Rose Castle Foundation Privacy Policy

Version 3.0 | Last updated 19 November 2021

 

Your information security matters to us.

At the Rose Castle Foundation (Charity No. 1159568), we are committed to protecting and respecting your privacy. We take the security of data you provide to us with utmost seriousness, processing only necessary data to keep your right to privacy at heart. Remember that you have the right to access your information, to object to its collection, to restrict, to erase, to rectify, and to receive human-made decisions. 

Who we are

Your private information is collected by the rosecastlefoundation.org domain under the oversight of the Rose Castle Foundation, which is liable to you for collecting, storing and removing your information as you require or permit. This legal organisation listed immediately below is the Data Controller of your information:

Rose Castle Foundation (RCF) – the charitable activities of education, residential and workshop programmes focused on peace and reconciliation delivered across the UK and abroad.

Registered address: Rose Castle Foundation, Rose Castle Farm Cottage, Rose Castle, Dalston, Carlisle, Cumbria, CA5 7BY
Registered charity no: 1159568

All personal information about you will be under the control of Rose Castle Foundation acting as Data Controller and will be processed in line with applicable UK data protection legislation including, but not limited to, the General Data Protection Regulation (EU) 2016/679 (GDPR) and the Data Protection Act 2018 (the DPA). Rose Castle Foundation is registered with the Information Commissioner's Office (ICO) and our registration number is ZA776379.

This privacy policy sets out how we collect, use and protect your personal information.

To update your information and/or to make changes to your preferences at any time, please contact our Data Protection Officer (DPO), Joe Banfield, at contact@rosecastle.foundation. More information about your rights is contained in the policy below.

This policy explains:

We may change this Privacy Policy from time to time to ensure that that it is up to date and in line with current legislation. If you would like to view the Privacy Policy please contact us. We deem that you accept changes to this Privacy Policy unless you notify us otherwise. The current Privacy Policy was reviewed July 2021.

 

What is personal information?

Personal information is information about someone which allows that person to be identified. Examples of personal information that we collect and hold about you include:

  • Names
  • Personal details – in relation to job applications/employment
  • Contact information including telephone number, postal address, email address
  • Demographic information such as area of interest e.g. events, volunteering opportunities or activities you are interested in and your personal contact preferences
  • Personal information such as your religious identity, in relation to delivery of a service
  • How you heard about us
  • Financial information such as credit/debit card or bank details so that we can process payments, payroll
  • Other information relevant to bookings, delivery of a service, employment related, and/or relating to offers
  • Preferences you indicate via web forms on your choices of activities, services, needs and other factors relevant to your programme

Some personal information is deemed to fall into special categories of personal data. The special categories of data that we hold will be information about your religion, in relation to delivery of a service.

 

How do we collect your information?

We only hold your ‘personal’ data when you provide it to us, e.g., when you register for a programme with us, apply for a role with us, become an employee, when you use our website, when you subscribe to our communications, when you contract with us for a service and the data that we do hold is relative to your relationship with us. It will only include personal information that you have voluntarily provided to us (as above).

We also may receive personal information indirectly, in the following situations:

  • A complainant refers to you in their complaint correspondence.
  • From other regulators or law enforcement bodies.
  • An employee of gives your contact details as an emergency contact or a referee.

 

How do we use your information? 

We do not collect more information than we need to fulfil our stated purposes and will not keep it longer than necessary. We require this information to understand your needs and provide you with a better service, and in particular for the following reasons:

  • Internal record keeping
  • To respond to your request for a service – e.g., programme bookings
  • To send you information relevant to your relationship with us – e.g., member, trustee, customer, delegate
  • To invite you to stay, attend an event, or participate in training or educational programmes
  • To fulfil a contract e.g., provision of accommodation
  • To process payment
  • To improve our products and services
  • To ensure the security and safety of our services
  • To process an application/ manage your employment with us
  • If you have requested information about new products, services special offers or other information which we think you may find interesting we may periodically send promotional emails using the email address which you have provided
  • From time to time, we will also use your information to contact you for monitoring evaluation purposes. We are likely to contact you by email, but we may contact you by phone or post.

 

The purpose and lawful basis for processing your data

Make an enquiry/contact:
6 (1) (b): The processing is necessary for the performance of a contract to which the data subject is a party, or for the taking of steps at the request of the data subject with a view to entering into a contract.

Attend an event/training/network:
6 (1) (a): The data subject has given his consent to the processing
9 (2) (a): the data subject has given his explicit consent to the processing of the personal data for one or more specified purposes (if dietary or access information is provided).

Subscribe to communications:
6 (1) (a):The data subject has given his consent to the processing

Make an information request:
6 (1) (c): The processing is necessary for compliance with any legal obligations to which the data controller is subject, other than an obligation imposed by contract

Enter into a service:
6 (1) (b): The processing is necessary for the performance of a contract to which the data subject is a party, or for the taking of steps at the request of the data subject with a view to entering into a contract
9 (2) (b) processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or the data subject in the field of employment and social security and social protection law (if any special category data is provided).

Provision of a service (e.g. payroll):
6 (1) (c): The processing is necessary for compliance with any legal obligations to which the data controller is subject, other than an obligation imposed by contract

9 (2) (b) processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or the data subject in the field of employment and social security and social protection law (if any special category data is provided)

Make a complaint:
6 (1) (d): The processing is necessary in order to protect the vital interests of the data subject
Emergency Contacts:
6 (1) (d): The processing is necessary in order to protect the vital interests of the data subject
Applications for role// Trustee:
6 (1) (b): The processing is necessary for the performance of a contract to which the data subject is a party, or for the taking of steps at the request of the data subject with a view to entering into a contract
9 (2) (b) processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or the data subject in the field of employment and social security and social protection law (if any special category data is provided)

Employees:
6 (1) (f): The processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject
DBS Checks (employees/volunteers)
The processing is necessary under the Law Enforcement Directive
9 (2) (b): processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or the data subject in the field of employment and social security and social protection law (if any special category data is provided).

Communicate with us as business:
• 6 (1) (c) suppliers, contractors, building management, IT services The processing is necessary for compliance with any legal obligations to which the data controller is subject, other than an obligation imposed by contract

• 6 (1) (f) The processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject

 

Your rights in relation to this processing

As an individual you have certain rights regarding our processing of your personal data, including a right to lodge a complaint with the Information Commissioner as the relevant supervisory authority.

 

Who do we share data with?

We never have and never will sell your data or share it with another company or charity for marketing purposes. We keep your data safe and will only share this when we are required to by law or we are using other companies’ services – for example Hubspot to circulate our email bulletins or compliance and regulatory bodies: HM Revenue & Customs (HMRC), police, local authorities, where they request it and we may lawfully disclose it, for example for the prevention and detection of crime.

Any company whose services we use in this way are required to treat your data as carefully as we do and use it only in the course of the work, they are doing for us.

Third parties who may provide an element of a service for us are classed as Data Processors. They will not share any data with any organisation other than us. They will hold it securely and retain it for the period instructed.

We will not sell, distribute or lease your personal information to third parties unless we have your permission or unless we are required by law to do so.

 

Where will your information be stored? 

The information provided will be held in accordance with the General Data Protection Regulations and may be used by the Rose Castle Foundation to supply the services which you have requested and/or to ensure the protection and safety of our staff.

Where we have collected the personal information based on your consent and we have no other lawful basis to continue with that processing, if you subsequently withdraw your consent then we will stop processing that personal information and delete it. This will not affect the lawfulness of processing based on consent before its withdrawal.

In order to prevent unauthorised access or disclosure we have effective physical, electronic and managerial procedures to safeguard and secure the information we hold about you including online collection of data.

We keep information about you safe and secure by using electronic databases, including Hubspot and Microsoft Office 365, both of which are password protected systems, accessed only by staff who have been sufficiently trained and who are bound by our organisational policies and procedures. Paper copies are kept securely in locked drawers/cupboards. If you have provided information on paper, it may be transferred to an electronic database.

If we collect and retain information for payment, audit or employment purposes, it is stored securely. We do not store debit/credit card details and destroy or obscure these as soon as your payment is processed.

The data that we collect from you may be transferred to, and stored at, a destination outside the European Economic Area ("EEA"). It may also be processed by staff operating outside the EEA who work for us or for one of our suppliers. Such staff may be engaged in, among other things, the fulfilment of your order, the processing of your payment details and the provision of support services.

If we do transfer information outside the EEA, we will make sure that it is protected in the same way as if it was being used in the EEA. To do this we will use one or more of these safeguards:

  • Only transfer it to a non-EEA country with privacy laws that give the same protection as the EEA as specified by the European Commission and which has been determined as adequate by the EEA;
  • Ensure that a contract with the recipient (data processor) is in place that means that they must protect it to the same standards as the EEA;
  • If transferring personal data to the US ensure that the organisation is part of Privacy Shield, which is a framework that sets privacy standards for data sent between the US and EU countries.

You can find out more about these safeguards on the European Commission Justice and ICO websites.

By submitting your personal data, you agree to this transfer, storing or processing. We will take all steps reasonably necessary to ensure that your data is treated securely and in accordance with this privacy policy.

 

How long is your information kept?

We only keep data for as long as it is required. You have the right to ask for your information to be removed from our records. 

We review the retention periods for personal information on a regular basis. We are legally required to hold some types of information to fulfil our statutory obligations (e.g. financial and contractual obligations and records). We will hold the information as long as is necessary for the relevant activity or as long as set out in any contract you hold with us.

 

Websites

Rosecastlefoundation.org Website

Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to our site; any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access.

 

Links to other websites

Our website may contain links to and from other websites including some of our partners, affiliates and other websites of interest. However, please note that we do not have any control over that other website and therefore cannot be responsible for the protection and privacy of any information which you provide whilst visiting such sites. They are not governed by this privacy policy and we do not accept any responsibility or liability for these sites and would advise that you check the privacy statements before submitting any personal data to these websites.

  

Cookies

It is possible that we may gather general information regarding your computer for our services. This collection of data is used for statistical analysis about our website for use by us.

Any information shared regarding your computer will not identify who you are, but rather be mathematical data about our visitors and their use on our site. The computer data does not give out any personal details.

Cookies, which are small pieces of information sent by an organisation to your computer and stored on your hard drive to allow that website to recognize you when you visit, may be used to gather this general internet data. When used, cookies are downloaded to your computer only when accepted by you and they gather information on browsing actions and patterns and do not identify you as an individual. This helps us improve our site and services to you.

All computers can block cookies by activating proper browser settings. There is a place to enable you to decline cookies when you visit our site. Please note if you decline cookies you may experience limited access to certain areas of our site.

 

Social Media

Rose Castle Foundation uses Facebook and Twitter for social media interactions. For details of their privacy policies: www.facebook.com/about/privacywww.twitter.com/privacy

 

Your rights as a data subject.

At any time, you may review or update the personally identifiable information that we hold about you, by contacting us at the address below. To better safeguard your information, we may also take reasonable steps to verify your identity before granting access or making corrections to your information.

Rectification: We want to make sure that the personal information we hold about you is accurate but if you believe that any information, we are holding on you may be incorrect or incomplete, please contact us as soon as possible (see Contact us). We will promptly correct any information found to be incorrect.

Access: You have the right to request a copy of the information we hold about you (Data Subject Access Request) and this can be submitted at any time. We will respond within one month of receiving this request in writing. Please contact us for full details.

Erasure: You also have the right to request the modification or erasure of your personal information (otherwise known as right to be forgotten). We will only decline to modify or erase your personal information in some cases in accordance with applicable national laws. To protect your right to be forgotten, all personal data not subject to a contract will either be anonymised or destroyed.

Restriction: You can limit the way we use your personal data if you are concerned about the accuracy of the data or how it is being used.
We do not make any decisions by automated processes.

Data Portability: This only applies to information you have given us. You have the right to ask that we transfer the information you gave us from one organisation to another or give it to you. The right only applies if we are processing information based on your consent or under, or in talks about entering into a contract and the processing is automated.

If you wish to opt out of any communication/update your preferences please simply follow the instructions at the end of every communication from us or contact us

 

Can I find out the personal data that Rose Castle Foundation holds about me?

At your request, Rose Castle Foundation can confirm what information we hold about you and how it is processed. If we hold personal data about you, you can request the following information:

  • The purpose and legal basis for processing;
  • If the processing is based on the legitimate interests of Rose Castle Foundation or a third party, information about those interests;
  • The categories of personal data collected, stored, and processed;
  • The recipient(s) or categories of recipients that the data is/will be disclosed to;
  • If we intend to transfer the personal data to a third party or international organisation, information about how we ensure this is done securely;
  • How long the data will be stored;
  • Information about your right to withdraw consent at any time;
  • Whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether you are obliged to provide the personal data and the possible consequences of failing to provide such data;
  • The source of personal data if it wasn’t collected directly from you; and
  • Any details regarding automated decision making, such as profiling, and any meaningful information about the logic involved, as well as the significance and expected consequences of such processing.

If we need to establish your identity before responding to a request to exercise your rights, we may request that you provide us with ID, for example passport, driving licence, birth certificate or utility bill (within the last three months).

If you would like to exercise any of your rights or request a copy of some or all of your personal information, please contact our Data Protection Officer on the details provided below.

 

Complaints

If you wish to make a complaint about how your personal data is being processed by Rose Castle Foundation or any of our third parties, or how your complaint has been handled, please contact Rose Castle Foundation’s Data Protection Officer on the details provided below.

You also have the right to complain to the ICO about how we have processed your personal data. The ICO can be contacted at Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, by telephone on 0303 123 1113 or through the website www.ico.org.uk.

 

How to contact us

You can contact us in the following ways to discuss any aspect of this notice or about the information we hold about you:

This privacy notice may change from time to time. Please check our website on a regular basis to read our latest version.

  

What data we collect

What we do with it

Name, address, and contact details, including email address and telephone number.

To correspond with you.

Details of your qualifications, skills, experience and employment history, including start and end dates, performance, attendance, conduct, training record, disciplinary and grievance information with previous employers

To assess your suitability for employment and to request references should we decide to make you an offer.

 

To keep records of our hiring process

Passport, national insurance details, images and other evidence of identity

Confirmation of your identity

Information about your nationality and entitlement to work in the UK

To check your right to work in the UK and enter into a contract with you

For certain positions - DBS (Disclosure Barring Service) details

To ensure the suitability of individuals for certain positions

For positions where you are required to work in a care home or visit care homes as part of your role – details of your Covid vaccination or exemption status

To meet government and regulatory requirements

Records, emails, correspondence and other communication you created or updated in relation to your application for employment.

Share with relevant third parties for the purposes of references, verification, and fraud prevention

Information about your criminal record (where this is a requirement of the role or relates to unspent convictions)

To ensure you are permitted to undertake the role in question.

For positions where you are required to drive – details of your driving licence, motoring convictions, vehicle insurance

To ensure you have the legal capacity for a role that involves driving at work

Details of your car/vehicle ownership and registration

To ensure you have the capacity for a role that involves driving at work

 

To process expenses claims

 

For parking control and monitoring parking

Information about medical or health conditions, including whether you have a disability for which Rose Castle Foundation needs to make reasonable adjustments under the Equality Act 2010

To ensure that reasonable accommodation can be made for interview and for the role in question.

Equality and diversity monitoring information, including your ethnic origin and date of birth.

For the purposes of equal opportunities monitoring to ensure we are being fair in our employment practices

Voice recordings of phone calls

Monitor service quality, complaint resolution