Privacy Policy
LYMM HERITAGE INFORMATIONCENTRE Issue Date: 9 August 2019
PRIVACY POLICY
Your privacy, and security of your personal information, are of the highest importance to us. This privacy policy explains what personal information the Lymm Heritage Information Centre (“The Charity”) collects about you, and how and why we use that information. Please note we will never sell your personal data or make personal data available to third parties for their marketing purposes.
The policy applies to you if you’re a supporter of the Charity (whether that’s as a Friend, donor, volunteer, customer or supplier) or use any of our services, visit our website, email, call or write to us.
Who we are
We are Lymm Heritage Information Centre which is a registered charity, registered number 1164961. Our address is 1 Legh Street, Lymm, Cheshire, WA13 0DA.
How to contact us
You can contact us by writing to the Trustees at the address noted above or by emailing: lymmheritagecentre@gmail.com and putting “Data Protection” in the subject field.
-
Purpose and scope of this policy
Using personal data allows us to develop a better understanding of, and engage with, our stakeholders and in turn provide you with relevant and timely information about the work that we do. Our charitable purpose is to educate the public about the heritage of Lymm and the surrounding area. We do this by operating a heritage centre, developing a digital archive, carrying out educational events and operating a Friends scheme. We therefore have a legitimate interest in using personal data to pursue our charitable objectives.
The purpose of this policy is to explain why we process your personal data and your rights in relation to your data. We are committed to respecting and protecting your personal data and being transparent about what we do with it, in accordance with your reasonable expectations, the Data Protection Act 2018 and other applicable laws and regulations.
We appreciate your support and the trust you give us when you provide us with your personal data.
2. Our lawful basis for collecting data
We will only use your personal data if we have a lawful basis to do so. This means that we will only use personal data where we have your explicit consent or where it is necessary in order to perform a contract with you or where the processing of your personal information is in our legitimate interest and not overridden by your legal rights.
There are generally four legal bases under which we may process your data:
-
Consent: When consent is required we will always ask for your explicit consent to processing your personal data.
-
Contract: When you become a Friend of the charity following payment of an annual fee and thereby a member, you are entering a contract with us. We need to process and store your data in order to perform this contract. Contracts can also apply to relationships with suppliers and customers where the purchase or sale entails the collection of personal data.
-
Legitimate interests: In some circumstances we collect and process your personal data for purposes that are in our legitimate organisational interests. In doing so we consider that there is no overriding prejudice to you and that you would reasonably expect us to use your data in this way.
-
Legal obligations: where legislation or regulation imposes requirements – for example in connection with health and safety or financial transactions such as Gift Aid.
3. Information we collect
3.1 Friends
We collect name, address, phone number, email address and whether or not the subscription has been Gift Aided from Friends joining forms. We also collect volunteer preferences if the Friend indicates this on the Friends membership form.
We use your personal data to administer your membership including renewals, inviting you to events and keeping you informed about Centre activities. Our legal basis for this processing is our membership contract with you.
We may also create information about you that becomes your personal data such as membership history and payments and donations you have made to us.
3.2 Donors – other than via the donation box
We collect name, address, whether or not the donation has been Gift Aided and in certain cases phone and email addresses.
When you make a donation or a pledge we use your personal data to record that you have given us financial support. Our lawful basis for this processing is our legitimate interest to recognise your valuable contribution.
We aim to send communications that you would reasonably expect to receive as a donor with minimal impact on your privacy
3.3 Volunteers
We collect name, address, phone number and email addresses as well as volunteer interests and preferences from individuals who wish to volunteer and use this information to administer volunteer time and contact volunteers about volunteering opportunities with the charity. Our legal basis for this processing is our legitimate interest in using volunteer resource to fulfil the purposes of the charity.
If you are a volunteer we may need to collect extra information about you such as DBS checks and emergency contact details but will only do so with your consent.
3.4 Visitors to the Centre
We collect email addresses for those visitors who choose to complete the visitors’ book and leave an email address so that they can opt in to hear more about the charity’s work and our Friends scheme. We only use these email addresses where we hold specific consent to use them for both telling visitors more about our work and marketing our Friends scheme.
3.5 Suppliers/customers and business associates
When commercial relations are established with suppliers, certain customers and business associates we collect name, address, email address, phone number and exceptionally bank details for suppliers where they indicate online payment is their preferred payment method. These details are used to satisfy contractual commitments and facilitate supplier payments. We don’t collect personal data where customers are merely purchasing an item for cash at the Heritage Centre.
3.6 Photograph of data subject (person)
These could be incidental or posed, generally for publicity purposes e.g. a record of an event attended or contained in historic photographs which include people who are still alive. The charity obtains an individual’s consent prior to taking an individual photograph and explains the purposes that the photograph will be used for and the limits on processing (use, disclosure and disposal). For photographs taken of a group of individuals our best practice is to seek consent before photographing begins. When acquiring this consent, we ensure that individuals are informed what the images will be used for (for example where they will be published and who will have access to them). Individuals have the opportunity to opt out by moving out of range of the photographer.
If an individual objects to their inclusion in an historic photograph in the Heritage Centre’s collection reference should be made to the “Rapid Take it down policy” – see Appendix 1.
3.7 Cookies
The Charity uses two web sites: our main web site www.lymmhic.co.uk and our digital archive www.thelymmarchive.co.uk . Both websites use Cookies – small text files which are stored on your computer when you visit websites. We may automatically collect information about you through cookies. For more information please click here to see our Cookie policy [Insert hyperlink to Cookie Policy].
3.8 High risk personal financial data and sensitive personal data
With the exception of certain suppliers (see above) we do not collect high risk personal financial data such as bank account details. We do not collect credit/debit card details.
Online Giving
Our online Friends subscription and donor payment service is operated by a company called Online Giving Limited – “OGL” which trades as Charity Checkout. The use of this service via our web site is a direct connection to a payment collection service provided by OGL. This means that when you input credit/debit card details into the payment page, you are communicating directly with OGL and OGL bank passes your payment to us. This means that your payment card information is handled by OGL and not processed or held by us. OGL is the controller for the purposes of the General Data Protection Regulation 2016/679 (“GDPR”)
Similarly direct debit collections are handled by OGL and their partner GoCardless Limited. Bank details are not processed or handled by us.
The Privacy Policies of Online Giving Limited and GoCardless Limited can be viewed:
https://www.charitycheckout.co.uk/privacy/
We do not normally collect or store sensitive personal data (such as information relating to health). However, there are some situations where we will need to do so (e.g. if you have an accident at the Centre or if you tell us about a disability). If we record your sensitive personal data we will take extra care and follow additional procedures to ensure your privacy rights are protected.
We do not collect special category information such as racial origin, political/religious beliefs other than as described above.
Our lawful basis for collecting sensitive personal data will usually be so that we can fulfil legal or regulatory requirements and in other cases it will be with your explicit consent.
3.9 Other
Other limited ad hoc supplementary information may be collected/processed on an exceptional basis and with the data subject’s knowledge (e.g. information supplied by them to the charity in an email) or their consent and opt in if it is to be used for marketing purposes.
4. Where we store your data
The Charity understands the importance of holding information securely and mostly holds its data electronically, with limited paper-based information. The Charity does not knowingly transfer personal data outside the EU/EEA other than as set out in this policy.
Electronic:
-
The charity’s PC (which is subject to logical and physical security arrangements and backup)
-
Google Drive (password protected)
-
Some Management Committee members/trustees/volunteers own PCs (e.g. their own email used for administration and management of the charity)
-
Charity’s website and social media
-
Mailchimp
Mailchimp has certified its agreement to the EU-U.S. Privacy Shield Framework and they state that their Data Processing Addendum meets the requirement of the GDPR to permit the lawful transfer of EU personal data to Mailchimp and permit Mailchimp to continue to lawfully receive and process that data. See Mailchimp’s Privacy Policy for more details: https://mailchimp.com/legal/privacy/
Paper:
-
Visitors book
-
Friends forms (where completed manually)
-
Volunteer day book
-
Media and object deposit forms
-
Any printed copies of meeting papers
Where the Society uses tools such as Committee members’ own email systems, One Drive, Twitter, Facebook and similar, it is possible that the servers used may be located outside the EEA. This is outside the Charity’s control and the Charity will not use such facilities where it is aware that the privacy protection might subject members’ personal data to a high level of risk.
We maintain appropriate safeguards, procedures and technology in order to keep your personal data secure.
5. How long we keep your information
We keep your personal data safely for as short a time as we need it or legally have to keep it. In doing so, we:
-
annually review the length of time we keep your personal data;
-
consider the purposes for which we hold the personal data in deciding whether (and for how long) to retain it;
-
securely delete personal data that is no longer needed for those purposes; and
-
update, archive or securely delete personal data if it goes out of date.
The time periods for which we retain your personal data depend on the purposes for which we use it.
6. Sharing your personal data
Subject to the following we will never share your data with others.
Email addresses and other contact details may incidentally be shared amongst those working on a project or initiative and with any other related third parties whilst in connection with conducting the legitimate interests of the charity.
We will never sell your personal data.
7. Your data protection rights
Individuals have certain rights over their personal data and data controllers are responsible for fulfilling these rights. Where we decide how and why personal data is processed, we are a data controller and have provided further information about the rights that individuals have and how to exercise them below.
a) Access to personal data
You have a right of access to personal data held by us as a data controller. This right may be exercised by emailing us at lymmheritagecentre@gmail.com and put “Data Protection” in the subject field , or write to us at:
Data Protection, Lymm Heritage Centre, 1 Legh Street, Lymm, WA13 0DA
You may be asked to provide the following details:
-
The personal information you want to access
-
Where it is likely to be held
-
The date range of the information you wish to access.
We will need you to confirm your identity. If we hold personal information about you, we will give you a copy of the information in an understandable format together with an explanation of why we hold and use it. We will aim to respond to any requests for information promptly, and in any event within the legally required time limits (30 days).
b) Withdrawal of consent
Where you have given consent for Lymm Heritage Information Centre to use your personal data, you have the right to withdraw that consent at any time. You also have the right to ask us to stop using your personal data for direct marketing purposes. If you wish to do this you should email or write to us using the details provided in a) above.
c) Amendment of personal data
If you wish us to amend personal data you should contact us using the contact methods specified in a) above. We will need you to confirm your identity. Once we are informed that any personal data processed by us is no longer accurate, we will (within 30 days) make corrections based on your updated information.
d) Other data subject rights
This privacy policy is intended to provide information about what personal data we collect about you and how it is used. As well as rights of access and amendment referred to above, individuals may have other rights in relation to the personal data we hold, such as a right to erasure/deletion (‘right to be forgotten’), to restrict or object to our processing of personal data and the right to data portability. There may be other lawful reasons why we need to process your personal data, but please tell us if you don’t think we should be using it. If you wish to exercise any of these rights, please send an email to lymmheritagecentre@gmail.com putting Data Protection in the subject field, or write to us at Data Protection, Lymm Heritage Centre, 1 Legh Street, Lymm, WA13 0DA.
You can also object to the way we process your data, including the way we communicate with you at any time using the contact details in this section.
e) Archive Photographic Collection
The charity regards its collection as “archiving in the public interest” and as such, in some circumstances, exceptions from or alterations to the provisions of the Data Protection Act 2018 (as set out in GDPR Article 89 for example) may apply.
8. Children's Personal Data
The Charity does not routinely process the personal data of children but when it does it does so in accordance with this Privacy Policy but additionally has particular regard to Recital 38 of the GDPR:
“Children require specific protection with regard to their personal data as they may be less aware of the risks, consequences and safeguards concerned and their rights in relation to the processing of personal data.”
As a matter of good practice we assess and mitigate the risks to children by:
-
Any contemporary photographs of children will only be taken and used with the consent of those individuals who have parental responsibility and/or in agreement with the relevant educational institution.
-
Children’s personal data will be restricted to their image (photograph) or their contact details (name, email address, phone number) for competitions.
-
Any initiative especially targeted at children such as a competition will have regard to Recital 38 and in particular children will be asked to inform their parent, guardian or carer in advance. Consent will be sought from children to use their personal data and any child under 13 will be asked to confirm they have the consent of their parent, guardian or parent in advance. Children will be told that the data will be processed in line with the Heritage Centre’s Privacy Policy.
9. Automated Decision Making
The charity does not perform automated decision making.
10. Review of this policy
We regularly review our privacy policy and may make changes from time to time.
11. How the Charity ensures its compliance with this Privacy Notice
As a very small organisation with a proactive and privacy aware committee, the Charity expects to be self-policing on an ongoing basis.
If any person suspects a breach of this Privacy Notice they are requested to advise the Chairman immediately. He can be contacted by emailing lymmheritagecentre@gmail.com and putting “Data Protection” in the subject field.
You also have the right to complain to the Information Commissioner’s Office about our processing of your data. They can be contacted via: https://ico.org.uk/ or by phoning 0303 123 1113.
You can also find further information about data protection matters on their web site.
APPENDIX 1
Rapid Take Down Policy
Have you a complaint about copyright? Lymm Heritage and Information Centre attempts where possible, to make every effort to contact known holders of copyright before using images on its site.
If you have a complaint about an image you have seen, and believe you are the copyright holder, or wish an image to be removed for other reasons, please download our Rapid Take it Down Policy
What is Lymm Heritage Information Centre Rapid Take Down Policy?
In the event that you are the owner of the copyright in any of the material reproduced on the Lymm Heritage website and do not consent to such reproduction in accordance with its terms and conditions, please follow the steps below. Additionally, you may wish items to be removed for personal or privacy reasons.
To request removal of an image / material from this site
Send the following information to lymmarchive@gmail.com
Your details:
-
Name
-
Organisation
-
Email address
-
Telephone number
-
Reason for requesting withdrawal
-
Proof of ownership
Image/ publication details:
-
Title of the item
-
Item reference number
-
Material objected to
On receipt of a withdrawal request
1. Lymm Heritage and Information Centre will acknowledge the request within 5 working days of receipt.
2. The Centre will withdraw the reproduction of the respective image/s immediately and subsequently review the request. An initial assessment of the request will be made within 10 working days of receipt.
3. If the request is considered legitimate, the respective image/s will be withdrawn permanently from the website, although its bibliographic details may be retained on the website. The requester will receive an email giving details of the action taken.
4. In the event when the request is not considered legitimate, Lymm Heritage Information Centre will reinstate the respective image/s.