Privacy Notice

Introduction

The General Data Protection Regulation (GDPR) forms part of the data protection regime in the UK, together with the new Data Protection Act 2018 (DPA 2018).

To operate efficiently, the Cotswold Canals Trust (CCT) needs to collect and use information about the people with whom we work. This includes our members, volunteers, employees, sponsors and donors, suppliers, customers and other supporters.

CCT regards the lawful and correct treatment of personal information as integral to our purposes and maintaining the confidence of those who support our charity.

Purpose

This privacy notice addresses the individual’s Right to be Informed, which is one of eight individual rights that must be enforced under the GDPR. This privacy notice was last updated in July 2018.

More information on individual’s rights can be found at Individual Rights on the Information Commissioner’s Office (ICO) website and in this notice.

Controller’s contact details

The data controller is the Cotswold Canals Trust (CCT) who is registered with the Information Commissioners Office (ICO), registration number ZA248641. Our address is:

Bell House, Wallbridge Lock
Stroud GL5 3JS.

The principal point of contact about privacy information is the Trust Administrator who may be contacted by email at data.protection@cotswoldcanals.com or phone number 01453 752568. However, all Trustees, volunteers and staff are responsible for the implementation of privacy information procedures.

CCT is not required to appoint a Data Protection Officer (DPO) under the GDPR because we are not a public authority or body and the nature of our processing activities (e.g. small scale, limited range of data items) does not require it. Our Trust Administrator has independence and reports directly to Trustees on data protection matters.

Complaints may also be directed to the Trust Administrator on the same contact details. If the data subject feels that their complaint has not been dealt with satisfactorily, they may contact the Information Commissioner’s Office (ICO) at http://ico.org.uk/concerns or call 0303 123 1113.

How do we get information?

Purposes of the processing

CCT collects data that has been given directly by you to our charity as part of our core activities.
These activities include:

  • Growing our membership base and providing member services
  • Growing our volunteer database and maintaining communications
  • Managing our employees
  • Fundraising
  • Providing news through our website https://cotswoldcanals.com/ or newsletters
  • Operating our Visitor Centres
  • Maintaining our website (including online shopping)
  • Providing services such as private boat charters, presentations, events, bench seat sales, log sales and second‐hand book sales
  • Communicating with the public (e.g. enquiries, suggestions, complaints)

We may also receive personal information indirectly, such as when an employee or volunteer provides the details of an emergency contact or job referee.

Bases for processing

The lawful bases for processing data are consent, contract, legal obligation, vital interests, public tasks or legitimate interests. The basis for much of CCT’s processing is legitimate interests, which applies when we process people’s data in ways they would expect, and which have a minimal privacy impact, or where there is justification for the processing. This includes the use of member names and addresses to distribute CCT’s quarterly magazine, ‘The Trow’, or informing volunteers of work parties by email, for example.

Legitimate interests may include commercial interests, individual interests or broader societal benefits. Legitimate interests may also include marketing activities if the use of data is proportionate and people would be unlikely to object. An example might be the inclusion of a fundraising appeal insert in ‘The Trow’. However, data subjects have the right to object to marketing and CCT will cease processing of their personal data for this purpose if requested.

The other bases that CCT most relies upon for data processing are consent and contract. We will seek consent if we are communicating with non‐members. Persons receiving communications on the basis of consent, may withdraw their consent at any time by contacting our Trust Administrator by email at data.protection@cotswoldcanals.com, phone 01453 752568 or in writing to Cotswold Canals Trust Bell House, Wallbridge Lock Stroud GL5 3JS.

We rely upon the basis of contract for agreements where:

  • Our terms have been offered and accepted;
  • All parties intend them to be legally binding; and
  • There is an element of exchange – such as exchange of goods or services for money (but this
    can be anything of value).

Categories and source of personal data obtained

Most of the personal information we obtain and process is provided directly to us, such as when a new person joins the Trust. This means that we do not obtain data from other sources for most of our information processing. This data usually comprises the person’s name, address and contact details.

Personal data may also be provided directly to us for the following reasons:

  • Request for a boat charter
  • Attendance at an event
  • Registration or profile on our Volunteer Management System
  • Recording of volunteer hours
  • Application for a job or secondment
  • An enquiry about our projects and activities
  • Donations and sponsorship

We will be clear about the use of personal data at the time of collection, either in hard copy or online. In some cases, the use of your personal data may require your consent. You may withdraw your consent at any time by contacting the Trust Administrator.

We may receive personal data from yourself that is about someone else. Examples include emergency contacts and health and safety/incident reports, where the contact details of the affected person/s may be reported. We would seek consent where this is the case.

Children’s information

We do not provide services directly to children or proactively collect their personal information. If we are given information by children, the relevant parts of this notice apply to children as well as adults. For children less than 13 years of age, we recommend they ask a person with parental responsibility to read through this notice with them.

Your data protection rights

Data subjects (e.g. members, volunteers, sponsors, suppliers, employees) have rights under data protection law. These rights are summarised below.

  • The right to be informed: the purpose of this Privacy Notice
  • The right of access: to submit a request in writing or verbally to see a copy of the information we hold. Read the ICO’s guidance here.
  • The right to rectification: to ask us to rectify information that is inaccurate or incomplete. Read the ICO’s guidance here.
  • The right to erasure: to ask us to erase personal information in certain circumstances. Read the ICO’s guidance here.
  • The right to restrict processing: to ask us to restrict the processing of information in certain circumstances. Read the ICO’s guidance here.
  • The right to data portability: to ask that we transfer information from one organisation to another or to the data subject in certain circumstances. Read the ICO’s guidance here.
  • The right to object: to the processing of personal data in some circumstances. Read the ICO’s guidance here.
  • Rights related to automated decision‐making including profiling that has legal or significant effects on the subject. CCT does not undertake this type of processing. Read the ICO’s guidance here.

When we may need to share your information

CCT will not share your information with any third parties for direct marketing purposes. CCT does use data processors, who are third parties that provide services using personal data provided by us.
Examples include:

  • Bookkeeping services related to employee payroll management
  • Provision of a digital platform to manage email campaigns
  • Companies to process debit or credit card payments

We have contracts in place with our data processors, which means that they will only use and disclose your information to the extent necessary to allow them to perform the required services. Data processors must be able to demonstrate compliance with the GDPR and have the necessary precautions in place to preserve the security of personal data. They will not share your personal information with any organisation apart from us and will retain it for the period we instruct.

Our arrangements with digital service providers include agreement with their Terms & Conditions and Privacy Policy. Digital service providers may have offices outside Great Britain and/or the European Union. Only digital service providers that demonstrate compliance with the General Data Protection Regulation (GDPR) of the European Parliament will be used. Recipients of emails through a digital platform may unsubscribe by following the unsubscribe link in the email.

If we are legally obliged to share information, such as under a court order, we´ll make sure we have a lawful basis on which to share the information and document our decision‐making.

How we keep your data

Data retention

CCT assigns data retention periods for each data type, which are no longer than is necessary for the purposes for which the personal data are processed. We keep transactional records (which may include personal information) for longer periods if necessary to meet legal, regulatory, tax or accounting needs. At the end of this retention period category, CCT erases or anonymises information that is no longer needed. Individuals have a right to erasure if CCT no longer needs the data.

However, CCT is a canal restoration group and may wish to keep personal data indefinitely for public interest archiving, scientific or historical research or statistical purposes only (this means that the data cannot later be used for another purpose). These data types will be identified as part of our documentation procedure and appropriate safeguards put in place to protect individuals.

Security

We are committed to doing all that we can to keep your data secure. We have set up systems and processes (physical, managerial and electronic) to prevent unauthorised access or disclosure of personal data and protect against accidental loss, destruction of, or damage to personal data. We also make sure that any third parties that we deal with keep all personal data they process on our behalf secure. CCT will record, and report if necessary, any data breach.

CCT uses a modern email service with encryption technology such as Transport Layer Security (TLS), which is the industry standard, to protect email traffic. Most webmail such as Gmail and Hotmail/Outlook use TLS by default. We’ll also monitor any emails sent to us, including file attachments, for viruses or malicious software. You must ensure that any email you send is within the bounds of the law.

Visitors to our website

The use of our website is governed by our Terms and Conditions. Links to these are available in the footer of our main web page.

Analytics

When a person visits the CCT website, the date and time, their IP address, the browser they are using (e.g. Microsoft Internet Explorer, Google Chrome), the type of operating system (e.g. Windows) and the pages that they visit are recorded in the database. This data powers some statistics on the site, such as which pages are most popular.

Cookies

When you visit any web site, it may store or retrieve information on your browser, mostly in the form of cookies. Cookies are small text files that are used to make websites work or work more efficiently. The information might be about you, your preferences or your device. This information does not usually directly identify you, but it can give a personalised web experience.

Some cookies are essential for the site to work. For example, cookies are used to remember the goods a user wishes to buy when they add goods to their online basket or proceed to the checkout on an internet shopping website.

Cookies may also provide information to the owners of the website such as how visitors use the website (e.g. Universal Analytics (Google)).

You can choose to accept or decline cookies. You can modify your browser setting to decline cookies at any time. To find information relating to browsers, such as Microsoft Internet Explorer and Google Chrome, visit the browser developer’s website. Look for settings/clear browsing data.

Purchasing

CCT uses an online payment gateway (Barclaycard Payment Solutions) for purchases (in person or by telephone) through our Visitor Centres (including boat charters), which is a direct connection to a payment service provided by a company.

Our website uses the payment gateway PayPal (which offers a PayPal Guest Checkout option). Payment gateways such as this have their own privacy policies and terms and conditions.

Purchase information provided to us either directly or via the website is retained for as long as necessary to complete the transaction and/or service and as required for accounting purposes.

Links to other websites

Our website may contain links to other websites of interest. These links include Facebook, Twitter, Instagram and You Tube. This privacy notice does not cover how the organisations of other websites process personal information. Users should read the privacy notices on the websites that they visit.

Social media

The following types of social media are embedded on the CCT website: public Facebook posts from Cotswold Canals Restoration, Tweets from @CotswoldCanals and YouTube videos from the Cotswold Canals YouTube Channel.

Changes to our privacy notice

We review our privacy notice on a regular basis to make sure it is up to date and accurate.

This Privacy Notice was last updated in August 2018.