Policy written & approved by Directors May 2018
YorSpace confidentiality and data protection policy
YorSpace works to maintain standards of confidentiality and data protection in relation to personal information and / or detailed information about YorSpace's work or activities.
There are two current Acts / regulations and three pending introduction that primarily regulate YorSpace and data protection.
These are:
- Data Protection Act (DPA) 1998
- Privacy and Electronic Communications (EC Directive) Regulations (PECR) 2003
- Data Protection Bill -- currently before parliament
- General Data Protection Regulation (GDPR) 2018
- ePrivacy regulations 2018
YorSpace's policy is to comply with the latest data protection regulations and law and best practice. In addition it requires potential employees, volunteers and third party suppliers to cooperate with YorSpace in order to comply.
This policy applies to all volunteer, potential staff, contractors and those working for YorSpace, whether permanent or temporary. It must be read and agreed to before access to any information is provided.
Volunteers, including Directors who have access to Personal Identifying Information or detailed information about YorSpace's work or activities must also read and agree to this policy. This includes the Confidentiality statement form
Volunteers who do not have access to Personal Identifying Information or detailed information about YorSpace's activities must sign and agree to the confidentiality statement, in the likelihood they may come into contact with personal identifying information.
This policy applies to information about identifiable individuals. This applies even where information is technically outside the scope of the Acts or regulations, by not meeting the strict definition of 'data' in the Act or regulation.
YorSpace will:
- comply with both the law and good practice
- respect individuals' rights
- be open and honest with individuals whose data is held
YorSpace recognises that its first priority under the Data Protection Act is to avoid causing harm to individuals. In the main this means:
- keeping information securely in the right hands, and
- keeping good quality information.
The Act also aims to make sure that the legitimate concerns of individuals about the ways in which their data may be used are taken into account.
YorSpace will:
- be open and transparent
- seek to give individuals as much choice as is possible and reasonable over what data is held and how it is used.
The responsibility for observing these standards applies to every Director, volunteer and potential member of staff and any third party allowed access to personal information.
Third parties must comply with the requirements of the Data Protection Act and or GDPR in their handling of such information.
Breaches of this policy by Directors, volunteers and potential members of staff and volunteers may be considered a serious disciplinary matter.
Individuals may also be held criminally liable for knowingly or recklessly disclosing personal data outside of these policies and procedures.
Breaches on the part of third parties will be considered breach of contract.
YorSpace's privacy policy explains how we capture, store and use the personal data of people of our stakeholders. This includes how we meet the legal requirements of the Data Protection Act, GDPR and the Privacy and Electronic Communications Regulations, the Data Protection Bill and the ePrivacy regulations.
Definitions
Personal data means data which relate to a living individual who can be identified -
- from those data, or
- from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller, and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.
Sensitive personal data means personal data consisting of information as to:
- the racial or ethnic origin of the data subject,
- their political opinions,
- their religious beliefs or other beliefs of a similar nature,
- whether they are a member of a trade union (within the meaning of the Trade Union and Labour Relations (Consolidation) Act 1992),
- their physical or mental health or condition,
- their sexual life,
- the commission or alleged commission by them of any offence, or
- any proceedings for any offence committed or alleged to have been committed by them, the disposal of such proceedings or the sentence of any court in such proceedings.
1. Standards - It is the responsibility of every Director, Volunteer and potential employee of YorSpace to make sure we fulfil requests from stakeholders about how they wish to be communicated with. - We must all make sure we only record or use 'sensitive' data such as someone's financial information, if we have explicit permission from them and we have a justified reason/ purpose for asking/holding this information. - Stakeholders' personal information must never be passed to a third party without their permission. The exceptions are for the fulfilment of a service on behalf of YorSpace or as prescribed by Law. - Stakeholders' personal information may be passed to a third party for the fulfilment of a service on behalf of YorSpace. In this case, the person responsible for the service must ensure that a data sharing agreement is put in place that covers: a. What information needs to be shared? b. The organisations that will be involved. c. What you need to tell people about the data sharing and how you will communicate that information. d. Measures to make sure adequate security is in place to protect the data, including how the data will be transmitted between the parties and secure storage. e. What arrangements need to be in place to provide individuals with access to their personal data if they request it? f. The agreed period of time both parties will store the data. g. Processes to make sure data is securely deleted. - Personal Identifying Information about our stakeholders can be passed between working teams , but care should be taken about how this is done and to what purpose. - Passwords for computer / network / software etc should be changed every year and deleted or changed immediately when a Director,volunteer or future employee ceases in their role with YorSpace.. - The loss or theft of any laptop or portable storage media must be reported to the Board of Directors if there is a possible breach of security. - Directors, volunteers and potential employees must not reveal to any person any information about the following (unless it is necessary and proper in the course of their duties): - any information reasonably or specifically considered confidential about the business, practice, dealings or affairs of YorSpace or any of its members, supporters or residents - or any other documents and information about the Society's business which may come to your knowledge by reason of your activities on behalf of the Society. - All individuals about whom we store data have a right to request that information. Any request must be passed immediately to YorSpace's Board of Directors. - Data captured may only be used for the purposes for which consent has been given and no other purpose. 2. Sharing data with third parties - Where, in connection with delivering our services, personal data is shared with any third party then the third party is required to sign the YorSpace confidentiality and data protection policy for third parties. - No amendment to this form can be made without the agreement of the Board of Directors. - These standards and policies are in addition to any requirements of the Data Protection Act / GDPR and do not replace them. 3. Obtaining consent to contact people and promote our services or fundraise. - All consent has to include a decisive affirmative act and active conscious decision (For example; opt in on websites, tick a box on a paper form or give a positive answer to a verbal question). - It is a requirement to retain proof of the consent, such as a copy of the email correspondence/telephone conversation or copy of the web form or paper form. - Consent requests have to be specific, granular, clear, prominent, opt-in, properly documented and easily withdrawn. - Consent that does not meet these requirements will not be used by YorSpace after 25 May 2018. - It must be easy to withdraw consent at any time. - All emails (whether using a marketing list or otherwise) should include an Opt Out link. - We may hold data if you are a person with whom we have professional or business contact with for example in the legal services, planning, highways, housing, environmental or development sectors, local authority elected Councillors and officers, MPs or journalists who works or may work with us, including but not limited to architects, project managers, planning and other consultants, statutory consultees as part of the planning process, local authority officers and government officials. This data allows us to communicate with our professional contacts and keep a record of these communications. We process this data for legitimate business interests, to enable us to carry out the various aspects of our work in residential development for the benefit of the community. 4. Time limits - Current GDPR guidance doesn't explicitly give a time limit for how long consent is valid; it does make it clear that it doesn't last forever. - YorSpace will decide over the next 12 months how long it will consider consent lasts and if varying periods will apply to different types of consent or topics. - At the moment it is expected to be two or three years. - GDPR provides that consent may be withdrawn at any time. 5. Granularity - YorSpace will be granular in what it seeks consent for. 6. How long we keep data - YorSpace is setting data retention standards for all data. - All data held longer than set out in the data retention standards will be deleted or suitably anonymised. 7. Recording consent - The database should be used to record the consent given - The database should record a date stamp for when any part of consent has been added or changed. 8. Sensitive personal data - Sensitive personal data will be stored on the database when specific and informed consent has been given. - This will normally apply in financial cases of potential tenants and residents of our developments. 9. Opportunities to opt out - All communications, whether by email, phone, post or text will give a clear and easy opportunity for people to amend their preferences or opt out from further communication. - The YorSpace email footer should have a permanent link to a web form to change communication preferences. 10. Corporate records (for fundraising/marketing) - When an individual is named on a record they must be closed to contact unless they have provided alternative contact preferences. - When no name is recorded the record can be left open to contact unless someone requests no contact. 13. Privacy policy - YorSpace's privacy policy sets out for those who interact with us how we will use their data. - Whenever the privacy policy is updated a flag (or other method) must highlight on our website that our privacy policy has been updated - A copy of our privacy policy will be permanently available on our website 14. Volunteer groups and working teams - Volunteers within working teams may collect data from those who attend public meetings using approved YorSpace forms or methods. - They can assist people to complete a contact form on YorSpace's website. - If the data is collected on a paper form this information must be passed to the membership working team . No local copy, paper, on a computer or in a mobile phone can be retained. - If a working team needs to send a message to the wider YorSpace membership they should request this via the membership team who will arrange for the communication to be sent. - Working teams will be able to communicate informally between themselves to arrange meetings 15. Media consent and use - When communicating with media, consent will be sought which contains identifiable material of individuals such as: - Photographs - Video footage - Still images taken from video - Sound recordings - Quotes and case studies submitted (spoken or written, including web form submissions)
YorSpace Privacy Statement -- how we use your information
Our privacy statement
This privacy statement tells you what to expect when we collect personal information.
Who are we?
In this policy, whenever you see the words 'we', 'us' or 'our', it refers to YorSpace..
Your acceptance of this policy
By using our websites, social media pages, becoming a member or providing your information you consent to our collection and use of the information you provide in the way(s) set out in this policy. If you do not agree to this policy please do not become a member, use our sites, social media pages or services.
What is personal data?
'Personal data' means any information that identifies a living person. This can include name, address, phone number or email address.
It also covers our use of any personal information you provide to us. This may be by phone, text message (SMS), email, social media, letter and other correspondence, and in person. It can include IP addresses and other technical identifying information.
What is sensitive personal data?
'Sensitive personal data' means information about someone that may include their financial information, age, ethnicity or physical or mental health condition.
Contents:
- People we collect information on
- Why we hold your data
- How we collect data
- Complying with the Data Protection Act
- Marketing communication preferences
- Social media
- Giving your data to other organisations
- Sensitive data
- Use of media and consent
- Your data on our website
- Website hosting
- People who contact us through social media
- Accessing information held about you
- Changing your communication preferences
- Asking for your data to be deleted
- The remit of this policy
- How to contact us
People we collect information on
We need to collect and use your personal data if you contact us for any reason, including if you are a:
- Member of YorSpace
- Member of our online community.
- Supporter
- Someone who contacts with us through social media platforms.
- Volunteer or prospective volunteer.
- Donor or someone fundraising for us.
- Supplier or prospective supplier to YorSpace.
- Journalist, member of the media or someone who publishes or broadcasts to the public.
- MP, other parliamentarian or representative including councillors and council officer.
- Person within the community build/Self build community who works with us. This can include architects, financial professionals, commissioners and officials of government and other similar departments.
- Person from an organisation that wishes to work with us or ask us for support or information (including, but not limited to, charities companies, government and other similar departments).
Why we hold your data
We hold your details to:
- Communicate with you as a supporter and service user.
- Respond to your enquiry or request for information.
- Provide you with the service or membership you have requested.
- Process sales or donations and verify financial transactions.
- Keep a record of any contact we have with you.
- Enable our Resident Selection process, see Allocation Policy for details
- Help you with any problems you may be experiencing with a form or our website. We may also do this if you enter your details onto one of our online forms, and you don't 'send' or 'submit' the form.
How we collect data
We may collect and store information about you whenever you interact with us. For example, when you make a donation, register for an event or submit an enquiry.
We may also receive information about you from third parties for a specific purpose. However, this will only happen if you have given them permission to share your information.
Complying with the Data Protection Act
Data Protection Act principles require YorSpace to process personal data fairly and lawfully. We will offer you choices about the way you are contacted. We will also be clear about how we will use your information. We will make sure that the reason for collecting information is lawful.
We only hold data about you that is enough for our purpose, nothing more.
We work to make sure the data we hold is accurate and up to date.
We only hold personal data as long as necessary. However, we may need to keep personal data from you even if you have requested no further contact. This is so that we can make sure we don't contact you about an activity.
We have systems in place to safeguard your personal data. Access to written and electronic personal data is restricted and has a level of security depending on the sensitivity of the data.
Marketing communication preferences
If you have given us permission to contact you about YorSpace news and information, our work or ways to support us, we will make sure that you can opt out of receiving marketing communications. At the first reasonable opportunity, you will be offered the chance to opt out of hearing from YorSpace. You will be able to say 'no' to contact by mail, telephone, text or email.
If at a later date you complete another form, giving different contact preferences, we will use those you have given most recently.
Every time we contact you in the future we will give you the chance to update your communication preferences.
Social media
We may use your details to contact you with updates and information relating to our events, meetings, fundraising and progress. This depends on your own privacy settings for social media and messaging sites such as Facebook, WhatsApp and Twitter. We will only do this if you have followed us on social media platforms. We may also use your details to promote other activities or events on social media platforms. To control these adverts you should amend your social media platform settings.
Giving your data to other organisations
Unlike some organisations, we will never swap or sell your data to another organisation for them to use for marketing purposes.
Sensitive data
If you join YorSpace as a member and undergo the process required to become a resident we may record the following
- Monthly income, level of savings, age, members of household, any dependent, size of house desired
If you withdraw from the process of becoming a resident this information will be securely deleted. Upon becoming a resident this information may be passed to the resident Mutual Home Ownership Society, with your permission. YorSpace will only keep this information if required, eg by our financial investors or lending institution, to maintain the integrity of an on-going community.
Some of this is classified as "sensitive data" (and is subject to additional Data Protection regulations). We will ask for your explicit consent to record and process sensitive information.
We have legally-backed reasons for collecting sensitive data. It helps us to achieve one or more of our organisations' aims. For example, our lenders require proof of income. . None of this data will be used in a way that could harm you as an individual.
Use of media and consent
- Media consent applies to
- Photographs
- Video footage
- Still images taken from video
- Sound recordings
- Quotes and case studies submitted (spoken or written, including web form submissions)
- It applies whether or not YorSpace took the material, commissioned it or it was submitted by a third party.
- If you give consent to the use of media YorSpace may use it as follows
- on the YorSpace website or other websites
- on social media and video-hosting platforms (for example Twitter, Facebook, Instagram and YouTube)
- in YorSpace information materials, such as leaflets, presentations, posters or fundraising material
- for broadcast and radio interviews
- for written press articles
- Expiry of consent
- Material will only be used, printed or published for as long as consent has been given.
- Consent can be withdrawn at any time in which case every effort will be made to withdraw from use and they will not be used in the future.
- YorSpace will take all reasonable steps to make sure that content used for our web sites, publications and materials is not used by third parties without our permission. However, we cannot guarantee that third parties will always request our consent.
- At some of YorSpace events other photographers not employed or associated with YorSpace may take and distribute photographs etc. These may be journalists, other event attendees or casual passers-by. The use of these images etc are beyond YorSpace control.
Your data on our website
If you use any of the email facilities or forms on any of our sites, we will capture your email address, your name and, where relevant, your postal address. This means we can respond to your request, enquiry or membership application. We will ask if you want to opt in to being contacted in the future by mail, telephone, email or text.
We will use a third party payment provider (PayPal) to process payments. We will not ask you for credit card or other payment details or store any payment details on our systems.
Information is automatically provided on your browsing behaviour through the use of cookies on our sites. This information does not enable us to identify you personally. However, it does allow us to track usage of our sites so that we can improve them.
We may use standard third-party web analytics services (such as Google Analytics) to collect anonymous information about your computer, including your IP address, operating system and browser type. This includes for example the number of users viewing pages on the site, but it does not identify you individually. This means we can monitor and report on the effectiveness of the site and help us improve it. If visitors want to post a comment on our sites, we require visitors to enter a name and email address.
We may temporarily retain any data that you provide on the website even if you do not complete an action. Such data may be used to contact you to enquire if you require any assistance with using the site but for no other purpose.
Website hosting
We use third-party services to host our websites. These sites are hosted at:
- 123-reg.com
Accessing information held about you
YorSpace will assist you if you want to see the information we hold about you. A request should be made in writing, by email, to yorspacehousing@gmail.com. In most cases, we will reply to a request within a month. We may need to extend this period for particularly complex requests.
Incorrect data can be changed or destroyed.
If you have already requested and received this information, there will need to be a reasonable period of time before you can request the information again.
Changing your communication preferences
You can change your communication preferences at any time. You can choose whether we contact you by mail, telephone, email or text message. You can also choose whether or not you receive information on certain activities of YorSpace, such as events, campaigns and developments. Just contact us by email to yorspacehousing@gmail.com or visit yorspace.org.
Asking for your data to be deleted
You can ask YorSpace to stop using your personal data at any time and we will delete your information.. However if you are a member this will mean ending your membership of YorSpace Community Benefit Society.
The remit of this policy
This privacy notice does not cover information gathered on other websites outside our control.
How to contact us
Requests for information about our privacy statement can be emailed: yorspacehousing@gmail.com