Our commitment to privacy
Taking Pictures, Changing Lives C.I.C. (“Taking Pictures, Changing Lives”, “we”, “us”, “our”) is committed to protecting your privacy and this Privacy Notice sets out what personal data we collect, how we collect it, what we use it for and who we share it with.
By “personal data” we mean information about you which could identify you such as your name and contact details, your donation history to us, and also information about your connection with and interest in our work (e.g. ‘introduced to us by John Smith’ or ‘born in Kenya’ or ‘invited us to speak at his event’ or ‘went on trip to Uganda’). This is so that we can send you relevant updates and invite you to relevant events. Personal data does not include data where you can no longer be identified from it such as anonymised aggregate data.
For the purposes of data protection legislation, Taking Pictures, Changing Lives is considered the “data controller” of personal data processed in connection with this Privacy Notice. This means that we are responsible for deciding how we hold and use personal data about you.
Our address is Taking Pictures, Changing Lives, ℅ 44 Cambridge Road, St Albans, Hertfordshire AL1 5LD. Should you have any questions about this Privacy Notice you can contact us at the above address.
This Privacy Notice applies to personal data about you that we collect, use and otherwise process when you visit our website, attend an event, are introduced to us by an existing supporter or otherwise share your data with us. We may provide supplemental privacy notices on specific occasions when we are collecting or processing personal data about you so that you are fully aware of how and why we are using your personal data. Those supplemental notices should be read together with this Privacy Notice.
What information do we collect about you and what do we use it for?
The types of personal data about you we may collect, store and use are set out in the table below and in each case we have specified what we use it for and our ‘lawful basis’ for processing it. The law specifies certain ‘lawful bases’ under which we are allowed to use your personal data. Most commonly, we will rely on one or more of the following lawful bases for processing your personal data:
- Where we need to perform the contract we have entered into with you
- Where we need to comply with a legal obligation
- Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests
- Where you have consented to us doing so
|Description||Why is the data held and what is it used for||Basis for processing data||Who holds the data and who can access it?||What security controls are in place?|
|Supporter name and email address in Mailchimp||Sharing our stories, reports, event invitations etc||Consent. Direct Marketing is defined by the ICO as any material which promotes the aims and objectives of the organisation and direct marketing by email always requires consent, under ePrivacy laws.||Only Taking Pictures, Changing Lives employees can access data, using login/password.||All Taking Pictures, Changing Lives users have own Mailchimp holds all data securely with high levels of security protection.|
|Donor/Supporter contact info and donation history, also in Mailchimp (used as our CRM).||So that we can thank, report back to and engage with supporters appropriately, eg sending literature, event or meeting invitations and fundraising appeals. We will also add some ‘leads’ and ‘contacts’ to Mailchimp if they are introduced to us by an existing supporter, but we do not add them to bulk email campaigns without consent. We would only send them personal messages.||Legitimate interest. We believe our supporters would reasonably expect us to keep records of their engagement with us, send them reports, thanks or new appeals. We also believe a person (including a Trust, Foundation or Corporate) would reasonably expect to be emailed personally (not Direct Marketing) after (for example) making a gift or attending an event. We do not believe this infringes their interests, rights or freedoms.||Only Taking Pictures, Changing Lives employees can access data, using login/password. Occasionally consultants or volunteers might be given access to our CRM for a specific purpose but only after signing the Data Protection Policy and their account would be disabled after terminating the contract.||All Taking Pictures, Changing Lives users have own Mailchimp holds all data securely with high levels of security protection.|
|Brief notes of subject’s relationship with Taking Pictures, Changing Lives||So that we can engage with our supporters appropriately.||As above||As above||As above|
|Google Suite - supporter / contact names and email addresses will be in our Gmail accounts and in some docs on the GDrive||We use Gmail for emailing supporters, partners, potential supporters etc. We store copies of thank you letters, grant application letters, reports etc in the Drive which will inevitably contain some personal contact details / data.||Legitimate interest. We believe people understand that we may email them personally when we have reason to believe they are interested in our work (NB not via DM campaigns but personally). We also believe people understand that correspondence, reports etc are often archived electronically.||As above||All Taking Pictures, Changing Lives users have own accounts with unique password. Google holds all data securely with high levels of security protection.|
Please note that we may use your personal data without your knowledge or consent, in compliance with the above rules, if we are required by law to do so or if we reasonably believe that it is necessary to protect our rights and/or to comply with judicial or regulatory proceedings, a court order or other legal process.
What if you do not provide the personal data we request?
If you do not provide us with certain information when requested, we will not be able to keep you updated on our work, invite you to events etc.
Change of purpose
We will only use your personal data for the purposes for which we collected it (as identified above in the ‘What we use this data for’ column), unless we reasonably consider that we need to use it for another reason which is compatible with the original purpose. If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.
In addition to the personal information that you submit to us, we may collect aggregated data generated by our systems and third parties (Google Analytics) to assess site usage and performance. This type of data and analysis does not track or store any personally identifiable data and is collected using the following technologies:
Web Server Logs - Our web servers may collect certain information such as IP address, pages visited, time of visits, and referring website.
How do we collect this information?
We typically collect personal data about you when you sign up to our mailing list (name, email address), make a one-off or regular gift (name, contact details, bank details if you choose to give via direct debit or standing order), attend an event (name, email address) or are introduced to us by an existing supporter.
In addition, we may receive personal information about you from third parties, such as StartSomeGood.com if you choose to make a donation using these platforms.
With whom will we share your information?
We may share your personal data with third parties where this is required by law, where it is necessary to perform our contract with you, or where we have another legitimate interest in doing so.
We will need to share your personal data with others including (for example):
- Event venues which require a guest list, food allergy information etc
- Your data may be held electronically by Mailchimp (our email-list and donor database provider), FreeAgent (our accounting software provider), Google (our email provider and also used for storing our electronic documents and archives), Slack (our instant messaging service) and Santander bank (our bank).
All our third-party service providers are expected to take appropriate security measures to protect your personal data in line with our policies.
We may need to share your personal data with a regulator or to otherwise comply with the law or a judicial process. We may disclose your personal data if we are required by law to do so or if we reasonably believe that disclosure is necessary to protect our rights and/or to comply with judicial or regulatory proceedings, a court order or other legal process.
Some of the third party platforms we use (eg Google, Mailchimp) are headquartered in the USA and thus your data, held on their servers, may be deemed to be transferred to the USA. There is no adequacy decision by the European Commission in respect of the USA which means it is not deemed to provide an adequate level of protection for your personal data.
However, to ensure that your personal data does receive an adequate level of protection we have ensured that all of these third parties have clauses in their privacy policies or terms and conditions committing themselves to ensure that your personal data is treated in a way that is consistent with and which respects the EU and UK laws on data protection. If we become aware of a data breach, we will report it in accordance with the regulations.
How long will we retain your information?
We will only retain your personal information for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting or reporting requirements.
If you are on our mailing list (Mailchimp), we would keep your data on Mailchimp until you unsubscribe or otherwise request to be removed from the list. We may periodically ‘clean’ the mailing list of email addresses which ‘bounce back’ or subscribers who have not opened an email from us for a long time, in which case your data might be removed from the list as we would assume you were no longer interested in hearing from us. Of course you could re-subscribe at any time.
If you are a donor to Taking Pictures, Changing Lives or have been invited to one of our events, we may keep your data on Mailchimp (our CRM) indefinitely, even if you stop giving, because we use it for statistical analysis which guides our strategic decisions (eg which events have been best attended, what trends can we see in regular giving, which part of the country do most of our supporters come from etc - this helps us work out where to invest our limited fundraising resources). However, if you request to be removed from the CRM, of course we would do so. We would also cease sending you updates about our work if you requested / opted-out. If you had not made a gift for several years, we may assume that you are no longer interested and cease sending you updates etc even if you have not opted out.
Your rights in relation to your information
It is important that the personal data we hold about you is accurate and current. Please let us know if your personal data changes during your relationship with us.
You have rights as an individual which you can exercise in relation to the information we hold about you under certain circumstances. These rights are to:
- Request access to your personal data (commonly known as a “data subject access request”) and request certain information in relation to its processing
- Request rectification of your personal data
- Request the erasure of your personal data
- Request the restriction of processing of your personal data
- Object to the processing of your personal data
- Request the transfer of your personal data to another party.
If you want to exercise one of these rights please contact us (contact details above).
You also have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues.
You will not usually have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.
What we may need from you
We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is another appropriate security measure to ensure that personal data is not disclosed to any person who has no right to receive it.
Right to withdraw consent
In the limited circumstances where you may have provided your consent to the collection, processing and transfer of your personal data for a specific purpose, you have the right to withdraw your consent for that specific processing at any time. To withdraw your consent, please contact us (contact details above). Once we have received notification that you have withdrawn your consent, we will no longer process your information for the purpose(s) you originally agreed to unless we now have an alternative legal basis for doing so.
Changes to this privacy notice
We reserve the right to update this privacy notice at any time, and we will make an updated copy of such privacy notice available on our website and notify you when we make any substantial updates. We may also notify you in other ways from time to time about the processing of your personal data.
As so much of the data Taking Pictures, Changing Lives holds is held electronically, it is important to ensure that it is held securely. Taking Pictures, Changing Lives staff all use their own personal Mac laptops for work and inevitably travel with them. Staff also access Gmail emails on their phones and this IT security policy applies to all devices used for work. All staff must:
- Update your operating system and applications regularly
- Keep your computer firewall switched on
- Ensure your phone is also protected against malware
- Store work files in the Google Drive which is protected and backed up by Google
- Don’t use an administrator account on your computer for everyday use - use your own log in details
- Make sure your computer and phone logs out automatically after 15 minutes maximum and requires a password to log back in
- Do not set any applications (Gmail, Mailchimp etc) to open automatically - ensure you key in the password every time
- Change default passwords and PINs on computers, phones and all network devices
- Don’t share your password with other people or disclose it to anyone else
- Don’t write down PINs and passwords next to computers and phones
- Use strong passwords - at least three of upper and lower case letters, numbers and symbols, at least 8 characters long, change them regularly, and don’t use the same passwords repeatedly
- Be wary of fake websites and phishing emails
- Don’t click on links in emails or social media
- Don’t disclose passwords and other confidential information unless you are sure you are on a legitimate website
- Don’t use pirated software
- Take particular care of your computer and mobile devices when travelling.
If you have any questions, concerns, requests, or comments about privacy, you can contact us by email at: firstname.lastname@example.org
Effective: 19 May 2018