Privacy Policy
Privacy statement
At Thames Reach we value the support and engagement people have with our charity. From our service users, Trustees, employees, volunteers, donors and campaigners, each person is a valued part of the organisation and the support we provide. We are committed to keeping your data safe and we will be honest about what information we are collecting, why we do this and how we use this.
The purpose of this privacy policy is to set out how Thames Reach obtains, stores and uses your personal information.
Our legal basis
Thames Reach will only process your personal information where we a have a clear legal basis for doing so in accordance with the UK Data Protection Act 2018, which is the UK’s implementation of General Data Protection Regulations (GDPR).
UK GDPR defines six legal bases that can be used to collect and process your data.
- We have obtained your consent.
- We have a contract or agreement with you.
- We have a legal requirement to fulfil.
- We have a vital interest, or are fulfilling the vital interest of an individual.
- We have a legitimate interest for doing so.
- We have a public interest.
Where we have obtained your consent for processing your information, we will keep a record of this and should you wish to withdraw your consent at any time under your UK GDPR rights, we will record this.
Our commitment to you
We value the relationships that we have with our service users and applicants, volunteers, supporters and donors and it is important that respect your data protection rights. The information you provide will be held securely by us and /or our data processers, whether the information is in electronic or physical format.
We will ensure that your personal data is:
- Processed lawfully, fairly and in a transparent manner;
- Collected for specified, explicit and legitimate purposes;
- Adequate, relevant and limited to what is necessary;
- Accurate and current;
- Kept for no longer than is necessary;
- Processed in a manner that ensures appropriate security of your personal data
Thames Reach is committed to fully complying with the principles of data protection detailed in UK GDPR.
Your data protection rights
Under the data protection law, you have rights including:
- Your right of access – you have the right to ask us for copies of your personal information.
- Your right to rectification – you have the right to ask us to rectify personal information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.
- Your right to erasure – you have the right to ask us to erase your personal information in certain circumstances.
- Your right to restriction of processing – you have the right to ask us to restrict the processing of your personal information in certain circumstances.
- Your right to object to processing – you have the right to object to the processing of your personal data in certain circumstances.
- Your right to data portability – you have the right to ask that we transfer your personal information to another organisation, or to you, in certain circumstances.
You are not required to pay any charge for reasonably exercising your rights. If you make a subject access request, we have one month to respond to you unless your request is complex, in which case we may extend this up to 3 months.
Please contact us at datacontroller@thamesreach.org.uk if you wish to make a request.
Whose data do we collect?
This privacy policy relates to the data we collect from people who:
- use our services,
- visit our website,
- subscribe to our newsletters,
- make a donation,
- apply to work or volunteer with Thames Reach,
- visit our projects or services,
- attend our events,
- or support us in other ways.
How we collect or obtain personal information about you
We collect personal information about you in a number of ways:
- When you interact with us directly
This could be if you ask us about our activities, register with us for an event, make a donation to us, subscribe to our newsletter or other marketing or fundraising communications, access our support services, apply for a job or volunteering opportunity or otherwise provide us with your personal information. This includes when you phone us, visit our website, get in touch through the post, or in person. We will use various platforms to enable this interaction.
- When you interact with us through third parties
This could be if you provide a donation through a third party such as JustGiving or one of the other third parties that we work with and provide your consent for your personal information to be shared with us.
- When you visit our website
We gather general information which might include which pages you visit most often and information is of most interest to you. We may also track which pages you visit when you click on links in emails from us. We use proprietary tools that collect information from and about our website visitors. For example we have enabled Google Analytics Advertising Features which means that Thames Reach collects certain information from and about our website visitors. See ‘Use of cookies’ below for more information. We use technology services to optimise users’ needs and experience, such as Hotjar.
We also use a ‘Meta pixel’ on our websites and on some third-party processor websites to track how Facebook and Instagram users have interacted with our site(s).
We also use ‘cookies’ to help our site run effectively. There are more details in our Cookie Policy.
- When you interact with us through partners or suppliers working on our behalf
This could be if you access a service delivered through a trusted organisation working on our behalf and always under our instruction.
In order to tailor our communications with you to your background and interests we may collect information about you from publicly available sources or through third party subscription services or service providers.
How we use your data
We need to collect certain types of personal data as part of our legitimate business activities but we will only use your personal data as the law allows us to. We will not collect any more personal data from you than we need nor use your personal data for any purpose other than that for which we originally collected it.
Most commonly, we will use your personal data in the following circumstances:
- Where you ask us to do something for you, such as send you information or provide you with a service and we need to use your personal information to do so. This constitutes a contract that we have entered into with you.
- Where we make a decision to use your data for general administrative purposes, for example keeping a record of our communication history or your attendance at one of our events, or confirming receipt of a donation. It is in our legitimate interest to keep accurate records and provide you with a good customer service.
- Where there is a legal requirement to process your personal data, for example, the requirement to keep financial records for a period of six years, this is in compliance with a legal obligation.
- To provide you with information about our services, news and events that we think may interest you. This includes direct marketing. We will do this either where you have given us clear consent, or where we assess it is within our legitimate interest to do so.
- Whenever we send you marketing materials, we will always make clear how you can ask us to stop providing this type of information.
The Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR), sits alongside the General Data Protection Regulations and sets out more-specific privacy rights governing the use of electronic communications.
Building profiles of our supporters and targeting communications
Thames Reach tries to identify the personal preferences of its donors and supporters to help us select the particular type of information that we think will be of interest to you. We may do this by reviewing our previous contact with you. We may conduct automated profiling.
We may analyse the details you have provided to us along with further information about you that we have obtained from public and/or private sources, where it is in our legitimate interest to do so. If we do this we will make sure it is compliant with GDPR. In some instances, we may make use of additional factors such as demographic information.
We may on occasion use third party suppliers to undertake these activities on our behalf and provide them with your information to the extent required, but this will only be done where we have a legitimate legal basis to do so. All of our suppliers are GDPR compliant.
Marketing online
In order to ensure our online advertising is effective and cost efficient, we sometimes share data with Google and social media sites.
Data shared with Facebook, Twitter and Google platforms is used for no other purposes than described above and is not shared with any third parties.
When you apply for a job
Thames Reach will collect and store certain information about you when you apply to work for us. This information will be accessed through the recruitment process. This will be mostly information that you provide but some information will come from third parties.
We process the personal data you provide for the purpose of processing your job application and to meet statutory requirements. With your permission, the data you provide may be used to check your right to work, validate references or carry out background checks. We will keep you informed throughout the application process of how we are using your personal data. We will keep the data you provide as long as necessary to complete the application process and to meet statutory requirements.
We collect this information in a variety of ways. For example, through your application form, CV, identity documents such as your driving licence, health and criminal record declaration, from general correspondence with you and through interviews and other assessments.
We seek information from third parties such as previous employers and referees and the Disclosure and Barring Service (DBS). We will only seek this information with your explicit and unambiguous consent.
In some cases, Thames Reach will process data to ensure that it is complying with its Legal Obligations. For example, entitlement to work in the UK and equal opportunities.
Thames Reach has a Legitimate Interest in processing certain data for other purposes, for example safeguarding and general administration. For certain roles within Thames Reach, we will seek a criminal records check from the DBS, we will also keep information following the recruitment process to provide feedback and in case of a dispute.
Some special categories of personal data, such as information about ethnicity, race, is processed for the purposes of equal opportunities monitoring.
Your information will be stored on our People database, which is currently hosted in the UK, and only shared within the People team and the recruitment panel until such time as you are offered a position.
If you become an employee of Thames Reach, we will hold your personal data for the duration of your employment or in compliance with statutory retention periods. If your application is unsuccessful, we will hold your information for six months.
Sharing your data
There are some circumstances where we share your personal data with a third party, for instance, registering you for a challenge event with the event organiser or if a mailing house sends out mailings on our behalf. When we work with other organisations or individuals in this way, we always set up a written contract with them to protect your data. The third parties we work with at no point ‘own’ your data, so you will never hear from them independently and they will always delete your data from their systems when they have completed the task in hand. We always send your data to partner organisations securely, to minimise the risk of it being intercepted by unknown individuals and/or organisations.
Storing your data
The information that you give us via our website when you make a donation or fill out a volunteer application form will be stored on the website, in the UK and EU.
Your personal information will also be stored on a secure supporter database which is hosted in the UK.
If you use Thames Reach services, your personal information will be stored on secure client databases including InForm, which is provided by Salesforce and is hosted in the UK.
Data retention
We will only retain your personal data for as long as is necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting or reporting requirements.
To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure, any legal requirement, the purposes for which we process your personal data and whether we can achieve those purposes through other means.
By law we have to keep basic information about financial transactions for six years, and information relating to Gift Aid claims for six years beyond the last tax year Gift Aid was claimed in.
Keeping your data secure
Thames Reach are committed to ensuring that your information is secure. In order to prevent unauthorised access or disclosure, we have put in place suitable physical, electronic and managerial procedures to safeguard and secure the information we collect about you.
We will notify you and any applicable regulator of a breach where we are legally required to do so.
How to update your information
Service user
If you use one or more of Thames Reach’s services you can update the information we hold about you by talking to one of the team who are working or have worked with you.
Candidate
Candidates can update the information we hold about you by talking to the People team or raising with your hiring manager.
Donors and volunteers
If you are a donor or a volunteer you can update the information we hold about you by informing your usual contact within Thames Reach or by emailing fundraising@thamesreach.org.uk if you are a supporter, and volunteer@thamesreach.org.uk for volunteers.
If you receive our supporter newsletter, you can also update your contact preferences at the bottom of emails we send you.
Your legal rights
Thames Reach recognises that your personal data belongs to you and we would not wish to use it in ways that you wouldn’t want us to. Under the General Data Protection regulations, you can exercise a variety of rights regarding our use of your data:
- You can ask us to tell you what information we hold about you
- You can ask us to correct any incorrect data we have about you.
- You can ask us to delete your data
- You can ask us to provide you with a copy of your data in a common, machine-readable format
- You can object to any processing we do on the basis of legitimate interests
For more information on your rights, please visit: https://ico.org.uk/
Complaints
We welcome, and take seriously, all complaints and feedback about our work. If you make a complaint to us, we will collect and use your information to respond to your concerns.
If your complaint relates to an area of our work where we employ a third-party processor or product provider, we may share your personal information with that third party to investigate your concerns.
We will keep a record of your complaint for seven years from the date that we deem the complaint closed.
Should you wish to talk to us about the information we are holding or how we process your data, please feel free to contact us at datacontroller@thamesreach.org.uk.
If you remain dissatisfied with the way we are processing your data, you have the right to make a complaint to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues).
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Helpline number: 0303 123 1113
ICO website: https://www.ico.org.uk
Changes to this policy
Any changes we may make to this policy in the future will be posted on this website so please check this page occasionally to ensure that you’re happy with any changes. If we make any significant changes, we’ll make this clear on this website.
November 2023