General Privacy Policy
Updated November 2020
We are The Warren House Group at Dartington (‘WHG’) trading as the Dartington Service Design Lab (‘Lab’) and this incorporates the Centre for Social Policy (‘CSP’). For the purposes of data protection law, we are a data controller.
Your privacy is important to the WHG. This data protection policy provides information about the different types of personal information that we collect and the ways in which we use it. We process data in different ways depending upon our purpose. For example, if you are a supporter, we will process your data differently from that of a child who is part of a dataset concerning our research work. If in doubt, please feel free to check by contacting us using the contact details included at Clause 17.
As well as this general privacy notice, we will soon also be producing a version for members of the public or organisations that are invited to take part in any of our social and policy research activities.
1. When do we collect personal information about you?
We may hold information relating to you from a number of sources, and will collect personal information about you:
1.1. When you give it to us directly;
For example, personal information that you submit through our websites (www.dartington.org.uk, and http://www.centreforsocialpolicy.org.uk), by signing up to our blog or email newsletter, or contacting us to make a donation, or any personal data that you share with us when you communicate with us by email, phone or post;
1.2. When we obtain it indirectly;
Your personal information may be shared with us by third parties, including our business partners, our sub-contractors in technical and payment services, advertising networks, research providers and search information providers;
1.3. When it is substantially in the public domain;
Your personal data may be available to us from external publicly available sources which we may process when we have a legal obligation;
1.4. When you visit our website;
The WHG uses cookies to improve your experience on our website. Please refer to our cookies policy for details on the way our use of cookies may affect your personal data.
2. What personal information do we use?
We may collect, store and otherwise process the following kinds of personal information:
2.1. Your name and contact details, including email address, postal address, telephone number, and social media identity;
2.2. Information about our services which you use, such as the Lab or CSP events and meetings with WHG representatives that you have attended and your communication preferences;
2.3. Information about your computer/ mobile device and your visits to and use of this website, including, for example, your IP address and geographical location; and;
2.4. Any other personal information which you choose to share with us as per Clause 1.
3. Special categories of data
The UK GDPR (The Data Protection, Privacy and Electronic Communications Regulation 2019 which replaces the EU legislation) recognises certain categories of personal information as sensitive, and therefore requiring more protection. These categories of data include information about things such as your health, ethnicity, attitudes, political opinions and an individual’s sexuality. In certain situations, we may collect and/or use special categories of data (for example in order to make adjustments for any disabilities or dietary requirements you may have when attending our events). This is particularly common in our research activities (see our Research Privacy Notice for further details). We will only process these special categories of data if there is a valid reason for doing so and where the GDPR allows us to do so. For instance, by seeking your explicit consent to use such data, or via some other lawful purpose, as defined by GDPR (see this linkon the Information Commissioner’s Office website; and what are most commonly relevant to us in Section 3 below).
4. Lawful processing
We are required to have one or more lawful grounds to collect and use the personal information that we have outlined above. We consider the grounds listed below to be relevant:
4.1. Consent and explicit consent;
Where you have provided your consent for our use of your personal information in a certain way, for example, where we ask for your consent to send you our newsletter or to participate in research.
4.2. Legal obligation
Where the processing of your personal information is necessary for us to comply with a legal obligation to which we are subject, for example, where we have to share your personal information with regulatory bodies which govern our work;
4.3. Contractual relationship
Where it is necessary for us to process your personal information in order to perform a contract to which you are a party (or to take steps at your request prior to entering a contract), for example, where you are a client or provide associate consulting services;
4.4. Legitimate interests
Where applicable law allows us to collect and use personal information on the condition that to do so is reasonably necessary for our legitimate interests (and the use of your personal information is fair, balanced, and does not unduly impact your rights). We may rely on this ground to process your personal information when we believe that it is more practical or appropriate than asking for your consent. For instance, we rely on the legitimate interest ground to process your personal data:
4.4.1. in order to protect the security of our networks e.g. when we receive external emails, we will scan such emails for any threats;
4.4.2. To retain a library of photographs that reflect the history of our organisations and the events we organise;
4.4.3. To retain some data such as those that attend our events;
4.4.4. Some of our research and the outcome of such research may be conducted and retained in our interests;
5. How we use your personal information
Once you choose to provide us with personal information, we will make reasonable efforts to ensure that your personal information is only used for the purposes specified in this data protection policy. We will ensure that all of the information we are obliged to share in accordance with article 13 and 14 of the UK GDPR is made available in good time.
We may use your personal information:
5.1. to provide you with services, products or information that you have requested;
5.2. to provide updates about our work, services, activities, publications or products (where necessary, and only where you have provided your consent to receive such information);
5.3. to invite you to Lab and CSP events which we feel that you might be interested in;
5.4. to answer your questions/ requests and communicate with you in general;
5.5. to further our charitable aim in general, including asking for volunteer support;
5.6. to analyse and improve our work, services, activities, products or information (including our website) or for our internal records;
5.7. to audit and/ or administer our accounts;
5.8. to satisfy legal obligations which are binding on us, for example in relation to regulatory, government and/ or law enforcement bodies with whom we may work, or due diligence checks before accepting major donations;
5.9. for the prevention of fraud or misuse of service and for the establishment, defence of enforcement of legal claims.
6. Research
We may analyse your personal information to create a record of your interests and preferences to help us manage our records efficiently and effectively. This allows us to ensure that communications (e.g. by post, telephone, email, text or social media) are appropriate and to generally provide you with an improved user experience.
If you would prefer us not to use your personal information in this way, please let us know by using the contact details included at Clause 17.
We also undertake social science research as a core aspect of our work. Research participants (or potential participants) may see our research-oriented version of this privacy statement here: www.dartington.org.uk/privacy_research).
7. Do we share your personal information?
We will not sell, rent or lease your personal information to others. However, we may disclose your personal information to selected third party processors (such as partners, sub-grantees or sub-contractors) for the purposes outlined at Clause 4.The third party in question will be obligated to use any personal data they receive in accordance with our instructions.
In particular, we reserve the right to disclose your personal information to third parties:
7.1. in the event that we buy or sell any business or assets, in which case we will disclose your personal information to the prospective buyer or seller or such business or assets;
7.2. if substantially all of our assets are acquired by a third party, personal information held by us may be one of the transferred assets;
7.3. if we are under any legal or regulatory obligation to do so; and
7.4. in connection with any legal proceedings or prospective legal proceedings, in order to establish, exercise or defend our legal rights.
8. International Data Transfers
As we sometimes use third parties to process personal information, it is possible that personal information we collect from you will be transferred to and stored in a location outside the UK or the European Economic Area (“EEA”).
Please note that certain countries outside of the UK or EEA have a lower standard of protection for personal information, including lower security protections. Where your personal information is transferred, stored, and/or otherwise processed outside the UK or EEA in a country which does not offer an equivalent standard of protection to the UK or EEA, we will take all reasonable steps necessary (including entering into standard contractual clauses to protect your personal information or relying on the Privacy Shield for transfers to organisations in the US) to ensure that the recipient implements appropriate safeguards designed to protect your personal information. If you have any questions about the transfer of your personal information, please contact us using the details at Clause 17.
9. Securing your personal information
We will take reasonable technical and organisational precautions to prevent the loss, misuse or alteration of your personal information. We will store all the personal information you provide on secure servers.
10. How long do we keep your personal information?
We will generally remove your personal information from our records six years after the date at which it is no longer required unless:
10.1. we are required to hold for longer for legal or regulatory purposes; or
10.2. it is still required in connection with the purpose for which it was collected and/or processed.
However, we will remove your personal information from our records before this date if we become aware that:
10.3. your personal information is no longer required in connection with such purpose(s);
10.4. we are no longer lawfully entitled to process it; or
10.5. you validly exercise one of your right of erasure under Clause 10
11. How we deal with breaches of data protection
When we become aware that there may have been a breach of data protection, we complete a risk assessment lead by our data protection officer. This assists us to establish;
11.1. There a reasonable degree of certainty the breach includes personal information;
11.2. The level and severity of the breach;
11.3. Does the breach include sensitive information such as details about individual’s health;
11.4. Does the breach mean;
11.5. The subject has lost control of their personal information;
11.6. Whether they may be affected economically;
11.7. Whether the breach may cause them distress;
11.8. Are the data subjects concerned potentially vulnerable or at risk;
11.9. Could there be humiliation or discrimination to the individuals concerned?
Having considered the findings of the assessment, we then decide whether the breach should be reported to the information commissioner’s office. If so, this action is led by our data protection officer. If we decide not to report such a breach, we will record the incident and take remedial action to prevent a similar incident in the future. As a rule, we always report incidents concerning sensitive information. If you are concerned about this, please contact the data protection officer.
12. Your rights and preferences
We may contact you by post unless you request otherwise, and by telephone, email, text, social media or other electronic means depending on the communication preferences you have previously indicated. Where we rely on your consent to use your personal information, you have the right to:
12.1. Ask us for confirmation of what personal information we hold about you, and to request a copy of that information. If we are satisfied that you have a legal entitlement to see this personal information, and we are able to confirm your identity, we may provide you with this information;
12.2. Request that we delete the personal information we hold about you, as far as we are legally required to do so;
12.3. Ask that we correct any personal information that we hold about you which you believe to be inaccurate.
12.4. Object to the processing of your personal information where we process on the basis of the legitimate interest ground;
12.5. use the personal information for direct marketing;
12.6. Ask for the provision of your personal information in a machine-readable format to either yourself or a third party, provided that the personal information in question has been provided to us by you, and is being processed by us:
12.7. in reliance on your consent; or
12.8. because it is necessary for the performance of a contract to which you are party; and in either instance, we are processing using automated means.
12.9. Ask for processing of your personal information to be restricted if there is disagreement about its accuracy or legitimate usage.
If you decide you do not want to receive any further emails from the Lab or CSP please tell us and we will remove you from the mailing list. At any point you can request to unsubscribe from the Lab’s mailing list or remove your personal information from the database by contacting us using the details listed at Clause 17.
Please note that where you ask us to delete your personal information, we will maintain a skeleton record comprising your name and organisation to ensure that we do not inadvertently contact you in the future. We may also need to retain some records for statutory purposes.
Please note that you also have the right to lodge a complaint about our handling of your personal data with the Information Commissioner’s Office at www.ico.org.uk/concerns
13. Accountability for data processing.
The GDPR includes a seventh principle detailed in artcle5(2) of the UK GDPR that requires each data controller to be accountable for their processing of personal information. Accountability requires the controller to effectively demonstrate how it is responsible for processing activities such as how it;
13.1. Ensures transparency;
13.2. Has legitimate purposes for processing;
13.3. Processes the minimum of data it requires;
13.4. Keeps data up to date and only processes data that is accurate;
13.5. Only keeps information for as long as is required;
13.6. Developed and maintain a sustainably and appropriate security protocol.
14. Accountability statement
We regularly review our data protection policies, procedures and staff guidance. This helps us to ensure we continue to comply with the law and that our intended processing is both clearly explained, necessary and absolutely transparent. Where we rely on Consent, we ensure it is gathered in accordance with the law. When we rely on other conditions, we consider the Rights of others before we proceed.
We assess the risks we may, from time to time create when processing data to ensure we uphold the Rights and Freedoms of every individual. This is especially true when we process data in a new way.
We only share data where we have a defined purpose to do so and a data sharing agreement is in place. International transfers are safeguarded with Standard Contractual Clauses where necessary.
We keep extensive records of our processing. For example, Activity and Incident logs measure our compliance and help us to identify any weaknesses in our procedures. We actively consider the opinion and advice of others both here, in the EU and beyond. We monitor case law and the guidance of the ICO and the EDPB. We have appointed a Data Protection Officer who is an expert in data protection law and is experienced in the sector in which we work. We positively welcome enquires from the public concerning their personal information.
To ensure we protect personal data we constantly review our security measures, both technical and physical and have instigated appropriate safeguards. This includes regularly training our staff. Access to data is based on the ‘Least Privileged’ principle (POLP).
We have appointed an identifiable ’Accountable person’ to oversee our processing.’ We are registered with the ICO as a data controller and have a clear breach reporting policy.
15. Other websites
The WHG is not responsible for the privacy practices or the content of linked websites. Please review the privacy notices of such websites.
16. Updating this privacy statement
We may update this privacy statement by posting a new version on this website. If we update this privacy statement in a way that significantly changes how we use your personal information, we will use reasonable efforts to bring these changes to your attention where we have your contact details. Otherwise, we would recommend that you periodically review this privacy statement to be aware of any other revisions.
17. If you have any concerns
If an individual has any concerns about how we are using their personal data then we ask that they contact our Data Protection Officer in the first instance (dataprotectionoffcer@dartington.org.uk). However, an individual can contact the Information Commissioner’s Office should they consider this to be necessary, at https://ico.org.uk/concerns/.
18. Contact
If you would like to discuss anything in this privacy notice, please contact:
Data Protection Officer: Brian Warren
Email: dataprotectionofficer@dartington.org.uk