Duffus Community Foundation (or DCF) is a registered charity (1173774) based in Croydon, South London.
We make a positive difference to children & young people’s wellbeing through groupwork and 121 activities. Our group programmes support young people to meet others and learn tools and techniques to boost wellbeing. We empower young people to share their ideas and shape provision around their interests and requirements. DCF also work in schools delivering our resilience programme that gives young people some of the tools needed to navigate life’s challenges.
2. Your Rights
DCF is fully committed to respecting and protecting your information, using it reasonably and in line with the General Data Protection Regulation (GDPR) that came into force on 25th May 2018. When you choose to provide us with personal information, it will only be used to support your relationship with DCF and in line with this policy.
Under GDPR, you have a number of rights in relation to your personal data, which we recognise and will act upon accordingly. These are as follows:
- right to be informed of why, where and how we use your information
- request access to your personal information
- have your personal information corrected if it is inaccurate or incomplete
- have your personal information erased from our systems where we have no legitimate interest for continuing to hold such information.
- restrict the use of your information, where you have previously provided us with your consent
- ask us to transfer your personal information to another person or organisation
- object to how your information is used.
- Where you have provided consent to be contacted or to receive a service, you have the right to withdraw that consent at any time.
Once we have received notification that you have withdrawn your consent, we will no longer process your personal information, except where legally required and subject to our retention policy, we will dispose of your data securely.
3. Where and how we collect your information
The vast majority of information collected by DCF is provided knowingly by our young people, their families and supporters. We rarely seek personal data from third party organisations but some might be provided to us in the normal course of our business relationships with companies or organisations.
For people directly involved with the DCF (employees, volunteers, members etc), we will ask you to provide personal information to us through the completion of an application form to establish that relationship.
Where you make an online donation either through our website or through a third party provider such as a credit card company or People’s Fundraising, they may provide the details necessary for us to record your donation and say thank you.
Where you wish to support DCF, you may be asked to provide contact details so we can keep you informed with what’s happening. Where you make a donation and provide a Gift Aid declaration, we will need to maintain that information in our records for HMRC disclosure, if necessary to justify our gift aid claim.
4. What information we collect, why and how we use it
The type of information we collect and retain and how we use it will depend on your relationship with DCF. More details on each type of relationship are shown below but in summary we will:
- Collect personal data that will consist mainly of contact details but for young people using our services and in some other cases we will collect more detailed information.
- Retain the personal data provided via online forms and on our central database maintained on a secure Cloud-based system. All information received by other means will be transferred to our central database when we have your consent to store that information.
- Occasionally we receive your personal information through external event organisers or through third party websites such as People’s Fundraising or Eventbrite. Such information will be treated as if it was received from you directly and only used with your consent.
- Use your personal data to contact members and others to offer our services and information regarding DCF events. We will only contact you if you have provided your consent to be contacted on these matters.
- Mailing list communication from us will either have an “unsubscribe” option or tell you how to contact us to request to amend your consents.
What do we collect?
We may collect and use some or all of the following types of personal data, which may include information that you provide to us, information that we collect about you, for example, in relation to your use of the website and/or the Services, and information that we collect from third parties:
- Full name;
- Contact information (address, telephone number, email address etc.);
- Contact names and contact information of your emergency contact, spouse/partner and/or referee;
- Images (print and digital photographs, moving images i.e. video);
- Personal and demographic information (date of birth, age, gender, nationality etc.);
- Professional information (organisation, title, board memberships, connections, employment records etc.);
- Support services (Looked After Children, support/ key workers etc.);
- Safeguarding records (concerns, disclosures, meetings etc.);
- Identification numbers;
- Biometric data;
- Financial information;
- Information relating to a young person’s attendance
- With regard to your visits to our website, we may collect the following information:
- Technical information, including the Internet protocol (IP) address used to connect your computer to the Internet, browser type and version, time zone setting, browser plug-in types and versions, operating system and platform;
- Information about your visit to the website, including the full Uniform Resource Locators (URL), clickstream to, through and from our website (including date and time), pages you viewed or searched for, page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks, and mouse-overs), methods used to browse away from the page.
Special Categories of Personal Data relating to you that we may process may include (without limitation):
- Racial or ethnic origin;
- Religious or other beliefs of a similar nature;
- Physical or mental health or condition;
- Sexual health and relationships;
- The commission or alleged commission by you of any offence; and/or
- Any proceedings for any offence committed or alleged to have been committed by you, the disposal of such proceedings or the sentence of any court in such proceedings.
a. Young people accessing our services
Young people (or their families or schools) are asked to complete an application form that is needed by us to run the operations of the charity and for which there is a valid lawful basis.
This information will be recorded on our cloud-based secure system. The information will then be used to offer, provide, and monitor your use of our services. By signing the application form, you will be consenting to our collecting, storing and using your data for this purpose.
When working with groups of young people in school, we ask for non-identifying information and use initials only.
We would also like to contact you using the information you have provided to us with our periodic general and fundraising newsletters as well as specific information on certain events and information that we think you might be interested in. We will not do so without having first received your specific consent to receiving these. Any contact made by us will be in the manner you tell us is acceptable.
We will only keep personal data for as long as we are either required to by law or as is relevant for the purposes for which it was collected in line with our GDPR policy, a copy of which is available on request by contacting us on firstname.lastname@example.org. After this point, the data will either be deleted or rendered anonymous.
Retention of data will normally be in line with statutory requirements, except where legitimate interest or best practice recommendations relevant to on-going provision of the charitable services dictate alternative periods, for example where an insurance company requires the retention of Member information for a period of 50 years in the event of an abuse claim.
We will keep a record of your name and email address on our ‘do not contact’ suppression list if you request that we do not send you direct marketing.
b. Staff, Volunteers including Trustees
Before any new person joins the DCF team, they will have completed a confidential application form.
In the course of our activities and legal obligations as an employer and providing volunteer opportunities we will process personal data (which may be held on paper, electronically, or otherwise) about our applicants; and we recognise the need to treat it in an appropriate and lawful manner, in accordance with GDPR.
We process the personal information you provide to us when you apply for a job or to volunteer with us. We may also receive personal data from third parties such as an independent recruitment agencies.
We use this information to assess your suitability for the role applied for and where applicable during the interview process.
We only request information from you that is required to satisfy legitimate recruitment information, to satisfy relevant health and safety requirements and to satisfy relevant equal opportunities legislation. It will also be used to obtain third party references or to meet statutory obligations.
Contact details only will be stored in our central database with all the other information kept securely in confidential electronic and paper files. The sensitive data stored will rarely need to be processed and will only be done so as part of our normal employment checks and for subsequent personnel matters such as payroll once employment has commenced.
Our supporters come in many guises including individual and business donors, fundraisers and people interested in the charity and what we do in the local community and for our young people. It is important to us to have as many supporters as possible on our database to help spread awareness of our services. In the majority of cases, we will just receive normal contact details consisting of some or all of name, address, telephone number(s) and email address. For donors, our database will record when and how we have received your donation.
Credit card details are never retained in paper or electronic form.
If you provide us with a Gift Aid declaration, the information will be transferred to our database and will, if requested be provided to HMRC. We will need to retain the database information for as long as HMRC rules dictate.
We will only use your contact details in a way that you have consented to or where the contact is a legitimate part of the contact between us. We would obviously like to contact you with regular updates about our services and with information on events and fundraising campaigns, but only if we have received your consent to do so.
5. How we keep your personal data secure
Electronic records of personal data are held securely on our cloud-based system. Access to such records is strictly limited to those with a legitimate requirement.
6. Sharing your personal data with third parties
We will only share your personal data with certain third parties:
- where it is a necessary for DCF to provide its services
- where we use a third party to process the data on our behalf. This will normally involve use of their software or hardware and includes credit card operators, MailChimp etc;
- where we have a legal obligation to do so. For example, auditing of our accounts or provision of information to HMRC for Gift Aid purposes;
- where you have given your consent for us to do so.
7. How long we keep your data
We hold your personal data for as long as necessary to fulfil the purpose it was collected or the relationship with you is ongoing and then a reasonable retention period afterwards to ensure we can maintain accurate records of our services and your preferences. Where we have had no contact from you for three years, we will normally contact you one further time to seek your consent to future communications. If we do not receive any response, we will then remove your personal data from our records, unless we have a legal obligation to retain your information for a longer period.