The purpose of this policy is to give a clear explanation of how Free to Be collects and uses the personal information individuals provide to us and that we collect. We ensure that we use people’s information in accordance with all applicable laws and best practice concerning the protection of personal and/or sensitive information.
How we collect information:
We obtain personal information when an individual or someone acting on their behalf, enquires about our services, applies to us, emails us, subscribes to our newsletters/mailing lists, makes a donation to us, asks a question about Free to Be, or otherwise provides us with personal information. Sometimes we may obtain personal information from third parties (e.g. a school or other organisation referring a child to one of our services) but only if the third party provides confirmation that the individuals concerned have agreed to their personal information being shared with us for the specified purpose.
We also gather general information about the use of our website/other online presence, such as pages visited and areas that are of most interest to users. We use this information to improve our website and make it a better experience for everyone. For further information please see the cookies section.
The information we collect, and how we use it:
The potential information Free to Be may collect, and how we use this information, varies depending upon an individual's relationship with us. Please see our specific Privacy Notices for each of these relationship types at the end of this page for more information.
Data Protection law recognises that certain categories of personal information are particularly sensitive. These are known as special or sensitive categories of data and cover health information, race, ethnic origin, trade union membership, genetics/biometrics, religious beliefs, sexual orientation/activity and political opinions. Free to Be only collects special/sensitive categories of data about individuals involved with our services if there is a clear reason for doing so, (e.g. to ensure we provide the appropriate facilities or support to enable individuals to participate in a project/programme).
How we protect data and information:
We adopt appropriate data collection, storage, processing practices and security measures to protect against unauthorised access, alteration, disclosure or destruction of personal or transactional data stored on our website and systems. To find out more about these measures, please contact the Data Protection Manager, whose details are provided at the bottom of this page.
Marketing & Communications:
Being able to communicate with our supporters (donors, volunteers and others) is important, as their ongoing support helps us improve the lives of disadvantaged children.
We use the details our supporters provide to contact them via (usually) termly newsletters which contain updates about our activities, news of successes and requests for help with challenges. Supporters proactively sign up to receive these communications and data gathered for the sending of newsletters is not used for any other purpose.
We undertake to only communicate with supporters in the way they wish us to. Supporters can change their mind at any time and its quick and easy to let us know if they no longer want to hear from us by emailing us or using the automatic unsubscribe feature at the foot of each newsletter. We do not pass on our supporter's personal data to any other organisation.
We rely on the legitimate interest basis to use personal information in some circumstances.
For example, from time to time, we may contact newsletter subscribers, (who have all requested to receive regular information about Free to Be), with additional one off communications of significance. There is no overriding prejudice to these individuals by using their personal information for this purpose, however they will always have the option to opt-out of hearing from us.
Disclosure of information to third parties:
We never disclose personal information to third parties, other than in situations where we believe the welfare of an individual is at risk, or if we are ordered to do so by a Court or other legal requirement, (e.g. the duty to report criminal acts to the Police). Further details about these rare instances are laid out within the specific Privacy Notices for groups of individuals below.
Consent for children, including those aged 13 or under:
We are committed to protecting the privacy and wellbeing of all children & young people engaging with Free to Be.
Anyone aged under 18 must have specific parental/guardian consent before participating in any Free to Be project/event. Individuals aged under 18, but over 13, may consent to the gathering and use of their personal data without parental consent, but Free to Be reserves the right to contact the parents/carers of any individual aged 13-17, should we believe the young person's welfare requires it. Individuals aged 13 or under may not consent to the gathering or use of their personal data and must have parental/guardian consent for this.
Please see the Child & Family Privacy Notice below for further information.
Storing & deleting personal information:
We keep personal information for as long as required to operate our services in accordance with legal requirements and tax and accounting rules. Where personal information is no longer required and our periods of consent have expired, we will ensure it is disposed of in a secure manner. For further information regarding particular aspects of personal data, how long it will be stored for, where, and how, please contact the Free to Be Data Protection Manager using the details below.
Free to Be stores all personal data securely and trains all staff, volunteers and other individuals representing us to manage data in accordance with our Data Protection policies. Free to Be stores some personal information via cloud based applications (e.g. Google Drive). Where this is the case Free to Be ensures that these storage providers adhere to all relevant UK and EU legislation.
The Data Protection Act 1998 and the General Data Protection Regulation, in force from May 25th 2018 grants individuals the following rights:
The right to access their personal information
The right to edit and update their personal information
The right to request to have their personal information deleted
The right to restrict processing of their personal information
The right to object
The right to lodge a complaint with a supervisory authority
1. The right to access personal information
Individuals have a right to obtain confirmation that their personal information is being processed. They also have the right to request a copy of the personal information we hold about them.
We will provide a copy of personal information within 40 days of receiving a written request. We may charge a fee, not exceeding £10, for dealing with this request.
2. The right to edit and update personal information
The accuracy of personal information is important to us. Any individual can edit their personal information, including address and contact details, at any time. Any changes requested may take 28 days to take effect.
3 The right to request to have personal information deleted
Individuals have the right to request the deletion of their personal information. Any changes requested may take 28 days to take effect. In certain rare situations where we are required by law or sector best practice to maintain records, we may need to advise individuals that not all their information can be deleted. If this is the case we will notify them of this, clearly explaining what information has and has not been deleted, and why.
4. The right to restrict processing of personal information
Individuals have the right to ‘block’ or suppress processing of their personal data. In this scenario, we will continue to store data but not further process it. We do this by retaining just enough personal information to ensure that the restriction is respected in the future. Any changes requested may take 28 days to take effect.
5. The right to object
Individuals have the right to object to personal information being processed at any point, from the very first communication from us, to every marketing communication thereafter. Any changes requested may take 28 days to take effect.
If we process personal information for the exercise or defence of legal claims or we can demonstrate compelling grounds, for example in relation to child protection, we may not be able to fulfil a individual’s request. However we will always contact them to discuss further.
6. The right to lodge a complaint with a supervisory authority
If an individual wishes to lodge a complaint or seek advice from a supervisory authority, they may contact:
The Office of the Information Commissioner
Cheshire SK9 5AF
Tel: +44 (0) 01625 545 745
Anybody wishing to exercise any of the above rights will need to provide Free to Be with two pieces of approved identification. Requests should be addressed to: Data Protection Manager and sent to firstname.lastname@example.org
Other websites or online platforms/resources:
Transfer of information via the internet:
Given that the internet is a global environment, using it to collect and process personal data necessarily involves the transmission of data on an international basis. This means, for instance, that data passed to us may be processed outside the European Economic Area, although the data will always be held securely and in line with the requirements of UK data protection legislation. By communicating electronically with us individuals acknowledge and agree to our processing of personal data in this way.
A cookie is a small piece of information sent by a webserver to a web browser which enables the server to collect information from the browser. Find out more about cookies and how to turn them off at www.allaboutcookies.org.
Most browsers will allow users to turn off cookies, however, turning off cookies may sometimes restrict an individuals use of our website.
Some cookies allow us to count visits and traffic sources so we can measure and improve the performance of our website. They help us to know which pages are the most and least popular and see how visitors move around the site. The data collected is not shared with any 3rd party. The information we get through the use of these cookies is anonymous and we make no attempt to identify or influence visitors experience of the site.
Updates to this Policy & the Privacy Notices:
We may update this policy from time to time. When we do, we will revise the policy update date below. We encourage our users to frequently check this page for any changes to stay informed about how we are protecting the personal information we collect.
If there are significant changes in the way we treat personal information, we will contact the individuals whose data we hold and place a prominent notice on our website.
This document was last updated 10th May 2018.
Additional privacy notices specific to individuals' relationship to Free to Be:
Child & Family Specific Privacy Notice:
Before Free to Be can offer a young person a place on any project/programme, we have to ensure we have enough information about the young person, their family and their circumstances in order to keep them safe and to help them gain the maximum benefit from our service. We ordinarily initially obtain this information through referrals from external organisations, consent forms and direct communication with families and require parental consent for all data obtained, stored and processed for children aged 13 or under. Young people aged 14-17 inclusive may consent to the gathering, storage and usage of their personal data but Free to Be reserves the right to contact parents/carers should a young person's welfare interests indicate this. (Young People aged 14-17 must however still have parental/carer consent to participate in projects/events.)
We only use the personal information that is supplied to us for the above purposes. Separately Free to Be uses anonymised and depersonalised information, statistics and case studies to monitor project attendance and measure project impact in order to continue to improve projects for future attendees.
Should a need arise to provide information to any third party, we will not do so without seeking additional consent, unless there is a welfare risk to the child.
Personal information about children who are referred but do not attend our projects will be held until the end of the calendar year following that in which they were initially referred. (A maximum of 2 years post-referral.) Free to Be may use this data under the legitimate interests principle to contact the child's parent/guardian should a last minute place on a project open up which the family may wish to access, but will not use it for any other purpose. Following this period, all information other than name, date of birth, referring organisation and reason for non-attendance will be deleted. After a further period of three years, all remaining information will be deleted.
If a child does attend a Free to Be project, programme, or any other service, we will compile a record relating to their project history. This record and all information relating to the young person, their family and their circumstances will be kept secure and will only be used for purposes directly relevant to ensuring their wellbeing, safety and maximising the benefit of the service they receive from Free to Be.
Information held about young people and their families by Free to Be includes: name, date of birth, address, next of kin, familial contact details, referrer contact details, medical details, behavioral details, support needs, project attendance, doctor, school & any other involved professional details including Social Care/CAMHS, details of any incidents or safeguarding concerns on our projects, sibling information and consent information. Parents/carers information for during a child’s time with Free to Be includes: name, signature (to demonstrate consent), contact details inc address, any language or other communication needs, any relevant familial or wider contextual information relevant to support the child during Free to Be's involvement, indicators of need/risk in order for Free to Be to assess need/eligibility for services and to measure any resultant impact.
Once a child reaches 18, most parts of their record may be removed. We will retain name, date of birth, referring organisation, records of projects attended, records of major decisions, record of any consent provided, any safeguarding concerns, a record of any accidents or incidents. This limited information will be held for a period of 25 years since last project attendance, and will then be deleted.
Volunteer and Staff Specific Privacy Notice:
We gather information and data regarding potential new volunteers or staff via application forms and emails sent to us by the potential volunteer/staff member. We only use this information in order to process their application, and, if appointed, to ensure they access training appropriate to roles they have expressed interest in, and to facilitate their volunteering/employment with Free to Be and their participation in our projects, programmes or services. Should there be any need to share data with a third party (e.g. the Disclosure & Barring Service for the purpose of obtaining a DBS check), specific consent is obtained for this purpose. An exception may be made to this rule only if concerns have been raised around an individual volunteer or staff member posing a risk to young people. As Free to Be has a legal duty to share information with relevant agencies concerned with child protection, in this event only information may be shared with the statutarily responsible agency for investigating such concerns (Local Authority Designated Officer) without the volunteer/staff member's knowledge if informing the volunteer/staff member would potentially expose a young person to risk. Further sharing of data in this scenario, e.g. with Police, Social Care, the DBS or any other relevant agency, would be determined in discussion with the Local Authority Designated Officer and Free to Be would endeavour to inform the individual volunteer/staff member of specific data shared unless advised not to do so via the Local Authority Designated Officer or other relevant authority in the interests of child protection.
Volunteers are considered 'active volunteers' for a period of 2 years after their attendance at initial induction training, or their last Free to Be project, whichever is more recent. Additionally, individuals who have not actively volunteered in the past two years may advise us that they wish to continue to be considered an active volunteer. Staff members are considered 'active' for the duration of their employment contract with Free to Be.
Information held on active volunteers and staff members includes: name, date of birth, address, other contact details, employment/volunteering history inside and outside Free to Be, relevant training details, reference details, next of kin details, relevant medical and support need details where this may impact their role. Free to Be also maintains records of DBS certificate numbers, the outcome of DBS checks, the outcome of references, any safeguarding or other concerns or complaints, including their outcome. These records are held securely and continue to be held for as long as a volunteer or staff member remains active.
For volunteers who apply but do not attend initial induction training and hence never become an active volunteer, all personal information is deleted by the end of the calendar year, after that in which they initially applied.
For job applicants who are not appointed to a role, all details will be held on file for 3 months after the job role is filled, to offer applicants sufficient time to request feedback, after which this data will be deleted.
For volunteers who cease to be 'active' and staff members who cease their employment with Free to Be, we will delete any non-necessary personal information by the end of the calendar year after which the volunteer ceased to be active or the employment contract ends. Free to Be considers it necessary and proportionate to retain only: name of volunteer/staff member, date of birth, relevant training details, projects/services volunteered/worked upon, records of any safeguarding issue, concern or other complaint, DBS certificate number and related information, reference outcomes and related information. This limited information will be held for a period of 25 years.
Donor Specific Privacy Notice:
When individuals make a donation to Free to Be, we only use the information they supply us to process their donation and to monitor donor statistics. If we are given specific consent to do so, we share relevant details with HMRC to process Gift Aid. Free to Be aims to secure the majority of its individual donations through online platforms e.g. MyDonate, where consent for sharing of information is managed via the platform provider and where Free to Be has no access to anydonor details not actively shared with us by both the donor and the platform. Free to Be does not share donor information with any third party without specific consent, unless required to via the Courts or other legal process.
Donors are invited to self-register to receive supporter newsletters but no additional mail or correspondence is entered into with donors who do not select to receive newsletters, save a one-off thank you correspondence.
We may retain anonymised statistical information about donations to help inform our fundraising activities and financial planning, but no individuals will be identifiable from that data.
Queries or concerns:
If you have any queries or concerns about this policy or any aspect of your personal information please contact Free to Be's Data Protection Manager at email@example.com or telephone 0203 778 0323.