DATA PROTECTION & PRIVACY POLICY
This policy was adopted on: 14th November 2020
Review date: 5th June 2022
SPUD is currently exempt from registering with the ICO as it is a Charitable Incorporated Organisation (CIO).
Even though SPUD is exempt from registering with the ICO we understand that we are required to comply with all other obligations under the Data Protection Act 1998 as listed below.
WHO IS RESPONSIBLE FOR THE INFORMATION?
​
SPUD is responsible for information and also owns the website and it is maintained by SPUD. We collect website usage information through using cookies. Our website uses cookies to distinguish our users from other users of our website. This helps us to provide our users with a good experience when browsing our website and also allows us to improve our site.
WHAT INFORMATION DO WE COLLECT?
​
Spud is responsible for the collection and proper management of any personal information customers, sub-contractors, agents, volunteers and relevant others submit. We will keep personal details secure and use the information provided consistently with applicable privacy and data protection laws and the terms of this Policy.
HOW DO WE USE THIS INFORMATION?
​
The information provided may be used in a number of ways, for example:
​
-
to enable us to keep accurate records of how many individuals, organisations and businesses have shown an interest in SPUD through website/email/social media
-
how many individuals, organisations, businesses have received services, or engaged in person or on-line as individuals or through a business or not-for-profit organisation
-
to understand the geographical areas in which SPUD has had a presence
-
to provide the information, products and services requested and honour any contract
-
for statistical purposes when we evaluate our range and impact of services
-
to personalise repeat visits to our website
-
to inform of other products and services that may be of interest (see section 5 below)
-
to manage customer service queries
We will ensure personal information is only used for “fair and lawful” purposes consistent with the individual’s reasonable expectations about what may happen to their details; “Fair and lawful” purposes include where the use of the information:
-
is necessary to fulfil a legitimate business activity which does not harm the individual concerned – for example where necessary to provide services to the individual;
-
is necessary to comply with a specific legal responsibility – for example, to notify the tax authorities; or
-
has been specifically authorised by the individual – for example where they ask for their details to be passed to another person
If we engage a third party organisation to process personal information on our behalf (for example using external providers to provide payroll services) we will:
​
-
carry out a security risk assessment to ensure we are confident the third party can keep it safe.
-
enter into an appropriate contract with the third party before sharing personal information with them to keep personal information safe and secure;
-
ensure personal information is held within a secure IT system;
-
ensure any personal information held on laptops, mobile devices and removable data (e.g. USB sticks/ discs) are held in encrypted format;
-
limit access to personal information held within our organisation to those who will need to access it in order to perform their role;
-
ensure all personal information is disposed of in a secure manner once it is no longer needed.
-
not leave personal data insecure in any way, whether it is physical files or information held electronically
We will not hold personal information about people when it is unnecessary.
​
We will try to use anonymised personal data where this is possible (e.g. for statistical analysis).
​
We will not send personal data outside the European Economic Area without taking action to ensure this can be justified under the DPA.
​
We will not use personal information for a different purpose than that for which it was originally obtained unless it is fair to do so in the circumstances.
​
We will take care to ensure personal information is kept accurate and up to date.
​
We will allow individuals the right to access a copy of personal information held about them if they ask for it.
​
We will allow individuals the right to opt out from any direct marketing activity we may want to undertake.
​
We will be particularly careful when handling sensitive personal data concerning;
-
race or ethnic origin, sexual orientation, political opinion, religious belief, trade union membership, mental/physical health
​
We are committed to reviewing our policy regularly.