“Personal data” means any data about a living individual who can be identified by use of that data. “Processing” such information, that is storing and using it, is governed by the General Data Protection Regulation (the “GDPR”) under which the OHCT as “Data Controller” has certain obligations. Contact details for OHCT are given below.
How do we process your personal data?
The OHCT complies with its obligations by keeping personal data up to date; by storing and destroying it securely; by not collecting or retaining excessive amounts of data; by protecting personal data from loss, misuse, unauthorised access and disclosure, and by ensuring that appropriate technical measures are in place to protect personal data.
We use personal data for the following purposes:
Personal data provided to us will be used for the purposes for which you submit it and in accordance with whatever consent you may give for its future use.
You can, at any time, ask us to take you off a specific circulation list that you have joined or withdraw your consent for us to hold your data by contacting [email protected].
Personal data relating to children under a legally determined age (currently, 16 years) cannot be processed without the consent of a parent or legal guardian.
What personal data do we process?
OHCT processes personal data that you give to it when you become a member of the Trust, register for one of its events, make a donation, apply for a grant or claim payment of a grant, or enter into a contract with the Trust. The personal data collected will typically include your name, billing and delivery addresses, email address, telephone number, and banking details connected with any payment you are making.
We keep the details of any banker’s standing order which you ask us to set up, and we hold Gift Aid declarations to allow the proper recording of your donations and to meet the legal requirements for audit. The law currently requires us to keep this information for a period of six years after the relevant payment date.
If you make an online payment through our website using a credit or debit card, your payment details are not stored by us but are passed to a secure third-party payment gateway, currently “Stripe”, which holds and processes those details according to high standards of security.
For further information, see https://stripe.com/gb/checkout/legal.
We manage our e-mail circulations through a widely used third-party e-mail handler, currently “MailChimp”. This provides for the secure storage of contact details drawn from information that you have provided to us via our website or in writing or other means, and it uses mailing lists for circulations in line with preferences that you have expressed. For further information, see https://mailchimp.com/legal/privacy/.
Information collected from visits to our website
As is common practice, whenever anyone visits our website, we use third-party suppliers to collect information about how people arrive at our site and navigate through it so that we can make the website easier to use and better suited to the interests of our users. This information is collected and analysed securely by “Google Analytics” in a way which does not tie the data to identifiable individuals. We also use “HotJar” for similar purposes: HotJar collects additional information such as the type of device and browser being used so that we can improve the usability of our website. HotJar anonymises the information and stores it securely. The operation of HotJar may put small files known as ‘cookies’ on your computer: this is normal practice as it improves the way your computer interacts a website (you can set your browser so that it does not accept cookies, but this is not recommended as it will prevent some website features from working properly).
For further information, see https://support.google.com/analytics/answer/6004245?hl=en
We may, in the future, update this policy to include the use of similar specialist suppliers chosen to meet the same high standards of security.
What are the legal grounds for our processing your personal data?
With whom do we share your personal data?
Personal data may be shared where necessary as follows:
Personal data is collected and processed according to this policy and the Trust’s security procedures. Under these procedures, an audit of categories of data held and permissions to access and use that data is undertaken by the Trustees at least annually. Third parties may use your data only for the purposes for which we pass it to them, and they follow security procedures which are at least as stringent as the Trust’s.
How long is your data kept?
Your data is held only for so long as the legal grounds for processing set out above apply. Records required for financial or tax audit have to be held for six years after the relevant transaction.
The nature of our work is such that we may have lifelong relationships with donors, beneficiaries and members. Legacy income is important to the running of the charity. We keep data as necessary to carry out legacy administration and communicate effectively with the families of people leaving us legacies.
Your rights and your personal data
Unless subject to an exemption under the GDPR, you may exercise the following rights with respect to your personal data free of charge: –
Revision of this policy
This policy will be reviewed regularly by the Trustees and up-dated as necessary: it was most recently reviewed on 16 April 2018.
If we wish to use your personal data for a new purpose not covered by this Policy, then we shall provide you with a new Policy explaining this new use prior to commencing the processing and setting out the relevant purposes and processing conditions. Where and whenever necessary, we shall seek your prior consent to the new processing.
Contacting us about your data or this policy
If you need to correct or update your basic membership details, please email: [email protected].
For other matters connected with your data, or its use, or this policy, or to see your personal data held by us, please email: [email protected] or write to the Secretary at OHCT’s registered address: 4 Haslemere Gardens, Oxford, OX2 8EL.
*You can contact the Information Commissioners Office on 0303 123 1113 or via email https://ico.org.uk/global/contact-us/email/ or at the Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire. SK9 5AF.