Udny Community Trust Company Limited
About Udny Community Trust Company Limited
Udny Community Trust Company Limited takes its responsibility as an organisation working in and for the community of Udny seriously. We aim to work in ways that give our members and the wider community confidence in us. That includes how we deal with any personal data that we collect and process.
We try to collect as little personal data as possible but there are situations where we must collect personal data to meet a legal requirement or because it is in our legitimate interests to do so.
Whenever we collect personal data we will try and make sure that people can understand what we are collecting and why. Normally this means there will be a privacy notice, and, in some cases, we will ask for written permission.
It is important to us that people have reasonable expectations of what we will do with personal data, not just because it is the law, but because Udny Community Trust is part of the local community and we want to do the right thing in the right way.
Why are we providing you with this information?
The General Data Protection Regulation (GDPR) means that from 25th May 2018 individuals have new rights about the control and use of their personal data. You can find out more about this from the Information Commissioner’s Office website: www.ico.org.uk
If you are unhappy about how we deal with your personal data, you have the right to complain to the Information Commissioner’s Office.
What is personal data?
Personal data is information that could identify a living person, either because it is unique to them (like a National Insurance Number) or because pieces of information like a name, address and email, taken together, could identify a unique individual.
Photographs can be personal data if you can identify an individual from them; normally this means you can clearly see a person’s face.
What about sensitive personal data?
We do not normally collect or store sensitive personal data (such as information relating to health, beliefs or political affiliation).
If you come to work or volunteer with us, then we may collect extra information about you (e.g. references, criminal record checks, details of emergency contacts, medical conditions, etc.). We would discuss this with you at the time and provide you with a privacy notice, so that you can understand what we need to collect and why.
Sensitive personal data (GDPR calls this Special Category Data) includes any of the following: racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health or data concerning a natural person's sex life or sexual orientation.
What is UCTC’s legal basis for processing data?
The Data Protection law means that we must have a legal basis for collecting and processing personal data. As mentioned above, we only collect personal data if we must or have a legitimate need to.
The reasons that apply to UCTC are as follows:
Legal obligation. This applies to our members. We are required by the Companies Act 2006 and by the Charities and Trustee Investment (Scotland) Act 2005 to collect personal data about our individual members.
Contract. This applies to staff, grant applicants including personal data, and to volunteers with volunteer agreements.
Consent. This applies mainly when we take photographs in which people can be individually identified. It would not, though, apply at public events where it would be reasonable to expect that photographs would be taken (by others as well as by us). An example of this would be the Udny Gala that we organised in 2018.
Legitimate interest of the organisation. This applies when we need to process personal data for our legitimate interests (such as the management and administration of our charity and the improvement of our services). We will only use people’s data in ways they would reasonably expect, and which have minimal privacy impact. Examples might include contacting you about a specific new project because we believe it might be of genuine interest to you or because we are gathering community feedback on a specific issue.
What personal data do we collect?
We collect personal data provided on membership forms, grant application forms and at events or projects. Mostly the personal data we collect is text such as names, addresses, phone numbers and email addresses.
Sometimes we collect images (photographs) that can be personal data.
How do we use this information?
We use information in different ways, but the most important way is to be able to contact people. We also use images (which could be personal data) to illustrate our work. UCTC has tried to consider all the ways in which we use personal data and actively tries not to use personal data in ways people would not expect or might find unreasonable. We use data to:
Process member application forms.
Process grant application forms.
Correspond with individuals about membership and UCTC work.
Correspond with individuals about grant applications they have made on behalf of community groups.
Correspond with individuals about projects.
Illustrate our work to partners in reports.
Publicise our projects in the press, locally and on social media.
Keep in touch with our volunteers.
Who do you share and disclose information with?
We will never sell your personal data. We may contact you with information about partner organisations, and this might include services they want to offer you, but these communications will always come from us and where possible will be included in a regular newsletter.
We will never use your personal data to ask you for donations to UCTC or another organisation.
We may share personal data with subcontractors or partner organisations for a specific project but will only do so with your consent.
Otherwise we would only share personal data if we were legally required to.
How do you protect young people?
We take great care to protect and respect the rights of individuals in relation to their personal data, especially in the case of children. We will ask for consent from a parent or guardian to process the personal data of a person who is under 16 years old.
This will mainly apply to consent for photographs taken at events but will also apply to the category of Young Membership which was introduced in 2018.
When using photographs, we do not normally publish names and ages of young people. In cases where we would like to publish names and ages of young people we would explain this in the privacy notice and consent form.
How do you protect my data?
We employ a variety of physical and technical measures to keep your data safe and to prevent unauthorised access to, use or disclosure of your personal information.
Electronic data and databases are stored on secure cloud server systems and we control who has access to information (using both physical and electronic means).
We do not collect any personal data through our website.
Where do you store my data and for how long?
UCTC’s operations are based in Scotland and we store our data within the European Union. We use a reputable IT contractor and a cloud-based system which is fully compliant with GDPR rules.
Some organisations that provide services to us may transfer personal data outside of the European Economic Area (EEA), but we’ll only allow them to do so if your personal data is adequately protected and we will always try and keep the personal data processed to a minimum. We will check they are registered with Privacy Shield. Examples include:
We will only use and store information for as long as it is required for the purposes it was collected for and this will be set out in the privacy notice when we collect the personal data, so you know exactly what we will do
What are my rights?
We want to ensure you remain in control of your personal data.
The new GDPR gives you the following rights:
The right to be informed about how we use your personal data.
The right to access your personal data.
The right to obtain a copy of the personal information we hold (this is known as a subject access request).
The right to have your data erased (though this will not apply where it is necessary for us to continue to use the data for a lawful reason).
The right to have inaccurate data rectified.
The right to restrict the processing of your personal data.
The right to object to your data being used for marketing and/or profiling.
Where technically feasible, you have the right to data portability for the personal data you have provided to us and which we have processed.
More information about your rights can be found on the Information Commissioner’s Office (ICO) website.
How do I make a complaint?
If you wish to make a complaint you can follow the regular complaint process. See the separate complaints policy for information (you can find this on our website).
You have the right to make a complaint at any time to the Information Commissioner’s Office, the UK supervising authority for data protection issues. Details of how to do this can be found at the Information Commissioner’s Office (ICO) website.
This policy will be reviewed by the UCTC Board to ensure it remains up to date and compliant with the law.
This document was last reviewed on 24th August 2018.