Greyhound Trust Data Protection Policy
Policy Scope
This policy applies to the processing of personal data by the Greyhound Trust and its subsidiary company, Greyhound Events Limited (for the purposes of this policy, together, ‘the Greyhound Trust’). The Greyhound Trust and Greyhound Events Limited are registered as data controllers with the Information Commissioner’s Office under the EU General Data Protection Regulation.
The policy covers the processing of personal data relating to:
- Trustees, employees, and volunteers who work for and/or represent the trust.
- Individuals within organisations that the trust deals with, such as its suppliers, rescue organisations and authorities, and entities in the greyhound industry
- Donors and supporters
- Those purchasing items from our shop
- Branch and national event participants and attendees
- Visitors to our website who submit information
- People who express an interest in homing or go on to home a greyhound.
- Visitors to the Greyhound Trust’s head office and branches.
Purpose of the policy
The Greyhound Trust’s data protection policy seeks to ensure compliance with the EU General Data Protection Regulation (GDPR) and the Privacy and Electronic Communications Regulations (PECR). It also seeks to drive best practice and ensure the development of respectful, mutually beneficial relationships with all those on whom the Trust relies in order to achieve our charitable objectives.
GDPR builds on existing data protection legislation, whose purpose was to:
- Regulate how information is used by ‘data controllers’ who obtain, hold and process personal data on living individuals
- Provide certain rights to living individuals whose data is held
GDPR enhances the control individuals have over the processing of their own data and places greater emphasis on the documentation that data controllers must keep to demonstrate their accountability.
PECR sets out more specific privacy rights on electronic communications (marketing by electronic means, including marketing calls, texts, emails and faxes).
The Principles of GDPR
Article 5 of GDPR requires that personal data shall be:
(a) processed lawfully, fairly and in a transparent manner in relation to individuals;
(b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals;
(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
Article 5(2) requires that
“the controller shall be responsible for, and be able to demonstrate, compliance with the principles.”
How the Greyhound Trust applies these policies and principles
In order to process personal data fairly and lawfully, in addition to the information provided in this policy, the Trust ensures that at least one of the following conditions is met before processing any personal data:
- The individual has consented to the Trust processing their information
- Processing is necessary for performance of a contract with an individual
- Processing is required under legal obligation (other than one imposed by a contract)
- The processing is necessary to protect vital interests of the individual
- The processing is necessary for administration of justice
- The processing is necessary for the legitimate interests of the Trust or a third party to whom the data are disclosed, and that such processing is not unwarranted because of the prejudicial effects on the rights and freedoms of the individual who is the subject of the data.
How we may use personal information
We will not rent, swap or sell personal information to other organisations for them to use in their own marketing activities.
The legal basis that we rely on for processing personal data will depend upon the circumstances in which it is being collected and used, but will in most cases fall into one of the following categories:
- where consent has been provided to allow us to use your data in a certain way
- where the processing is necessary for the performance of a contract
- where the processing is necessary in order for us to comply with a legal obligation; or
- where it is in our legitimate interests to perform our functions, for example, processing donations or sending administrative communications where our legitimate interest is to raise funds and/or to deliver our charitable purposes
We may use service providers (such as fundraising agencies, direct mailing companies, mobile marketing providers and software platform providers).
We may give relevant persons within these service providers access to personal information, but only to allow them to perform their services for us. Some service providers may be based outside of the European Economic Area (EEA); however, we will endeavour to ensure that any data transfers outside of the EEA are carried out in compliance with relevant data protection legislation and that the processing of your data is subject to appropriate security measures.
We may disclose personal/sensitive personal information when required to by law, for example, to HMRC for tax purposes or to police forces for the prevention or detection of crime. Further, we safeguard the sharing of such information by using formalised information sharing agreements with organisations where appropriate, or on an ad hoc basis after ensuring the request and disclosure are legally compliant.
Data research and accuracy
On occasion we may also use personal information for research purposes so that we can improve our services and better meet the needs of our beneficiaries. This may include us contacting people to see if they would like to become involved in one of our research projects. We also feature case studies on our website and materials about the work that our supporters undertake for us. In both instances we will always obtain prior consent before using data in these ways.
We continually strive to improve the quality and accuracy of the information provided to us, such as contact details, by checking against external data lists such as the Post Office’s National Change of Address database & The National Deceased Register. This helps us ensure our records are fully up-to-date and to avoid mis-directing communications.
Types of Information Processed
The types of information processed and principal purposes of processing are set out below:
- Staff, volunteers and trustees.
  - contact details, including emergency contact details
  - appraisal, supervision and disciplinary records
  - payroll information
  - sickness / absence records
  - bank account details
  - details of any driving licence penalties and criminal offences
  - conflicts or potential conflicts of interest
We collect this and any other information required for staff and volunteer administration, for the management of the charity and to fulfil the Trust’s obligations as an employer and/or as a charity.
- Individuals within other organisations, such as suppliers, rescue organisations and authorities
  - job role and/or title
  - contact details
This data is processed to manage relationships or transactions between the Greyhound Trust and that organisation.
- The Public
We may collect personal information from a member of the public when someone:
- asks about our activities
- registers with us for information
- signs up for publications or newsletters
- volunteers or fundraises for us
- pledges (e.g. a legacy) or makes a donation
- signs up for an event
- homes or fosters a greyhound from us or expresses an interest in homing or fostering
- purchases an item from the online shop or mail order catalogue
- telephones, writes, contacts us online or texts us or otherwise provides us with their personal information.
This can include information such as:
- communication preferences
- email address
- postal address
- IP address
- telephone number (landline)
- mobile number
- date of birth
- bank account details
- greyhound homing data
For donors this data is required in order to process donations, or to know whether someone is a taxpayer to allow us to claim gift aid. In some cases, we may also collect information from publicly available sources (see above, Data Research and Accuracy).
We also need this data when people wish to home a greyhound, along with more information relating to the household where it is proposed that the greyhound will live. This data is processed to deal with any queries relating to homing or proposed homing of a greyhound or for the purposes of ensuring the welfare of the greyhounds.
For branch or national event participants or attendees, people wishing to receive information or publications, volunteers or people wishing to fundraise for us, or people wishing to purchase something from our shop, we need this information to allow us to fulfil the request they have made or to support them in their chosen activities.
Sensitive Personal Data
We do not collect sensitive personal information (see also below) about our supporters unless there is a clear and specific reason for doing so, for example, relating to someone’s health, and even then, only where appropriate - such as participation in a marathon or similar fundraising event, or where we need to ensure that we provide appropriate support to enable someone to participate in an event or support us in some other way.
GDPR defines sensitive personal data as:
- the racial or ethnic origin of the data subject;
- political opinions;
- religious or philosophical beliefs;
- whether s/he is a member of a trade union;
- genetic data
- biometric data
- physical or mental health or condition;
- sexual life or sexual orientation
The Greyhound Trust will only collect and process such data if:
- There is explicit consent of the data subject, unless reliance on consent is prohibited by EU or Member State law
- It is necessary for the carrying out of obligations under employment, social security or social protection law, or a collective agreement
- It is necessary to protect the vital interests of a data subject who is physically or legally incapable of giving consent
- The data has manifestly been made public by the data subject
- It is necessary for the establishment, exercise or defence of legal claims or where courts are acting in their judicial capacity
- It is necessary for reasons of substantial public interest on the basis of Union or Member State law which is proportionate to the aim pursued and which contains appropriate safeguarding measures.
- It is necessary for the purposes of preventative or occupational medicine, for assessing the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or management of health or social care systems and services on the basis of Union or Member State law or a contract with a health professional
- It is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of healthcare and of medicinal products or medical devices
We also process personal data for the purposes of security.
Clear notices will be provided on applications for events and other relevant forms and communications, so it is explicit as to what information we need and why we need it.
Consent and Preferences
The Greyhound Trust uses a consent approach for much of its direct marketing activity that invites supporters from 25th May 2018 to opt in for direct marketing communications at a channel level, with the option to tailor their communication preferences in greater detail in a second stage by visiting an online consent portal or otherwise contacting the charity by phone, email or letter. Where legitimate interest is relied on for certain types of communication, this is recorded as required by GDPR.
A privacy notice appears on our website
The following consent statement will be used at the point of data collection.
We'd love to keep you updated about our work from time to time. This may include news, appeals and fundraising activities, volunteering or homing opportunities, products, raffles or events. Your details will only be used by the Greyhound Trust - we won't share your information with anyone else for use for their own marketing purposes. Please tell us how you would like to hear from us (by ticking these boxes you confirm that you're 18 or over)
Are you happy for us to contact you by:
Mail Email SMS Phone.
You can change your preferences at any time by visiting www.greyhoundtrust.accessconsent.com, calling 0208 335 3016, emailing email@example.com or writing to Greyhound Trust, Wings, Peeks Brook Lane, Horley, Surrey, RH6 9SX
Further information about how we use your personal data can be found at www.greyhoundtrust.org.uk/privacy
In line with the requirements of the EU General Data Protection Regulation, records will be kept of expressed consent and communication preferences.
We will also make it possible for supporters to amend or withdraw their consent to receive certain, or all, types of communication through certain, or all channels and will also make it possible for records to be deleted or anonymised if requested.
Existing donors, supporters, volunteers, homers, fundraisers, users of our shop and other contacts on our database who currently receive information from the Trust will continue to be contacted from time to time by post if they have not opted in to any other form of communication, as permitted by GDPR. Each communication will provide the opportunity to opt in or change contact preferences. However, if these individuals do not opt in to receive post or any other form of contact for a period of 3 years (6 years for those who have homed a dog from us), we will assume that they do not wish to receive further contact and flag them as ‘no contact’ on the database.
Children’s personal information
We are committed to protecting the privacy of young people who want to fundraise for us, attend our events, take part in educational events at schools, enter competitions or engage with us through social media. Our competitions and fundraising events and activities may request specific information about the age of participants. Where appropriate we will seek the consent from a parent, guardian or carer before collecting information about young people under 16.
We place great importance on the safety of vulnerable persons. See a copy of our Vulnerable Persons policy
Storing personal data
The Greyhound Trust will ensure:
- Personal data is securely stored at branch and national levels
- Personal data will only be processed by those personnel who are authorised to do so. Access to electronic customer relationship management systems (databases) as well as any other digital or paper records will be limited to these people and appropriate records of who has such permissions and access rights will be maintained.
- Robust passwords are used when accessing digital personal data
- Wherever possible, encryption is utilised when transporting data
- When required, personal details are properly and confidentially destroyed, such as by shredding, deletion of identifying electronic data or secure destruction of computer equipment or software
- No personal information will be provided to third parties unless the Trust representative is confident that the data is solely that of the enquirer or that there are clear legal grounds for the disclosure of the information
- In the event of any query relating to the processing of personal data or if there is a possibility that personal data could have been lost or accidentally destroyed or disclosed, the Greyhound Trust Data Protection Officer should be contacted immediately.
Disclosures and transfers of personal data
The Greyhound Trust will not share any data with third parties outside of the UK. Data may be shared, where necessary, with professional and trusted suppliers, in particular for the aid of posted or digital communication or in other appropriate circumstances, such as accountants, auditors, IT and merchandise suppliers. The Trust will put in place contracts with such third-party suppliers governing how they take care of the personal data on behalf of the Trust, including if their data is stored on servers outside the UK.
Personal data may also in some circumstances be shared by the Trust with third party organisations such as bona fide animal rehoming organisations and authorities such as local authority dog wardens for the purpose of pet reunification.
The Trust does not transfer personal data outside the EEA to countries that do not provide adequate protection for personal data.
Data profiling and analysis
The Trust may also carry out analysis of the personal information we collect about individuals and add publicly available information to create a profile of interests, preferences and ability to support us, including the amount or level of potential donation or legacy someone may be able to give.
This is so we can contact people in the most appropriate way and with the most relevant information, which enables us to raise funds sooner and more cost-effectively.
This information is compiled from sources such as public registers (e.g. listed Directorships), the electoral roll, newspaper articles and social media posts.
Anyone who does not wish their data to be processed in this way can opt out by contacting firstname.lastname@example.org, calling 0208 335 3016 or writing to Greyhound Trust, Wings, Peeks Brook Lane, Horley, Surrey, RH6 9SX.
Destruction of personal data
Under GDPR personal data must not be held longer than necessary. When the data has been marked as ‘no longer necessary’ all care and appropriate measures should be taken to ensure that it cannot be reconstructed by any third parties.
Individuals’ rights of access
The Greyhound Trust will ensure that individuals can access their personal data held on file, while respecting the need to protect other individuals’ privacy rights.
Under GDPR any individual has a right to be forgotten – having all data removed – from the Trust’s records. The Trust will be able to demonstrate its ability to do this as well as to amend any records promptly to reflect any requested changes in individuals’ communications preferences.
Individuals have a right to ask for a copy of the information that the Greyhound Trust holds about them. Personal data held by us may be viewed by submitting a request to the address below. We will ensure that each data request is handled in accordance with GDPR. Reasonable requests will be responded to without charge within 30 days. Subsequent requests may incur a charge.
If there are any inaccuracies in the individual’s information the Greyhound Trust will correct it upon instruction.
Enquiries should be sent to: Greyhound Trust Data Protection Officer, Greyhound Trust, Wings, Peeks Brook Lane, Horley, Surrey, RH6 9SX or email@example.com
The responsibilities of the Greyhound Trust
The Chair and Trustees of the Trust hold overall accountability for adherence to GDPR and PECR and for ensuring that staff and volunteers are carrying out their responsibilities in relation to them. Employees and volunteers of the Greyhound Trust are expected to:
- Have an understanding of Data Protection principles and the principal requirements of GDPR and PECR.
- Review and have an understanding of the Trust’s data protection policy and fundraising promise
- Understand and implement the Trust’s policy as regards the acquisition, storing, use, processing and destruction of personal data
- Understand and respect the rights and communication preferences of individuals whose data the Trust stores
- Understand what data is sensitive and the appropriate way to store and process it.
The Greyhound Trust will provide training and guidance to its staff and volunteers on the interpretation of and practical compliance with this policy.
In the case of staff, failure to comply with this policy could lead to disciplinary action and could constitute gross misconduct.
This policy will be posted on the Greyhound Trust website. The policy is subject to review and may be amended at any time. Any changes will be posted on the Greyhound Trust website. Version 5 April 2018