We take your privacy extremely seriously and want you to feel confident that your personal information is safe in our hands.
We will only use your personal information in accordance with data protection law applicable to England and Wales from time to time.
Under data protection law, when we use your personal information, we will be acting as a data controller. Essentially, this means that we will be making decisions about how we want to use your personal information and why.
Below, we summarise the main rules that apply to us under data protection law when we use your personal information:
We must be upfront about how we intend to use your personal information and must use your personal information fairly. Providing privacy information to individuals (such as in this privacy notice) is one aspect of using personal information fairly.
We must only use your personal information if we have a legal basis to do so under data protection law. These legal bases include:
- That you have consented to our use of your personal information;
- That we (or someone else) has a legitimate reason for needing to use your personal information and those legitimate interests are not outweighed by your rights or interests. We must balance our respective rights and interests before we can rely upon this legal basis; and
- We need to use your personal information to comply with laws we are subject to.
We must only use certain types of sensitive personal information (such as information relating to your health, racial or ethnic origin or religion) if we can also satisfy one of the conditions for processing this type of information set out in data protection law. These conditions include:
- As a not-for-profit body, it is necessary for us to process your personal data internally, in the course of our legitimate activities;
- That the processing is necessary for reasons of substantial public interest.
- That processing is necessary to protect your vital interests; or
- That you have given us your explicit consent.
We are only permitted to share your personal information with others in certain circumstances and if we take steps to ensure that your personal information will be secure.
Generally speaking, we must only use your personal information for the specific purposes we have told you about. If we want to use your personal information for other purposes, we need to contact you again to tell you about this.
We must not hold more personal information than we need for the purposes we have told you about and must not retain your personal information for longer than is necessary for those purposes (this is known as the “retention period”). We must also dispose of any information that we no longer need securely.
We must ensure that we have appropriate security measures in place to protect your personal information.
We must act in accordance with your rights under data protection law.
We must not transfer your personal information outside the European Economic Area (“EEA”) unless certain safeguards are in place. One such safeguard is that the personal data is only transferred to a country that has been approved by the European Commission as having an acceptable level of data protection law.