RTMinds is an online project of RTProjects.
Statement of Policy
In order to operate efficiently RTProjects has to collect and use information about certain people. This may include current, past and prospective trustees, staff, volunteers, beneficiaries, customers, and suppliers. Any personal information will be handled and dealt with properly in its collection, recording and use, whether this be on paper, in computer records or recorded by any other means.
RTProjects regards the lawful and correct treatment of personal data as very important to its work and to maintaining confidence between the charity and those with whom it carries out business. RTProjects will ensure that it treats personal information lawfully, fairly and transparently.
To this end RTProjects fully endorses and adheres to the Principles of Data Protection as set out in the Data Protection Act 2018.
Information we collect
As a member, volunteer or a subscriber of RTProjects (including RTMinds) we are required to hold personal details relating to your association with our service. These details include your name, address and contact details such as email and phone number. You may also choose to provide us with additional personal information relating to your personal circumstances in relation to your contact with our service.
How we collect your information
As a member of RTProjects, a trustee, a staff member (freelance or PAYE) or as a volunteer you will complete an application which contains personal information. We will review this information with you as required by us and as directed by you – i.e. in the event of a change of address or circumstance.
As a subscriber to RTMinds you will complete a sign up form to register and an approval form if you wish to take part in interactive sessions.
Why we need your information and how we use it
Within RTProjects we work within a legal framework to collect, use, and share your information, including:
· MEMBERSHIP - as needed to provide our services, such as when we use your anonymous information to report on funding outcomes, or information to settle disputes, or to provide support in line with our policies relating to referral requirements, studio use and policies such as safeguarding vulnerable adults.
· MARKETING CONTACT - when you have provided your affirmative consent, which you may revoke at any time, such as by signing up for our mailing list and receiving newsletters and information about events and exhibitions.
· ACCOUNTING - if necessary to comply with a legal obligation or court order or in connection with a legal claim, such as retaining information about your purchases or fees if required by tax and charity law.
· LEGITIMATE INTEREST - as necessary for the purpose of our legitimate interests, if those legitimate interests are not overridden by your rights or interests, such as providing and improving our services. We use your information to provide the services you requested and in our legitimate interest to improve our services.
Information Sharing and Disclosure
Security of Information is very important to RTProjects. We will only share your personal information for very limited reasons and in limited circumstances, as follows:
· FUNDERS. We share information with funders as necessary to provide you with our services and comply with our obligations under the terms of financial contracts and agreements. This will usually be in anonymised format as described in the referral and registration forms completed on application. If you have specifically agreed to provide feedback in narrative form this will be agreed and noted separately.
· SERVICE PROVIDERS. We engage certain trusted third parties to perform functions and provide services to our Charity, such as our valued volunteers, our accountants and IT Specialists. We will share your personal information with these third parties, but only to the extent necessary to perform these services.
· COMPLIANCE WITH LAWS. We may collect, use, retain, and share your information if we have a good faith belief that it is reasonably necessary to: (a) respond to legal process or to government requests; (b) enforce our agreements, terms and policies; (c) prevent, investigate, and address fraud and other illegal activity, security, or technical issues; or (d) protect the rights, property, and safety of our members staff, volunteers or others.
As a studio member, volunteer or subscriber to RTProjects you have a number of rights in relation to your personal information. While some of these rights apply generally, certain rights apply only in these limited cases:
· ACCESS. You may have the right to access and receive a copy of the personal information we hold about you by contacting us using the contact information below.
· CHANGE, RESTRICT, DELETE. You may also have rights to change, restrict our use of, or delete your personal information. Except for under exceptional circumstances (like where we are required to store data for legal reasons) we will generally delete your personal information upon request.
· OBJECT. You can object to (i) our processing of some of your information based on our legitimate interests and (ii) receiving marketing messages from us after providing your express consent to receive them. In such cases, we will delete your personal information unless there are compelling and legitimate grounds to continue using that information or if it is needed for legal reasons.
· COMPLAIN. If you wish to raise a concern about our use of your information (and without prejudice to any other rights you may have), you have the right to do so with your local data protection authority.
The Principles of Data Protection
The Act stipulates that anyone processing personal data must comply with seven key Principles. These Principles are legally enforceable.
The Principles require that personal data:
1. Be processed lawfully, fairly and in a transparent manner in relation to the data subject (‘Lawfulness, Fairness. Transparency’)
2. Be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (‘Purpose Limitation’)
3. Be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘Data Minimisation’)
4. Be accurate and, where necessary, kept up to date and every reasonable step taken to ensure that inaccurate personal data is erased or rectified without delay (‘Accuracy’)
5. Be kept in a form for no longer than is necessary for the purposes for which the personal data are processed (‘Storage Limitation’)
6. Be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage (‘Integrity and Confidentiality – Security’)
7. The controller shall be responsible for, and be able to demonstrate compliance with, the other data protection principles. (‘Accountable’)
The Act provides conditions for the processing of any personal data. It also makes a distinction between personal data and special category data.
Personal data is defined as “any information relating to an identified or identifiable natural person”.
Special category data is defined as personal data about an individual:
· ethnic origin;
· political opinions;
· religious or philosophical beliefs;
· trade union membership;
· genetic data;
· biometric data (where this is used for identification purposes);
· health data;
· sex life; or
· sexual orientation.
Handling of Personal/Special Category Data
RTProjects will, through appropriate management and the use of strict criteria and controls:
· Observe fully the laws relating to conditions regarding the fair collection and use of personal data;
· Meet its legal obligations by specifying the purpose for which information is used;
· Collect and process appropriate information only to the extent that is needed to fulfil operational needs or to comply with any legal requirements;
· Ensure that the information used is correct;
· Apply strict procedures and checks to determine the length of time information is held;
· Take appropriate technical and organisational security measures to safeguard personal data;
· Ensure that personal data is not transferred abroad without suitable safeguards;
· Ensure that the rights of people about who the information is held can be fully exercised under the Act.
These include the:
· right to be informed
· right of access
· right to rectification
· right to erasure
· right to restrict processing
· right to data portability
· right to object
· rights in relation to automated decision making and profiling.
In addition, RTProjects will ensure that:
· There is someone with specific responsibility for data protection in RTProjects;
· Everyone managing and handling personal data understands that they are contractually responsible for following good data protection practice;
· Everyone managing and handling personal data is appropriately trained to do so;
· Everyone managing and handling personal data is appropriately supervised;
· Anyone wanting to make enquiries about handling personal data, whether a trustee, member of staff, volunteer or a member of the public, knows what to do;
· Queries about handling personal data are promptly and courteously dealt with;
· Methods of handling personal data are regularly assessed and evaluated;
· Performance in handling personal data is regularly assessed and evaluated;
· Data sharing is carried out under a written agreement, setting out the scope and limits of the sharing. Any disclosure of personal data will be in compliance with approved procedures.
All trustees, staff and volunteers will take steps to ensure that personal data is kept secure at all times against unauthorised or unlawful loss or disclosure in line with its Information Security Policy.
All contractors, consultants, partners or other agents of RTProjects must:
· Ensure that they and all of their staff who have access to personal data held or processed for or on behalf of RTProjects, are aware of this policy and are fully trained in and are aware of their duties and responsibilities under the Act. Any breach of any provision of the Act will be deemed as being a breach of any contract between RTProjects and that individual, company, partner or firm.
· Allow data protection audits of data held on its behalf (if requested);
· Indemnify RTProjects against any prosecutions, claims, proceedings, actions or payments of compensation or damages, without limitation.
All contractors who are users of personal data supplied by RTProjects will be required to confirm that they will abide by the requirements of the Act with regard to data supplied by RTProjects.
This policy operates alongside the following:
Procedure for Data Protection Breaches