Privacy notice - Cyrenians

Who we are

Cyrenians serve those on the edge, working with the homeless and vulnerable to transform their lives by beginning with their story, helping them believe that they can change their lives, and walking with them as they lead their own transformation.

Our clients, volunteers, supporters and employees are important to us, and we're committed to keeping your data safe, making it clear what information we collect from you, and how we use it.

Cyrenians is registered as a data controller with the Information Commissioner’s Office under number Z5986534 and is a Scottish Charitable Incorporated Organisation (SCIO) registered charity number SC011052.

You can change how we contact you at any time, simply by contacting central data management by email at gdpr@cyrenians.scot. As part of our commitment to you, we have appointed a Data Protection Representative and can be contacted via email: admin@cyrenians.scot.

How we use your information

This privacy notice tells you what to expect when Cyrenians collects personal information. It applies to information we collect about:

  • Clients
  • Volunteers
  • Supporters
  • Employees

Clients

Cyrenians is the data controller for the information you provide during the process unless otherwise stated.

When we support you with any of our services personal information collected are not shared with any third parties except if you give us specific consent to do so. We will collect your contact details and preferences, and any other data that is relevant to delivering the service to you. This information will only be used for the purposes of the service and not shared with the rest of Cyrenians unless you give us permission to do so.

We will keep the data for up to six years, in line with contracts and government regulations.

If you accept services from us, your personal records will be held on a secure cloud based application called Lamplight.

Here is a link to their GDPR Security page:

http://www.lamplightdb.co.uk/the-system/gdpr/system-security/

Volunteers

If you enquire about our volunteering opportunities, we will usually collect your name, contact details, contact preferences, ethnicity, gender, availability to volunteer, disability (including physical and mental conditions) and criminal convictions.

We collect this data so that we can contact you about volunteering opportunities that come up, so that we ensure the safety of our volunteers, staff and clients, carry out our awards programme, and to help us anonymously measure our inclusion and accessibility across our volunteering programmes.

If you volunteer with us, we will then collect your emergency contact details in case of an emergency during your time volunteering at Cyrenians, and bank details for paying expenses.

We are required to confirm the identity of our volunteers, their right to work in the United Kingdom and seek assurance as to their trustworthiness, integrity and reliability. You will therefore be required to provide:

  • Proof of your identity – you will be asked to attend one of our offices with original documents, and we will take copies.
  • You will be asked to complete a criminal records declaration to declare any unspent convictions.
  • Depending on the volunteer role, we may contact you to complete an application for a PVG Certificate (Protection of Vulnerable Groups) via Disclosure Scotland, which will verify your declaration to work with such groups and individuals.
  • We will contact your referees directly, using the details you provide in your application, to obtain references.

We will keep this data for three years after you stop volunteering for us. If you volunteer with us, your personal records will be held on a secure cloud based application called Lamplight. Here is a link to their GDPR Security Page:

http://www.lamplightdb.co.uk/the-system/gdpr/system-security/

Supporters

Cyrenians is the data controller for the information you provide during the process unless otherwise stated.

If you support us, for example by signing up to an event, donating, signing up to Gift Aid, or signing up to a campaign, we will usually collect your name, contact details, and whether you would like to be contacted, and how we would do so. We collect this data so we can keep you up to date with information and services you have requested, or may be interested in, and to ask for more support, in the way that you have chosen; to run our events; and to fulfill our legal responsibilities for financial and Gift Aid reporting.  We will keep this data for three years after you stop interacting with us.

If you accept communication from us, your personal records will be held on a secure cloud based application e-Tapestry which is a Donor Management system.

Here is a link to their Privacy Notice:

https://www.blackbaud.com/privacy-policy.aspx

Use of data processors

Data processors are third parties who provide elements of our fundraising service for us. We have contracts in place with our data processors. This means that they cannot do anything with your personal information unless we have instructed them to do it. They will not share your personal information with any organisation apart from us. They will hold it securely and retain it for the period we instruct.

We do use third-party organisations to help us collect donations such as Givergy, Good Thyngs, JustGiving, CAF, Facebook Payments International Limited and WorldPay. We use Eventbrite to arrange supporter events and your email address are shared securely via a secure web portal.

We will keep your data only for as long as necessary. If you have kindly donated to us, we are required to keep this data for seven years. If you have not donated to us, we will only keep your data for three years.

Employees (Job applicants, current and former Cyrenians employees)

Cyrenians is the data controller for the information you provide during the process unless otherwise stated.

We will collect your personal information, banking details and contact details and preferences, to process your job application, pay your salary and leave administration and HMRC PAYE taxation.

This information will only be used for the purposes of the service and not shared with the rest of Cyrenians unless you give us permission to do so. 

We are required to confirm the identity of our staff, their right to work in the United Kingdom and seek assurance as to their trustworthiness, integrity and reliability. You will therefore be required to provide:

  • Proof of your identity – you will be asked to attend our office with original documents, we will take copies.
  • Proof of your qualifications – you will be asked to attend our office with original documents, we will take copies.
  • You will be asked to complete a criminal records declaration to declare any unspent convictions.
  • Depending on your role, we may contact you to complete an application for a PVG Certificate (Protection of Vulnerable Groups) via Disclosure Scotland, which will verify your ability to work with such groups and individuals.
  • We will contact your references, using the details you provide in your application, directly to obtain references

Your personal details and records will be held on a secure cloud based application i-Trent which is a Human Resource Management system. Here is a link to their Privacy Notice: https://www.mhr.co.uk/privacy-policy/

Use of data processors

Data processors are third parties who provide elements of our employee- related services for us. We have contracts in place with our data processors. This means that they cannot do anything with your personal information unless we have instructed them to do it. They will not share your personal information with any organisation apart from us. They will hold it securely and retain it for the period we instruct.

We use a third-party organisation Scottish Council for Voluntary Organisations (SCVO) to process the Cyrenians Payroll, and data is transferred securely and encrypted. Personal data is sent and received using a secure web portal to the following employee benefit administrators: Lothian Pension Fund, Standard Life and Canada Life.

We will keep the data for up to 7 years, in line with contracts and government regulations.

Complaints

Should you wish to register a complaint we will collect your name, contact

details and details about the complaint to enable us to respond, monitor and improve our charity. We will hold this data for three years.

Visitors to our websites

When someone visits www.cyrenians.scot we use a third party service, (Google Analytics), to collect standard internet log information and details of visitor behaviour patterns. We do this to find out things such as the number of visitors to the various parts of the site. This information is only processed in a way which does not identify anyone. We do not make, and do not allow Google to make, any attempt to find out the identities of those visiting our website. If we do want to collect personally identifiable information through our website, we will be up front about this. We will make it clear when we collect personal information and will explain what we intend to do with it.

Search engine

Our website search and decision notice search is powered by WordPress. Search queries and results are logged anonymously to help us improve our website and search functionality. No user-specific data is collected by either Cyrenians or any third party.

E-newsletter

We use a third party provider, MailChimp, a registered trademark of The Rocket Science Group, to deliver our monthly e-newsletters. We gather statistics around email opening and clicks using industry standard technologies including clear gifs to help us monitor and improve our e-newsletter. For more information, please see MailChimp’s privacy notice (https://mailchimp.com/legal/privacy/).

Security and performance

Cyrenians uses a third party service Site Ground to help maintain the security and performance of Cyrenians website. To deliver this service it processes the IP addresses of visitors to Cyrenians website.

Your data and this web site

Certain pages on our web site ask you for personal information - such as contact forms that ask for your name and e-mail address, or application forms that could go into far greater detail.

By supplying these details, you enable us to be more specific in responding to your needs: or to put it simply - 'you are helping us to help you'.

We act in accordance with current legislation and current Internet 'best practice' guidelines:

  • We collect our information fairly, lawfully and for specific requested purposes only
  • Information is only for use within Cyrenians - it will not be released to others without your consent unless we are obliged or permitted by law to disclose it
  • If you send or post offensive (or in any other way inappropriate) material to us, or otherwise engage in disruptive behaviour we can use whatever information is available about you to stop the behaviour. This may involve contacting relevant third parties.

All personal information supplied is held securely - in accordance with the GDPR.

How your data gets to us

Pages which ask for personal information from you are protected using SSL encryption. You can check this by looking for the closed padlock icon in thetoolbar or status bar of your browser. Encryption prevents anyone from looking at data sent between your computer and our servers.

Third Parties that host our Website

We use a third party service, WordPress.com, to publish our website and blogs. These sites are hosted at WordPress.com, which is run by SiteGround. We use a standard WordPress service to collect anonymous information about users' activity on the site, for example the number of users viewing pages on the site, to monitor and report on the effectiveness of the site and help us improve it. WordPress requires visitors that want to post a comment to enter a name and email address. For more information about how WordPress processes data, please see WordPress’ privacy notice. https://wordpress.org/about/privacy/

People who contact us via social media

We manage our own social media interactions. We might also obtain your personal data through your use of social media such as Facebook, YouTube and Twitter, depending on your settings or the privacy policies of these social media and messaging services. To change your settings on these services, please refer to their privacy notices, which will tell you how to do this.

People who email us

We use Transport Layer Security (TLS) to encrypt and protect email traffic in line with government requirements. If your email service does not support TLS, you should be aware that any emails we send or receive may not be protected in transit.

We will also monitor any emails sent to us, including file attachments, for viruses or malicious software. Please be aware that you have a responsibility to ensure that any email you send is within the bounds of the law.

Your rights

Under the GDPR, you have rights as an individual which you can exercise in relation to the information we hold about you.

We will only collect the data that we need to carry out the purposes you have contacted us for, or given us permission to use it for.

To enable us to carry out the purposes you have contacted us for, there will be occasions when we will make some data collection mandatory i.e. your name and address to claim gift aid, or your email address to access our services. If you don’t provide this data, we cannot carry out the purposes you have contacted us for.

We will always tell you why these fields are mandatory.

1. At any time that you wish you can:

2. gain access to your personal information,

3. object to the processing of your personal information,

4. object to the use of automated decision-making and profiling,

5. restrict the processing of your personal information,

6. ask for a copy of your personal data (known as data portability),

7. rectify or correct your personal information, and

8. have your personal information removed (known as Erasure or the ‘right to be forgotten’).

Where you have provided consent to be contacted or to receive a service, you will be entitled to withdraw that consent at any time. If you are at any point unhappy with the way that we handled your personal data, you can make a complaint to the Information Commissioner’s Office.

To make changes to how we contact you, please contact central data management at gdpr@cyrenians.scot. For all other requests please contact the Data Protection Representative at: admin@cyrenians.scot.

Access to personal information

Cyrenians tries to be as open as it can be in terms of giving people access to their personal information. Individuals can find out if we hold any personal information by making a ‘subject access request’ under the GDPR. If we do hold information about you we will:

  • give you a description of it;
  • tell you why we are holding it;
  • tell you who it could be disclosed to; and
  • let you have a copy of the information in an intelligible form.

To make a request to Cyrenians for any personal information we may hold of you, you need to put the request in writing addressing it to our Corporate Services department, or writing to the address provided below.

If you agree, we will try to deal with your request informally, for example by providing you with the specific information you need over the telephone.

If we do hold information about you, you can ask us to correct any mistakes by, once again, contacting the Corporate Services department.

Links to other websites

This privacy notice does not cover the links within this site linking to other websites. We encourage you to read the privacy statements on the other websites you visit.

Changes to this privacy notice

We keep our privacy notice under regular review. This privacy notice was last updated on 25/05/2018.

How to contact us

If you want to request information about our privacy policy you can

Email us at admin@cyrenians.scot

or write to:

Corporate Services dept, Cyrenians, Norton Park, 57 Albion Road, Edinburgh, EH7 5QY