Corporate Privacy Policy

We collect personal information (or ‘personal data’) from those who directly interact with us, such as our:

• Children, young persons and vulnerable adults (current, former and prospective)
• Supporters and/or donors (current and historic)
• Fundraisers/Campaigners
• Event attendees
• Volunteers
• Foster carers (and/or those who make enquiries)
• Job applicants
• Employees (current and former)
• Those who make general enquiries
• Those who use our website
• Those who request access to our records e.g. a genealogy or historical request

We will never ever sell your data to third parties for their own marketing needs.

We aim to collect the minimum personal information we need to carry out a service, as relevant, such as your:

• Name
• Age/date of birth
• Gender
• Contact number(s)
• Email address(es)
• Postal address
• Contact preferences (emails or SMS messages)
• Information for ‘market analysis’ (where appropriate)
• Records of fundraising events you have attended
• Campaigns you have supported
• Our events you have attended
• Financial details (where appropriate such as for donations)
• Historical details relating to your foster or adoptive family (if relevant to you as an individual)
• Record of your contact with us – whether a query, compliment, or complaint

• We use this information, where relevant, to:
• Raise further awareness of St Christopher’s and the work we do
• Help raise further funds to support children and families across our network
• Learn how best to contact you (and what about)
• Keep a record of your support
• Help us with profiling (where relevant)
• Progress applications (employment, volunteering, fostering) or any other enquiries
• To record financial transactions such as payment for foster placements
• Learn how to improve our products and services
• Learn about other audiences who may be interested in supporting the work of St Christopher’s (and the new products, services, and information they may be interested in)
• Verify your identity. When you phone in to our offices, we will need to ask you a series of questions to verify you are who you say you are. The questions will relate to information we hold about you.
• If you visit our head office and request information, you will be asked to provide identification before we can help you. We also require some proof of identification before you are allowed to come into our head office. Sometimes, this is also to ensure we are talking to the right person before releasing any personal information.

Our Privacy and Cookie Policies take into account several laws, including:

• General Data Protection Regulation (EU) 2016/679 (GDPR)
• The Data Protection Act 2018
• The Privacy and Electronic Communications (EC Directive) Regulations 2003
• The Data Protection (Application of GDPR) Order 2018 (“GDPR Order)
• Adapted text of the EU GDPR in the Annex to the GDPR Order (“Applied GDPR”)
• The Data Protection (Application of the LED) Order 2018 (“LED Order”)
• The GDPR and LED Implementing Regulations 2018

Generally, our processing of your personal information as described in this policy is allowed by these laws based on one or more lawful grounds, including:

• Where you have provided your consent to us using your personal information in a certain way. For example, we only use your information to send you marketing communications by email or text with your consent. We also may ask for your explicit consent if you share sensitive personal information with us.
• Where the processing is reasonably necessary for the performance of a contract to which you are a party or to take steps at your request prior to entering a contract. For example, we may rely on this basis where you apply to work for us.
• Where the processing is reasonably necessary to comply with a legal obligation to which we are subject. For example, we may rely on this basis where we are obliged to share your personal information with a regulator or HMRC.
• Where the processing is reasonably necessary for the purpose of a legitimate interest pursued by us or a third party and your privacy rights do not override the legitimate interest. Our “legitimate interests” include pursuing the aims and mission of St Christopher’s through advocating and supporting children and families through our work in the UK and on Isle of Man, such as our grants for research from the Department of Education on the Staying Close pilot, and fundraising through direct marketing campaigns, Christmas appeals and events. However, “legitimate interests” can also include your interests, such as when you have requested information from us, and those of third parties, such as our beneficiaries.

For example, we rely on legitimate interests for activities such as sending marketing communications by post or telephone unless you have told us that you would prefer not to hear from us in this way, contacting you as a representative of an organisation about charity partnerships or in order to organise an event, and analysing your interaction with us to improve our internal business processes.

In any event, where we are relying on legitimate interests to process your personal information, we will consider any potential impact on you (positive or negative), your rights under data protection laws, and will not use your personal information for activities where the impact on you overrides the legitimate interests in the processing.

Where we process sensitive personal data (as mentioned above), we will make sure that we only do so in accordance with one of the additional lawful grounds for processing that type of data, such as where we have your explicit consent, you have made that information manifestly public or there is substantial public interest to do so.

We will only use and store personal information for as long as it is required for the purposes it was collected for.

We have adopted a data minimisation policy (available on request) that sets out the different periods we retain personal information for in respect of various purposes in accordance with our duties under applicable data protection law. The criteria we use for determining these retention periods is based on various legislative requirements; the purpose for which we hold data; and guidance issued by relevant regulatory authorities including but not limited to the Information Commissioner’s Office (ICO).

Personal information that we no longer need is securely disposed of and/or anonymised so you can no longer be identified from it. And some personal information may be retained by us in archives for historical research purposes, although we will do this in a manner that complies with applicable data protection law. Some of our retention periods are:

• As long as you are an active campaigner, donor, or fundraiser – and only for as long as necessary after your last interaction with us
• Up to five years if you make a genealogy request
• Up to six years in relation to Gift Aid (in compliance with HMRC regulations)
• Up to seven years if you volunteer with us
• As long as is necessary in relation to fostering and any other enquiries
• As long as necessary if you have pledged a Legacy to us
• As long as is necessary if you have sent us a question, comment, compliment or a complaint in the event of a follow-up, dispute or investigation

We process your personal information in accordance with the principles of GDPR.

We will treat your personal information fairly and lawfully and we will ensure that information is:

• Processed for limited purposes
• Kept up-to-date, accurate, relevant and not excessive
• Not kept longer than is necessary
• Kept secure

Access to personal information is restricted to authorised individuals on a strictly need to know basis.

We are committed to keeping your personal details up to date, and we encourage you to inform us about any changes needed to ensure your details are accurate.

To help us to ensure confidentiality of your personal information we may ask you security questions to confirm your identity when you call us. We will not discuss your personal information with anyone other than you, unless you have given us prior written authorisation to do so.

Where necessary, we will share relevant information with third parties when one of the following reasons applies:

• To the extent that we are required to do so by law
• Where there is a clear health or safety risk to an individual or members of the public, evidence of fraud against St Christopher’s, other irregular behaviour or a matter St Christopher’s is investigating
• In connection with any legal proceedings or prospective legal proceedings or statutory action to enforce compliance
• Where St Christopher’s has entered into a formal protocol with the police or a local authority department
• Providing information anonymously for bona fide statistical or research purposes, provided it is not possible to identify the individuals to whom the information relate such as fostering survey answers through our research agency
• Information required by the Charity Commission when monitoring St Christopher’s activities in its capacity as the regulator of charities
• In order to establish, exercise or defend our legal rights (including providing information to others for the purposes of prevention and detection of fraud)
• For the purposes of our legitimate business interests
• With software providers including but not limited to Charms, Clearcare, Access (Accounting software), Raiser’s Edge.
• To protect the vital interests of an individual (in a life or death situation)
• Where we have obtained your consent (i.e. your agreement) to do so
• To ensure secure storage of your personal data
• For market analysis (looking at the types of people who engage with us, and why)
• Screening data, so that we do not send information to an old address, or call an old phone number
• Emailing via our email partner, Egress
• Sending printed material (newsletters, updates, magazines, appeals), via our printing company, The Art and Design Studio
• Securely processing online donations through Virgin money giving, or by debit/credit cards through Worldpay
• Looking for prospective supporters or foster carers, of a similar background, via Facebook
• Contacting interested supporters and linking them to our website through Twitter
• Securely processing donations using our partners Give A Gift and Give As You Live

Any of the third parties stated can only act on our strict instructions, in line with our contracts with them, and cannot use your personal information for any reason outside of those instructions, or sell those details to any other organisations.

As much as possible, we store our data in the UK or within the European Union (EU). Countries outside the European Economic Area have differing approaches to data privacy laws and the enforcement of these may not be as robust as it is within Europe’s borders.

We take great care to manage your personal data within the EEA where possible. In any cases where a supplier is outside of the EEA, we ensure there is recognised assurance such as EU-US Privacy Shield Framework used by Facebook, Twitter or LinkedIn; or that there are strict data agreements and contracts are in place to ensure any data passed outside of the EEA is treated in line with the EEA regulations.

We will use your personal data in a way which ensures appropriate security of the data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage and using appropriate technical or organisational measures. This includes:

• Only keeping it for as long as is strictly necessary
• Only passing it to carefully selected third parties
• Anonymising your personal details when using data for market analysis
• Encrypting your personal information when using it to develop new services or products,
• or looking for supporters of a similar background or age
• Ensuring all online forms are encrypted and that our network is protected
• Securely destroying your identity documents once we’ve acted on an Access to Records or Genealogy request
• Acting upon any requests to view, change, or delete your information, within 30 days 

We continually review what personal information and records we hold, and delete what is no longer required.

Some of St Christopher’s premises have CCTV including our homes and you may be recorded when you visit them. We use CCTV to safeguard young people, public and for staff security. We also use it to monitor the security of our homes. St Christopher does not use the CCTV system for covert monitoring. CCTV may only be viewed when there is a need, for example to detect or prevent crime, and footage is only retained temporarily in accordance with our CCTV policy (available on request).

St Christopher complies with the ICO CCTV Code of Practice. We are registered with the Information Commissioner’s Office and St Christopher’s (Isle of Man) is registered on the Register of Data Controllers.

If you wish to complain about how we are processing your personal information, you can reach us by using our data protection contact details.

You also have the right to complain to the Information Commissioner’s Office, at:

The Information Commissioner

Wycliffe House, Water Lane, Wilmslow, Cheshire

SK9 5AF

Phone: 0303 123 1113 / 01625 545745

Website: www.ico.org.uk

The Isle of Man Information Commissioner

P.O. Box 69

Douglas

Isle of Man

IM99 1EQ

01624 693260

Website: www.inforights.im

We keep our privacy notice under regular review to ensure it continues to align with the requirements of all applicable legislation. We will place any updates on our website.

However, if there is a significant change to policies which may affect you, we will use your contact details to inform you of the changes.

Under the GDPR, you have a right to ask us what personal information we hold about you, and to request a copy of your information. This is known as a ‘subject access request’ (SAR). SARs need to be made using the access to records page on our website and you will need to provide proof of your identify. We have one calendar month from the point we confirm your identity within which to provide you with the information you’ve asked for (although we will try to provide this to you as promptly as possible). This will be provided free of charge.

Following your SAR, we will provide you with a copy of the information we hold that relates to you. This will not generally include information that relates to third parties or general information about the charity, as this is not considered personal information.

If you need us to correct any mistakes contained in the information we hold about you, you can let us know by contacting us at info@stchris.org.uk.

You have the right to ask us to delete personal information we hold about you.  You can do this where:

• the information is no longer necessary in relation to the purpose for which we originally collected/processed it;
• you withdraw your consent, and we were relying solely on your consent for processing;
• you object to the processing and there is no overriding legitimate interest for us continuing the processing;
• where we unlawfully processed the information; or
• the personal information has to be erased in order to comply with a legal obligation

We can refuse to erase your personal information where the personal information is processed for the following reasons:

• to exercise the right of freedom of expression and information;
• to enable functions designed to protect the public to be achieved e.g. government or regulatory functions
• to comply with a legal obligation or for the performance of a public interest task or exercise of official authority;
• for public health purposes in the public interest;
• archiving purposes in the public interest, scientific research historical research or statistical purposes;
• the exercise or defence of legal claims; or
• where we have an overriding legitimate interest for continuing with the processing

You have the right to require us to stop processing your personal information. When processing is restricted, we are allowed to store the information, but not do anything with it. You can do this where:

• You challenge the accuracy of the information (we must restrict processing until we have verified its accuracy)
• You challenge whether we have a legitimate interest in using the information
• If the processing is a breach of the GDPR or otherwise unlawful
• If we no longer need the personal data but you need the information to establish, exercise or defend a legal claim.

If we have disclosed your personal information to third parties, we must inform them about the restriction on processing, unless it is impossible or involves disproportionate effort to do so.

We must inform you when we decide to remove the restriction giving the reasons why.

You have the right to object to processing where we say it is in our legitimate business interests. We must stop using the information unless we can show there is a compelling legitimate reason for the processing, which override your interests and rights or the processing is necessary for us or someone else to bring or defend legal claims.

You have the right to withdraw your consent to us processing your information at any time. If the basis on which we are using your personal information is your consent, then we must stop using the information. We can refuse if we can rely on another reason to process the information such as our legitimate interests.

You have the right to opt out of receiving communications from us at any time. We will only be able to send communications, updates, or information to those who have stated they are happy for us to do so.

The right to data portability allows us to obtain and reuse your personal data across different services. It allows us to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way. The right only applies to personal data you have provided to us where the reason we are relying on to use the information is either your consent or for the performance of a contract. It also only applies when processing is carried out by us using automated means.

You can also exercise any of your rights above (b-f) by completing our ‘subject access request form’ here and returning this to us via our contact details.

They are all free of charge and we would respond within one calendar month from the date your identity was confirmed.

You have the right to be told if we have made a mistake whilst processing your data and we will self-report breaches to the Information Commissioner.

While we do not actively collect information from children (under 18s) in the UK and the Isle of Man on our website, we appreciate that our supporters are of all ages. Where appropriate, we will always ask for consent from a parent or guardian to collect information about children. Additionally, all St Christopher’s events will have clear rules on whether or not children can take part, and the collection of information will be managed in accordance with each individual event, with appropriate safeguards in place.

Notably, St Christopher’s will not knowingly contact anyone under the age of 18 to ask them for donations or other forms of financial contribution. And we will not knowingly send communications about campaigns to children aged 12 years or under.

However, we would like to give young people the opportunity to be involved in campaigning for change in areas that affect their lives. To achieve this, we may sometimes send email and Facebook communications about campaigns that relate specifically to children and young people aged 13–17 years.

Where this is done, the consent of those children and young people will be requested using appropriate privacy notices to receive this type of campaign information. To help us confirm your age, when you agree to receive this information your date of birth may be requested. This must be provided in order to allow you to be involved. We also reserve the right to ask for verification of age if we think it necessary.

Data protection for children, young persons or vulnerable adults in our care

Crucially, in our capacity as a provider of children services, we mostly process children’s personal information as a ‘data controller’ jointly with placing Local Authorities, although in some cases, we can be a ‘data processor’. Broadly speaking, this means by association, our lawful basis for processing might be similar to that of the placing Local Authority and this would be documented per our contracts.

As part of our responsibility as either a ‘data controller’ or ‘data processor’, we take our responsibility of your personal information seriously and protect these (electronically) in a range of ways including secure servers, firewalls and SSL encryption or a comparable standard. We also operate a policy of restricted, password controlled access to any of your information which is stored on our electronic systems.

We manage access to all hard copy records, which are kept securely in lockable and access restricted storage. We will never sell or unlawfully disclose any child’s personal information.

As part of our GDPR compliance, other provisions of our corporate privacy policy apply to young people in relation to how we collect, use, secure and retain their personal information. We are legally obliged to generally maintain records of children who had been in our care for up to 75 years from their birth.

Applicable information can also be found in the privacy notices of relevant placing local authorities. You can also contact us via our details in the ‘your rights’ section if you require additional information.

We (“St Christopher’s”) will only ever use the information you provide, to:

• Process foster carer application;
• Assess suitability to become a foster carer;
• Monitor the progress and stability of placements, to safeguard and support children;
• Provide ongoing support, advice and training to foster carers including information about fostering (e.g. newsletter)
• Prevent or detect crime or fraud;
• Assess and evaluate our services;
• Inform future service planning and commissioning of services;
• Ensure future service planning and the commissioning of services;
• Make payments for placements;
• Market analysis.

By ‘market analysis’, we are simply looking to learn more about the types of people who might be interested in fostering, and we’ll always use minimal personal details when doing this.

However, you can contact us, at any time, to object to the use of your information for market analysis.

You can also withdraw your initial application, if you do not wish to go ahead and foster.

Information collected by us

In the course of approving and supervising foster carers, we collect the following personal information when you provide it to us:

• Personal information (such as name, address, contact details, date of birth, gender, language)
• Special category characteristics (such as ethnicity, disability, religion and medical information)
• Family network and relationship information
• Employment information
• Financial information
• Information relating to assessments and approvals for suitability to foster children

We also obtain personal information from the following other sources:

• Local authority in whose area you live
• NSPCC
• Disclosure and Barring Service
• Past and present employer
• Social media
• References (personal and employment)
• Previous partners
• Health
• Schools

In terms of securely storing your information, this is done through our partners, SCN (Social Care Network), who manage a system called Charms on our behalf.

We only keep your information for as long as its legally required. If you decide to progress your enquiry to become a foster carer, or adopt, then the length of time your information is held changes, and is determined by law.

At present, foster carers whom a child has been placed will have their details kept until the date of their last contact plus 75 years. All finance details, payments and records of payments to foster carers will be kept for 6 years.

Lawful bases for processing your information

Where we have collected your contact details i.e. your name, email address, phone number and postcode for enquiring about our fostering services, we rely on your legal obligation and our legitimate interests in processing your data at this point. We will store this information for at least three years regardless of whether you proceed with your application or not.

Where we hold your personal information as a current foster carer in our employ, our lawful basis for processing your personal information are as follows:

• Where we are complying with our legal obligation under the fostering services (England) Regulations 2011
• Where it is necessary for the performance of a contract or as steps taken prior to entering a contract e.g. paying fosters carers for working
• Where we have your consent to process your information e.g. to share your success story as a foster carer on our website
• Some personal information is treated as more sensitive for example information about health, sexuality, ethnic background, political opinions, religious or philosophical beliefs, or trade union membership, processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a person’s sex life or sexual orientation.

The legal basis for processing these special categories of personal information is more limited. To lawfully process special categories of personal data, we must identify a lawful basis for the processing and meet a separate condition for the processing. This condition will be one or more of the following:

• With your consent
• Substantial public interest grounds
• Where we need to protect the vital interests (i.e. the health and safety) of you or another person
• Where you have already made your personal information public
• Where we or another person needs to bring or defend legal claims
• Performance of a contract

We will hold your personal information after you have left our employ for a statutory period of time to comply with our lawful obligations after which it would be permanently deleted.

For further information on your rights, please see ‘Your Rights’ above.

If you make a genealogy request, to trace a member of your family, or request access to our historical records, we will collect information to:

• Check your identity
• Keep a record of all enquiries received
• Help locate the information you have requested
• Monitor our service

We collect your contact details and any other relevant (probably with identifying details) information that would help in responding to your request.

We collect, process and hold the above information for our legitimate interests. We will never share your data with any other organisation, unless required by law, and once we have acted upon your request, your identity documents will be securely destroyed.

In some instances, we may share your contact details and any other information we have with local authorities if during or after we have provided the information you have requested, there were allegations of abuse, neglect or inappropriate behaviour during your (or family member’s) time with us, for them to investigate.

Any other information in relation to your request, such as notes from meetings, is added to your file and stored according to the data protection legal requirements – for example:

• For residential care files – 75 years from date of birth
• For genealogy enquiries – 5 years
• For all other files – 6 years (unless the law requires otherwise)

For further information on your rights, please see ‘Your Rights’ above.

When you support us by campaigning for example, attending any of our events, we collect the information you provide, but only with your consent, to:

• Keep a record of your support
• Send you relevant information about campaigns, our interests and/or our events
• Request further support
• Keep records of our contact with you such as updates or information we send, and any enquiries or complaints you make

We collect and process your personal information such as your name, address, email address and contact phone number.

If you participate in an event that we have, or someone else has, organised in aid of or on behalf of St Christopher’s, we may ask you to provide information to make sure we can manage the event safely and efficiently. We may also ask you for details of any accessibility need which you may have, so that we ensure our event is inclusive, in line with the provisions of the Equality Act 2010.

We may sometimes use your data for our legitimate interest, helping us to become more effective as a children’s charity for example:

• Understanding the types of people who support St Christopher’s
• Finding new supporters of a similar background or age group
• Developing new services

The data we use would be completely anonymised and we would only use the minimum amount of data required.

We may share limited information about you with our third party partners, but this will only be so that we can contact you in relation to St Christopher’s campaigns, appeals, or updates on events or services.

As mentioned, these partner organisations can only act on our instructions.

And, if you would rather this information was not shared, you can ask to have your preferences changed, withdraw your consent, or object to it being used (in our legitimate interests), at any time.

For further information on your rights, please see ‘Your Rights’ above.

When you support our work by fundraising (i.e.taking part in a St Christopher (sponsored) event, raising funds for us via a third party event like the London Marathon, donating your own money through ‘gift aid’, ‘Give as you Live’ or ‘Just Giving’ or money raised by a group, or choose to leave a gift in your will) we will collect the information you provide and only use it to:

• Keep a record of your support
• Keep a record of your preferred method of contact (phone, email, post, SMS)
• Send you relevant information about our work, including campaigns or fundraising events, marketing and fundraising materials
• Ask for further support
• Note fundraising events you have taken part in
• Keep records of our contact with you i.e. updates or information we send, and any enquiries or complaints you make
• Keep information about donations and Gift Aid, to comply with HMRC requirements

The information we collect includes:

• Your contact details i.e. your name, address, email address and phone number
• Your financial details such as your bank card details
• Details of living executors of your will as it relates to any legacy left to us

If you participate in an event organised by an external party then your information may be passed to us by the processor. When you make a donation through our website, it reroute automatically to ‘Virgin Money Giving’, a third party website that capture your personal information and passes it to us. Please click on any of our third party donation platform to check their privacy policy, such as Give as you Live, Give A Gift, or Virgin Money Giving for confirmation of how they manage your data.

If you make a donation to us in person, we process the transaction using a ‘Worldpay’ cash machine. Worldpay privacy notice can be read here. We follow payment card industry (PCI) security compliance requirements when processing credit card payments.

It is important to note that we cannot guarantee the security of your home computer or any information sent over the internet or any publicly accessible communications network, and using any online communications services are at the user’s own risk.

We may carefully use some of your personal information for our legitimate interests (completely encrypted) to help us in:

• Understanding the types of people who support St Christopher’s
• Finding new supporters of a similar background or age group
• Developing new products and services
• Understanding how we can improve existing products and services
• Advertising those products and services to people with similar interests to you

Retaining your information

We will retain your personal information in line with statutory requirements.

We will never send you marketing by email or SMS (text messaging) without your consent, and you can withdraw your consent at any time. We collect your consent for such communications when you sign up to receiving our emails or newsletter; opt-in to such communications by using our forms (e.g. a donation form or an online form) or when you provide it in person. We will hold and use this consent for two years before reviewing when and how you are responding to our activities using these channels. We will consider your consent revoked if you have not responded to our email or SMS (text messaging) communications after three years.

If you ask us not to contact you, we will keep some basic information about you on a suppression list in order to avoid sending you unwanted materials in the future.

We keep information about donations and Gift Aid for 6 years, on our secure server located in the UK, to comply with HMRC requirements.

Legal basis for contacting you and using your personal information

If you have provided us with your postal or telephone contact details, for example, when making a donation by post, we will carry out an assessment of whether it would be fair and reasonable of us to use those details to send information about our work, fundraising or events and other information to you without your explicit consent (i.e. it is in the interests of our aims as a charity and will not cause undue prejudice to you). This is called a “legitimate interests assessment”. You can however opt out of or change the amount or type of marketing and fundraising communications we send you at any time by letting us know your communication preferences. We seek to make this easy for you to do by asking you let us know about any preferences you have when we communicate with you and you can also do this by contacting us using our details provided in the ‘your rights’ section.

We will ensure we have a legal basis to use your personal information for any of the other purposes mentioned in this policy (usually with your consent, further to a legitimate interests assessment, or because the use of your data is necessary to comply with a legal obligation).

Sharing your information

We may share limited information about you with our third party partners, but this will only be so that we can contact you in relation to St Christopher’s campaigns, appeals, or upcoming events.

As mentioned, these partner organisations can only act on our instructions.

We may use your information to enforce and comply with the law such as for the purposes of fraud prevention or to comply with the money laundering Act.

Also, if certain levels of donation are made, the Fundraising Regulator’s Code of Fundraising Practice requires us, and all charities in the UK, to perform certain checks on the donation. More details can be found on the Fundraising Regulator website.

If you would rather this information was not shared, you can ask to have your permissions changed, withdraw your consent, or object to it being used to help us (in our legitimate interests), at any time.

How we use profiling

We are grateful for every single penny we receive from our supporters be it through donations, fundraising, campaigning or legacies.

However, we want to ensure that what we ask of our supporters is fair, reasonable, and relevant, to them. For this reason, we carry out an action referred to as ‘profiling’.

This is standard practice across the charity sector, and simply means we look at your personal information i.e. your background and consider what is appropriate to ask of you, or send to you.

Manual profiling

Generally, profiling is a manual process, which we carry out by looking at information that you have given us, or information that is publicly available for example, on social media platforms such as facebook, twitter and other public sources such as the Electoral Register, land register etc.

We may also analyse information such as how often supporters donate, by how much, and in what way and why, in order to decide how often or what type of information and fundraising materials we share with those supporters.

It means we can tailor communications so that they are relevant (perhaps in relation to one of our services in your area), timely, and respectful, by only asking for donations that are within your means, or appropriate for those who may be able/willing to give more than they already do.

It also enables us to identify those who are in the fortunate position of being able to help us fund entire projects or services, and whether they would like to meet us to develop a more personal relationship and/or discuss future opportunities to support our work in helping children. In turn, this approach means we can raise funds sooner, and less cost.

Automated profiling

Additionally, we may also track emails which we have sent to you using our software to see which messages resonate with people and which have the highest response rates. We do this by logging whether emails we send have been opened, deleted and interacted with, for example, by clicking on links within the emails. We use this information to look at general patterns and to help us better target our activities so that we only send information in this way to people we believe still want to receive the emails they’ve consented to receive.

Profiling on institutional donors/large individual donors

For our institutional donors or any large donor, we may gather information about you from publicly available sources such Companies House, land records, the Charity Commission of England and Wales, and the media to help us to understand more about you as an individual (or organisation) and your ability and interest to support our work, including financially. Through our research, we aim to collect information about your philanthropic interests, for example, trusteeships or board memberships.

We take this approach in order to ensure that we develop relationships appropriately and that you always receive the most appropriate communications. This also helps ensure that our fundraising activity is as effective as it can be. In some cases, for example in the case of very large donations, this information is also helpful for due diligence purposes and to manage our reputational risks. We may also carry out wealth screening, either in-house or through trusted third-party partners with whom we have appropriate data protection agreements in place, to ensure that any approach for financial support is sensitive and appropriate.

If you would rather your personal information is not used for the purposes of profiling, please contact us using the details in the ‘Your Rights’ section above.

When you join St Christopher as a volunteer, we will collect some personal information from you such as your CV, covering letter, relevant supporting information, contact details, previous volunteering history and references which will be used to access suitability for volunteer positions.

We may sometimes use third-party volunteer platforms to publish and receive volunteer roles at St Christopher’s. When you apply through these platforms, your application will be automatically rerouted to our website with a link to our privacy policy for you to read and understand. We only work alongside other organisations in this way if we are satisfied that they will safely reroute your application to our website.

We will only ever use the information you provide, and references from your chosen referees, to:

• Assess and progress your application
• Contact you regarding other volunteer opportunities

Your information is securely stored on St Christopher internal server which is held here in the UK.

If your application is successful, this information will then form part of your file.

We delete the personal information of unsuccessful applications 12 months after the application process ends in case there are follow-up queries about the process, unless a candidate requests that we keep their details for longer. Statistical information like ethnicity, sexuality and disability is kept to ensure that our recruitment processes are inclusive and not discriminatory, but this is completely anonymised.

If we are required by law to share your information, (for example; in response to a warrant or court order), we will do so.

For further information on your rights, please see ‘Your Rights’ above.

Who we are

St Christopher’s recruits through its website and through third party organisations such as recruitment agencies (as determined from time to time), that redirects applications to our website. During the recruitment process, we (“St Christopher’s”) collect, use, hold and are responsible for certain personal information about you.

When we do so, we are regulated under the General Data Protection Regulation (GDPR) which applies across the European Union (including in the United Kingdom) and the Data Protection Act 2018, and we are responsible as ‘a data controller’ of that personal information for the purposes of those laws.

Our Data Protection Officer is our Company Secretary. If you have any queries about the recruitment process or how we handle your information please contact us at recruitment@stchris.org.uk.

What will we do with the information you provide to us?

All of the information you provide during the process will only be used for the purpose of progressing your application, or to fulfil legal or regulatory requirements if necessary.

We will not share any of the information you provide during the recruitment process with any third parties for marketing purposes or store any of your information outside of the European Economic Area. The information you provide will be held securely by us and/or our data processors whether the information is in electronic or physical format.

We will use the contact details you provide to us to contact you to progress your application. We will use the other information you provide to assess your suitability for the role you have applied for.

What information do we ask for, and why?

We do not collect more information than we need to fulfil our stated purposes and will not retain it for longer than is necessary. We will notify you of any changes to information we collect or to the purposes for which we collect and process it.

The information we ask for is used to assess your suitability for employment. You do not have to provide what we ask for but it might affect your application if you do not.

The following table summarises the information we collect and hold for each stage of the recruitment process, how and why we do so, how we use it and with whom it may be shared. It applies to applications for jobs with St Christopher’s and its group companies up to and including the issue of contract of employment stage.

Application stage

Our recruitment team will have access to all of this information. Any equal opportunities information provided by you will not be made available to any staff outside of our recruitment team, including hiring managers, in a way which can identify you.

Shortlisting before making a final decision to recruit

Our hiring managers and recruitment consultants (where applicable) will shortlist applications for interview. They will not be provided with your equal opportunities information if you have provided it.

Assessments

We might ask you to participate in assessment days, complete tests or occupational personality profile questionnaires, and/or to attend an interview – or a combination of these. Information will be generated by you and by us. For example, you might complete a written test or we might take interview notes. This information is held by St Christopher’s.

If you are unsuccessful following assessment for the position you have applied for, we may ask if you would like your details to be retained in our talent pool for a period of twelve months. If you say yes, we would proactively contact you should any further suitable vacancies arise.

Conditional offer

If we make a conditional offer of employment we will ask you for information so that we can carry out pre-employment checks. You must successfully complete pre-employment checks to progress to a final offer. We are required to confirm the identity of our staff, their right to work in the United Kingdom and seek assurance as to their trustworthiness, integrity and reliability.

You will therefore be required to provide:

Before issuing a contract of employment

If we make a final offer, we will also ask you for the following:

We also comply with the additional conditions set out in the Data Protection Act 2018 which relate to criminal convictions and other special categories of personal data (sensitive personal information). The following are personal information we collect from you that pertain to special category and criminal conviction data:

• Convictions
• Cautions
• Reprimands or warnings
• National and immigration status
• Occupational health information

Our additional (to those stated above) lawful basis for processing these categories of personal data can be:

• Because you have given us your explicit consent
• Because the processing is necessary for the purpose of carrying out our obligations and exercising our/your specific rights in the field of employment as authorised by employment regulations, equality Act and the Data Protection Act 2018
• Because the processing is necessary for reason of substantial public interest

It is within our legitimate interest to follow recruitment best practice, to maintain employment records and to comply with legal, regulatory and corporate governance obligations and good employment practice – but only if these are not overridden by your interests, rights or freedoms. This means we will not use your data in any way that you would not reasonably expect.

Transfer of Undertakings and Protection of Employment (TUPE)

Where your employment transfers to St Christopher’s or other St Christopher’s Group Companies under TUPE regulations, the transferring employer remains the data controller until the transfer takes place.

TUPE requires that information (known as ‘employer liability information’) must be given to the new employer before the transfer takes place. This includes some personal data. This information will only be used in connection with the proposed transfer. GDPR allows this disclosure because it is required by law and consent is not required.

St Christopher’s and St Christopher’s group companies will not request more information than is required under the TUPE regulations and will comply with GDPR principles when handing this personal information. In the event that additional information is required, the data controller will request consent from the affected employees.

Once the transfer has taken place St Christopher’s or its group companies will receive further information from each transferring employee’s employment record (e.g. Personal File). The former employer does not need the employees’ consent to the transfer of their personal information if it is necessary for the purpose of the transfer and business needs of both parties.

Use of data processors

Data processors are third parties who provide elements of our recruitment service for us. We have contracts in place with our data processors. This means that they cannot do anything with your personal information unless we have instructed them to do it. They will not share your personal information with any organisation apart from us. They will hold it securely and retain it for the period we instruct.

U Check: They complete criminal record checks on our behalf. If you are successfully selected for a role then we will provide you with instructions on how to complete these either online or via post. Your DBS certificate comes directly to you; we do not receive or retain a copy of this. Their privacy notice can be found here.

Cascade: This is software owned by IRIS Human Capital Management Limited. If you accept a final offer from us, some of your personnel records will be held on Cascade which is an internally used HR information system. You will also have access to the information held here. Their privacy notice can be found here.

Occupational medicals: If we make you a conditional offer, we will ask that you complete a questionnaire which will help to determine if you are fit to undertake the work that you have been offered, or advise us if any adjustments are needed to the work environment or systems so that you may work effectively. We will send you a link to the questionnaire which will take you to the Occupational Medicals website. The information you provide will be processed by Occupational Medicals, and they will provide us with a fit to work statement, or a not fit for work statement, or a fit for work with recommendations (such as reasonable adjustments) statement.

How long is the information retained for?

If you are successful, the information you provide during the application process will be retained by us as part of your employee file for the duration of your employment plus 6 years following the end of your employment. This includes your criminal records declaration, fitness to work, records of any security checks and references.

If you are unsuccessful at any stage of the process, the information you have provided until that point will be retained for 2 years from the closure of the campaign unless you make a request to the Recruitment Service to remove this.

Information generated throughout the assessment process, for example interview notes, is retained by us for 2 years following the closure of the campaign.

Equal opportunities information is retained for 2 years following the closure of the campaign whether you are successful or not.

How do we keep your information secure?

We have appropriate security measures in place to prevent personal information from being accidentally lost, or used or accessed in an unauthorised way. We limit access to your personal information to those who have a genuine business need to know it. Those processing your information will do so only in an authorised manner and are subject to a duty of confidentiality.

We also have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.

How we make decisions about recruitment?

Final recruitment decisions are made by hiring managers and members of our recruitment team. All of the information gathered during the application process is taken into account.

You are able to ask about decisions made about your application by speaking to your contact within our recruitment team or by emailing recruitment@stchris.org.uk.

Your rights

Under GDPR you have rights which you can exercise free of charge which allow you to:

• know what we are doing with your information and why we are doing it
• ask to see what information we hold about you (subject access request)
• ask us to correct any mistakes in the information we hold about you
• object to direct marketing
• make a complaint to the Information Commissioners Office
• withdraw consent at any time (if applicable)

Depending on our reason for using your information you may also be entitled to:

• ask us to delete information we hold about you
• have your information transferred electronically to yourself or to another organisation
• object to decisions being made that significantly affect you
• object to how we are using your information
• stop us using your information in certain ways

We will always seek to comply with your request however we may be required to hold or use your information to comply with legal duties. Please note, your request may delay or prevent us delivering a service to you.

For further information about your rights, including the circumstances in which they apply, see the guidance from the UK Information Commissioners Office (ICO) on individuals’ rights under GDPR.

If you would like to exercise a right, please contact our data protection officer by emailing dataprotection@stchris.org.uk.

Contact

Please contact our human resources department at recruitment@stchris.org.uk to exercise any of your rights, or if you have a complaint about why your information has been collected, how it has been used or how long we have kept it for.

You can contact our Data Protection Officer at dataprotection@stchris.org.uk, or write to: Data Protection Officer, St Christopher’s Fellowship, 1 Putney High Street, London SW14 1SZ.

GDPR also gives you right to lodge a complaint with a supervisory authority. The supervisory authority in the UK is the Information Commissioner or the Isle of Man Information Commissioner.