Privacy and data protection policies

Privacy policy

The City of Winchester Trust treats your privacy rights seriously. This privacy policy sets out how we will deal with your ‘personal information’ and applies to all stakeholders (members, employees and volunteers).

When you join you are asked to provide certain information when you complete the Application Form. This includes:

• Name
• Address
• Email address
• Telephone number
• Method of payment

We will also request that you provide consent for us to store and use your data. Your consent is required in order to ensure our compliance with data protection legislation.

We use your data:

• To provide activities and services to you.
• For administration, planning and management of the Trust.
• To monitor, develop and improve the provision of Trust activities.

We will send you messages by email, telephone and/or post, according to how you wish to be contacted, to advise you of our own activities and other activities which Trustees and committee members feel would be of interest to our stakeholders.

We may disclose data about you:

• Internally to Trustees and members of our committees as required to run our activities.
• To HMRC to process Gift Aid claims.

Where we need to share your information to anyone outside the Trust we will inform you as to who the data will be shared with and for what purpose and seek your permission.

We hold your data so that we can provide our services to you. Your data will not be stored for longer than is required to meet the needs of your stakeholdership.

To ensure the data we hold is accurate and up to date, stakeholders need to inform us about any changes to their data. You can do this by contacting the Trust Secretary by email or telephone at any time. Contact details are in every issue of our quarterly newsletter, TrustNews, and on our website.

Should you wish to view the data that we hold on you, you can make a request by contacting the Trust Secretary. We will usually respond within 14 days of the request being made.

We have in place security safeguards to protect your data against loss or theft, as well as unauthorised access. Your membership data is held on a database which is only accessed by the Trust Secretary or authorised Trustees.

This policy can be requested in paper form from or by phoning the Trust on 01962 851664 or from the Heritage Centre, 32 Upper Brook Street, Winchester SO23 8DG. If we make any material changes we will make members aware of this via our newsletter, TrustNews.

If you have any queries about this policy, or have any complaints about our privacy practices, please contact the Trust Secretary by email, telephone or in writing.

data protection policy

This policy applies to the running of the City of Winchester Trust. The policy sets out the requirements that we have for gathering data from stakeholders (members, employees and volunteers). The policy details how data will be gathered, stored and managed in line with the General Data Protection Regulation (GDPR). The policy is reviewed on a regular basis to ensure that we are compliant. This policy should be read in tandem with our Privacy Policy.

This data protection policy ensures that we:

• Comply with data protection law and follow good practice.
• Protect the rights of members and partners.
• Are open about how we store and process stakeholders’ data.
• Protect ourselves from the risks of a data breach.

General guidelines

• Access to data covered by this policy will be limited to those who need to contact or provide a service to our stakeholders.
• We will provide training to employees, Trustees and committee members to help them understand their responsibilities when handling personal data.
• We will keep all data secure, by taking sensible precautions and following the guidelines below.
• Strong passwords will be used for computerised data records and they will be never be shared outside authorised employees and Trustees. Paper records are kept under lock and key.
• Data will not be shared outside the Trust unless with prior consent and/or for specific and agreed reasons.
• We will request help from the Information Commissioners Office if we are unsure about any aspect of data protection.

Data protection principles

The General Data Protection Regulation identifies 8 data protection principles.

Principle 1 - Personal data shall be processed lawfully, fairly and in a transparent manner.

Principle 2 - Personal data can only be collected for specified, explicit and legitimate purposes and will not be further processed in a manner that is incompatible with those purposes.

Principle 3 - The collection of personal data must be adequate, relevant and limited to what is necessary.

Principle 4 – Personal data held should be accurate and, where necessary, kept up to date. Every reasonable step must be taken to ensure that personal data is correct and any inaccurate data is erased or rectified without delay.

Principle 5 – Personal data which is kept in a form which permits identification of individuals shall not be kept for longer than is necessary.

Principle 6 - Personal data must be processed in accordance with the individuals’ rights.

Principle 7 - Personal data must be processed in a manner that ensures appropriate security of the personal data against accidental loss, destruction or damage, using appropriate technical or organisational measures.

Principle 8 - Personal data cannot be transferred to a country unless that country ensures an adequate level of protection for the rights of individuals in relation to the processing of personal data.

We request data from stakeholders so we can contact them about their involvement with the Trust. The forms used to request data contain a privacy statement as to why information is being requested and what it will be used for. Stakeholders are asked to provide consent for their data to be held, and a record of this consent and their data is held securely. Stakeholders can, at any time, remove their consent by contacting the Trust Secretary. Once a stakeholder requests not to be contacted using a particular method, this will be acted upon promptly and confirmed with them.

Processes for specified, explicit and legitimate purposes

Stakeholders will be told what we use their data for. Appropriate use of stakeholder data includes:

• Contacting stakeholders about Trust events and activities.
• Contacting stakeholders about their membership/employment/volunteering and/or their Consent.
• Contacting stakeholders about specific issues that may have arisen during the course of their membership/employment/volunteering.
• Occasionally we will send to stakeholders details of activities of other organisations that the Trust thinks will be of interest.

We will ensure that use of stakeholders' data does not infringe their rights, which include:

• The right to be informed.
• The right of access.
• The right to rectification.
• The right to erasure.
• The right to restrict processing.
• The right to data portability.
• The right to object.

We will only keep data that is relevant for membership/employment/volunteering purposes. This includes:

• Name
• Postal address
• Email address
• Telephone number
• Method of payment and donations
• Consent methods
• Personal information such as National Insurance numbers and tax codes (for employees only)

Where a stakeholders' data needs to be shared with a statutory authority then consent does not have to be sought from the stakeholder.

We have a responsibility to ensure stakeholders' data is kept up to date. Stakeholders will be asked to let the Trust Secretary know if any of their data changes.

We will ensure that we are compliant with data protection requirements and can prove it. Stakeholders are asked to provide consent which will be securely held as evidence of compliance. We will also stay up to date with guidance and the practice of the GDPR and will seek additional input from the Information Commissioners Office should any uncertainties arise. We will review data protection and what data is held and who has access to it on a regular basis.

The Council of Trustees has contracted for services from the following external service providers:

• Website services
• The printer of our newsletter, TrustNews, and our Annual Report & Accounts.
• A bulk email service

The Council of Trustees has scrutinised their Terms and Conditions and judges that they are GDPR compliant. In the first two cases no stakeholder data is provided. The bulk email service receives a list of email addresses only.

Stakeholders can request access to the data we hold on them by contacting the Trust Secretary and we will normally deal with a request within 14 days. A record will be kept of the date of the request and the date of the response.

Where a data breach has occurred action will be taken to minimise the harm. We will seek to rectify the cause of the breach as soon as possible. We will contact the Information Commissioners Office within 72 hours of the breach being reported. We will contact the relevant stakeholders to inform them of the data breach and the actions taken to resolve it.

If a stakeholder contacts us feeling that there has been a breach, he/she will be asked to produce an email or a letter detailing their concern. We will then investigate the breach. The stakeholder will also be informed that he/she can report their concerns to the Information Commissioners Office. Breach matters will be subject to a full investigation, records will be kept and all those involved notified of the outcome.

Data management policy

The Trust collects data from new Members when they join using either an application form, which includes a Consent section, a Gift Aid form and a Standing Order mandate, or online using an online form.

The data is recorded from the forms into a database of Members held by the Trust Secretary. This consists of:

Title, first name, surname, address, post code, telephone number, email address, joining date, Gift Aid date, type of member (Life, Double Life, Single, Family, Corporate), method of payment, amount paid and consent for the Trust to communicate with the Member via post, telephone or email.

This data is held until a Member leaves the Trust, when it is deleted from the database. At any time a Member can change their data or consents by contacting the Secretary and can also ask for a copy of their data.

Paper Application and Consent forms are held securely as proof of the original Application/Consent meeting GDPR requirements. The data is only used for the following activities:

• To store it securely for membership purposes.
• To communicate with Trust Members.

Standing Order mandates are sent to the Member’s bank. Bank account details are not retained. Gift Aid forms are held by the Secretary and the data is used to reclaim Gift Aid from HMRC.

Some of the data held in the database is extracted and used for the following purposes:

1. To mail hard copies of the Trust newsletter, TrustNews, AGM minutes and the Trust’s Annual Report and Accounts. This mailing is done by Council and Trust members and does not involve data passing to third parties.
2. To email Members using a bulk email service provided by Mail Chimp, whose privacy policy you can read by clicking here. Members can unsubscribe from the list at any time by clicking on the ‘Unsubscribe’ link at the bottom of the emails or by contacting the Trust direct.

Existing members as at May 2018 were asked to confirm their membership data and provide the required consents. This data has been used to update the Membership database and the data has been archived as proof of the consent meeting GDPR requirements. For new members, consent is requested in the membership application form and online joining form and then added to the Membership database and archived as proof of appropriate consent.

Members of the public who subscribe to the Heritage Open Days mailing list on the Winchester Heritage Open Days website are sent a maximum of twelve newsletters per year using Mail Chimp. They can unsubscribe at any time from the mailing list by clicking at the bottom of the email and/or by contacting Winchester Heritage Open Days directly. Winchester Heritage Open Days does not store or download any of the info as it is securely stored and managed using Mail Chimp.

When members of the public book a Winchester Heritage Open Days event, they are sent details of and/or changes to the event. Winchester Heritage Open Days does not store or download any personal information as it is securely managed and stored using the online events company EventBrite. Members of the public can elect not to provide contact details but will then not be notified of any changes or cancellations. Occasionally Winchester Heritage Open Days volunteer event organisers require the names and contact details too - this is to enable them to manage the event and to contact people if the event is cancelled or changed. The information is not used for any other purpose by the volunteer event organiser, and is only shared when strictly necessary. Winchester Heritage Open Days notifies the general public at the time of booking if their data is to be shared with their volunteer event organisers.

The names and contact details of the volunteer event organisers are required so they can be contacted about festival planning arrangements, their event and any associated festival events and activities. Some of this information is shared with the national Heritage Open Days team with the volunteer event organiser’s consent. Their information is stored on Dropbox with access limited to those volunteers who need it to undertake specific tasks.

The names and contact details of Winchester Heritage Open Days volunteers and paid interns are needed so they can be contacted about specific issues relating to work, volunteering experience/internship and any training opportunities and/or festival events and activities. These details are stored securely in the cloud or on password locked phones.