“Personal data” means any data about a living individual who can be identified by use of that data. “Processing” such information, that is storing and using it, is governed by the General Data Protection Regulation (the “GDPR”) under which the OHCT as “Data Controller” has certain obligations. Contact details for OHCT are given below.
How do we process your personal data?
The OHCT complies with its obligations by keeping personal data up to date; by storing and destroying it securely; by not collecting or retaining excessive amounts of data; by protecting personal data from loss, misuse, unauthorised access and disclosure, and by ensuring that appropriate technical measures are in place to protect personal data.
We use personal data for the following purposes:
- Administration of OHCT membership including sending out membership materials;
- Responding to requests for support and for tickets for our events;
- Administration of donations, benefactions, legacies;
- Administration and payment of our grants;
- Administration of contracts with us; and
- Limited research and statistical analysis to inform the work of the Trust.
Personal data provided to us will be used for the purposes for which you submit it and in accordance with whatever consent you may give for its future use.
- If you are a member of the OHCT, the uses will include sending you confirmation of your membership, subscription, and membership materials such as the annual review and newsletters with details of our events and other activities.
- If you book with us to attend an event, we shall use your data to collect payment and to send you any ticket or joining instructions.
- If you sign up for Ride and Stride in any one year or for some other activity, you will be able to choose whether your details will be saved for future use so that we shall be able to contact you about related events in the future.
- When you book online to participate in one of our events, you may choose to ‘Create an Account’ which will hold your details for future use; you will then be able to make further bookings online more simply without having to re-enter those details. (Alternatively, you may supply your details afresh each time by booking as a ‘guest’.)
- If you provide us with personal data in connection with a grant application or potential application, you will be able to choose whether to go on a mailing list to receive further relevant information from us that may interest you.
- If you donate to the Trust, have done so in the past or pledge to do so in the future, we would like to report to you periodically on the Trust’s progress and plans and to invite you to events, and you will be asked whether you would like to stay in touch in this way.
You can, at any time, ask us to take you off a specific circulation list that you have joined or withdraw your consent for us to hold your data by contacting firstname.lastname@example.org.
Personal data relating to children under a legally determined age (currently, 16 years) cannot be processed without the consent of a parent or legal guardian.
What personal data do we process?
OHCT processes personal data that you give to it when you become a member of the Trust, register for one of its events, make a donation, apply for a grant or claim payment of a grant, or enter into a contract with the Trust. The personal data collected will typically include your name, billing and delivery addresses, email address, telephone number, and banking details connected with any payment you are making.
We keep the details of any banker’s standing order which you ask us to set up, and we hold Gift Aid declarations to allow the proper recording of your donations and to meet the legal requirements for audit. The law currently requires us to keep this information for a period of six years after the relevant payment date.
If you make an online payment through our website using a credit or debit card, your payment details are not stored by us but are passed to a secure third-party payment gateway, currently “Stripe”, which holds and processes those details according to high standards of security.
For further information, see https://stripe.com/gb/checkout/legal.
We manage our e-mail circulations through a widely used third-party e-mail handler, currently “MailChimp”. This provides for the secure storage of contact details drawn from information that you have provided to us via our website or in writing or other means, and it uses mailing lists for circulations in line with preferences that you have expressed. For further information, see https://mailchimp.com/legal/privacy/.
Information collected from visits to our website
As is common practice, whenever anyone visits our website, we use third-party suppliers to collect information about how people arrive at our site and navigate through it so that we can make the website easier to use and better suited to the interests of our users. This information is collected and analysed securely by “Google Analytics” in a way which does not tie the data to identifiable individuals. We also use “HotJar” for similar purposes: HotJar collects additional information such as the type of device and browser being used so that we can improve the usability of our website. HotJar anonymises the information and stores it securely. The operation of HotJar may put small files known as ‘cookies’ on your computer: this is normal practice as it improves the way your computer interacts a website (you can set your browser so that it does not accept cookies, but this is not recommended as it will prevent some website features from working properly).
For further information, see https://support.google.com/analytics/answer/6004245?hl=en
We may, in the future, update this policy to include the use of similar specialist suppliers chosen to meet the same high standards of security.
What are the legal grounds for our processing your personal data?
- That the processing is necessary to fulfil a request which you have made such as establishing your membership and providing membership materials, providing you with a ticket for an event, or processing a donation or grant application made by you.
- That you have consented to our processing your personal data for some specific purpose which we have offered to you as an option.
- That the processing is necessary to fulfil a contract made with the Trust, e.g. contracts between the Trust and its service providers.
- That the processing is necessary to meet a legal requirement, e.g. for financial or tax audit.
- That the processing serves some legitimate purpose justifiable in the context of individual’s interests and rights by the value it brings to the work of the Trust, e.g. research undertaken by the Trust to inform its overall planning to raise awareness of the needs of the county’s historic churches, to support their sustainability, and to broaden participation in the Trust’s activities.
With whom do we share your personal data?
Personal data may be shared where necessary as follows:
- With OHCT Trustees and officers of the Trust;
- With your specific consent, with other organisations such as local churches, trusts or other relevant funding bodies (we might recommend applicants to other funders or share details of applications with them – all applicants are asked if we may share their application details as part of our application process);
- With agents and other third parties acting for the Trust under contract or subcontract to undertake work such as maintaining our database and website, and sending out mailings.
Personal data is collected and processed according to this policy and the Trust’s security procedures. Under these procedures, an audit of categories of data held and permissions to access and use that data is undertaken by the Trustees at least annually. Third parties may use your data only for the purposes for which we pass it to them, and they follow security procedures which are at least as stringent as the Trust’s.
How long is your data kept?
Your data is held only for so long as the legal grounds for processing set out above apply. Records required for financial or tax audit have to be held for six years after the relevant transaction.
The nature of our work is such that we may have lifelong relationships with donors, beneficiaries and members. Legacy income is important to the running of the charity. We keep data as necessary to carry out legacy administration and communicate effectively with the families of people leaving us legacies.
Your rights and your personal data
Unless subject to an exemption under the GDPR, you may exercise the following rights with respect to your personal data free of charge: –
- The right to request a copy of your personal data which the Trust holds (in certain circumstances, that information to be available on request in transmissible digital form);
- The right to request that the Trust correct any personal data if it is found to be inaccurate or out of date;
- The right to request that your personal data be erased where it is no longer necessary for the Trust to retain such data;
- The right to withdraw any consent that you have given for your data to be processed;
- The right to object to the processing of personal data where the processing is justified by legitimate interests including research and statistical analysis;
- The right, where there is a dispute in relation to the accuracy or processing of your personal data, to request that a restriction be placed on further processing such that it may be held but no longer used while the matter is addressed; and
- The right to lodge a complaint with the Information Commissioners Office*
Revision of this policy
This policy will be reviewed regularly by the Trustees and up-dated as necessary: it was most recently reviewed on 16 April 2018.
If we wish to use your personal data for a new purpose not covered by this Policy, then we shall provide you with a new Policy explaining this new use prior to commencing the processing and setting out the relevant purposes and processing conditions. Where and whenever necessary, we shall seek your prior consent to the new processing.
Contacting us about your data or this policy
If you need to correct or update your basic membership details, please email: email@example.com.
For other matters connected with your data, or its use, or this policy, or to see your personal data held by us, please email: firstname.lastname@example.org or write to the Secretary at OHCT’s registered address: 20 Portland Road, Oxford OX2 7EY.
*You can contact the Information Commissioners Office on 0303 123 1113 or via email https://ico.org.uk/global/contact-us/email/ or at the Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire. SK9 5AF.