The William Barry Trust: Privacy Notice
What is the purpose of this document?
The William Barry Trust (the Trust) is committed to protecting the privacy and security of your personal information. This privacy notice describes how we collect and use personal information about you during and after your relationship with us, in accordance with the General Data Protection Regulation (GDPR). It applies to everyone whose personal data we process in our capacity as “data controller”.
The William Barry Trust is registered in England with charity number 272551 and our contact address is Church Road, Lane End, High Wycombe, Buckinghamshire HP14 3HH.
We are not required to appoint a Data Protection Officer under the GDPR but we have appointed Mike Gough as a Data Protection Manager instead. He can be contacted on 01494 881171 or at email@example.com.
This notice is not contractual and we may update it at any time.
Data protection principles
We must comply with the principles relating to processing of personal data set out in the GDPR which, in summary, state that personal data shall:
• be processed fairly and lawfully in a transparent manner;
• be collected for specific, explicit and legitimate purposes and not be processed in any manner which is incompatible with those purposes;
• be adequate, relevant and limited to what is necessary for that purpose;
• be accurate and kept up to date where necessary, with every reasonable step being taken to ensure that personal data are accurate, having regard to the processing purpose, and are erased or rectified without undue delay;
• be kept in a form which permits identification of data subjects for no longer than is necessary for that purpose;
• be kept secure, safe from unauthorised access, accidental loss, damage or destruction; and
• be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction of damage, using appropriate technical or organisational measures.
Our collection, use and transfer of your data
Applicants and Beneficiaries
In order to accept applications and provide grants to successful applicants, we need to collect, store, review and transfer data relating to our applicants and beneficiaries. We only accept applications completed by the applicant and the information we process is therefore provided by you (the applicant).
The type of data we hold includes your name, address, contact information, date of birth, education background, financial information and anything you wish to supply in your written supporting letter and evidence.
We may contact you by post, phone or email in line with our legitimate business interests, for the following reasons:
• To discuss your application and ask for supporting or additional information.
• To inform you whether your application was successful and, if applicable, to provide a grant.
Your application and additional information or documents will be seen by our contractors, volunteers and trustees for our legitimate purposes in relation to the administration, decision-making and processing of applications and grants.
We use the contact details of our trustees to send them updates about the Trust as well as agreements, resolutions and documents relevant to their role within the Trust. We also provide their full name, home address, email address, date of birth and date of appointment to the Charity Commission and their name, home address, service address, date of birth, occupation and nationality to Companies House in relation to companies owned or significantly controlled by the Trust, in each case to comply with our legal obligations.
Contractors and Volunteers
We use the contact details of our contractors and volunteers to send them applications by post and to liaise with regards to trustee meetings or the status of applications.
We also collect information about many other people, mainly in the form of contact details (name, job title, organisation, address, e-mail address and telephone number, as well as other information from e-mail signatures and footers) of people interested in the Trust, contacts at suppliers and potential suppliers, people within the industry and other stakeholders. This information is usually provided directly from you and collected via email, website forms, telephone or social media. The data provided may be used for the legitimate interest of communicating with you in relation to specific issues or products that you are involved in, or services that you might be able to assist with. We may also contact you to keep in touch or make introductions.
We keep the details of any compliments and complaints for our legitimate interest in trying to improve our service but this information will not be disclosed by us to any third parties.
All Individuals: Onsite visitors
We operate CCTV on our premises to ensure the safety of all our visitors. Footage is deleted on a monthly basis. If you choose to use our guest wifi network, your use of this may be recorded for security reasons.
All Individuals: Organisations that may see your data
Our banks, accountants, solicitors, auditors, insurers and other professional advisers are also entitled to obtain specific data on request as part of our compliance checks and legal obligations, and in relation to potential or actual legal claims, although they rarely need specific personal data.
Our contractors and volunteers have access to all data on our systems to provide their services and process applications in line with our legitimate interests. We only allow our third-party service providers to use your personal data for specified purposes and in accordance with our instructions.
All Individuals: Marketing Correspondence
We do not engage in any marketing activities and your date will not be added to a database for marketing purposes.
All Individuals: Special category personal data such as health information
"Special categories" of particularly sensitive personal information, such as information about a person's health or sexual orientation, require higher levels of protection. We may collect, store and use this information if you provide it to us and consent to us using it for a specific purpose, where it is necessary to protect your interests (or someone else's interests) and you are not capable of giving your consent, or where you have already made the information public.
All Individuals: Criminal convictions
We will not store or use information about any criminal convictions and offences, unless you have provided your consent to it.
All Individuals: Legal claims
Any personal data may be held and used for establishing, exercising or defending legal claims.
All Individuals: Future sale
We may share your personal information in the context of our legitimate interests in a possible sale or restructuring of the Trust. In this situation we will, so far as possible, share anonymised data with the other parties before the transaction completes. Once the transaction is completed, we will share your personal data with the other parties if and to the extent required under the terms of the transaction.
Use of our website
A cookie is a small file that asks permission to be placed on your computer’s hard drive. Once you agree, the file is added and the cookie helps analyse web traffic or lets you know when you visit a particular site. Cookies allow web applications to respond to you as an individual. The web application can tailor its operations to your needs, likes and dislikes by gathering and remembering information about your preferences.
We use traffic log cookies to identify which pages are being used. This helps us analyse data about web page traffic and improve our website in order to tailor it to customer needs. We only use this information for statistical analysis purposes and then the data is removed from the system.
Overall, cookies help us provide you with a better website, by enabling us to monitor which pages you find useful and which you do not. A cookie in no way gives us access to your computer or any information about you, other than the data you choose to share with us.
You can choose to accept or decline cookies. Most web browsers automatically accept cookies, but you can usually modify your browser setting to decline cookies if you prefer. This may prevent you from taking full advantage of the website.
Our website is hosted by Rackspace, who – as one of our data processors – can only process your data in accordance with our instructions. Rackspace may transfer your data to the USA but there are adequate safeguards in place as it is self-certified to the Privacy Shield.
Our website may contain links to enable you to visit other websites of interest easily. However, once you have used these links to leave our site, you should note that we do not have any control over that other website. Therefore, we cannot be responsible for the protection and privacy of any information that you provide whilst visiting such sites and such sites are not governed by this privacy statement. You should exercise caution and look at the privacy statement applicable to the website in question.
Transferring information outside the EU
Our website is hosted by Rackspace. We also use Microsoft Onedrive to store a database of all applications received. The data stored on the database includes initial and last name, date of application, institution and status of application. All these platforms may transfer your data to the USA but there are adequate safeguards in place as they are self-certified to the Privacy Shield.
Further information can be found on the respective websites at the following links:
Right to withdraw consent
In the limited circumstances where you may have provided your consent to the collection, processing and transfer of your personal information for a specific purpose, you have the right to withdraw your consent for that specific processing at any time. To withdraw your consent, please contact our Data Protection Manager. Once we have received notification that you have withdrawn your consent, we will no longer process your information for the purpose or purposes you originally agreed to, unless we have another legitimate basis for doing so in law.
If you fail to provide personal information
If you fail to provide certain information when requested, we may not be able to consider your application or continue our professional relationship (as applicable), depending on the specific data, why we need it and what risks the provision of it poses to your rights and freedoms.
Change of purpose
We will only use your personal information for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal information for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so. Please note that we may process your personal information without your knowledge or consent, where this is required or permitted by law.
Automated decision-making takes place when an electronic system uses personal information to make a decision without human intervention. You will not be subject to decisions that will have a significant impact on you based solely on automated decision-making, unless we have a lawful basis for doing so and we have notified you.
We have put in place appropriate security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.
How long will we use your information for?
We hold personal data of applicants for as long as it is necessary to process the application and establish whether the applicant will receive a grant. Successful applications and their supporting documents are retained for seven years after the grant is completed. Full applications and supporting documents of unsuccessful applicants are destroyed within 12 months of the application being declined. However, we keep a record of all applicants containing initial and surname, date of application, institution and status of application on a secure drive. This record is kept indefinitely in line with our legitimate business interest to cross reference future applications and ensure we only provide grants to applicants who have not previously applied.
We hold personal data of all beneficiaries for up to seven years after providing a grant, in order to cover any legal or tax issues that may arise afterwards.
We will hold your personal data until we are satisfied that there is no longer any purpose for retaining it. To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements. The actual retention period will be different for different people as the above factors will be different.
Trustees, Contractors and Volunteers
We generally keep personal data regarding trustees, contractors and volunteers for seven years after they cease to be involved with the Trust, in order to deal with any legal or tax issues that might arise or any legitimate queries we may receive.
In some circumstances we may anonymise your personal information so that it can no longer be associated with you, in which case we may use such information without further notice to you.
Rights of access, correction, erasure, and restriction
You have a number of rights under the GDPR:
• the right to access personal data we hold;
• the right to ask us to rectify or complete our records;
• the right to ask us to delete personal data;
• the right to object to us processing your personal data;
• the right to restrict our processing; and
• the right to ask us to transfer your personal data to another organisation.
These are not absolute rights and are subject to specific conditions and depend on our processing purposes. If you are interested in using any of these rights, please contact our Data Protection Manager for more information.
You will not have to pay a fee to access your personal information (or to exercise any of the other rights). However, we may charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.
Your duty to inform us of changes
It is important that the personal information we hold about you is accurate and current. Please keep us informed if your personal information changes during your relationship with us.
If you are unhappy with any aspect of our processing of your personal data, we ask that you talk to us about it first and discuss your concerns with our Data Protection Manager. If you are not satisfied with the outcome, you may lodge a complaint with the Information Commissioner’s Office.
Should you require further information regarding your rights under Regulation (EU) 2016/679 General Data Protection Regulation (GDPR), this may be obtained from:
Information Commissioners Office
Information Line: +44 (0)1625 545745