies please visit http://www.aboutcookies.org
Engage Data Protection Policy:
Conditions for processing
We will ensure any use of personal data is justified using at least one of the conditions for processing and this will be specifically documented. All staff who are responsible for processing personal data will be aware of the conditions for processing. The conditions for processing will be available to data subjects in the form of a privacy notice (above).
Justification for use of personal data
We will process personal data in compliance with all six data protection principles under GDPR.
The data that we collect is subject to active consent by you (the data subject). This consent can be revoked at any time.
Criminal record checks
Any criminal record checks are justified by law. Criminal record checks cannot be undertaken based solely on the consent of the subject.
Upon request, a data subject has the right to receive a copy of their data in a structured format. These requests should be processed within one month, provided there is no undue burden and it does not compromise the privacy of other individuals. A data subject may also request that their data is transferred directly to another system. This must be done for free.
Right to be forgotten
A data subject may request that any information held on them is deleted or removed, and any third parties who process or use that data must also comply with the request. An erasure request can only be refused if an exemption applies.
Privacy by design and default
Privacy by design is an approach to projects that promotes privacy and data protection compliance from the start. The data protection officer (DPO) will be responsible for conducting Privacy Impact Assessments and ensuring that all projects commence with a privacy plan.
When relevant, and when it does not have a negative impact on the data subject, privacy settings will be set to the most private by default.
Data Storage and Security
We take security of data extremely seriously. Appropriate measures are in place to protect the information that we hold both on and offline so that improper access, alteration or loss does not take place.
Information is only accessed and processed by appropriately trained staff and volunteers.
For the purposes of IT hosting and maintenance, data is located on servers within the European Union. However, Engage may transfer or store data at a destination that is not in the EEA. If Engage does use a destination outside the EEA to store data, we will take reasonable measures to make sure the data is protected and appropriate legal agreements are in place to ensure protection.
Reviewed May 2018