Corporate Privacy Policy

Who we are

St Christopher’s Fellowship is a registered charity, registered in England and Wales (Charity Number: 207782), and on the Isle of Man (Charity Number: 927). We are also a company limited by guarantee registered in England and Wales (company number: 321509) and on the Isle of Man (company number: 111692C). Our registered office is at 1 Putney High Street, London SW15 1SZ.

In the main, we (“St Christopher’s”) are the ‘data controller’ in respect of your personal information, and are solely responsible for what happens to it, where it goes, and who sees it.

However, in some instances, we may process your personal information as a ‘data processor’. Where this is the case, we do not make decisions on how to process your personal information. The applicable ‘data controller’ in such instances instructs us on how we will process your personal information.

Our promise to protect your privacy

As a leading provider of children’s services and employer, St Christopher’s holds personal information on a variety of people, including children, young persons and vulnerable adults (current, former and prospective), current and former employees, job applicants, volunteers, foster carer applicants, donors and anyone who uses our services. We are committed to protecting the rights of individuals’ privacy with regard to the processing of personal data. We demonstrate this through operating within the requirements of GDPR with regard to collecting, storing, divulging, sharing and disposing of personal information.

We are responsible for protecting your personal information, and we take this responsibility very seriously. We aim to ensure you are content with the information you give us, understand how it is used, know that you can trust us with it, and that you have the right to withdraw your consent for us to use it at any time.

If you have any queries or concerns about how we use your personal information, please contact our Administration team on 0208 780 7800 or dataprotection@stchris.org.uk.

Our contact details for data protection purposes are as follows:

The Data Protection Officer

St Christopher’s Fellowship

1 Putney High Street

London

SW15 1SZ

Email: dataprotection@stchris.org.uk

Tel: 0208 780 7800

The individual responsible for data protection compliance at St Christopher’s is the Company Secretary. They are contactable using the above contact details.

Whose information do we hold?

We collect personal information (or ‘personal data’) from those who directly interact with us, such as our:

  • Children, young persons and vulnerable adults (current, former and prospective)
  • Supporters and/or donors (current and historic)
  • Fundraisers/Campaigners
  • Event attendees
  • Volunteers
  • Foster carers (and/or those who make enquiries)
  • Job applicants
  • Employees (current and former)
  • Those who make general enquiries
  • Those who use our website
  • Those who request access to our records e.g. a genealogy or historical request

We will never ever sell your data to third parties for their own marketing needs.

What information do we collect?

We aim to collect the minimum personal information we need to carry out a service, as relevant, such as your:

  • Name
  • Age/date of birth
  • Gender
  • Contact number(s)
  • Email address(es)
  • Postal address
  • Contact preferences (emails or SMS messages)
  • Information for ‘market analysis’ (where appropriate)
  • Records of fundraising events you have attended
  • Campaigns you have supported
  • Our events you have attended
  • Financial details (where appropriate such as for donations)
  • Historical details relating to your foster or adoptive family (if relevant to you as an individual)
  • Record of your contact with us – whether a query, compliment, or complaint

Why do we collect this information?

We use this information, where relevant, to:

  • Raise further awareness of St Christopher’s and the work we do
  • Help raise further funds to support children and families across our network
  • Learn how best to contact you (and what about)
  • Keep a record of your support
  • Help us with profiling (where relevant)
  • Progress applications (employment, volunteering, fostering) or any other enquiries
  • Learn how to improve our products and services
  • Learn about other audiences who may be interested in supporting the work of St Christopher’s (and the new products, services, and information they may be interested in)
  • Verify your identity. When you phone in to our offices, we will need to ask you a series of questions to verify you are who you say you are. The questions will relate to information we hold about you.
  • If you visit our head office and request information, you will be asked to provide identification before we can help you. We also require some proof of identification before you are allowed to come into our head office. Sometimes, this is also to ensure we are talking to the right person before releasing any personal information.

Why are we allowed to process your personal information?

Our Privacy and Cookie Policies take into account several laws, including:

  • General Data Protection Regulation (EU) 2016/679 (GDPR)
  • The Data Protection Act 2018
  • The Privacy and Electronic Communications (EC Directive) Regulations 2003
  • The Data Protection (Application of GDPR) Order 2018 (“GDPR Order”)
  • Adapted text of the EU GDPR in the Annex to the GDPR Order (“Applied GDPR”)
  • The Data Protection (Application of the LED) Order 2018 (“LED Order”)
  • The GDPR and LED Implementing Regulations 2018

Generally, our processing of your personal information as described in this policy is allowed by these laws based on one or more lawful grounds, including:

  • Where you have provided your consent to us using your personal information in a certain way. For example, we only use your information to send you marketing communications by email or text with your consent. We also may ask for your explicit consent if you share sensitive personal information with us.
  • Where the processing is reasonably necessary for the performance of a contract to which you are a party or to take steps at your request prior to entering a contract. For example, we may rely on this basis where you apply to work for us.
  • Where the processing is reasonably necessary to comply with a legal obligation to which we are subject. For example, we may rely on this basis where we are obliged to share your personal information with a regulator or HMRC.
  • Where the processing is reasonably necessary for the purpose of a legitimate interest pursued by us or a third party and your privacy rights do not override the legitimate interest. Our “legitimate interests” include pursuing the aims and mission of St Christopher’s through advocating and supporting children and families through our work in the UK and on the Isle of Man, such as our grants for research from the Department of Education on the Staying Close pilot, and fundraising through direct marketing campaigns, Christmas appeals and events. However, “legitimate interests” can also include your interests, such as when you have requested information from us, and those of third parties, such as our beneficiaries.

For example, we rely on legitimate interests for activities such as sending marketing communications by post or telephone unless you have told us that you would prefer not to hear from us in this way, contacting you as a representative of an organisation about charity partnerships or in order to organise an event, and analysing your interaction with us to improve our internal business processes.

In any event, where we are relying on legitimate interests to process your personal information, we will consider any potential impact on you (positive or negative), your rights under data protection laws, and will not use your personal information for activities where the impact on you overrides the legitimate interests in the processing.

Where we process sensitive personal data (as mentioned above), we will make sure that we only do so in accordance with one of the additional lawful grounds for processing that type of data, such as where we have your explicit consent, you have made that information manifestly public or there is substantial public interest to do so.

How long do we keep your personal information?

We will only use and store personal information for as long as it is required for the purposes it was collected for.

We have adopted a data minimisation policy (available on request) that sets out the different periods we retain personal information for in respect of various purposes in accordance with our duties under applicable data protection law. The criteria we use for determining these retention periods are based on various legislative requirements; the purpose for which we hold data; and guidance issued by relevant regulatory authorities including but not limited to the Information Commissioner’s Office (ICO).

Personal information that we no longer need is securely disposed of and/or anonymised so you can no longer be identified from it. And some personal information may be retained by us in archives for historical research purposes, although we will do this in a manner that complies with applicable data protection law. Some of our retention periods are:

  • As long as you are an active campaigner, donor, or fundraiser – and only for as long as necessary after your last interaction with us
  • Up to five years if you make a genealogy request
  • Up to six years in relation to Gift Aid (in compliance with HMRC regulations)
  • Up to seven years if you volunteer with us
  • As long as is necessary in relation to fostering and any other enquiries
  • As long as necessary if you have pledged a Legacy to us
  • As long as is necessary if you have sent us a question, comment, compliment or a complaint in the event of a follow-up, dispute or investigation

How we manage your personal information

We process your personal information in accordance with the principles of GDPR.

We will treat your personal information fairly and lawfully and we will ensure that information is:

  • Processed for limited purposes
  • Kept up-to-date, accurate, relevant and not excessive
  • Not kept longer than is necessary
  • Kept secure

Access to personal information is restricted to authorised individuals on a strictly need to know basis.

We are committed to keeping your personal details up to date, and we encourage you to inform us about any changes needed to ensure your details are accurate.

To help us to ensure confidentiality of your personal information we may ask you security questions to confirm your identity when you call us. We will not discuss your personal information with anyone other than you, unless you have given us prior written authorisation to do so.

Why and who do we share your personal information with?

Where necessary, we will share relevant information with third parties when one of the following reasons applies:

  • To the extent that we are required to do so by law
  • Where there is a clear health or safety risk to an individual or members of the public, evidence of fraud against St Christopher’s, other irregular behaviour or a matter St Christopher’s is investigating
  • In connection with any legal proceedings or prospective legal proceedings or statutory action to enforce compliance
  • Where St Christopher’s has entered into a formal protocol with the police or a local authority department
  • Providing information anonymously for bona fide statistical or research purposes, provided it is not possible to identify the individuals to whom the information relates, such as fostering survey answers through our research agency
  • Information required by the Charity Commission when monitoring St Christopher’s activities in its capacity as the regulator of charities
  • In order to establish, exercise or defend our legal rights (including providing information to others for the purposes of prevention and detection of fraud)
  • For the purposes of our legitimate business interests
  • To protect the vital interests of an individual (in a life or death situation)
  • Where we have obtained your consent (i.e. your agreement) to do so
  • To ensure secure storage of your personal data
  • For market analysis (looking at the types of people who engage with us, and why)
  • Screening data, so that we do not send information to an old address, or call an old phone number
  • Emailing via our email partner, Egress
  • Sending printed material (newsletters, updates, magazines, appeals), via our printing company, The Art and Design Studio
  • Securely processing online donations through Virgin Money Giving, or by debit/credit cards through Worldpay
  • Looking for prospective supporters or foster carers, of a similar background, via Facebook
  • Contacting interested supporters and linking them to our website through Twitter
  • Securely processing donations using our partners Give A Gift and Give As You Live

Any of the third parties stated can only act on our strict instructions, in line with our contracts with them, and cannot use your personal information for any reason outside of those instructions, or sell those details to any other organisations.

Transfer of personal information outside of the EEA

As much as possible, we store our data in the UK or within the European Union (EU). Countries outside the European Economic Area have differing approaches to data privacy laws and the enforcement of these may not be as robust as it is within Europe’s borders.

We take great care to manage your personal data within the EEA where possible. In any cases where a supplier is outside of the EEA, we ensure there is recognised assurance such as the EU-US Privacy Shield Framework used by Facebook, Twitter or LinkedIn; or that strict data agreements and contracts are in place to ensure any data passed outside of the EEA is treated in line with the EEA regulations.

How do we secure your personal information?

We will use your personal data in a way which ensures appropriate security of the data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage and using appropriate technical or organisational measures. This includes:

  • Only keeping it for as long as is strictly necessary
  • Only passing it to carefully selected third parties
  • Anonymising your personal details when using data for market analysis
  • Encrypting your personal information when using it to develop new services or products, or looking for supporters of a similar background or age
  • Ensuring all online forms are encrypted and that our network is protected
  • Securely destroying your identity documents once we’ve acted on an Access to Records or Genealogy request
  • Acting upon any requests to view, change, or delete your information, within 30 days

CCTV

We continually review what personal information and records we hold, and delete what is no longer required.

Some of St Christopher’s premises have CCTV, including our homes, and you may be recorded when you visit them. We use CCTV to safeguard young people and the public, and for staff security. We also use it to monitor the security of our homes. St Christopher’s does not use the CCTV system for covert monitoring. CCTV may only be viewed when there is a need, for example to detect or prevent crime, and footage is only retained temporarily in accordance with our CCTV policy (available on request).

St Christopher’s complies with the ICO CCTV Code of Practice. We are registered with the Information Commissioner’s Office and St Christopher’s (Isle of Man) is registered on the Register of Data Controllers.

Complaints

If you wish to complain about how we are processing your personal information, you can reach us by using our data protection contact details.

You also have the right to complain to the Information Commissioner’s Office, at:

The Information Commissioner

Wycliffe House, Water Lane, Wilmslow, Cheshire

SK9 5AF

Phone: 0303 123 1113 / 01625 545745

Website: www.ico.org.uk

The Isle of Man Information Commissioner

P.O. Box 69

Douglas

Isle of Man

IM99 1EQ

01624 693260

Website: www.inforights.im

Changes to this Privacy Notice

We keep our privacy notice under regular review to ensure it continues to align with the requirements of all applicable legislation. We will place any updates on our website.

However, if there is a significant change to policies which may affect you, we will use your contact details to inform you of the changes.

Your rights

The Data Protection Act 2018 in conjunction with the General Data Protection Regulation (GDPR) grants you a number of rights which are explained below:

Access to personal information

Under the GDPR, you have a right to ask us what personal information we hold about you, and to request a copy of your information. This is known as a ‘subject access request’ (SAR). SARs need to be made using the access to records page on our website and you will need to provide proof of your identity. We have one calendar month from the point we confirm your identity within which to provide you with the information you’ve asked for (although we will try to provide this to you as promptly as possible). This will be provided free of charge.

Following your SAR, we will provide you with a copy of the information we hold that relates to you. This will not generally include information that relates to third parties or general information about the charity, as this is not considered personal information.

Rectification

If you need us to correct any mistakes contained in the information we hold about you, you can let us know by contacting us at info@stchris.org.uk.

Erasure (‘right to be forgotten’)

You have the right to ask us to delete personal information we hold about you. You can do this where:

  • the information is no longer necessary in relation to the purpose for which we originally collected/processed it;
  • you withdraw your consent, and we were relying solely on your consent for processing;
  • you object to the processing and there is no overriding legitimate interest for us continuing the processing;
  • where we unlawfully processed the information; or
  • the personal information has to be erased in order to comply with a legal obligation

We can refuse to erase your personal information where the personal information is processed for the following reasons:

  • to exercise the right of freedom of expression and information;
  • to enable functions designed to protect the public to be achieved e.g. government or regulatory functions
  • to comply with a legal obligation or for the performance of a public interest task or exercise of official authority;
  • for public health purposes in the public interest;
  • archiving purposes in the public interest, scientific research, historical research or statistical purposes;
  • the exercise or defence of legal claims; or
  • where we have an overriding legitimate interest for continuing with the processing

Restriction on processing

You have the right to require us to stop processing your personal information. When processing is restricted, we are allowed to store the information, but not do anything with it. You can do this where:

  • You challenge the accuracy of the information (we must restrict processing until we have verified its accuracy)
  • You challenge whether we have a legitimate interest in using the information
  • If the processing is a breach of the GDPR or otherwise unlawful
  • If we no longer need the personal data but you need the information to establish, exercise or defend a legal claim.

If we have disclosed your personal information to third parties, we must inform them about the restriction on processing, unless it is impossible or involves disproportionate effort to do so.

We must inform you when we decide to remove the restriction, giving the reasons why.

Objection to processing

You have the right to object to processing where we say it is in our legitimate business interests. We must stop using the information unless we can show there is a compelling legitimate reason for the processing which overrides your interests and rights, or the processing is necessary for us or someone else to bring or defend legal claims.

Withdrawal of consent

You have the right to withdraw your consent to us processing your information at any time. If the basis on which we are using your personal information is your consent, then we must stop using the information. We can refuse if we can rely on another reason to process the information such as our legitimate interests.

You have the right to opt out of receiving communications from us at any time. We will only be able to send communications, updates, or information to those who have stated they are happy for us to do so.

Right to data portability

The right to data portability allows us to obtain and reuse your personal data across different services. It allows us to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way. The right only applies to personal data you have provided to us where the reason we are relying on to use the information is either your consent or for the performance of a contract. It also only applies when processing is carried out by us using automated means.

You can also exercise any of your rights above (b-f) by completing our ‘subject access request form’ here and returning this to us via our contact details.

They are all free of charge and we would respond within one calendar month from the date your identity was confirmed.

You have the right to be told if we have made a mistake whilst processing your data and we will self-report breaches to the Information Commissioner.

Where can I get more information?

For further information on how we process your personal information, you can contact us in the first instance at:

The Data Protection Officer

St Christopher’s Fellowship

1 Putney High Street

London

SW15 1SZ

Email: info@stchris.org.uk

Tel: 0208 780 7800

In addition, the Information Commissioner’s Office (“ICO”) and the Isle of Man Information Commissioner are also sources of further information about your data protection rights. The ICO and the Isle of Man Information Commissioner are independent official bodies, and one of their primary functions is to administer the provisions of the GDPR. You can find out more information on your rights by visiting the ICO website or Isle of Man rights website.

Children’s personal information

While we do not actively collect information from children (under 18s) in the UK and the Isle of Man on our website, we appreciate that our supporters are of all ages. Where appropriate, we will always ask for consent from a parent or guardian to collect information about children. Additionally, all St Christopher’s events will have clear rules on whether or not children can take part, and the collection of information will be managed in accordance with each individual event, with appropriate safeguards in place.

Notably, St Christopher’s will not knowingly contact anyone under the age of 18 to ask them for donations or other forms of financial contribution. And we will not knowingly send communications about campaigns to children aged 12 years or under.

However, we would like to give young people the opportunity to be involved in campaigning for change in areas that affect their lives. To achieve this, we may sometimes send email and Facebook communications about campaigns that relate specifically to children and young people aged 13–17 years.

Where this is done, the consent of those children and young people will be requested using appropriate privacy notices to receive this type of campaign information. To help us confirm your age, when you agree to receive this information your date of birth may be requested. This must be provided in order to allow you to be involved. We also reserve the right to ask for verification of age if we think it necessary.

Data protection for children, young persons or vulnerable adults in our care

Crucially, in our capacity as a provider of children’s services, we mostly process children’s personal information as a ‘data controller’ jointly with placing Local Authorities, although in some cases, we can be a ‘data processor’. Broadly speaking, this means by association, our lawful basis for processing might be similar to that of the placing Local Authority and this would be documented per our contracts.

As part of our responsibility as either a ‘data controller’ or ‘data processor’, we take our responsibility for your personal information seriously and protect it (electronically) in a range of ways including secure servers, firewalls and SSL encryption or a comparable standard. We also operate a policy of restricted, password-controlled access to any of your information which is stored on our electronic systems.

We manage access to all hard copy records, which are kept securely in lockable and access restricted storage. We will never sell or unlawfully disclose any child’s personal information.

As part of our GDPR compliance, other provisions of our corporate privacy policy apply to young people in relation to how we collect, use, secure and retain their personal information. We are legally obliged to generally maintain records of children who have been in our care for up to 75 years from their birth.

Applicable information can also be found in the privacy notices of relevant placing local authorities. You can also contact us via our details in the ‘your rights’ section if you require additional information.

Privacy policy for foster carers (applicants, current or former)

We (“St Christopher’s”) will only ever use the information you provide, to:

  • Process foster carer application;
  • Assess suitability to become a foster carer;
  • Monitor the progress and stability of placements, to safeguard and support children;
  • Provide ongoing support, advice and training to foster carers including information about fostering (e.g. newsletter)
  • Prevent or detect crime or fraud;
  • Assess and evaluate our services;
  • Inform future service planning and commissioning of services;
  • Ensure future service planning and the commissioning of services;
  • Market analysis.

By ‘market analysis’, we are simply looking to learn more about the types of people who might be interested in fostering, and we’ll always use minimal personal details when doing this.

However, you can contact us, at any time, to object to the use of your information for market analysis.

You can also withdraw your initial application, if you do not wish to go ahead and foster.

Information collected by us

In the course of approving and supervising foster carers, we collect the following personal information when you provide it to us:

  • Personal information (such as name, address, contact details, date of birth, gender, language)
  • Special category characteristics (such as ethnicity, disability, religion and medical information)
  • Family network and relationship information
  • Employment information
  • Financial information
  • Information relating to assessments and approvals for suitability to foster children

We also obtain personal information from the following other sources:

  • Local authority in whose area you live
  • NSPCC
  • Disclosure and Barring Service
  • Past and present employer
  • Social media
  • References (personal and employment)
  • Previous partners
  • Health
  • Schools

In terms of securely storing your information, this is done through our partners, SCN (Social Care Network), who manage a system called Charms on our behalf.

We only keep your information for as long as it is legally required. If you decide to progress your enquiry to become a foster carer, or adopt, then the length of time your information is held changes, and is determined by law.

At present, foster carers with whom a child has been placed will have their details kept until the date of their last contact plus 75 years. All finance details, payments and records of payments to foster carers will be kept for 6 years.

Lawful bases for processing your information

Where we have collected your contact details i.e. your name, email address, phone number and postcode for enquiring about our fostering services, we rely on your consent and our legitimate interests in processing your data at this point. We will store this information for at least 3 years regardless of whether you proceed with your application or not.

Where we hold your personal information as a current foster carer in our employ, our lawful bases for processing your personal information are as follows:

  • Where we are complying with our legal obligation under the Fostering Services (England) Regulations 2011
  • Where it is necessary for the performance of a contract or as steps taken prior to entering a contract e.g. paying foster carers for working
  • Where we have your consent to process your information e.g. to share your success story as a foster carer on our website

Some personal information is treated as more sensitive, for example information about health, sexuality, ethnic background, political opinions, religious or philosophical beliefs, or trade union membership, processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a person’s sex life or sexual orientation.

The legal basis for processing these special categories of personal information is more limited. To lawfully process special categories of personal data, we must identify a lawful basis for the processing and meet a separate condition for the processing. This condition will be one or more of the following:

  • With your consent
  • Substantial public interest grounds
  • Where we need to protect the vital interests (i.e. the health and safety) of you or another person
  • Where you have already made your personal information public
  • Where we or another person needs to bring or defend legal claims

We will hold your personal information after you have left our employ for a statutory period of time to comply with our lawful obligations, after which it would be permanently deleted.

For further information on your rights, please see ‘Your Rights’ above.

Access to records and genealogy requests

If you make a genealogy request, to trace a member of your family, or request access to our historical records, we will collect information to:

  • Check your identity
  • Keep a record of all enquiries received
  • Help locate the information you have requested
  • Monitor our service

We collect your contact details and any other relevant (probably with identifying details) information that would help in responding to your request.

We collect, process and hold the above information for our legitimate interests. We will never share your data with any other organisation, unless required by law, and once we have acted upon your request, your identity documents will be securely destroyed.

In some instances, we may share your contact details and any other information we have with local authorities if during or after we have provided the information you have requested, there were allegations of abuse, neglect or inappropriate behaviour during your (or family member’s) time with us, for them to investigate.

Any other information in relation to your request, such as notes from meetings, is added to your file and stored according to the data protection legal requirements – for example:

  • For residential care files – 75 years from date of birth
  • For genealogy enquiries – 5 years
  • For all other files – 6 years (unless the law requires otherwise)

For further information on your rights, please see ‘Your Rights’ above.

Privacy policy for campaigners and event attendees

When you support us by campaigning, for example by attending any of our events, we collect the information you provide, but only with your consent, to:

  • Keep a record of your support
  • Send you relevant information about campaigns, our interests and/or our events
  • Request further support
  • Keep records of our contact with you such as updates or information we send, and any enquiries or complaints you make

We collect and process your personal information such as your name, address, email address and contact phone number.

If you participate in an event that we have, or someone else has, organised in aid of or on behalf of St Christopher’s, we may ask you to provide information to make sure we can manage the event safely and efficiently. We may also ask you for details of any accessibility needs you may have, so that we ensure our event is inclusive, in line with the provisions of the Equality Act 2010.

We may sometimes use your data for our legitimate interests, to help us become more effective as a children’s charity, for example:

  • Understanding the types of people who support St Christopher’s
  • Finding new supporters of a similar background or age group
  • Developing new services

The data we use would be completely anonymised and we would only use the minimum amount of data required.

We may share limited information about you with our third party partners, but this will only be so that we can contact you in relation to St Christopher’s campaigns, appeals, or updates on events or services.

As mentioned, these partner organisations can only act on our instructions.

And, if you would rather this information was not shared, you can ask to have your preferences changed, withdraw your consent, or object to it being used (in our legitimate interests), at any time.

For further information on your rights, please see ‘Your Rights’ above.

Privacy policy for fundraising, donations, and legacies

When you support our work by fundraising (i.e. taking part in a St Christopher’s (sponsored) event, raising funds for us via a third party event like the London Marathon, donating your own money through ‘gift aid’, ‘Give as you Live’ or ‘Just Giving’ or money raised by a group, or choosing to leave a gift in your will) we will collect the information you provide and only use it to:

  • Keep a record of your support
  • Keep a record of your preferred method of contact (phone, email, post, SMS)
  • Send you relevant information about our work, including campaigns or fundraising events, marketing and fundraising materials
  • Ask for further support
  • Note fundraising events you have taken part in
  • Keep records of our contact with you i.e. updates or information we send, and any enquiries or complaints you make
  • Keep information about donations and Gift Aid, to comply with HMRC requirements

The information we collect includes:

  • Your contact details i.e. your name, address, email address and phone number
  • Your financial details such as your bank card details
  • Details of living executors of your will as it relates to any legacy left to us

If you participate in an event organised by an external party then your information may be passed to us by the processor. When you make a donation through our website, it reroutes automatically to ‘Virgin Money Giving’, a third party website that captures your personal information and passes it to us. Please click on any of our third party donation platforms, such as Give as you Live, Give A Gift, or Virgin Money Giving, to check their privacy policy for confirmation of how they manage your data.

If you make a donation to us in person, we process the transaction using a ‘Worldpay’ cash machine. Worldpay’s privacy notice can be read here. We follow payment card industry (PCI) security compliance requirements when processing credit card payments.

It is important to note that we cannot guarantee the security of your home computer or any information sent over the internet or any publicly accessible communications network, and use of any online communications services is at the user’s own risk.

We may carefully use some of your personal information (completely encrypted) for our legitimate interests, to help us in:

  • Understanding the types of people who support St Christopher’s
  • Finding new supporters of a similar background or age group
  • Developing new products and services
  • Understanding how we can improve existing products and services
  • Advertising those products and services to people with similar interests to you

Retaining your information

We will retain your personal information in line with statutory requirements.

We will never send you marketing by email or SMS (text messaging) without your consent, and you can withdraw your consent at any time. We collect your consent for such communications when you sign up to receive our emails or newsletter, when you opt in to such communications by using our forms (e.g. a donation form or an online form), or when you provide it in person. We will hold and use this consent for two years before reviewing when and how you are responding to our activities using these channels. We will consider your consent revoked if you have not responded to our email or SMS (text messaging) communications after three years.

If you ask us not to contact you, we will keep some basic information about you on a suppression list in order to avoid sending you unwanted materials in the future.

We keep information about donations and Gift Aid for 6 years, on our secure server located in the UK, to comply with HMRC requirements.

Legal basis for contacting you and using your personal information

If you have provided us with your postal or telephone contact details, for example, when making a donation by post, we will carry out an assessment of whether it would be fair and reasonable of us to use those details to send information about our work, fundraising or events and other information to you without your explicit consent (i.e. it is in the interests of our aims as a charity and will not cause undue prejudice to you). This is called a “legitimate interests assessment”. You can, however, opt out of or change the amount or type of marketing and fundraising communications we send you at any time by letting us know your communication preferences. We seek to make this easy for you by asking you to let us know about any preferences you have when we communicate with you. You can also do this by contacting us using the details provided in the ‘Your Rights’ section.

We will ensure we have a legal basis to use your personal information for any of the other purposes mentioned in this policy (usually with your consent, further to a legitimate interests assessment, or because the use of your data is necessary to comply with a legal obligation).

Sharing your information

We may share limited information about you with our third party partners, but this will only be so that we can contact you in relation to St Christopher’s campaigns, appeals, or upcoming events.

As mentioned, these partner organisations can only act on our instructions.

We may use your information to enforce and comply with the law, such as for the purposes of fraud prevention or to comply with the money laundering Act.

Also, if certain levels of donation are made, the Fundraising Regulator’s Code of Fundraising Practice requires us, and all charities in the UK, to perform certain checks on the donation. More details can be found on the Fundraising Regulator website.

If you would rather this information was not shared, you can ask to have your permissions changed, withdraw your consent, or object to it being used to help us (in our legitimate interests), at any time.

How we use profiling

We are grateful for every single penny we receive from our supporters, be it through donations, fundraising, campaigning or legacies.

However, we want to ensure that what we ask of our supporters is fair, reasonable, and relevant to them. For this reason, we carry out an action referred to as ‘profiling’.

This is standard practice across the charity sector, and simply means we look at your personal information (i.e. your background) and consider what is appropriate to ask of you, or send to you.

Manual profiling

Generally, profiling is a manual process, which we carry out by looking at information that you have given us, or information that is publicly available, for example on social media platforms such as Facebook and Twitter, and other public sources such as the Electoral Register, land register, etc.

We may also analyse information such as how often supporters donate, by how much, and in what way and why, in order to decide how often or what type of information and fundraising materials we share with those supporters.

It means we can tailor communications so that they are relevant (perhaps in relation to one of our services in your area), timely, and respectful, by only asking for donations that are within your means, or appropriate for those who may be able/willing to give more than they already do.

It also enables us to identify those who are in the fortunate position of being able to help us fund entire projects or services, and whether they would like to meet us to develop a more personal relationship and/or discuss future opportunities to support our work in helping children. In turn, this approach means we can raise funds sooner, and at less cost.

Automated profiling

Additionally, we may also track emails which we have sent to you using our software to see which messages resonate with people and which have the highest response rates. We do this by logging whether emails we send have been opened, deleted and interacted with, for example, by clicking on links within the emails. We use this information to look at general patterns and to help us better target our activities so that we only send information in this way to people we believe still want to receive the emails they’ve consented to receive.

Profiling on institutional donors/large individual donors

For our institutional donors or any large donor, we may gather information about you from publicly available sources such as Companies House, land records, the Charity Commission of England and Wales, and the media to help us to understand more about you as an individual (or organisation) and your ability and interest to support our work, including financially. Through our research, we aim to collect information about your philanthropic interests, for example, trusteeships or board memberships.

We take this approach in order to ensure that we develop relationships appropriately and that you always receive the most appropriate communications. This also helps ensure that our fundraising activity is as effective as it can be. In some cases, for example in the case of very large donations, this information is also helpful for due diligence purposes and to manage our reputational risks. We may also carry out wealth screening, either in-house or through trusted third-party partners with whom we have appropriate data protection agreements in place, to ensure that any approach for financial support is sensitive and appropriate.

If you would rather your personal information is not used for the purposes of profiling, please contact us using the details in the ‘Your Rights’ section above.

Privacy policy for volunteers

When you join St Christopher’s as a volunteer, we will collect some personal information from you such as your CV, covering letter, relevant supporting information, contact details, previous volunteering history and references, which will be used to assess suitability for volunteer positions.

We may sometimes use third-party volunteer platforms to publish and receive volunteer roles at St Christopher’s. When you apply through these platforms, your application will be automatically rerouted to our website with a link to our privacy policy for you to read and understand. We only work alongside other organisations in this way if we are satisfied that they will safely reroute your application to our website.

We will only ever use the information you provide, and references from your chosen referees, to:

  • Assess and progress your application
  • Contact you regarding other volunteer opportunities

Your information is securely stored on St Christopher’s internal server, which is held here in the UK.

If your application is successful, this information will then form part of your file.

We delete the personal information of unsuccessful applications 12 months after the application process ends in case there are follow-up queries about the process, unless a candidate requests that we keep their details for longer. Statistical information like ethnicity, sexuality and disability is kept to ensure that our recruitment processes are inclusive and not discriminatory, but this is completely anonymised.

If we are required by law to share your information (for example, in response to a warrant or court order), we will do so.

For further information on your rights, please see ‘Your Rights’ above.

Privacy policy for job applicants and shortlisted candidates

Who we are

St Christopher’s recruits through its website and through third party organisations such as recruitment agencies (as determined from time to time) that redirect applications to our website. During the recruitment process, we (“St Christopher’s”) collect, use, hold and are responsible for certain personal information about you.

When we do so, we are regulated under the General Data Protection Regulation (GDPR) which applies across the European Union (including in the United Kingdom) and the Data Protection Act 2018, and we are responsible as ‘a data controller’ of that personal information for the purposes of those laws.

Our Data Protection Officer is our Company Secretary. If you have any queries about the recruitment process or how we handle your information please contact us at recruitment@stchris.org.uk.

What will we do with the information you provide to us?

All of the information you provide during the process will only be used for the purpose of progressing your application, or to fulfil legal or regulatory requirements if necessary.

We will not share any of the information you provide during the recruitment process with any third parties for marketing purposes or store any of your information outside of the European Economic Area. The information you provide will be held securely by us and/or our data processors whether the information is in electronic or physical format.

We will use the contact details you provide to us to contact you to progress your application. We will use the other information you provide to assess your suitability for the role you have applied for.

What information do we ask for, and why?

We do not collect more information than we need to fulfil our stated purposes and will not retain it for longer than is necessary. We will notify you of any changes to information we collect or to the purposes for which we collect and process it.

The information we ask for is used to assess your suitability for employment. You do not have to provide what we ask for but it might affect your application if you do not.

The following table summarises the information we collect and hold for each stage of the recruitment process, how and why we do so, how we use it and with whom it may be shared. It applies to applications for jobs with St Christopher’s and its group companies up to and including the issue of contract of employment stage.

Application stage

Information we collect: Your name, email address and job preferences

  • How we collect the information: From you
  • Why we collect the information: For the performance of a contract or in order to take steps at your request prior to entering into a contract: to enable you to sign up to and receive job alerts
  • How we use and share the information: To enable us to notify you of job opportunities in line with your job preferences

Information we collect: Your name and contact details (i.e. address, home & mobile phone numbers, email address)

  • How we collect the information: From you
  • Why we collect the information: Legitimate interest: to carry out a fair recruitment process; Legitimate interest: to progress your application, arrange interviews and inform you of the outcome at all stages
  • How we use and share the information: To enable the Human Resources department or the recruiting manager to contact you to progress your application, arrange interviews and inform you of the outcome and issue any other correspondence required; To inform the recruiting manager of your application

Information we collect: Your reason for application / CV and covering letter, details of your qualifications, experience, employment history (including job titles, salary, working hours) and interests

  • How we collect the information: From you, in your completed application form and interview notes if relevant
  • Why we collect the information: Legitimate interest: to carry out a fair recruitment process; Legitimate interest: to make an informed decision to shortlist for interview and (if relevant) to recruit
  • How we use and share the information: To make an informed recruitment decision

Information we collect: Your racial or ethnic origin, sex and sexual orientation, religious or similar beliefs

  • How we collect the information: From you, in a completed, anonymised equal opportunities monitoring form
  • Why we collect the information: To comply with our legal obligations and for reasons of substantial public interest (equality of opportunity and fair treatment)
  • How we use and share the information: To comply with our equal opportunities monitoring obligations and to produce and monitor equal opportunities statistics

Information we collect: Declaration of disability

  • How we collect the information: From you in your completed application form
  • Why we collect the information: To comply with our legal obligations and for reasons of substantial public interest (equality of opportunity and fair treatment); Legitimate interest: to carry out a fair recruitment process
  • How we use and share the information: To comply with our equal opportunities monitoring obligations and to follow our equality policy; To carry out a fair recruitment process including provision of reasonable adjustments at interview if required; Shared with recruiting managers

Information we collect: Your information regarding your criminal record

  • How we collect the information: From you, in your completed application form or pre-employment tasks
  • Why we collect the information: To comply with our legal obligations and for reasons of substantial public interest (preventing or detecting unlawful acts, safeguarding children, young persons and vulnerable adults)
  • How we use and share the information: To make an informed recruitment decision; To carry out statutory checks; Information shared with the DBS and other regulatory authorities as required

Information we collect: Details of your referees (to be provided if you are successful in securing the role)

  • How we collect the information: From you, in your completed application form
  • Why we collect the information: Legitimate interest: to carry out a fair recruitment process; For positions in the regulated sector, to comply with our legal obligations to obtain regulatory references (e.g. positions involving safeguarding)
  • How we use and share the information: To carry out a fair recruitment process; To comply with legal/regulatory obligations; Information shared with relevant managers, HR personnel

Our recruitment team will have access to all of this information. Any equal opportunities information provided by you will not be made available to any staff outside of our recruitment team, including hiring managers, in a way which can identify you.

Shortlisting before making a final decision to recruit

Our hiring managers and recruitment consultants (where applicable) will shortlist applications for interview. They will not be provided with your equal opportunities information if you have provided it.

Assessments

We might ask you to participate in assessment days, complete tests or occupational personality profile questionnaires, and/or to attend an interview – or a combination of these. Information will be generated by you and by us. For example, you might complete a written test or we might take interview notes. This information is held by St Christopher’s.

If you are unsuccessful following assessment for the position you have applied for, we may ask if you would like your details to be retained in our talent pool for a period of twelve months. If you say yes, we would proactively contact you should any further suitable vacancies arise.

Conditional offer

If we make a conditional offer of employment we will ask you for information so that we can carry out pre-employment checks. You must successfully complete pre-employment checks to progress to a final offer. We are required to confirm the identity of our staff, their right to work in the United Kingdom and seek assurance as to their trustworthiness, integrity and reliability.

You will therefore be required to provide:

Information we collect: Proof of your identity

  • How we collect the information: From you – you will be asked to attend our office with original documents, we will take copies
  • Why we collect the information: To comply with our legal obligations to prevent fraud or misrepresentation; Legitimate interests: to maintain employment records and to comply with legal, regulatory and corporate governance obligations and good employment practice
  • How we use and share the information: We retain copies for our records; To comply with legal/regulatory obligations

Information we collect: Information about your previous academic and/or employment history, including details of any conduct, grievance or performance issues, appraisals, time and attendance, from references obtained about you from previous employers and/or education providers and/or personal referees (where relevant)

  • How we collect the information: From your referees (details of whom you will have provided on your completed application form)
  • Why we collect the information: Legitimate interest: to make an informed decision to recruit; To comply with our legal obligations; Legitimate interests: to maintain employment records and to comply with legal, regulatory and corporate governance obligations and good employment practice
  • How we use and share the information: To obtain the relevant reference about you; To comply with legal/regulatory obligations; Information shared with relevant managers and HR personnel

Information we collect: Information regarding your academic (and professional) qualifications (as applicable)

  • How we collect the information: From you – in person (we will need to see original copies of documents), from your education provider (from the relevant professional body)
  • Why we collect the information: Legitimate interest: to verify the qualifications information provided by you
  • How we use and share the information: To make an informed recruitment decision; Information shared with relevant managers and HR personnel

Information we collect: Information regarding your personal reference

  • How we collect the information: From you, from the personal referee (details of whom you will have provided on your completed application form)
  • Why we collect the information: Legitimate interest: to make an informed decision to recruit
  • How we use and share the information: To make an informed recruitment decision; Information shared with relevant managers and HR personnel

Information we collect: Information regarding your professional registrations

  • How we collect the information: From you – in person (we will need to see original copies of documents), from the registration body
  • Why we collect the information: To comply with our legal obligations; Legitimate interest: to verify the professional registration information provided by you
  • How we use and share the information: To make an informed recruitment decision; To carry out statutory checks; Information shared with registration bodies as required

Information we collect: Information regarding your criminal record, in criminal records disclosure certificates and enhanced criminal records disclosure certificates (where applicable)

  • How we collect the information: From you and from the Disclosure and Barring Service (DBS)
  • Why we collect the information: To perform the employment contract; To comply with our legal obligations; Legitimate interest: to verify the criminal records information provided by you; For reasons of substantial public interest (preventing or detecting unlawful acts) and safeguarding reasons
  • How we use and share the information: To make an informed recruitment decision; To carry out statutory checks; Information shared with DBS and other regulatory authorities as required

Information we collect: Your nationality and immigration status and information from related documents such as your passport or other identification and immigration information

  • How we collect the information: From you
  • Why we collect the information: To enter into/perform the employment contract; To comply with our legal obligations; Legitimate interest: to maintain employment records
  • How we use and share the information: To carry out right to work checks; Information may be shared with the Home Office

Information we collect: A copy of your driving licence (where applicable)

  • How we collect the information: From you if you are appointed to a driving position
  • Why we collect the information: To enter into/perform the employment contract; To comply with our legal obligations; To comply with the terms of our insurance
  • How we use and share the information: To make an informed recruitment decision; To ensure that you hold a clean driving licence; Information may be shared with our insurer

Information we collect: Information regarding your occupational health clearance

  • How we collect the information: From you
  • Why we collect the information: Legitimate interest: to make an informed decision to recruit; To comply with our legal obligations
  • How we use and share the information: For occupational health assessment purposes; To make an informed recruitment decision; Information shared with relevant managers and HR personnel

Before issuing a contract of employment

If we make a final offer, we will also ask you for the following:

Information we collect: Your emergency contact details

  • How we collect the information: From you
  • Why we collect the information: To enter into/perform the employment contract (so we know who to contact in case of an emergency at work); To comply with our legal obligations; Legitimate interest: to maintain good employment records and good employment practice
  • How we use and share the information: To ensure that we hold contact details in the event of an emergency; Information shared with relevant managers and HR personnel

Information we collect: Financial information including Bank Details, Tax Information, Student Loan Status and NI number

  • How we collect the information: From you
  • Why we collect the information: To enter into/perform the employment contract (to process salary payments); To comply with our legal obligations
  • How we use and share the information: To set up your payroll record, enrol you in the appropriate pension scheme and issue a contract of employment; Information shared with HMRC, Student Loans Company

We also comply with the additional conditions set out in the Data Protection Act 2018 which relate to criminal convictions and other special categories of personal data (sensitive personal information). The following personal information we collect from you pertains to special category and criminal conviction data:

  • Convictions
  • Cautions
  • Reprimands or warnings
  • Nationality and immigration status
  • Occupational health information

Our additional lawful bases (to those stated above) for processing these categories of personal data can be:

  • Because you have given us your explicit consent
  • Because the processing is necessary for the purpose of carrying out our obligations and exercising our/your specific rights in the field of employment as authorised by employment regulations, the Equality Act and the Data Protection Act 2018
  • Because the processing is necessary for reasons of substantial public interest

It is within our legitimate interest to follow recruitment best practice, to maintain employment records and to comply with legal, regulatory and corporate governance obligations and good employment practice – but only if these are not overridden by your interests, rights or freedoms. This means we will not use your data in any way that you would not reasonably expect.

Transfer of Undertakings and Protection of Employment (TUPE)

Where your employment transfers to St Christopher’s or other St Christopher’s Group Companies under TUPE regulations, the transferring employer remains the data controller until the transfer takes place.

TUPE requires that information (known as ‘employer liability information’) must be given to the new employer before the transfer takes place. This includes some personal data. This information will only be used in connection with the proposed transfer. GDPR allows this disclosure because it is required by law and consent is not required.

St Christopher’s and St Christopher’s group companies will not request more information than is required under the TUPE regulations and will comply with GDPR principles when handling this personal information. In the event that additional information is required, the data controller will request consent from the affected employees.

Once the transfer has taken place St Christopher’s or its group companies will receive further information from each transferring employee’s employment record (e.g. Personal File). The former employer does not need the employees’ consent to the transfer of their personal information if it is necessary for the purpose of the transfer and business needs of both parties.

Use of data processors

Data processors are third parties who provide elements of our recruitment service for us. We have contracts in place with our data processors. This means that they cannot do anything with your personal information unless we have instructed them to do it. They will not share your personal information with any organisation apart from us. They will hold it securely and retain it for the period we instruct.

U Check: They complete criminal record checks on our behalf. If you are successfully selected for a role then we will provide you with instructions on how to complete these either online or via post. Your DBS certificate comes directly to you; we do not receive or retain a copy of this. Their privacy notice can be found here.

Cascade: This is software owned by IRIS Human Capital Management Limited. If you accept a final offer from us, some of your personnel records will be held on Cascade which is an internally used HR information system. You will also have access to the information held here. Their privacy notice can be found here.

Occupational medicals: If we make you a conditional offer, we will ask that you complete a questionnaire which will help to determine if you are fit to undertake the work that you have been offered, or advise us if any adjustments are needed to the work environment or systems so that you may work effectively. We will send you a link to the questionnaire which will take you to the Occupational Medicals website. The information you provide will be processed by Occupational Medicals, and they will provide us with a fit to work statement, or a not fit for work statement, or a fit for work with recommendations (such as reasonable adjustments) statement.

How long is the information retained for?

If you are successful, the information you provide during the application process will be retained by us as part of your employee file for the duration of your employment plus 6 years following the end of your employment. This includes your criminal records declaration, fitness to work, records of any security checks and references.

If you are unsuccessful at any stage of the process, the information you have provided until that point will be retained for 2 years from the closure of the campaign unless you make a request to the Recruitment Service to remove this.

Information generated throughout the assessment process, for example interview notes, is retained by us for 2 years following the closure of the campaign.

Equal opportunities information is retained for 2 years following the closure of the campaign whether you are successful or not.

How do we keep your information secure?

We have appropriate security measures in place to prevent personal information from being accidentally lost, or used or accessed in an unauthorised way. We limit access to your personal information to those who have a genuine business need to know it. Those processing your information will do so only in an authorised manner and are subject to a duty of confidentiality.

We also have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.

How do we make decisions about recruitment?

Final recruitment decisions are made by hiring managers and members of our recruitment team. All of the information gathered during the application process is taken into account.

You are able to ask about decisions made about your application by speaking to your contact within our recruitment team or by emailing recruitment@stchris.org.uk.

Your rights

Under GDPR you have rights which you can exercise free of charge which allow you to:

  • know what we are doing with your information and why we are doing it
  • ask to see what information we hold about you (subject access request)
  • ask us to correct any mistakes in the information we hold about you
  • object to direct marketing
  • make a complaint to the Information Commissioner’s Office
  • withdraw consent at any time (if applicable)

Depending on our reason for using your information you may also be entitled to:

  • ask us to delete information we hold about you
  • have your information transferred electronically to yourself or to another organisation
  • object to decisions being made that significantly affect you
  • object to how we are using your information
  • stop us using your information in certain ways

We will always seek to comply with your request; however, we may be required to hold or use your information to comply with legal duties. Please note, your request may delay or prevent us delivering a service to you.

For further information about your rights, including the circumstances in which they apply, see the guidance from the UK Information Commissioner’s Office (ICO) on individuals’ rights under GDPR.

If you would like to exercise a right, please contact our data protection officer by emailing dataprotection@stchris.org.uk.

Contact

Please contact our human resources department at recruitment@stchris.org.uk to exercise any of your rights, or if you have a complaint about why your information has been collected, how it has been used or how long we have kept it for.

You can contact our Data Protection Officer at dataprotection@stchris.org.uk, or write to: Data Protection Officer, St Christopher’s Fellowship, 1 Putney High Street, London SW14 1SZ.

GDPR also gives you the right to lodge a complaint with a supervisory authority. The supervisory authority in the UK is the Information Commissioner or the Isle of Man Information Commissioner.