We are committed to inclusiveness and equality of opportunity, and welcome individuals from all backgrounds, irrespective of their ethnicity, gender, sexuality, age, religion, belief and ability.
Rahab is committed to ensuring the privacy and security of your personal data. This policy explains what personal information we collect about you when you come into contact with our organisation and through your interactions with us. It includes information on why and how we collect your personal data, how it is processed and kept safe, as well as your rights as the ‘data subject’ under applicable data protection law. We hope this policy will provide you with the confidence and assurance that we treat your information with care, and are duty bound by law to protect the confidentiality and security of your personal data at all times.
- Lawful / justified under data protection laws
- Fair and transparent
- Limited for its purpose
- Adequate and necessary
- Accurate and proportional
- Not kept longer than needed
- Integrity and confidentiality
In this policy when we refer to “personal data”, we mean information which could directly identify you (for example, your name or ID number) and information which could indirectly identify you, meaning that it could identify you when combined with other information which we hold about you (for example, your gender or date of birth).
Process or processing
“Process” or “processing” means any conceivable use of personal data, including recording, storing, viewing or disclosing personal data.
The Rahab Project Ltd (company number 6820663) is the data controller of your personal data. Data controller means a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed.
Data subject refers to the identifiable natural person whose personal data is processed by the data controller.
We may revise this policy from time to time to reflect changes in our organisation or applicable laws. The revised policy will be effective as of the published date
If you have any questions about your personal data which are not answered by this policy, please contact our Data Protection Officer by emailing firstname.lastname@example.org.
Why we collect your personal data
We collect your personal data to give you the best possible experience when you interact with our organisation, when it is necessary to provide our services and associated functions, and when it is justified by our legitimate interest or our legal obligations. This covers all channels of communication with us, including over the telephone, email, website, social media, by post and in person.
Legislation that protects you
Your personal data is protected under data protection laws, which require us to maintain at all times all appropriate security measures in relation to how we may collect, record, use, retain, process, store, destroy, share and transfer your personal data, and not knowingly do anything or permit anything to be done which might lead to a breach.
What type of personal data we collect
The data we collect will vary depending on the nature of your engagement with us, for example as a client, volunteer, partners, supporter. It may include the following:
- Name and contact data. We may collect your first and last name, email address, postal address, home address and address history, home and mobile telephone numbers and other similar contact data.
- Demographic data. We may collect data about you such as your age, gender, ethnicity, nationality, country and preferred language.
- Content. We may collect additional personal data about you, your situation and circumstances, personal history, interests, contacts and relationships.
- Data from third party sources. We may obtain information from third party sources such as other agencies, organisations, statutory bodies where permitted by law.
- Other information we may collect relating to your use of our services. We may collect additional information from you when we are in contact with you, and you with us, and keep a record of our interaction and communication.
In most cases, the information described above will be provided to us by you because you want to take up services we offer or engage with us. In these instances, giving information to us is therefore your choice and you consent to our lawful processing of personal data as outlined in this policy.
When you are asked to provide personal data you may decline, however this may limit the services we are able to offer to you. You may also withdraw your consent at any time.
Where information is collected on our behalf by a third party, or when you request us to disclose your personal data to other people or organisations, or otherwise agree to disclosures, you will be asked to consent to this. If you choose not to give your consent, or you later remove your consent, this may limit the services we are able to offer to you.
How we use your personal data – the legal basis and purpose
Data protection laws require that, where we process your personal data, we must satisfy at least one prescribed condition for processing. These are set out in data protection law and we rely on a number of different conditions for the activities we carry out.
To provide the services you request / we offer/fulfil our contractual obligations
We process personal data about you as necessary to provide you with the services you request / we offer/fulfil our contractual obligations. Wherever possible we will tailor services to ensure our engagement with you is relevant, useful and timely, and that you receive a seamless, consistent and personalised experience. This may involve combining data that we collect to help us make informed decisions on the necessary steps to take to be able to provide the best response based on the information we have.
We may use your personal data where the benefit of doing this is not outweighed by your interests or fundamental rights or freedoms as the data subject. The law calls this the ‘legitimate interests’ condition for processing.
Where we rely on the legitimate interests condition, or those of other persons and organisations, the reasons for us to do so would include compliance with legal and regulatory requirements, including for activities and associated disclosures relating to the detection, investigation and prevention of crime, good governance, managing and auditing the charity.
To comply with our legal obligations and for the establishment, exercise or defence of legal claims
Like any organisation, we are required to comply with many laws and regulations. We will, where necessary, use our personal data to the extent required to enable us to comply with these requirements and our legal and regulatory obligations. For example, to meet our data protection obligations to verify your identity and ensure your contact details are correct, to resolve any disputes, for the detection, investigation and prevention of crime, to offer priority service for at risk and vulnerable clients such as those where there is a safeguarding concern.
We may use your personal data to stay in contact with you, for example by telephone, email, website, social media, by post and in person.Communication may include providing you with information related to our organisation and services, your use of our services, as part of a joint agreement. On occasion we may send you information or recommendations about other services that could be of interest to you.
You will not be inundated with information. All communication will be carefully screened and selected to match your specific interest and area of engagement with us. Wherever possible we will also personalise our communications with you and contact you by means and at intervals and times agreed with you.
You can manage how we communicate with you or opt out of receiving communications from us at any time by simply contacting us and letting us know.
Evaluation and learning
We may invite you to be involved in / ask for your feedback to help us improve our services. If you accept this invitation we will use the feedback you give us to provide better services and improve our knowledge.
To maintain our records and other administrative functions
Like any organisation, we need to ensure that we maintain comprehensive and uptodate records of our services and activities. We will therefore process the information you provide for record keeping, updates and general administrative purposes.
Monitoring, reporting and analytical purposes
Your personal data may be converted into anonymised statistical or aggregated data that can’t be used to identify you, and then used for management information reporting purposes to helps us understand how our services are used and continually improve our offering.
Complaints and dispute resolution
Whilst we will try and make sure that you are happy with the services we provide, in instances where this is not the case we will use the information we have about you to help us respond as quickly and efficiently as possible to resolve matters for you.
If we use your personal information for any purposes that are not set out in this policy we promise to let you know what we will use it for before we go ahead and use it, and to obtain your consent where appropriate.
How long we keep your personal data for
We will retain your personal data in an identifiable format for as long as is necessary to fulfil the purposes outlined in this policy. This can vary from one data type and piece of information to another, so the amount of time we keep your personal data for can vary significantly.
The criteria we use to determine retention periods include:
- The least amount of time necessary to operate the services we are providing and/or fulfil our legal and regulatory obligations. This is the general rule that establishes the baseline for most data retention periods.
- We may retain personal data for longer periods than is required by law if it is in our legitimate interest and not prohibited by law.
In all cases, our need to use your personal information will be reassessed on a regular basis, and information which is no longer required for any purposes will be disposed of securely.
Who we share your personal data with
Access to your personal data is restricted to those who need to know the information.
- Within the organisation to help manage and provide you with the services you have requested / we offer / to fulfil our legal and regulatory obligations.
- With third parties involved in providing you with the services you have requested / we offer on our behalf and at your direction.
Your personal data may also be shared with third parties (e.g. accessed, transferred, disclosed, preserved)
- for our purposes, for example to support our audit, compliance and corporate governance functions;
- where it is in our legitimate interest to do so, for example, to manage, grow and develop our organisation;
- to comply with a valid legal process or lawful request, including requests from law enforcement or other government agencies or third parties pursuant to a subpoena, a court order or other legal process or requirement;
- if we believe, in our sole discretion, and have a good faith belief that disclosure is necessary or appropriate to protect your vital interests and/or to protect the security and integrity of our services and operations. This includes for the prevention, investigation and management of suspected or actual risk and other harmful acts, violations or illegal activity.
Any third parties with whom we share your personal data are limited by law and by contract in their ability to use your personal data for the specific purposes identified by us.
Save as expressly detailed above, we will never share, sell or rent any of your personal data to any third party without notifying you and/or obtaining your consent. Where you have given your consent for us to use your personal data in a particular way, but later change your mind, you should contact us and we will stop doing so.
Your rights under applicable data protection law
As a ‘data subject’ you have a number of rights in respect of your personal date. These include:
- The right to decline to provide your personal data when it is requested.
- The right to be informed about our processing of your personal data.
- The right to restrict processing of your personal data.
- The right to have your personal data erased.
- The right to request access to and rectification of your personal data.
- The right to move, copy or transfer your personal data.
- The right to complain to the Information Commissioner’s Office. It has enforcement powers and can investigate compliance with data protection law: www.ico.org.uk / Helpline 0303 123 1113.
You can exercise these rights at any time by contacting our Data Protection Officer where applicable (see page 1 for contact details).
Data subject access request
You have the right to find out what information, if any, is held about you. This is known as a data subject access request.
When exercising your right to access a copy of your personal data, please contact us with a description of the information you would like to see. We will provide our response to you without undue delay and within one month of receipt of your request. Please note, however, that in certain circumstances we are not required to provide the information requested. If an exemption applies, we will tell you this when responding to your request.
- We may request that you provide us with information necessary to confirm your identity before responding to any request you make.
- A data subject access request is not designed to deal with general queries that you may have about what information, if any, is held about you. We therefore aim to provide you with the information you require without you having to make a formal request.
- Where requests are manifestly unfounded or excessive, in particular because they are repetitive, we may charge a reasonable fee taking into account the administrative costs of providing the information, or refuse to provide the information. Where we refuse a request, we will explain our reasons for the refusal.
How we protect your personal data
We maintain physical, electronic and procedural safeguards designed to provide reasonable protection against loss, misuse, unauthorised access, disclosure and alteration of your personal data. For example, personal data is stored on computer systems that have limited access and authorisation controls and are in controlled facilities. Written records are stored securely in locked cabinets to prevent unauthorised access, intentional or accidental viewing.Person identifiable data and / or confidential material – either on paper or a computer – are not left unattended and/or where it can be seen by unauthorised persons. When personal data is destroyed it is done so securely i.e. paper records shredded and electronic data deleted from systems.
We protect data obtained from third parties according to the practices described in this statement, plus any additional restrictions imposed by the source of the data.