Safeguarding your personal data

This is our policy on privacy and data. We’ll do everything we reasonably can to fulfil it, but please bear in mind that we’re a small, non-profit community group made up of volunteers concerned about climate change, and not a big, well-funded organisation. We’d be pleased and grateful if you’d work patiently with us to improve our policy and practices.

This is version 1 of our policy, and was published on 16 March 2021.

We may make changes to this policy. If we do, we’ll add a list of the changes at the end. If we make significant changes, we’ll try to inform anyone who may be affected in the best way we can.

Who to contact

Data issues are the responsibility of our Secretary (or whoever is presently carrying out the Secretary’s duties). If you have any requests relating to your personal information, or any questions about how we manage it, please contact us at (website) www.minchcan.org or (email) [email protected]

Please keep us up-to-date

We can’t respect your wishes if we don’t know them. We can’t keep your information accurately if you don’t correct us when it’s wrong. We can’t know that you’re there if you don’t reply when we try to contact you.

If we feel the information or contact with you that we have is unreliable or insufficient, we may remove your details from our records, and potentially consider your relationship with us ended.

Why do we have a Privacy & Data policy?

Your personal information (data), belongs to you. As a community group, we can only store and use (process) your data with your permission (consent), we don’t have any automatic right to it.

When you consent for us (as the ‘data controller’) to use your data, there is legislation outlining what we can and can’t and must and mustn’t do with it. This is commonly referred to as the General Data Protection Regulation (GDPR).

This means we have to behave in a certain way:

  • We account for our use of your data, which is why we have this policy.
  • We store and use your data lawfully, fairly and in a transparent manner.
  • We account for the security of your data while we have it, and how, if at all, it’s shared by us with other people and organisations.
  • Our protection of your data won’t be affected by other people’s rights, eg if someone else asks to see data that requires your consent to be given, we will not share it until we have that.
  • We ask only for that data that’s necessary for our activities, as discussed in this policy. You do not have to give consent for your data to be used in all of our activities, you can restrict our use of it. You can withdraw or give consent later if you change your mind.
  • We tell you which of your data we have when you ask us to, and can provide you with a copy. This is your ‘right of access’.
  • We correct your data when you ask us to.
  • We transfer your data to someone else when you ask us to. This is commonly referred to as data portability.
  • We delete your data when you ask us to, or when we no longer need it. This is your ‘right to be forgotten’.

What counts as personal data?

Personal data is any information connected to you as an individual that identifies you, or that can be used to work out your identity.

Truly anonymous information does not count, but inaccurate information does if it can be connected to an individual.

Some of this is obvious (eg names, photos, addresses), and some less so. The less obvious information (to do eg with your physical, behavioural, economic, cultural, or social identity) can be used in combination to build a unique, identifying profile of you.

Sensitive data

Some of your personal data will be more sensitive in nature, and has stronger protection in law. We deliberately try to not record this, and urge you to be cautious about disclosing it yourself (eg in your public profile). This is data concerning your: race, ethnic origin, political opinions, religious beliefs, trade union memberships, genetics, biometrics, health, or gender.

If for any reason we do need this data (because eg we are applying for a grant to an organisation interested in the diversity of applicants), we will ask you separately for it, explain why we’re asking, make the data you submit anonymous, and respect your right to refuse.

How does consent work?

You lend us the use of your data so that we can carry out our work. You can at any time ask for it back.

Before you lend us your data, we need to tell you what we might use it for. (This policy does that.) If we add extra uses, we need to say how and why before using your data for them, and give you the chance to refuse.

Your consent needs to be clear and unambiguous. You have to clearly have the capacity to provide it. You give it to us automatically when you communicate with us for the specific reason that we’re communicating and no more, eg when you email us, you consent to our collecting your email address so that we can reply.

You can agree to lend your data for some parts of our work rather than all of it. You can change your mind as to which parts. Consent extends not only to whether we communicate, but how we communicate as well.

Contact us to change your consent.

Children and young people

We will not knowingly communicate with nor ask for or collect the personal information of anyone under the age of 13. If you are aware that we are in contact with a child, please tell us straight away. Once we know that personal information we hold relates to a child, we will delete it as quickly as possible.

We don’t want to exclude young people from our activities, but anyone under the age of 16 can only provide us with their personal information with the informed consent of an appropriate parent or guardian.

Where there’s doubt, we may ask for proof of age.

What do we use your data for?

We collect and use only the data that we need for the purposes described here. If you restrict the data we hold, we might not be able to include you in all of our activities:

  • To manage your membership of Minch CAN. This will always include your name, the nature of your connection to Minch CAN’s area of operation, and an email address by which we may contact you.
  • So that we can contact you directly to inform you of our activities, eg to send you agendas, newsletters and updates.
  • To communicate with you when we have an issue to discuss, eg for your views and opinions, to notify you of changes, as part of relevant fundraising.
  • To create a record of significant correspondence, eg complaints and how they were handled.
  • To accept and use your content on our website, in our social media, in our other publications. This includes your member profile, as seen on our website.
  • As part of your participation in one of our meetings or events.
  • So that we can track usage of and reaction to our website and social media.
  • In support of a financial or legal process, eg a grant, donation, contract, or scheme such as Gift Aid.
  • To confirm your identity for your security, eg to make sure we don’t accidentally pass on your data to someone else.
  • To otherwise be able to run Minch CAN, eg for voting purposes.

How do we look after your data?

We will do all that we reasonably can to safeguard your personal data. Whatever safeguards we take, accidents and malicious acts will still happen however, so please be aware of that and understand that you disclose your data at your own risk.

  • Anyone at Minch CAN who needs to handle personal data will know of this policy and the steps we take to ensure security. We will restrict the number of people with access to data.
  • We will take reasonable precautions, eg sending confirmation emails.
  • Any physical records will be hidden from casual sight at a safe location.
  • Any digital records will be password-protected.
  • Any third party will need to assure us their own practices are secure.

If you’re concerned we may have lost control of your data (that there’s been a ‘data breach’), please let us know. If we confirm a breach, we will do our best to promptly notify everyone we believe to have been affected.

Third parties

We don’t own all of the infrastructure we use for our activities. We don’t eg own the servers that host our website, the company we use to send out newsletters – we certainly don’t own Twitter. We sometimes need to involve a third party in our contact with you:

  • We’ll only use a third party for things we can’t do ourselves.
  • We’ll only use third parties that we feel are serious and effective about your data’s safety.
  • We’ll disclose only the data that is absolutely necessary to deliver the service.

Third parties have no authority to use your data except for the specific purpose we have engaged them to do, eg to send you a newsletter you have asked for from us. You need to report any unauthorised use to us.

The internet

It’s in the nature of the internet to enable the easy sharing of information, potentially with complete strangers. Website comments, social media postings – these kinds of things are publicly-viewable. Even if you or we subsequently remove them, they may remain viewable in cached and archived pages, or if others have otherwise saved them.

Please make yourself fully aware of the information content of anything you submit, eg images may contain embedded location data.

Tracking and analytics

Our website uses some simple tools to help us improve it for visitors.

It collects data about where visitors are geographically (we want to know that we’re being visited by local people) and where they’ve come from on the internet (eg through our social media or by a Google search). It also gathers data on whether you’ve visited before, what pages you’ve visited and how long for.

Cookies

When you visit our website for the first time, you’ll see a notification that it uses cookies. A cookie is a small file of information our website lodges on your device to track your use of our website and help it work better for you on follow-up visits.

Cookies are anonymous. The only information the cookie stores is which pages you visited, on what days, for how long – not information about you.

Session cookies are temporary and disappears after you complete your visit to our website. Persistent cookies stay on your device for future visits, to eg remember any preferences you may have made.

You can refuse and remove cookies by selecting the appropriate settings on your web browser.

Traffic logs

Traffic logs use the data gathered through cookies to help us see how busy different parts of our website are and when. We use them to judge what’s most interesting or helpful to the people that visit us.

Articles, comments and other submitted content

Our website will contain material that people have submitted to us for inclusion, eg articles for our blogs and comments on those articles.

Data security in submitted material is the responsibility of the person or organisation submitting it, though we will do our best to moderate submitted material for data issues. We will refuse to accept it or remove it at the earliest opportunity if problems are apparent.

We will do our best to highlight submitted material, eg with an appropriate disclaimer.

Links

Our website contains links to other websites, run by other organisations. Our privacy and data policy applies only to our website‚ so we encourage you to read the privacy statements on the other websites you visit. We cannot be responsible what other websites do, even if you access them using links from ours.

Our website may include ‘embedded content’ (eg videos) that is actually resident on other websites. If you activate embedded content (eg by playing a video), it behaves as if you are using it on its home website, and the rules of that website apply.

Destroying data

We keep your data only for as long as it’s needed for the purposes for which you supplied it. Be aware that this may be longer than you anticipated, eg comments on articles on our website will stay there for as long as the article itself.

When your data’s no longer needed, we will make sure the records of it are destroyed in an appropriate manner.

When would we share your data?

We may share your data under some circumstances if it means acting ethically, lawfully, and responsibly. If we do, we’ll minimise the amount of data we share and the number of people and organisations we share it with. This may include:

  • As part of a safeguarding action to protect individuals from harm.
  • As part of an action to protect or remedy ourselves or individuals from injury or loss.
  • If we think a crime or other notifiable action may be about to or has occurred.
  • If otherwise required to do so by law.
  • As a necessary part of a public document you have consented to be part of, eg a petition.

What do you do if you have a problem with our use of your data?

If you have any concerns about our use of your data, please first of all contact us to discuss the problem. If you’re not happy with our response, the Information Commissioner’s Office (ICO) is the UK’s independent authority for information rights and data privacy. We’ve based this policy on its guidance. It’s the body to complain to if you feel we’re getting things wrong, go to www.ico.org.uk