Privacy Policy

All permanent staff, freelance staff and volunteers will be given a copy of the following policy and our GDPR information guidance.

The Board has overall responsibility for the implementation and monitoring of the Data Protection Policy. Suggestions for improvements to the Policy, or complaints about the Policy, should be addressed to the Chair of the Board. The underlined text contains a link for further information on the Information Commissioner’s Office website www.ico.org.uk 

Why do we collect personal information?

We collect personal information depending on the service we are offering to you: as a participant, as someone coming to see an event, as someone interested in PSU’s activities, or if you deal with us on behalf of your business. We also collect information about people who visit our website or social media pages.

 

Data protection principles

Data is: Processed lawfully, fairly and in a transparent manner

There are several grounds on which data may be collected, including consent.

 

  • We are clear that our collection of data is legitimate, and we have obtained consent to hold an individual’s data, where appropriate.

 

  • We are open and honest about how and why we collect data and individuals have a right to access their data.

 

All data has been, or is, collected for specified, explicit and legitimate purposes and is not used for any other purpose

 

How we collect and manage data:

 

  • We are clear on what data we will collect and the purpose for which it will be used.
  • We only collect data that we need.
  • When data is collected for a specific purpose, it may not be used for any other purpose without the consent of the person whose data it is.

 

Adequate, relevant and limited to what is necessary

  • We collect all the data we need to get the job done.
  • And none that we don’t need.

 

Accurate and, where necessary, kept up to date

  • We ensure that what we collect is accurate and have processes and/or checks to ensure that data which needs to be kept up-to-date is, such as beneficiary, staff or volunteer records.
  • We correct any mistakes promptly.

 

Kept for no longer than is necessary

  • We understand what data we need to retain, for how long and why.
  • We hold data only for as long as we need to.
  • That includes both hard copy and electronic data.
  • Some data must be kept for specific periods of time (eg accounting, H&SW).
  • We have some form of archive/review policy/process that ensures data no longer needed is destroyed.
  • We review marketing data on Mailchimp and remove inactive email accounts every 4 years.

 

Held Securely

 

  • Processed to ensure appropriate security, not only to protect against unlawful use but also loss or damage.
  • Data is held securely so that it can only be accessed by those who need to do so. For example, paper documents are locked away, access to online folders in shared drives is password restricted to those who need it, IT systems are password protected, and/or sensitive documents that may be shared (eg payroll) are password protected.
  • Third party storage (Mailchimp). Mailchimp is our email service provider and the only third party provider we use for marketing. We ask people to choose what they want to hear from PSU about. Individuals, as well as PSU, can update their accounts.
  • Data is kept safe. Our IT systems have adequate anti-virus and firewall protection that’s up-to-date. Staff understand what they must and must not do to safeguard against cyber-attack, and that passwords must be strong and not written down or shared.
  • Data is recoverable. We have adequate data back-up and disaster recovery processes.

 

Individual Rights

  • We recognise that individuals’ rights include the right to be informed, of access, to rectification, erasure, restrict processing, data portability and to object.

If you wish to discuss, edit or remove your data please contact info@peoplespeakup.co.uk

 

Use of Imagery/Video

 

  • All imagery is protected by copyright and cannot be used without the consent of the owner, usually the person who took the image.
  • We will obtain consent to photograph and video people wherever this is reasonably possible.
  • Imagery will only be used for the purpose originally intended.
  • It cannot be used for another purpose without the consent of the individuals concerned.
  • Consent forms will be used for small groups and individuals.
  • People will be told how the imagery will be used.
  • We will only use the imagery according to how the person/people were told it would be used.
  • When using images of children, or people who may not be competent, consent will be obtained by their carer.
  • When using images of children or other vulnerable people, we will only use the imagery if we are confident it will not place them at risk, particularly if it is to be used in publicity such as in the media or on the web.

 

Third Party, PSU website and social media channels.

 

The PSU website may include links to third-party websites, plug-ins and applications such as Google Analytics and social media (YouTube, Facebook, X and Instagram). Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. When you leave our website, we encourage you to read the privacy policy of every website you visit.

 

You are in control of your personal settings on social media. We will only contact you if you wish to receive messages from us depending on your permission to access information from those accounts or services.

 

IP Addresses and Cookies

PSU uses Cookies and Analytics to gather information about online users, including where available your IP address, operating system and browser type, for system administration and to help us monitor our engagement and delivery to you.

 

An IP address is a unique number which allows a computer, group of computers or another internet connected device to browse the internet. The log file records the time and date of your visit, the pages that were requested, the referring website (if provided) and your internet browser version. Using Google Analytics, we use this information to help understand online engagement: where users are from, what pages they are most interested in, how they found the information and how we could improve our engagement. This is statistical data about our users' browsing actions and does not identify any individual.

 

 

Data Protection Impact Assessment (DPIA)

We will maintain an up-to-date DPIA, with adequate oversight procedures to ensure that we can be confident that all substantive data protection risks have been identified and are being managed effectively.

 

Data Breach

A breach is more than just losing personal data. It is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.

 

• We will investigate the circumstances of any loss or breach, to identify if any action needs to be taken. Action might include changes in procedures, where they will help to prevent a re-occurrence, or disciplinary or other action in the event of negligence.

• We will notify the ICO of a breach within 72 hours if it is likely to result in a risk to the rights and freedoms of individuals. If unaddressed, such a breach is likely to have a significant detrimental effect on individuals. For example:

  • Result in discrimination.
  • Damage to reputation.
  • Financial loss.
  • Loss of confidentiality or any other significant economic or social disadvantage.

 

Complaints to the ICO

If you have any concerns about how we collect or process your information then you have the right to lodge a complaint with a supervisory authority, which for the UK is the UK Information Commissioner’s Office (“ICO”). Complaints can be submitted to the ICO through the ICO helpline by calling 0303 123 1113. Further information about reporting concerns to the ICO is available at https://ico.org.uk/concerns/.

 

This Policy was updated 1 July 2024. Those who have consented to receive email information will be notified by email of any further updates to the Privacy Policy.