Privacy policy - Impatience Earth

Data Protection Policy

Introduction

Impatience Ltd (referred to as “Impatience Ltd”, “we”, “us” or “our”), is committed to protecting the rights and Personal Data of individuals in accordance with the Data Protection Act 2018 (“DPA”) and, where applicable, the General Data Protection Regulation (2016/679) (“GDPR”) (collectively, “Data Protection Laws”).

The principles of the GDPR will continue to have effect in the UK even after the UK exits the European Union. Non-compliance with this Data Protection Policy (“Policy”) may be considered to be a disciplinary matter, or may result in the termination of your engagement or employment with Impatience Ltd.

This Policy will be reviewed regularly to ensure it remains up to date and compliant with Data Protection Laws.

Purpose and scope

In the course of our activities, we will collect and use Personal Data about individuals including board members, partners, contractors, suppliers, employees, volunteers and programme participants.

As a result of collecting this Personal Data, we are the Data Controller, and we are subject to the requirements of Data Protection Laws.

This Policy establishes how we collect and use Personal Data, to ensure that we comply with Data Protection Laws. Annex 1 contains guidance on how we implement compliant practices internally. Annex 1 contains Impatience Ltd’s Privacy Policy and is available on our website.

Definitions

1. ‘Controller’ refers to the entity that determines the purposes and means of processing of Personal Data.
2. ‘Personal Data’ refers to any information related to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, financial, cultural or social identity of that natural person.
3. ‘Personal Data Breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed by us, or a third party engaged by us.
4. ‘Process’, ‘processing’, and ‘processed’ means any operation or set of operations which is performed on Personal Data sets or on Personal Data, whether or not by automatic means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
5. ‘Special Categories of Personal Data’ is a subset of Personal Data which may contain information relating to a person’s race or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.

Data Protection Principles. We are required to process Personal Data in a fair, lawful and transparent manner, and in accordance with the principles of Data Protection Laws, as listed below:

1. Purpose limitation. We will only process Personal Data for the specified, explicit and legitimate purposes for which the Personal Data was obtained. If it becomes necessary to change the purpose for which the Personal Data is processed, it may be necessary to provide individuals with a notice informing them of any changes.
2. Data minimisation. We will only process Personal Data that is strictly necessary for its defined business purpose. Personal Data that is not necessary for the intended business purpose, for example because it is inadequate, irrelevant or excessive, must not be processed.
3. Accuracy. We will check that Personal Data is accurate, complete, reliable and kept up to date as necessary for the purposes of which the Personal Data is held and used. Such steps will be taken at the point of collection of the Personal Data and at regular intervals afterwards.
4. Storage limitation / retention. We will not keep Personal Data for longer than is necessary for the purpose or purposes for which it was obtained, in accordance with our records retention policy found in our Data Audit Spreadsheet, which is maintained by the COO.
5. Integrity and confidentiality. Appropriate technical, physical and organisational measures shall be taken against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of Personal Data.

Personnel Personal Data

1. We may process the following categories of Personal Data about our employees, contractors and board members (“Personnel”):
  1. Personal details (such as name, address, email address, telephone number, date of birth, national insurance number, and photographs).
  2. Family and social (such as emergency contact details).
  3. Employment details (such as employment status, passport or work permit details, information provided to us by referees, education and employment history, CV, appraisals, professional development plans, and annual leave records).
  4. Any email correspondence that is sent or received using Impatience Ltd email addresses.
  5. Financial information (such as bank account details, tax reference number, salary details, student loan details, and information relating to employees’ mortgages or leases).
  6. Criminal record (such as criminal background data).
  7. Special Categories of Personal Data (such as health conditions or allergies, information related to any sick leave, and ethnicity).
2. Purpose of processing Personnel Personal Data:
  1. For the performance of the contract of employment or engagement.
  2. To comply with our legal obligations.
  3. To fulfil our legitimate business interests, including for the operation of standard business functions such as human resource management, legal and/or regulatory compliance and/or administrative and managerial purposes, including without limitation: pay, remuneration and expense reimbursement; administration of pension, insurance and other benefits, and appraisals and performance.
3. We process Special Categories of Personnel Personal Data on the basis of our legitimate activities, relying on GDPR Article 9(2)(d).

Disclosure of Personnel Personal Data. In connection with the purposes described above, we may need to transfer or disclose Personnel Personal Data to the following categories of recipients:

1. Other Personnel of Impatience Ltd, whose access is necessary to perform their role.
2. Third party service providers that provide services for us that involve data processing, including payroll, audit, accountancy, insurance, tax, pensions, medical, benefits, legal and other professional advisors.
3. Competent public authorities (such as tax authorities or law enforcement authorities) where required by law.

International Transfers of Personal Data. We may transfer any Personal Data we hold to a country outside of the United Kingdom and the European Economic Area (“EEA”).

1. Data Protection Laws prohibit transfers of Personal Data to countries outside the EEA, unless measures have been implemented to ensure adequate protection for Personal Data. Where we make such transfers we do so on the basis of the legitimate interests set out in GDPR Article Art 49(1).
2. Transfers of any Personal Data internationally can only be done with the approval of the COO prior to the transfer.

Personal Data Breaches. In line with Data Protection Laws, Impatience Ltd will notify actual or suspected Personal Data Breaches to the Information Commissioner’s Office (“ICO”), the UK’s data protection authority, and possibly the affected individuals.

Individuals’ Rights.

1. All individuals whose Personal Data is held by us have the following rights in relation to the Personal Data:
  1. right of access
  2. right to rectification
  3. right to erasure (also known as the ‘right to be forgotten’)
  4. right to restriction of processing
  5. right to data portability
  6. right to object
  7. rights against automated decision making including profiling.
2. The most commonly-exercised right is the right of access. This entitles individuals to request access to all of the Personal Data related to them, and held by us, at the time of the request (a “Subject Access Request”).
3. On receipt of a request, we may request additional information from an individual, to confirm their identity and for security purposes, before disclosing the information requested. Any request will be processed in line with Data Protection Laws.
4. Individuals also have the right to lodge a complaint with the ICO at www.ico.org.uk or by phone on 0303 123 1113.

Annex 1 – Guidance

This Annex provides guidance about how Impatience Ltd implements some of the practices outlined in the Policy. The guidance applies to all Personnel who come into contact with Personal Data held by us, including board members, partners, contractors, suppliers, employees and volunteers.

Responsibilities. All staff have responsibility for ensuring that Personal Data is collected, stored, and handled in compliance with the Data Protection Laws, and with this Policy. The key areas of responsibility are set out below.

Board of Directors

● Ultimately responsible for ensuring that Impatience Ltd meets its legal obligations.

COO

● Keeping the Board of Directors updated about data protection responsibilities, risks, and issues.

● Reviewing all data protection procedures and related policies, in line with an agreed schedule.

● Arranging data protection training and advice for the people covered by this Policy.

● Handling data protection questions from Personnel and anyone else covered by this Policy.

● Approving any data protection statements attached to communications and the website.

● Providing training and ensuring Personnel understand their responsibilities.

● Identifying opportunities for further training.

● Where necessary, working with Personnel to ensure their work abides by data protection principles.

● Advising Personnel on data protection issues.

● Notifying the ICO where necessary, and generally cooperating with the ICO including acting as a point of contact.

● Handling Subject Access Requests.

● Approving unusual or controversial disclosures of Personal Data.

● Monitor compliance with Data Protection Laws.

All staff

● Compliance with this Policy

● Reporting any actual or suspected Personal Data Breaches to the COO without undue delay after becoming aware of it.

General Personnel Guidelines

1. 1. Access to Personal Data shall only be given to those whose access is necessary to perform their role.
  2. Personal Data may only be transferred through Impatience Ltd-approved systems, such as our email accounts and cloud computing service.
  3. You must keep all Personal Data secure by following Data Storage and Security Guidelines guidance below.

Data Storage and Security Guidelines.

Personal Data should be updated regularly, to ensure that it remains accurate.

Staff should keep their own and their team’s Personal Data updated and inform the COO of any changes.

Any Personal Data that is no longer reasonably necessary for the purpose for which it was originally collected should be deleted.

Impatience Ltd has a comprehensive records retention policy that details how long we retain Personal Data for. For more information, please contact the COO.

When deleting Personal Data, ensure that it is fully deleted. If it is a hard copy, it must be shredded on site. If it is a soft copy, it must be fully deleted from Impatience Ltd’s cloud computing service and/or from hard drives.

Personal Data Collection Guidelines

1. A legal basis is required for the collection of any Personal Data. Most common legal bases under the GDPR include: by consent, for performance of a contract, for compliance with a legal obligation, and for purposes of a legitimate business interest.
2. The legal bases on which we collect Personal Data are set out in the Data Audit Spreadsheet, which the COO maintains.
3. Where an individual’s Personal Data is collected on the basis of consent:
  1. The individual shall have the opportunity to ‘opt out’ at any time. This is outlined in our Privacy Policy.
  2. In some circumstances, regardless of a withdrawal of consent, we may still be required to retain the Personal Data for a certain length of time.
  3. Where an individual is under the age of 16, consent must be given by an adult with parental responsibility over the child.
4. Where consent is obtained by our international partners, for example because photographs are being taken of students, the consent should be clearly documented by the international partners and a copy shared with us.

Personal Data Storage and Security Guidelines

1. Only produce hard copies of Personal Data when strictly necessary.
  1. Keep them securely locked away when not being used
  2. Keep them in a secure place where unauthorised people cannot access it and never leave them on desks.

Soft copies of personal data

1. Always protect soft copies of personal data by strong passwords that are changed regularly and never shared.
2. If stored on removable media such as a USB stick or external hard drive, ensure these are password protected and securely locked away when not in use.
3. Only stored on designated folders.
4. Where personal devices are used for work purposes, all work must be uploaded to the google drive, and not stored locally or directly onto laptops or other mobile devices. These personal devices must be password protected.

Personal Data Breach Guidelines

1. A Personal Data Breach can include:
  1. Access by an unauthorised third part
  2. Deliberate or accidental action or inaction
  3. Sending Personal Data to an incorrect recipient
  4. Computing devices containing Personal Data being lost or stolen
  5. Alteration of Personal Data without permission
  6. Loss of availability of Personal Data.
2. In the event of an actual or suspected Personal Data Breach inform the COO of the actual or suspected Personal Data Breach without undue delay.

Subject Access Requests

1. If an individual wishes to exercise their right of access, they can make a Subject Access Request.
2. Subject Access Requests are dealt with by the COO.
3. Forward anything which might relate to a Subject Access Request to the COO as soon as you receive the request

Annex 2 – Privacy Policy

Impatience Ltd, a non-profit company registered in the UK (Company number 11862567)

Overview. This privacy policy provides information about the different types of personal information that we collect and the ways in which we use it. When we enter contractual relationships with clients, Impatience Earth will ensure that these individuals are aware that their data is being processed, and that they understand how their data is being used and how to exercise their rights.

Impatience Ltd may update this policy by posting a new version on this website. If significant changes are made to this privacy statement, we will endeavour to bring these changes to your attention where we have your contact details. Otherwise, we recommend that you periodically review this privacy statement.

All information will be stored and used in accordance with this privacy policy.

For further information, please contact aditi@impatience.earth.

When and how does Impatience Ltd collect information?

1. When you use our services or register for a place on one of our programmes or events
2. When you contact us with an enquiry or other feedback
3. When you request to be sent communications such as updates or newsletters
4. When we are checking compliance with the Terms of Use and/or otherwise as required by law
5. When you disclose your personal information to us or through our Services at any other point
6. We may also combine information that you provide from one service with information collected from other services as well as with information that is publicly available or that we receive from other reputable sources.

What personal information does Impatience Ltd use and how do they use it?

1. Your information may be used to help tailor the nature of how best to communicate with you as well as guide and improve the provision of services we offer you.
2. We may collect, store and process the following kinds of personal information:
  1. Your name and contact details, including an email and postal address, telephone number, and social media identity
  2. Your gender and date of birth, as and when given; Details of your qualifications and experience
  3. Your interests in philanthropy, specific areas of interest and engagement in the sector, including current and planned donations and support made to other organisations
  4. Information about which of our services you use, or Impatience Earth events you have attended
  5. Any other personal information which you choose to share with us.

Does Impatience Ltd share personal information? Impatience Ltd will not sell your personal information to others. However, we may disclose your personal information to selected third party partners to help carry out our organisational objectives. This third party will be required to use any personal data they receive in accordance with this Privacy Policy.

How does Impatience Ltd ensure personal information is kept safe

1. Impatience Ltd will take reasonable technical and organisational precautions to prevent the loss, misuse or alteration of your personal information.
2. We will delete personal information from our records when requested by the person, if we no longer require it for our organisational purposes or if we are no longer lawfully entitled to process it.